- Fix HTML injection vulnerability with proper entity encoding
- Fix rate limit cleanup bug (count vs timestamp confusion)
- Add URL validation to prevent open redirect attacks
- Add expiration to in-memory deduplication entries
- Use Zod schema for config validation
- Add email format validation

All 29 tests passing. Ready for Code Reviewer final review.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
49 lines
2.0 KiB
Markdown
## Security Remediation Complete

All 4 Medium and 2 Low severity findings have been addressed:

### Medium Severity (Fixed)

**1. HTML Injection via Template Variables** (`template.service.ts:168`)

- Added `escapeHtml()` method with HTML entity encoding
- Variables substituted in HTML context are now properly escaped
- Handles `&`, `<`, `>`, `"`, and `'` characters
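The encoding described above, as an added example rather than the project's own `template.service.ts` code: a single-pass entity encoder for the five characters listed, plus a placeholder substitution that routes every variable through it because the output is interpreted as HTML. The `{{name}}` placeholder syntax and the `renderHtmlTemplate` name are assumptions.

```typescript
// Added example, not the project's code. Entity map for the characters that
// can change meaning inside HTML text or attribute values.
const HTML_ENTITIES: Record<string, string> = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// One regex pass over all five characters. Chaining separate replace() calls
// with '&' handled last would re-encode the entities produced by the earlier
// calls; a single pass avoids that ordering trap.
function escapeHtml(value: string): string {
  return value.replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Substitute {{name}} placeholders (assumed syntax). Every substituted value is
// escaped; unknown placeholders are left untouched rather than replaced with
// an empty string so missing data is visible in tests.
function renderHtmlTemplate(
  template: string,
  vars: Record<string, string>,
): string {
  return template.replace(/\{\{\s*(\w+)\s*\}\}/g, (match: string, name: string) => {
    const value = vars[name];
    return value === undefined ? match : escapeHtml(value);
  });
}
```

Note that this escaping is only correct for HTML text and quoted attribute values; a variable placed inside a `<script>` block, an unquoted attribute, or a URL needs a context-specific encoder instead.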

**2. Rate Limit Cleanup Logic Bug** (`email.service.ts:16-23`)

- Created `RateLimitEntry` interface with `count` and `lastSentAt` fields
- Cleanup now correctly compares timestamps instead of counts
- Rate limiting will work effectively across cleanup cycles
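A worked version of the corrected structure, added here as an example and not taken from `email.service.ts`: a per-recipient map of `RateLimitEntry` records in which the cleanup pass compares `lastSentAt` against the clock, so active recipients keep their counts and stale ones are evicted. The window length, the cap, the `EmailRateLimiter` class and the injectable clock are assumptions.

```typescript
// Added example, not the project's code. The interface matches the fields
// named in the remediation notes; everything else is assumed.
interface RateLimitEntry {
  count: number;      // sends recorded in the current window
  lastSentAt: number; // epoch milliseconds of the most recent send
}

const WINDOW_MS = 60000;  // assumed window length (one minute)
const MAX_PER_WINDOW = 5; // assumed cap per recipient per window

class EmailRateLimiter {
  private readonly entries = new Map<string, RateLimitEntry>();
  private readonly now: () => number;

  // The clock is injectable so the window logic can be tested deterministically.
  constructor(now: () => number = Date.now) {
    this.now = now;
  }

  // Returns true and records the send if `recipient` is under the cap;
  // returns false without touching the entry otherwise.
  tryAcquire(recipient: string): boolean {
    const t = this.now();
    const entry = this.entries.get(recipient);
    if (!entry || t - entry.lastSentAt >= WINDOW_MS) {
      // No entry, or the last send is older than the window: start fresh.
      this.entries.set(recipient, { count: 1, lastSentAt: t });
      return true;
    }
    if (entry.count >= MAX_PER_WINDOW) {
      return false;
    }
    entry.count += 1;
    entry.lastSentAt = t;
    return true;
  }

  // The bug class being fixed: a cleanup that tested `count` against the
  // window would evict busy recipients (silently resetting their limit) and
  // keep idle ones forever. Comparing the timestamp to the clock does the
  // opposite, which is what the limiter needs. Returns the number evicted.
  cleanup(): number {
    const t = this.now();
    let removed = 0;
    this.entries.forEach((entry, key) => {
      if (t - entry.lastSentAt >= WINDOW_MS) {
        this.entries.delete(key); // deleting during Map.forEach is safe
        removed += 1;
      }
    });
    return removed;
  }

  size(): number {
    return this.entries.size;
  }
}
```

Because `lastSentAt` is refreshed on every accepted send, the window here is one of inactivity: a recipient at the cap stays blocked until they have been quiet for `WINDOW_MS`. A fixed-window variant would store the window start instead, but the cleanup comparison is the same either way.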

**3. Open Redirect via URL Template Variables** (`template.service.ts`)

- Added `TRUSTED_DOMAINS` allowlist (shieldai.com, app.shieldai.com, api.shieldai.com)
- Added `validateUrl()` method that validates URLs against trusted domains
- Invalid URLs default to `/` to prevent phishing attacks
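An allowlist check of this shape, written here as an added example and not the project's `validateUrl()`: the candidate is parsed with the WHATWG `URL` parser and its `hostname` is compared exactly against the three listed domains, with everything else falling back to `/`. Restricting to `http:`/`https:` and requiring an exact host match (no subdomain wildcard) are assumptions; the domain list is the one from the notes.

```typescript
// Added example, not the project's code. Domains come from the remediation
// notes; the scheme and exact-match policy are assumptions.
const TRUSTED_DOMAINS: ReadonlySet<string> = new Set([
  "shieldai.com",
  "app.shieldai.com",
  "api.shieldai.com",
]);

const SAFE_FALLBACK = "/";

function validateUrl(candidate: string): string {
  let parsed: URL;
  try {
    // No base URL is supplied on purpose: relative and protocol-relative
    // inputs ("/x", "//evil.example") throw here and take the fallback.
    parsed = new URL(candidate);
  } catch {
    return SAFE_FALLBACK;
  }

  // javascript:, data:, mailto: and friends carry no meaningful host and are
  // never acceptable as a redirect target.
  if (parsed.protocol !== "https:" && parsed.protocol !== "http:") {
    return SAFE_FALLBACK;
  }

  // Compare the parser's hostname, which is lower-cased and excludes userinfo,
  // rather than doing string matching on the raw input. That is what makes
  // "https://shieldai.com.evil.example/" and "https://shieldai.com@evil.example/"
  // fail: both have hostname "evil.example".
  if (!TRUSTED_DOMAINS.has(parsed.hostname)) {
    return SAFE_FALLBACK;
  }

  // Return the normalised form so downstream code sees one canonical spelling.
  return parsed.toString();
}
```

Returning `parsed.toString()` rather than the raw input means the scheme and host are emitted in canonical lower-case form, which keeps later string comparisons (logging, audit, tests) consistent.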

**4. In-Memory Deduplication Expiration** (`notification.service.ts:62-88`)

- Created `DeduplicationEntry` interface with `externalIds` and `expiresAt` fields
- In-memory dedup now respects the configured `window_seconds` TTL
- Prevents indefinite growth of pending deduplication sets
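The expiring structure in code, added as an example and not copied from `notification.service.ts`: each deduplication key holds a `DeduplicationEntry` whose `expiresAt` is computed from `window_seconds`, a lookup after expiry starts a fresh set instead of extending the old one, and a sweep drops expired entries so the map is bounded by active keys rather than by history. The `InMemoryDeduplicator` class, the key scheme and the injectable clock are assumptions.

```typescript
// Added example, not the project's code. The interface fields match the
// remediation notes; the surrounding class is assumed.
interface DeduplicationEntry {
  externalIds: Set<string>; // external ids already seen for this key
  expiresAt: number;        // epoch ms after which the whole set is discarded
}

class InMemoryDeduplicator {
  private readonly pending = new Map<string, DeduplicationEntry>();
  private readonly windowMs: number;
  private readonly now: () => number;

  // windowSeconds is the configured window_seconds value.
  constructor(windowSeconds: number, now: () => number = Date.now) {
    this.windowMs = windowSeconds * 1000;
    this.now = now;
  }

  // Returns true (and records the id) if `externalId` has not been seen for
  // `key` within the live window; false if it is a duplicate.
  shouldSend(key: string, externalId: string): boolean {
    const t = this.now();
    let entry = this.pending.get(key);
    if (!entry || entry.expiresAt <= t) {
      // Absent or expired: start a fresh window. Extending the old entry's
      // expiry on each hit would let a steady trickle keep it alive forever.
      entry = { externalIds: new Set<string>(), expiresAt: t + this.windowMs };
      this.pending.set(key, entry);
    }
    if (entry.externalIds.has(externalId)) {
      return false;
    }
    entry.externalIds.add(externalId);
    return true;
  }

  // Periodic sweep: drop every entry whose window has closed. Returns the
  // number removed. Without this, keys that stop receiving events would
  // never be evicted even though their sets are no longer consulted.
  sweep(): number {
    const t = this.now();
    let removed = 0;
    this.pending.forEach((entry, key) => {
      if (entry.expiresAt <= t) {
        this.pending.delete(key);
        removed += 1;
      }
    });
    return removed;
  }

  pendingKeys(): number {
    return this.pending.size;
  }
}
```

The check in `shouldSend` and the sweep use the same `expiresAt <= now` comparison, so an entry that the sweep would remove is also treated as absent by a lookup that races ahead of it; the two paths cannot disagree about whether a window is live.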

### Low Severity (Fixed)

**5. Zod Schema Validation** (`notification.config.ts`)

- `loadNotificationConfig()` now parses through `NotificationConfigSchema.parse()`
- Invalid configurations will throw at startup instead of runtime

**6. Email Format Validation** (`email.service.ts:33`)

- Added `EMAIL_PATTERN` regex for basic email validation
- Invalid email formats throw before attempting to send

### Test Results

- All 29 tests passing ✅
- No new TypeScript errors introduced

### Files Modified

- `packages/shared-notifications/src/services/template.service.ts`
- `packages/shared-notifications/src/services/email.service.ts`
- `packages/shared-notifications/src/services/notification.service.ts`
- `packages/shared-notifications/src/config/notification.config.ts`

### Next Action

Ready for Code Reviewer final review before marking security review complete.