From 9d131b9a0925d230f287d770dbfca36842932141 Mon Sep 17 00:00:00 2001
From: Arunavo Ray
Date: Wed, 18 Mar 2026 20:10:31 +0530
Subject: [PATCH] fix security alerts

---
 Dockerfile | 6 +++---
 bun.lock | 6 +++---
 package.json | 2 +-
 src/lib/notification-service.ts | 28 ++++++++++++++++++++++++++--
 4 files changed, 33 insertions(+), 9 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 48325f2..f809791 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,7 +2,7 @@ FROM oven/bun:1.3.10-debian AS base
 WORKDIR /app
-RUN apt-get update && apt-get install -y --no-install-recommends \
+RUN apt-get update && apt-get -y upgrade && apt-get install -y --no-install-recommends \
 python3 make g++ gcc wget sqlite3 openssl ca-certificates \
 && rm -rf /var/lib/apt/lists/*
@@ -28,7 +28,7 @@ RUN bun install --production --omit=peer --frozen-lockfile
 # ----------------------------
 # Build git-lfs from source with patched Go to resolve Go stdlib CVEs
 FROM debian:trixie-slim AS git-lfs-builder
-RUN apt-get update && apt-get install -y --no-install-recommends \
+RUN apt-get update && apt-get -y upgrade && apt-get install -y --no-install-recommends \
 wget ca-certificates git make \
 && rm -rf /var/lib/apt/lists/*
 ARG GO_VERSION=1.25.8
@@ -50,7 +50,7 @@ RUN git clone --branch "v${GIT_LFS_VERSION}" --depth 1 https://github.com/git-lf
 # ----------------------------
 FROM oven/bun:1.3.10-debian AS runner
 WORKDIR /app
-RUN apt-get update && apt-get install -y --no-install-recommends \
+RUN apt-get update && apt-get -y upgrade && apt-get install -y --no-install-recommends \
 git wget sqlite3 openssl ca-certificates \
 && rm -rf /var/lib/apt/lists/*
 COPY --from=git-lfs-builder /usr/local/bin/git-lfs /usr/local/bin/git-lfs
diff --git a/bun.lock b/bun.lock
index 58e35a2..d1c3a48 100644
--- a/bun.lock
+++ b/bun.lock
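Review bot: `apt-get -y upgrade` on the three changed RUN lines of this file (the base, git-lfs-builder and runner stages) never installs new packages or removes conflicting ones, so an update whose fix pulls in a new dependency is silently kept back and the alert this commit targets may remain open in the built image; if the scanner still reports a finding after this change, `apt-get -y dist-upgrade` is the variant that takes such updates. The reason for the extra step is not recorded in the Dockerfile, so a later cleanup could drop it as redundant with the pinned base image tag; a comment above the first changed RUN such as `# Apply Debian security updates published after the pinned base image was built` would preserve the intent. Note also that the image contents now depend on what the Debian mirrors hold at build time for every package in the base image, not only the ones installed here, which is worth stating next to the `--frozen-lockfile` install that otherwise pins the build.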
@@ -83,7 +83,7 @@
 "overrides": {
 "@esbuild-kit/esm-loader": "npm:tsx@^4.21.0",
 "devalue": "^5.6.4",
- "fast-xml-parser": "^5.5.5",
+ "fast-xml-parser": "^5.5.6",
 "node-forge": "^1.3.3",
 "rollup": ">=4.59.0",
 "svgo": "^4.0.1",
@@ -957,9 +957,9 @@
 "fast-uri": ["fast-uri@3.1.0", "", {}, "sha512-iPeeDKJSWf4IEOasVVrknXpaBV0IApz/gp7S2bb7Z4Lljbl2MGJRqInZiUrQwV16cpzw/D3S5j5Julj/gT52AA=="],
- "fast-xml-builder": ["fast-xml-builder@1.1.3", "", { "dependencies": { "path-expression-matcher": "^1.1.3" } }, "sha512-1o60KoFw2+LWKQu3IdcfcFlGTW4dpqEWmjhYec6H82AYZU2TVBXep6tMl8Z1Y+wM+ZrzCwe3BZ9Vyd9N2rIvmg=="],
+ "fast-xml-builder": ["fast-xml-builder@1.1.4", "", { "dependencies": { "path-expression-matcher": "^1.1.3" } }, "sha512-f2jhpN4Eccy0/Uz9csxh3Nu6q4ErKxf0XIsasomfOihuSUa3/xw6w8dnOtCDgEItQFJG8KyXPzQXzcODDrrbOg=="],
- "fast-xml-parser": ["fast-xml-parser@5.5.5", "", { "dependencies": { "fast-xml-builder": "^1.1.3", "path-expression-matcher": "^1.1.3", "strnum": "^2.1.2" }, "bin": { "fxparser": "src/cli/cli.js" } }, "sha512-NLY+V5NNbdmiEszx9n14mZBseJTC50bRq1VHsaxOmR72JDuZt+5J1Co+dC/4JPnyq+WrIHNM69r0sqf7BMb3Mg=="],
+ "fast-xml-parser": ["fast-xml-parser@5.5.6", "", { "dependencies": { "fast-xml-builder": "^1.1.4", "path-expression-matcher": "^1.1.3", "strnum": "^2.1.2" }, "bin": { "fxparser": "src/cli/cli.js" } }, "sha512-3+fdZyBRVg29n4rXP0joHthhcHdPUHaIC16cuyyd1iLsuaO6Vea36MPrxgAzbZna8lhvZeRL8Bc9GP56/J9xEw=="],
 "fdir": ["fdir@6.5.0", "", { "peerDependencies": { "picomatch": "^3 || ^4" }, "optionalPeers": ["picomatch"] }, "sha512-tIbYtZbucOs0BRGqPJkshJUYdL+SDH7dVM8gjy+ERp3WAUjLEFJE+02kanyHtwjWOnwrKYBiwAmM0p4kLJAnXg=="],
diff --git a/package.json b/package.json
index d5082aa..fe74be0 100644
--- a/package.json
+++ b/package.json
@@ -46,7 +46,7 @@
 "overrides": {
 "@esbuild-kit/esm-loader": "npm:tsx@^4.21.0",
 "devalue": "^5.6.4",
- "fast-xml-parser": "^5.5.5",
+ "fast-xml-parser": "^5.5.6",
 "node-forge": "^1.3.3",
 "svgo": "^4.0.1",
 "rollup": ">=4.59.0"
diff --git a/src/lib/notification-service.ts b/src/lib/notification-service.ts
index 82aad66..4c8f981 100644
--- a/src/lib/notification-service.ts
+++ b/src/lib/notification-service.ts
@@ -6,6 +6,31 @@ import { db, configs } from "@/lib/db";
 import { eq } from "drizzle-orm";
 import { decrypt } from "@/lib/utils/encryption";
+function sanitizeTestNotificationError(error: unknown): string {
+ if (!(error instanceof Error)) {
+ return "Failed to send test notification";
+ }
+
+ const safeErrorPatterns = [
+ /topic is required/i,
+ /url and token are required/i,
+ /unknown provider/i,
+ /bad request/i,
+ /unauthorized/i,
+ /forbidden/i,
+ /not found/i,
+ /timeout/i,
+ /network error/i,
+ /invalid/i,
+ ];
+
+ if (safeErrorPatterns.some((pattern) => pattern.test(error.message))) {
+ return error.message;
+ }
+
+ return "Failed to send test notification";
+}
+
 /**
 * Sends a notification using the configured provider.
 * NEVER throws -- all errors are caught and logged.
@@ -63,8 +88,7 @@ export async function testNotification(
 }
 return { success: true };
 } catch (error) {
- const message = error instanceof Error ? error.message : String(error);
- return { success: false, error: message };
+ return { success: false, error: sanitizeTestNotificationError(error) };
 }
 }
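Review bot: `sanitizeTestNotificationError` (first hunk) decides on a substring match but then returns `error.message` in full, so any provider error whose text merely contains `invalid`, `not found`, `timeout` or `unauthorized` is echoed back to the caller verbatim, together with whatever request URL, upstream response body or credential fragment the provider placed in the same message; that undercuts the purpose of the helper. Mapping each allow-listed pattern to a fixed caller-facing phrase keeps the diagnostic value without ever forwarding provider-supplied text, and hoisting the table to module scope avoids constructing ten RegExp objects on every call. The helper also carries no doc comment although the neighbouring functions in this file do; a short TSDoc stating that only allow-listed phrases are returned to the client, and that the original error is expected to be logged by the caller, would document the contract. A revised helper along those lines is sketched below; the second hunk's call site needs no change.
```typescript
// Allow-listed failure classes for the test-notification endpoint. Each pattern
// maps to a fixed phrase so the provider's raw message (which may embed URLs,
// response bodies or credentials) is never returned to the client.
const SAFE_TEST_ERRORS: ReadonlyArray<readonly [RegExp, string]> = [
  [/topic is required/i, "Topic is required"],
  [/url and token are required/i, "URL and token are required"],
  [/unknown provider/i, "Unknown provider"],
  [/bad request/i, "Provider rejected the request (bad request)"],
  [/unauthorized/i, "Provider rejected the credentials (unauthorized)"],
  [/forbidden/i, "Provider rejected the request (forbidden)"],
  [/not found/i, "Provider endpoint not found"],
  [/timeout/i, "Request to provider timed out"],
  [/network error/i, "Network error while contacting provider"],
  [/invalid/i, "Provider reported an invalid request"],
];

/**
 * Maps an error raised while sending a test notification to a message that is
 * safe to return to the client. Only the fixed phrases in SAFE_TEST_ERRORS are
 * ever returned; provider-supplied text is never forwarded.
 */
function sanitizeTestNotificationError(error: unknown): string {
  if (!(error instanceof Error)) {
    return "Failed to send test notification";
  }
  const match = SAFE_TEST_ERRORS.find(([pattern]) => pattern.test(error.message));
  return match ? match[1] : "Failed to send test notification";
}
```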