@github-actions
Contributor

This is an automated pull request to merge mariano/trust-ff into dev.
It was created by the [Auto Pull Request] action.

@vercel

vercel bot commented Nov 17, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Preview | Comments | Updated (UTC) |
| --- | --- | --- | --- | --- |
| app | Ready | Preview | Comment | Nov 17, 2025 9:09pm |
| portal | Ready | Preview | Comment | Nov 17, 2025 9:09pm |

@comp-ai-code-review

comp-ai-code-review bot commented Nov 17, 2025

🔒 Comp AI - Security Review

🟡 Risk Level: MEDIUM

OSV: 3 npm CVEs found (xlsx@0.18.5: prototype pollution + ReDoS; ai@5.0.0: filetype whitelist bypass, fixed in 5.0.52). DomainVerificationDto lacks validation and has a restrictive domain regex.


📦 Dependency Vulnerabilities

🟠 NPM Packages (HIGH)

Risk Score: 8/10 | Summary: 2 high, 1 low CVEs found

| Package | Version | CVE | Severity | CVSS | Summary | Fixed In |
| --- | --- | --- | --- | --- | --- | --- |
| xlsx | 0.18.5 | GHSA-4r6h-8v6p-xvw6 | HIGH | N/A | Prototype Pollution in sheetJS | No fix yet |
| xlsx | 0.18.5 | GHSA-5pgg-2g8v-p4x9 | HIGH | N/A | SheetJS Regular Expression Denial of Service (ReDoS) | No fix yet |
| ai | 5.0.0 | GHSA-rwvc-j5jr-mgvh | LOW | N/A | Vercel’s AI SDK's filetype whitelists can be bypassed when uploading files | 5.0.52 |

🛡️ Code Security Analysis

View 1 file(s) with issues

🟡 apps/api/src/trust-portal/dto/domain-status.dto.ts (MEDIUM Risk)

| # | Issue | Risk Level |
| --- | --- | --- |
| 1 | Missing validation on DomainVerificationDto fields: type, domain, value, reason | MEDIUM |
| 2 | No enum/format check for 'type' (should restrict to TXT/CNAME) | MEDIUM |
| 3 | Domain regex limits TLD to 2-6 chars; rejects valid longer TLDs/punycode | MEDIUM |

Recommendations:

  1. Add class-validator decorators to DomainVerificationDto fields. For example: @IsString() and @IsNotEmpty() on type/domain/value, and @IsOptional()/@IsString() on reason as appropriate.
  2. Restrict 'type' to allowed values with an enum or @IsIn(['TXT','CNAME']) (or similar) to prevent unexpected/invalid verification types.
  3. Use a more robust domain validator rather than the current custom regex. Options: use class-validator's @IsFQDN({ require_tld: true }) or update the regex to allow longer TLDs and punycode labels. Ensure the regex/validator supports modern TLDs (longer than 6 chars) and IDN/punycode if required.
  4. If these DTOs are used for incoming requests, enable and enforce NestJS ValidationPipe globally (app.useGlobalPipes(new ValidationPipe({ whitelist: true, forbidNonWhitelisted: true }))) so DTO decorators are actually applied.
  5. For nested DTOs received from clients, add @ValidateNested() and @Type(() => DomainVerificationDto) to ensure nested validation runs.
  6. Sanitize/escape/validate DTO values before using them in security-sensitive contexts (SQL queries, shell commands, eval). Use parameterized queries or safe APIs; never interpolate raw DTO values into command strings.

💡 Recommendations

View 3 recommendation(s)
  1. Upgrade vulnerable packages: update ai to >=5.0.52, and upgrade xlsx to a patched release that addresses GHSA-4r6h-8v6p-xvw6 and GHSA-5pgg-2g8v-p4x9.
  2. Harden DomainVerificationDto by adding class-validator decorators: e.g. @IsString() and @IsNotEmpty() on type, domain, value; @IsOptional()/@IsString() on reason; and restrict type with @IsIn(['TXT','CNAME']).
  3. Use a robust domain validator and enforce validation: replace the custom regex with @IsFQDN() (or an updated regex that allows TLDs >6 chars and punycode), add @ValidateNested() and @Type(() => DomainVerificationDto) for nested DTOs, and enable NestJS ValidationPipe (e.g. new ValidationPipe({ whitelist: true, forbidNonWhitelisted: true })) so DTO rules are applied.

Powered by Comp AI - AI that handles compliance for you. Reviewed Nov 17, 2025

@comp-ai-code-review

comp-ai-code-review bot commented Nov 17, 2025

🔒 Comp AI - Security Review

🟡 Risk Level: MEDIUM

OSV scan found 2 high CVEs in xlsx@0.18.5 (GHSA-4r6h-8v6p-xvw6, GHSA-5pgg-2g8v-p4x9) and 1 low CVE in ai@5.0.0; code lacks DTO validation and unsafe orgId/pathname usage in main-menu.


