
feat(root): budapest #7762

Open. Wants to merge 26 commits into base: next

Conversation

djabarovgeorge (Contributor)

What changed? Why was the change needed?

Screenshots

Related enterprise PR

Special notes for your reviewer

netlify bot commented Feb 21, 2025

Deploy Preview for dev-web-novu ready!

Latest commit: f7ed9e6
Latest deploy log: https://app.netlify.com/sites/dev-web-novu/deploys/67b8a786956ca900087546db
Deploy Preview: https://deploy-preview-7762.dashboard.novu-staging.co

netlify bot commented Feb 21, 2025

Deploy Preview for dashboard-v2-novu-staging failed.

Latest commit: f7ed9e6
Latest deploy log: https://app.netlify.com/sites/dashboard-v2-novu-staging/deploys/67b8a786693a570008050afa

libs/dal/src/repositories/environment/environment.repository.ts (annotated lines from the diff view):

let data: mongoose.Document<unknown, {}, EnvironmentDBModel> | null = null;

if (identifierOrPublishableKey.startsWith('pk_')) {
data = await this.MongooseModel.findOne({ publishableKey: identifierOrPublishableKey }).read(

Check failure

Code scanning / CodeQL

Database query built from user-controlled sources (High)

This query object depends on a user-provided value.
This query object depends on a user-provided value.

Copilot Autofix AI 18 days ago

To fix the problem, we need to ensure that the user input is properly sanitized or validated before being used in the MongoDB query. The best way to fix this issue is to use the $eq operator to ensure that the user input is interpreted as a literal value and not as a query object. This approach prevents NoSQL injection attacks by treating the input as a simple value.

Suggested changeset 1
libs/dal/src/repositories/environment/environment.repository.ts

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/libs/dal/src/repositories/environment/environment.repository.ts b/libs/dal/src/repositories/environment/environment.repository.ts
--- a/libs/dal/src/repositories/environment/environment.repository.ts
+++ b/libs/dal/src/repositories/environment/environment.repository.ts
@@ -20,3 +20,3 @@
     if (identifierOrPublishableKey.startsWith('pk_')) {
-      data = await this.MongooseModel.findOne({ publishableKey: identifierOrPublishableKey }).read(
+      data = await this.MongooseModel.findOne({ publishableKey: { $eq: identifierOrPublishableKey } }).read(
         'secondaryPreferred'
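Review bot: the `$eq` wrapper on the `publishableKey` lookup only matters when `identifierOrPublishableKey` can be something other than a string at runtime, and the unchanged guard one line up, `if (identifierOrPublishableKey.startsWith('pk_')) {`, already throws a TypeError for an object-shaped value before this query is built, so this branch is not reachable with an operator object today. Keep the `$eq` as defence in depth, but add an explicit `typeof identifierOrPublishableKey !== 'string'` check at the top of the method and fail there with a typed error, so both branches fail closed by design instead of relying on `startsWith` happening to throw.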
@@ -24,3 +24,3 @@
     } else {
-      data = await this.MongooseModel.findOne({ identifier: identifierOrPublishableKey }).read('secondaryPreferred');
+      data = await this.MongooseModel.findOne({ identifier: { $eq: identifierOrPublishableKey } }).read('secondaryPreferred');
     }
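Review bot: the `identifier` branch is the one an operator object would reach if the `startsWith` guard were ever removed, and this patch changes no tests. Add a repository test that passes `{ $ne: '' }` (or `{ $regex: '.*' }`) as `identifierOrPublishableKey` and asserts that the call rejects or resolves to `null`, never to the first environment in the collection; without it a later refactor that drops the `$eq` or the guard regresses silently.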
EOF
'secondaryPreferred'
);
} else {
data = await this.MongooseModel.findOne({ identifier: identifierOrPublishableKey }).read('secondaryPreferred');

Check failure

Code scanning / CodeQL

Database query built from user-controlled sources (High)

This query object depends on a user-provided value.
This query object depends on a user-provided value.

Copilot Autofix AI 18 days ago

To fix the problem, we need to ensure that the user-provided identifierOrPublishableKey is treated as a literal value in the MongoDB query. This can be achieved by using the $eq operator, which ensures that the value is interpreted as a literal and not as a query object. This approach will prevent NoSQL injection attacks.

Suggested changeset 1
libs/dal/src/repositories/environment/environment.repository.ts

Autofix patch

The suggested patch is the same one shown under the first alert above; its second hunk (`identifier: { $eq: identifierOrPublishableKey }`) is the change for this line.
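The operator-injection mechanism behind the two CodeQL alerts and the reason the `$eq` fix works, as an added example that is not part of this PR or of Novu's code: a toy in-memory evaluator of MongoDB filter semantics (only `$eq`, `$ne` and `$regex` are modelled, and Mongoose schema casting is not), a lookup in the shape of the flagged `findOne` calls before and after the patch, and an assumed runtime type check layered on top. The sample collection, the attacker input `INJECTED` and the `findEnvironment*` function names are constructed for this example.

```typescript
// Added example, not Novu code. Models how a MongoDB filter document is interpreted so that the
// difference between `{ field: userValue }` and `{ field: { $eq: userValue } }` can be seen offline.

type Doc = Record<string, unknown>;
type Filter = Record<string, unknown>;

// Constructed sample collection standing in for the environments collection.
const SAMPLE_ENVIRONMENTS: Doc[] = [
  { _id: 'env-1', identifier: 'production', publishableKey: 'pk_live_111' },
  { _id: 'env-2', identifier: 'staging', publishableKey: 'pk_test_222' },
];

// MongoDB treats a non-array object whose keys all start with '$' as a set of query operators.
function isOperatorObject(v: unknown): v is Record<string, unknown> {
  if (typeof v !== 'object' || v === null || Array.isArray(v)) return false;
  const keys = Object.keys(v);
  return keys.length > 0 && keys.every((k) => k.startsWith('$'));
}

// Literal comparison: a string never equals an embedded document, whatever keys that document has.
function literalEquals(actual: unknown, expected: unknown): boolean {
  return JSON.stringify(actual) === JSON.stringify(expected);
}

function matchesField(actual: unknown, condition: unknown): boolean {
  if (!isOperatorObject(condition)) return literalEquals(actual, condition);
  return Object.entries(condition).every(([op, arg]) => {
    switch (op) {
      case '$eq':
        return literalEquals(actual, arg); // the argument of $eq is always a literal, never an operator
      case '$ne':
        return !literalEquals(actual, arg);
      case '$regex':
        return typeof actual === 'string' && new RegExp(String(arg)).test(actual);
      default:
        throw new Error(`operator ${op} is not modelled by this toy evaluator`);
    }
  });
}

function findOne(docs: Doc[], filter: Filter): Doc | null {
  return docs.find((doc) => Object.entries(filter).every(([field, cond]) => matchesField(doc[field], cond))) ?? null;
}

// "Before": the user value is spliced in as the whole condition (assumed shape; the real repository
// calls `.startsWith` on the value first, which would itself throw on a non-string).
function findEnvironmentUnsafe(docs: Doc[], input: unknown): Doc | null {
  const filter: Filter =
    typeof input === 'string' && input.startsWith('pk_') ? { publishableKey: input } : { identifier: input };
  return findOne(docs, filter);
}

// "After", the shape of the suggested patch: `$eq` forces a literal comparison.
function findEnvironmentEqOnly(docs: Doc[], input: unknown): Doc | null {
  const filter: Filter =
    typeof input === 'string' && input.startsWith('pk_')
      ? { publishableKey: { $eq: input } }
      : { identifier: { $eq: input } };
  return findOne(docs, filter);
}

// Assumed hardening, not in the patch: reject anything that is not a bounded string before it
// reaches the query, so the outcome does not depend on driver or ODM semantics at all.
function findEnvironmentSafe(docs: Doc[], input: unknown): Doc | null {
  if (typeof input !== 'string' || input.length === 0 || input.length > 128) return null;
  return findEnvironmentEqOnly(docs, input);
}

// Constructed attacker input, e.g. a JSON body {"identifierOrPublishableKey": {"$ne": ""}}.
const INJECTED: unknown = JSON.parse('{"$ne": ""}');

function main(): void {
  console.log('unsafe :', findEnvironmentUnsafe(SAMPLE_ENVIRONMENTS, INJECTED)?._id); // env-1: any non-empty identifier matches
  console.log('$eq    :', findEnvironmentEqOnly(SAMPLE_ENVIRONMENTS, INJECTED)); // null
  console.log('safe   :', findEnvironmentSafe(SAMPLE_ENVIRONMENTS, 'staging')?._id); // env-2
}
main();
```

Run with `npx ts-node`. Two caveats the autofix description does not spell out: `$eq` is the right fix only because the server always treats the argument of `$eq` as a literal value; on a Mongoose `String` path a plain object placed under `$eq` is cast against the schema and rejected rather than returning `null`, which is what the evaluator above returns. And `$eq` validates nothing about the value itself, so a runtime type and length check on `identifierOrPublishableKey`, like the one in `findEnvironmentSafe`, is still worth adding at the API boundary.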
7 participants