@github-actions
Contributor

This is an automated pull request to merge chas/show-mdm-policy into dev.
It was created by the [Auto Pull Request] action.

@comp-ai-code-review

comp-ai-code-review bot commented Nov 12, 2025

🔒 Comp AI - Security Review

🟡 Risk Level: MEDIUM

One low-severity OSV finding: GHSA-rwvc-j5jr-mgvh in npm package "ai" v5.0.0 (Vercel AI SDK filetype whitelist bypass).


📦 Dependency Vulnerabilities

🟢 NPM Packages (LOW)

Risk Score: 2/10 | Summary: 1 low CVE found

| Package | Version | CVE | Severity | CVSS | Summary | Fixed In |
|---|---|---|---|---|---|---|
| ai | 5.0.0 | GHSA-rwvc-j5jr-mgvh | LOW | N/A | Vercel’s AI SDK's filetype whitelists can be bypassed when uploading files | 5.0.52 |

🛡️ Code Security Analysis

View 1 file(s) with issues

🟡 apps/portal/src/app/(app)/(home)/[orgId]/components/tasks/DeviceAgentAccordionItem.tsx (MEDIUM Risk)

| # | Issue | Risk Level |
|---|---|---|
| 1 | Download token sent in URL query string (leaks via referer or logs) | MEDIUM |
| 2 | detectedOS value not validated before use in download request | MEDIUM |
| 3 | POST /api/download-agent/token may be vulnerable to CSRF | MEDIUM |
| 4 | Server error messages shown to user (possible info leak) | MEDIUM |
| 5 | Client sends orgId/employeeId for token creation without extra checks | MEDIUM |
| 6 | No integrity verification of downloaded installer (no checksum) | MEDIUM |

Recommendations:

  1. Do not place sensitive tokens in URL query strings. Return the installer via an authenticated request (e.g., Authorization header) or POST the token in the body; or serve the file directly from the token-issuing endpoint. If you must use a token in a URL, make it single-use, very short-lived, and ensure it is bound to the requesting user/session.
  2. Validate and whitelist the detectedOS value server-side (and normalize on the client). Treat any os parameter from the client as untrusted input and only allow expected enum values (e.g., 'macos', 'macos-intel', 'windows').
  3. Protect /api/download-agent/token against CSRF. Require an anti-CSRF token or use an authentication mechanism that isn't vulnerable to CSRF (e.g., require a bearer token in Authorization header rather than relying on cookies). Ensure server-side checks that the authenticated principal is allowed to request a token for the provided orgId/employeeId.
  4. Avoid echoing raw server error messages to the user. Display generic error messages in the UI and log detailed error text server-side for debugging/audit purposes. Example: toast.error('Failed to prepare download. Please try again or contact support.') and log the server error with correlation id.
  5. Do not trust client-sent orgId/employeeId. Server must verify that the caller is authenticated/authorized for those IDs (e.g., check session or JWT and ensure org membership) before issuing a download token. Consider binding issued tokens to the authenticated user's id and org.
  6. Provide an integrity verification mechanism for installers: publish checksums (SHA256) signed by the vendor or use digital signatures. The client installer verification flow (or the download flow) should verify checksum/signature before trusting the installer. Additionally, serve files over HTTPS with appropriate headers and consider code signing for macOS/Windows installers.
  7. Additional improvements: set strict referrer-policy and ensure the download endpoint sets appropriate Content-Disposition and Cache-Control headers; implement rate limiting on token issuance endpoints; log token issuance and downloads for auditing.

💡 Recommendations

View 3 recommendation(s)
  1. Upgrade the ai dependency to a fixed version (>= 5.0.52) in package.json and reinstall so the patched SDK is used at runtime.
  2. Do not rely only on client-side/SDK whitelists: validate uploaded file types server-side by inspecting content (magic bytes/MIME sniffing) and enforce an explicit allowed-enum of types/extensions before passing files to the SDK.
  3. Sanity-check and normalize any file metadata the app sends to the SDK (filename, declared MIME type). Reject or quarantine files where declared type and actual content do not match and log the rejection for investigation.

Powered by Comp AI - AI that handles compliance for you. Reviewed Nov 12, 2025

@vercel

vercel bot commented Nov 12, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Preview | Comments | Updated (UTC) |
|---|---|---|---|---|
| app | Ready | Preview | Comment | Nov 12, 2025 7:36pm |
| portal | Ready | Preview | Comment | Nov 12, 2025 7:36pm |

@chasprowebdev changed the title from "[dev] [chasprowebdev] chas/show-mdm-policy" to "Show MDM Policy on app and Fix MDM policy status issue on portal" on Nov 12, 2025
@chasprowebdev
Contributor

image

@Marfuen Marfuen merged commit 7a3fe75 into main Nov 12, 2025
9 checks passed
@Marfuen Marfuen deleted the chas/show-mdm-policy branch November 12, 2025 19:52
@claudfuen
Contributor

🎉 This PR is included in version 1.57.1 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀
