[dev] [Marfuen] mariano/onboarding-tracker-improvements

[github-actions]

This is an automated pull request to merge mariano/onboarding-tracker-improvements into dev.
It was created by the [Auto Pull Request] action.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Comments	Updated (UTC)
app	Building	Preview	Comment	Nov 13, 2025 9:21pm

1 Skipped Deployment

Project	Deployment	Preview	Comments	Updated (UTC)
portal	Skipped			Nov 13, 2025 9:21pm

[comp-ai-code-review]

🔒 Comp AI - Security Review

🔴 Risk Level: HIGH

OSV: 1 npm CVE (ai@5.0.0 GHSA-rwvc-j5jr-mgvh). Code scan shows injection/XSS risk and a secret sent in an external POST from onboarding helpers.

---

📦 Dependency Vulnerabilities

🟢 NPM Packages (LOW)

Risk Score: 2/10 | Summary: 1 low CVE found

Package	Version	CVE	Severity	CVSS	Summary	Fixed In
ai	5.0.0	GHSA-rwvc-j5jr-mgvh	LOW	N/A	Vercel’s AI SDK's filetype whitelists can be bypassed when uploading files	5.0.52

---

🛡️ Code Security Analysis

View 2 file(s) with issues

🟡 apps/app/src/app/(app)/[orgId]/components/OnboardingTracker.tsx (MEDIUM Risk)

#	Issue	Risk Level
1	Unvalidated run.metadata usage (trusted external input)	MEDIUM
2	Meta fields cast without runtime type checks	MEDIUM
3	Using vendor/risk/policy ids as object keys (prototype pollution risk)	MEDIUM

Recommendations:

1. Validate and sanitize run.metadata as soon as it is received (preferably server-side). Treat run.metadata as untrusted input.
2. Perform explicit runtime type checks before using metadata fields: use typeof, Array.isArray(), Number.isFinite(), and more specific guards. E.g., if (!Array.isArray(meta.vendorsInfo)) fallback to [] instead of casting.
3. Avoid using user-provided IDs directly as object keys. Use a Map or create objects with null prototypes: const map = Object.create(null) or use new Map(). If you must use plain objects, canonicalize keys (e.g., prefix with 'id_' or replace reserved keys) and explicitly reject 'proto', 'constructor', 'prototype'.
4. When reading numeric metadata (vendorsTotal, vendorsCompleted, etc.) use Number.isFinite(Number(value)) and coerce safely with defaults: vendorsTotal = Number.isFinite(Number(meta.vendorsTotal)) ? Number(meta.vendorsTotal) : 0.
5. Guard string fields before use: ensure expected shape for vendorsInfo/risk/policies entries (have id/name string fields). E.g., for each item: if (typeof item?.id !== 'string' || typeof item?.name !== 'string') skip or coerce.
6. Add server-side whitelisting of allowed metadata keys and value shapes when populating run.metadata so clients only receive validated data.
7. Log and handle unexpected metadata shapes safely (report and fallback to safe defaults rather than letting UI logic assume types).

🔴 apps/app/src/jobs/tasks/onboarding/onboard-organization-helpers.ts (HIGH Risk)

#	Issue	Risk Level
1	LLM prompt injection via unvalidated vendor fields	HIGH
2	Storing AI-generated comment text to DB (stored XSS risk)	HIGH
3	Missing authorization checks for organization/vendor operations	HIGH
4	No input validation/sanitization on organizationId and vendorData	HIGH
5	REVALIDATION_SECRET sent in POST body to external URL	HIGH
6	Logging external response data may leak sensitive info	HIGH
7	Casting AI output without robust validation before DB write	HIGH

Recommendations:

1. Sanitize and canonicalize any untrusted text before embedding it into LLM prompts. Prefer strict allowlists (e.g., vendor category must be one of VendorCategory) and escape or remove characters/patterns that could alter prompt structure. Consider using a wrapper that encodes user-provided fields (e.g., JSON-encode fields or use a fixed prompt template and pass variables in a structured input) to reduce injection risk.
2. Treat AI output as untrusted. Validate structured AI outputs at runtime (check types, enum values, lengths, and value formats) before using them. Reject or quarantine records that do not pass strict validation. For free-text AI outputs destined for persistence, either sanitize/HTML-escape at render time or sanitize before storing if the UI assumes raw HTML-free text.
3. Enforce authorization & ownership checks before any read/write action that uses organizationId, vendor ids, risk ids, etc. At minimum: verify the acting principal is a member of the organization and has appropriate role/permission. Centralize these checks so task/job code cannot inadvertently bypass them.
4. Validate all external inputs: ensure organizationId conforms to expected format (e.g., UUID), and validate/normalize vendorData fields (max lengths, allowed characters, allowed enum values). Reject or sanitize unexpected values before DB writes or before embedding them in prompts.
5. Avoid sending sensitive secrets in request bodies to external endpoints. If revalidation is to an internal trusted service, ensure the URL is internal and restrict network access. Prefer sending secrets in Authorization headers and ensure communication is over TLS. Prefer verifying revalidation requests server-side where possible rather than sending long-lived secrets externally.
6. Limit and redact logs that may include sensitive data. Do not log full response bodies or secrets. If logging is necessary for debugging, ensure logs are sanitized and accessible only to authorized personnel and rotated/retained according to policy.
7. Rely on runtime schema validation of AI outputs (not only TypeScript types). Use strict JSON-schema validation for objects returned by generateObject and reject records that don't conform exactly. Add integrity checks (e.g., enum exact-match checks) and apply defensive defaults if fields are missing.
8. For stored text that may be rendered in web views, ensure the rendering layer always encodes output to prevent stored XSS. Apply a Content Security Policy (CSP) as an additional mitigation.
9. When building prompts from multiple sources, normalize and limit the amount of context passed to the model. Consider using a separate sanitization step that strips prompt-like directives from inputs (e.g., lines starting with 'system:' or 'assistant:') before inclusion.
10. Instrument thorough auditing: record which actor triggered DB writes and retain minimal audit trails (actor id, action, entity id) without storing raw secrets or untrusted long text in logs.

---

💡 Recommendations

View 3 recommendation(s)

1. Upgrade the vulnerable dependency: bump package "ai" to >= 5.0.52 (fixes GHSA-rwvc-j5jr-mgvh) and verify server-side filetype checks for uploads.
2. Validate and sanitize all untrusted metadata/vendor fields before use (apps/.../OnboardingTracker.tsx and onboard-organization-helpers.ts): perform explicit runtime type checks, reject or canonicalize unexpected shapes, and JSON-encode or escape user-supplied text before embedding into LLM prompts or persisting to the DB to prevent prompt injection and stored XSS.
3. Do not send secrets in request bodies (apps/.../onboard-organization-helpers.ts): remove REVALIDATION_SECRET from POST payloads, avoid logging full external responses, and instead transmit credentials via secure headers and ensure external calls do not echo secrets into logs.

---

Powered by Comp AI - AI that handles compliance for you. Reviewed Nov 13, 2025

[claudfuen]

🎉 This PR is included in version 1.58.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