
Conversation

@github-actions
Contributor

This is an automated pull request to merge chas/show-only-employe-devices into dev.
It was created by the [Auto Pull Request] action.

@vercel

vercel bot commented Oct 13, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

Project   Deployment   Preview   Comments   Updated (UTC)
app       Ready        Preview   Comment    Oct 16, 2025 2:52pm
portal    Ready        Preview   Comment    Oct 16, 2025 2:52pm

@chasprowebdev chasprowebdev changed the title from "[dev] [chasprowebdev] chas/show-only-employe-devices" to "Show devices only for employees within the organization" Oct 13, 2025
@chasprowebdev chasprowebdev requested a review from Marfuen October 13, 2025 18:15
@Marfuen Marfuen merged commit f5fc56e into main Oct 16, 2025
3 of 5 checks passed
@Marfuen Marfuen deleted the chas/show-only-employe-devices branch October 16, 2025 14:48
@comp-ai-code-review

comp-ai-code-review bot commented Oct 16, 2025

🔒 Comp AI - Security Review

🟡 Risk Level: MEDIUM

No OSV/CVE findings. In apps/app/src/app/(app)/[orgId]/people/devices/data/index.ts: unvalidated fleetDmLabelId and host IDs enable path-injection; Promise.all used without per-call error handling or concurrency control.


📦 Dependency Vulnerabilities

✅ No known vulnerabilities detected in dependencies.


🛡️ Code Security Analysis


🟡 apps/app/src/app/(app)/[orgId]/people/devices/data/index.ts (MEDIUM Risk)

#   Issue                                                                     Risk Level
1   Missing validation of employee fleetDmLabelId values                      MEDIUM
2   Unvalidated host IDs inserted into fleet.get URL (path injection risk)    MEDIUM
3   No rate limiting/pagination: Promise.all on all hosts may cause DoS       MEDIUM
4   No error handling: any fleet.get failure rejects Promise.all              MEDIUM

Recommendations:

  1. Validate/sanitize fleetDmLabelId before using it in path segments (e.g., enforce expected format such as a numeric ID or a validated UUID). Reject or canonicalize unexpected values.
  2. Validate/encode host IDs before constructing paths (e.g., assert numeric type or use URL-safe encoding). Prefer passing IDs as query params or using client libraries that accept path segments safely.
  3. Avoid firing unlimited parallel requests. Introduce batching or concurrency limits (use p-limit, p-map with concurrency, or similar). Implement pagination when listing hosts rather than loading all at once.
  4. Wrap external calls in try/catch and/or use Promise.allSettled to return partial results when some requests fail. Log failures and surface an appropriate error/partial-response to the caller.
  5. Consider applying input/schema validation at the point of data ingestion for fleetDmLabelId values so DB-stored label IDs are constrained to expected formats.

💡 Recommendations

  1. Validate and canonicalize fleetDmLabelId before using it in a path segment (e.g., enforce /^\d+$/ or a UUID regex and reject unexpected values); or encode it with encodeURIComponent if it must be included in a URL path.
  2. Validate/encode host IDs before inserting into fleet.get paths (e.g., assert type/format, then use encodeURIComponent or pass the ID as a parameter to the client API instead of concatenating into the path).
  3. Avoid unbounded Promise.all on all hosts: use Promise.allSettled or a concurrency-controlled mapper (e.g., p-map/p-limit with a small concurrency value) and wrap each fleet.get call in try/catch so individual failures return partial results instead of rejecting the whole batch.

Powered by Comp AI - AI that handles compliance for you. Reviewed Oct 16, 2025
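The four recommendations in the Comp AI comment above (validate the label ID and host IDs before they reach a path, cap concurrency, and return partial results instead of letting one failed call reject the batch), worked through as an added TypeScript example. This is not code from the PR, from the Comp AI bot, or from FleetDM. It assumes FleetDM-style integer IDs, a client exposing `get(path)`, and the path shapes `/labels/{id}/hosts` and `/hosts/{id}`; the in-memory `makeFakeClient`, its sample hosts and the two IDs that fail are constructed so the example runs offline.

```typescript
// Added example (not code from this PR, the Comp AI bot, or FleetDM): the
// checks the review above recommends, applied to a hypothetical Fleet client.
// Assumed: FleetDM-style integer IDs, a client with get(path), and the path
// shapes /labels/{id}/hosts and /hosts/{id}. The in-memory client and its
// sample hosts are constructed so the example runs offline.

type Host = { id: number; hostname: string };
type LabelHosts = { hostIds: unknown[] };
type Settled<R> = { status: "fulfilled"; value: R } | { status: "rejected"; reason: unknown };

export interface FleetClient {
  get(path: string): Promise<unknown>;
}

// Fleet IDs are integers: accept an integer or a digit string, nothing else,
// so "7/../admin" or "1?x=1" can never become part of a path.
const ID_PATTERN = /^\d{1,12}$/;

export function assertNumericId(value: unknown, name: string): string {
  const text =
    typeof value === "number" && Number.isInteger(value) ? String(value)
    : typeof value === "string" ? value
    : "";
  if (!ID_PATTERN.test(text)) {
    throw new Error(`invalid ${name}: ${JSON.stringify(value)}`);
  }
  return text;
}

// Validate first, then encode; these builders are the only place paths are made.
export function labelHostsPath(labelId: unknown): string {
  return `/labels/${encodeURIComponent(assertNumericId(labelId, "fleetDmLabelId"))}/hosts`;
}

export function hostPath(hostId: unknown): string {
  return `/hosts/${encodeURIComponent(assertNumericId(hostId, "hostId"))}`;
}

// Promise.allSettled semantics with at most `limit` calls in flight: a fixed
// pool of workers pulls the next index, and one failure never rejects the batch.
export async function mapSettled<T, R>(
  items: T[],
  limit: number,
  fn: (item: T) => Promise<R>,
): Promise<Settled<R>[]> {
  const results: Settled<R>[] = new Array(items.length);
  let next = 0;
  async function worker(): Promise<void> {
    while (next < items.length) {
      const i = next++;
      try {
        results[i] = { status: "fulfilled", value: await fn(items[i]) };
      } catch (reason) {
        results[i] = { status: "rejected", reason };
      }
    }
  }
  const poolSize = Math.max(1, Math.min(limit, items.length));
  await Promise.all(Array.from({ length: poolSize }, () => worker()));
  return results;
}

export async function getEmployeeDevices(client: FleetClient, fleetDmLabelId: unknown, concurrency = 4) {
  const label = (await client.get(labelHostsPath(fleetDmLabelId))) as LabelHosts;
  // Host IDs returned by the label lookup are external data: validate them too.
  const hostIds = label.hostIds.map((id) => assertNumericId(id, "hostId"));
  const settled = await mapSettled(hostIds, concurrency, (id) => client.get(hostPath(id)) as Promise<Host>);
  const devices: Host[] = [];
  const failures: { hostId: string; reason: string }[] = [];
  settled.forEach((r, i) => {
    if (r.status === "fulfilled") {
      devices.push(r.value);
    } else {
      failures.push({ hostId: hostIds[i], reason: r.reason instanceof Error ? r.reason.message : String(r.reason) });
    }
  });
  return { devices, failures }; // partial result plus the failures, not a thrown batch
}

// Constructed stand-in for the real client, with a counter for in-flight calls
// so the concurrency cap can be observed. IDs listed in `failing` answer with an error.
export function makeFakeClient(hosts: Host[], labelId: number, failing: number[] = []) {
  const routes = new Map<string, unknown>();
  routes.set(labelHostsPath(labelId), { hostIds: hosts.map((h) => h.id) });
  for (const h of hosts) {
    if (!failing.includes(h.id)) routes.set(hostPath(h.id), h);
  }
  let active = 0;
  const stats = { calls: 0, peak: 0 };
  const client: FleetClient = {
    async get(path) {
      stats.calls++;
      active++;
      stats.peak = Math.max(stats.peak, active);
      try {
        await new Promise((resolve) => setTimeout(resolve, 2)); // simulated latency
        if (!routes.has(path)) throw new Error(`GET ${path}: 404`);
        return routes.get(path);
      } finally {
        active--;
      }
    },
  };
  return { client, stats };
}
```

With ten sample hosts of which two fail and a concurrency of 3, `getEmployeeDevices` returns eight devices and two named failures rather than rejecting, and the fake client's `stats.peak` never exceeds 3 (the label lookup runs alone before the host fetches start). The allow-list regex does the real work: `"7/../admin"` and `"1e3"` are rejected before `encodeURIComponent` is ever reached, so encoding is a second layer rather than the only defence.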

claudfuen pushed a commit that referenced this pull request Oct 17, 2025
## [1.56.1](v1.56.0...v1.56.1) (2025-10-17)

### Bug Fixes

* **app:** show device list of only employees ([#1646](#1646)) ([f5fc56e](f5fc56e))
* **portal:** fixed the issue that the Posthog didn't identify people on the portal ([#1668](#1668)) ([5614d62](5614d62))
@claudfuen
Contributor

🎉 This PR is included in version 1.56.1 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀


4 participants