ShieldAI/packages/shared-notifications/SECURITY_REMEDIATION.md
Michael Freno c490735ba2 FRE-4520: Fix security vulnerabilities in notification template system
- Fix HTML injection vulnerability with proper entity encoding
- Fix rate limit cleanup bug (count vs timestamp confusion)
- Add URL validation to prevent open redirect attacks
- Add expiration to in-memory deduplication entries
- Use Zod schema for config validation
- Add email format validation

All 29 tests passing. Ready for Code Reviewer final review.

Co-Authored-By: Paperclip <noreply@paperclip.ing>
2026-05-01 19:35:22 -04:00


Security Remediation Complete

All 4 Medium and 2 Low severity findings have been addressed:

Medium Severity (Fixed)

1. HTML Injection via Template Variables (template.service.ts:168)

  • Added escapeHtml() method with HTML entity encoding
  • Variables substituted in an HTML context are now escaped before insertion
  • Handles &, <, >, ", and ' characters
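
The following TypeScript is an added illustration of the fix, not the project's template.service.ts: entity encoding applied at substitution time, with the split between the HTML body (escaped) and the text/plain alternative (verbatim) that a notification template system needs. The `{{ name }}` placeholder syntax, the function names and the sample data are assumptions.

```typescript
// Added example (not the project's template.service.ts). Placeholder syntax
// `{{ name }}`, the function names and the sample data are assumptions.

// The five characters that can change meaning in HTML text or in a quoted
// attribute value. `&` is included so a value such as "&lt;" is shown
// literally rather than being reinterpreted as an entity.
const HTML_ENTITIES: { [ch: string]: string } = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

function escapeHtml(value: string): string {
  return value.replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Substitute `{{ var }}` placeholders. Values going into the HTML body are
// escaped; values going into the text/plain alternative are inserted as-is,
// because entities would appear verbatim in a plain-text email.
function renderTemplate(
  template: string,
  variables: { [name: string]: string },
  context: "html" | "text"
): string {
  return template.replace(
    /\{\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*\}\}/g,
    (match, name: string) => {
      const raw: string | undefined = variables[name];
      // Leave an unknown placeholder visible rather than silently dropping it,
      // so a mismatched template is caught in review instead of in production.
      if (raw === undefined) return match;
      return context === "html" ? escapeHtml(raw) : raw;
    }
  );
}

// Constructed sample: a display name that carries markup and an event handler.
const hostileName = '<img src=x onerror="alert(1)">';
const htmlTemplate = "<p>Welcome, {{ user_name }}!</p>";
const safeHtml = renderTemplate(htmlTemplate, { user_name: hostileName }, "html");
// safeHtml === '<p>Welcome, &lt;img src=x onerror=&quot;alert(1)&quot;&gt;!</p>'
```

Entity encoding of this kind is sufficient only for text nodes and quoted attribute values. A variable placed into an href, an inline script, a style block or an unquoted attribute needs context-specific handling; the URL case is what finding 3 covers.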

2. Rate Limit Cleanup Logic Bug (email.service.ts:16-23)

  • Created RateLimitEntry interface with count and lastSentAt fields
  • Cleanup now correctly compares timestamps instead of counts
  • Rate-limit state is no longer discarded by the periodic sweep, so limits hold across cleanup cycles
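
As an added example (not the project's email.service.ts), here is a per-recipient limiter built on the RateLimitEntry shape from this finding, with an injectable clock so the window can be advanced in a test. It carries both a reconstruction of the count-versus-timestamp comparison described above and the corrected sweep; the one-hour window, the limit of five, the method names and the exact form of the original defect are assumptions.

```typescript
// Added example (not the project's email.service.ts). The RateLimitEntry
// fields follow the remediation note; the window, the per-recipient limit,
// the method names and the injected clock are assumptions.

interface RateLimitEntry {
  count: number;      // sends recorded since the entry was (re)started
  lastSentAt: number; // epoch milliseconds of the most recent send
}

const WINDOW_MS = 60 * 60 * 1000; // one hour (assumed)
const MAX_PER_WINDOW = 5;         // sends per recipient per window (assumed)

class EmailRateLimiter {
  private entries: { [recipient: string]: RateLimitEntry } = {};

  // `now` is injected so the window can be advanced in a test.
  constructor(private now: () => number = () => Date.now()) {}

  // Records the send and returns true if the recipient is under the limit.
  // A denied attempt does not touch lastSentAt, so it cannot keep the window open.
  tryAcquire(recipient: string): boolean {
    const t = this.now();
    const entry = this.entries[recipient];
    if (entry === undefined || t - entry.lastSentAt >= WINDOW_MS) {
      this.entries[recipient] = { count: 1, lastSentAt: t };
      return true;
    }
    if (entry.count >= MAX_PER_WINDOW) return false;
    entry.count += 1;
    entry.lastSentAt = t;
    return true;
  }

  // Reconstruction of the defect class named in finding 2 (not the project's
  // actual code): the cutoff is an epoch timestamp but the field compared is
  // `count`. Every count is far below any cutoff, so every entry is deleted
  // on each sweep and every recipient's budget silently resets.
  cleanupBuggy(): number {
    const cutoff = this.now() - WINDOW_MS;
    let removed = 0;
    for (const recipient of Object.keys(this.entries)) {
      if (this.entries[recipient].count < cutoff) {
        delete this.entries[recipient];
        removed++;
      }
    }
    return removed;
  }

  // Corrected sweep: compare the timestamp field against the cutoff, so only
  // entries idle for a full window are dropped.
  cleanup(): number {
    const cutoff = this.now() - WINDOW_MS;
    let removed = 0;
    for (const recipient of Object.keys(this.entries)) {
      if (this.entries[recipient].lastSentAt < cutoff) {
        delete this.entries[recipient];
        removed++;
      }
    }
    return removed;
  }

  size(): number {
    return Object.keys(this.entries).length;
  }
}
```

The sweep exists only to bound memory; correctness of the limit must not depend on it, which is why tryAcquire also re-checks the window itself. A test that fills a recipient's budget, runs the sweep, and asserts the next send is still refused is the regression test this finding calls for.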

3. Open Redirect via URL Template Variables (template.service.ts)

  • Added TRUSTED_DOMAINS allowlist (shieldai.com, app.shieldai.com, api.shieldai.com)
  • Added validateUrl() method that validates URLs against trusted domains
  • URLs that fail validation are replaced with / so a template variable cannot send recipients to an attacker-controlled site
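
As an added example (not the project's validateUrl()), the following TypeScript does exact-host allowlisting of the three domains named above and covers the cases an open-redirect check has to get right: non-http schemes, userinfo tricks, protocol-relative paths and look-alike hostnames. Restricting to https, rejecting explicit ports, accepting same-origin relative paths, the `/` fallback and the function names are assumptions.

```typescript
// Added example (not the project's validateUrl()). The three hosts follow the
// remediation note; https-only, port and relative-path handling, the `/`
// fallback and the function names are assumptions.

const TRUSTED_DOMAINS: string[] = ["shieldai.com", "app.shieldai.com", "api.shieldai.com"];
const SAFE_FALLBACK = "/";

// Parse without a base URL: a bare "shieldai.com/reset" or "//evil.com" must
// fail rather than resolve against some current origin.
function parseAbsoluteUrl(value: string): URL | null {
  try {
    return new URL(value);
  } catch (e) {
    return null;
  }
}

// Returns the input if it is a same-origin relative path or an https URL whose
// hostname is exactly on the allowlist; anything else becomes SAFE_FALLBACK.
function validateUrl(raw: string): string {
  const value = raw.trim();

  // "/path" stays on the current site. "//host" and "/\host" are rejected
  // because browsers treat them as protocol-relative absolute URLs.
  if (value.charAt(0) === "/") {
    return /^\/(?![\/\\])/.test(value) ? value : SAFE_FALLBACK;
  }

  const parsed = parseAbsoluteUrl(value);
  if (parsed === null) return SAFE_FALLBACK;

  // Scheme check blocks javascript:, data: and an http: downgrade.
  if (parsed.protocol !== "https:") return SAFE_FALLBACK;

  // "https://shieldai.com@evil.com" parses with hostname "evil.com" and
  // username "shieldai.com"; refuse userinfo outright rather than rely on that.
  if (parsed.username !== "" || parsed.password !== "") return SAFE_FALLBACK;

  // A non-default port is not something a notification link should carry.
  if (parsed.port !== "") return SAFE_FALLBACK;

  // Exact match: "shieldai.com.evil.com" and "evilshieldai.com" both fail.
  // The parser has already lowercased and punycoded the hostname.
  if (TRUSTED_DOMAINS.indexOf(parsed.hostname) === -1) return SAFE_FALLBACK;

  // Emit the normalised form so the template never echoes the raw input.
  return parsed.toString();
}
```

Matching on the parsed hostname rather than on a prefix or substring of the raw string is the point: the common bypasses (`shieldai.com.evil.com`, `evil.com/shieldai.com`, `https://shieldai.com@evil.com`) all survive a string-based check and all fail here.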

4. In-Memory Deduplication Expiration (notification.service.ts:62-88)

  • Created DeduplicationEntry interface with externalIds and expiresAt fields
  • In-memory dedup now respects the configured window_seconds TTL
  • Prevents indefinite growth of pending deduplication sets
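
As an added example (not the project's notification.service.ts), this is a TTL-bounded in-memory dedup store using the DeduplicationEntry fields named above, with the expiry derived from window_seconds and a sweep that removes expired keys. The key shape, the method names, the fixed-window semantics and the injected clock are assumptions.

```typescript
// Added example (not the project's notification.service.ts). The
// DeduplicationEntry fields follow the remediation note; key shape, method
// names, the fixed-window semantics and the injected clock are assumptions.

interface DeduplicationEntry {
  externalIds: { [id: string]: true }; // external IDs already delivered under this key
  expiresAt: number;                    // epoch milliseconds; derived from window_seconds
}

class NotificationDeduplicator {
  private pending: { [key: string]: DeduplicationEntry } = {};

  constructor(
    private windowSeconds: number,
    private now: () => number = () => Date.now()
  ) {}

  // True (and recorded) if this external ID has not been delivered under
  // `key` inside the current window. An expired entry counts as absent and is
  // replaced, so stale IDs cannot suppress a legitimate later notification.
  isFirstDelivery(key: string, externalId: string): boolean {
    const t = this.now();
    let entry = this.pending[key];
    if (entry === undefined || entry.expiresAt <= t) {
      entry = { externalIds: {}, expiresAt: t + this.windowSeconds * 1000 };
      this.pending[key] = entry;
    }
    if (entry.externalIds[externalId] === true) return false;
    entry.externalIds[externalId] = true;
    return true;
  }

  // Periodic sweep. Keys that are never touched again would otherwise stay
  // resident for the life of the process, which is the growth the fix removes.
  sweep(): number {
    const t = this.now();
    let removed = 0;
    for (const key of Object.keys(this.pending)) {
      if (this.pending[key].expiresAt <= t) {
        delete this.pending[key];
        removed++;
      }
    }
    return removed;
  }

  size(): number {
    return Object.keys(this.pending).length;
  }
}
```

With a fixed window anchored at the first delivery, an ID seen just before expiry and again just after it is delivered twice. If the requirement is instead "never within window_seconds of the previous delivery of the same ID", store a timestamp per external ID rather than one expiry per key.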

Low Severity (Fixed)

5. Zod Schema Validation (notification.config.ts)

  • loadNotificationConfig() now parses through NotificationConfigSchema.parse()
  • Invalid configuration now fails at startup instead of surfacing as a runtime error on first use

6. Email Format Validation (email.service.ts:33)

  • Added EMAIL_PATTERN regex for basic email validation
  • Addresses that do not match the pattern throw before a send is attempted

Test Results

  • All 29 tests passing
  • No new TypeScript errors introduced

Files Modified

  • packages/shared-notifications/src/services/template.service.ts
  • packages/shared-notifications/src/services/email.service.ts
  • packages/shared-notifications/src/services/notification.service.ts
  • packages/shared-notifications/src/config/notification.config.ts

Next Action

Ready for Code Reviewer final review before marking security review complete.