📦 Dependency Vulnerabilities

🟠 NPM Packages (HIGH)

Risk Score: 8/10 | Summary: 2 high, 1 low CVEs found

| Package | Version | CVE | Severity | CVSS | Summary | Fixed In |
| --- | --- | --- | --- | --- | --- | --- |
| xlsx | 0.18.5 | GHSA-4r6h-8v6p-xvw6 | HIGH | N/A | Prototype Pollution in sheetJS | No fix yet |
| xlsx | 0.18.5 | GHSA-5pgg-2g8v-p4x9 | HIGH | N/A | SheetJS Regular Expression Denial of Service (ReDoS) | No fix yet |
| ai | 5.0.0 | GHSA-rwvc-j5jr-mgvh | LOW | N/A | Vercel’s AI SDK's filetype whitelists can be bypassed when uploading files | 5.0.52 |

🛡️ Code Security Analysis

View 2 file(s) with issues

🟡 apps/api/src/trust-portal/dto/domain-status.dto.ts (MEDIUM Risk)

| # | Issue | Risk Level |
| --- | --- | --- |
| 1 | No validation on DomainVerificationDto fields (type, domain, value, reason) | MEDIUM |
| 2 | No validation on DomainStatusResponseDto response fields | MEDIUM |
| 3 | Input validation relies on NestJS ValidationPipe which may be disabled | MEDIUM |
| 4 | Domain regex is inconsistent and may accept or reject invalid domains | MEDIUM |

Recommendations:

  1. Add class-validator decorators to DomainVerificationDto: e.g., @IsIn(['TXT','CNAME']) or @IsString() + @IsNotEmpty() for type, @IsFQDN() or @Matches(...) + @IsNotEmpty() for domain, @IsString() and @MaxLength(...) for value, and @IsOptional() + @IsString() for reason.
  2. Add validation for DomainStatusResponseDto properties when constructing responses (or validate upstream inputs) and avoid returning sensitive/internal-only fields. Use manual checks or libraries to validate/shape outgoing responses if needed.
  3. Enable and enforce NestJS global ValidationPipe in main.ts: app.useGlobalPipes(new ValidationPipe({ whitelist: true, forbidNonWhitelisted: true, transform: true })); do not rely on it being present by default.
  4. Replace custom domain regex with a vetted approach: either use validator.isFQDN (class-validator provides @IsFQDN) or use a well-tested regex that accounts for 63-char labels and long TLDs (e.g., ensure total length <=253, label rules, TLD length up to current standards). Example regex: ^(?=.{1,253}$)(?!-)(A-Za-z0-9?.)+[A-Za-z]{2,63}$ or use @IsFQDN() with appropriate options.
  5. Sanitize and validate any values before using them in DNS queries, database operations, command execution, or templates. Treat DTO fields as untrusted input and escape or canonicalize before use.
  6. Add unit/integration tests to ensure ValidationPipe is active in deployed configuration and DTO constraints behave as expected.

🟡 apps/app/src/components/main-menu.tsx (MEDIUM Risk)

| # | Issue | Risk Level |
| --- | --- | --- |
| 1 | Protected menu flag not enforced in UI | MEDIUM |
| 2 | organizationId injected into paths without validation | MEDIUM |
| 3 | Client pathname used for access/active logic without guards | MEDIUM |
| 4 | No null-check before using pathname.split | MEDIUM |

Recommendations:

  1. Do not rely on UI flags for authorization. Enforce authorization checks on the server/route level for any protected pages or APIs. Remove or hide links in the UI only as a usability improvement — never as the sole access control.
  2. Validate and canonicalize organizationId before using it to build URLs. Apply server-side validation (UUID or known allowed list), and sanitize/encode when interpolating into paths. Consider deriving organizationId from server-validated session or route params rather than untrusted props.
  3. Ensure usePathname() is used only for UI state (highlighting) and never to make authorization decisions. If you must derive access control from the current route, verify on the server (or revalidate tokens/permissions) before granting access.
  4. Guard against null/undefined pathname before calling pathname.split. Add a defensive check (e.g., if (!pathname) return false or use pathname?.split(...)) so the component does not throw when pathname is not yet available.
  5. Use stable refs keyed by item id (e.g., a Map of id -> element) instead of relying on array index mapping to DOM refs, to avoid mismatches when visibleItems is filtered/ordered dynamically.

💡 Recommendations

View 3 recommendation(s)
  1. Upgrade the affected npm packages: update xlsx (0.18.5) to a release that addresses GHSA-4r6h-8v6p-xvw6 and GHSA-5pgg-2g8v-p4x9, and update ai to >= 5.0.52 (fixes GHSA-rwvc-j5jr-mgvh). Bump package.json entries and rebuild.
  2. Harden Domain DTOs: add class-validator decorators to DomainVerificationDto (e.g., @IsIn(['TXT','CNAME']) or @IsString+@IsNotEmpty for type, @IsFQDN() or @Matches(...) for domain, @IsString()+@MaxLength(...) for value, @IsOptional()+@IsString() for reason). Validate/shape DomainStatusResponseDto before returning (do not return internal-only fields).
  3. Sanitize and guard routing inputs in main-menu: validate and canonicalize organizationId before interpolating into paths (e.g., server-validated UUID or allowlist and encode when building URLs). Add a null/undefined check for pathname before calling pathname.split (use pathname?.split or if (!pathname) guard) and avoid using client pathname for authorization decisions.

Powered by Comp AI - AI that handles compliance for you. Reviewed Nov 17, 2025

@comp-ai-code-review

comp-ai-code-review bot commented Nov 17, 2025

🔒 Comp AI - Security Review

🟡 Risk Level: MEDIUM

OSV scan: xlsx@0.18.5 has two HIGH issues (Prototype Pollution, ReDoS). ai@5.0.0 has a LOW filetype-whitelist bypass (fixed in 5.0.52).


📦 Dependency Vulnerabilities

🟠 NPM Packages (HIGH)

Risk Score: 8/10 | Summary: 2 high, 1 low CVEs found

| Package | Version | CVE | Severity | CVSS | Summary | Fixed In |
| --- | --- | --- | --- | --- | --- | --- |
| xlsx | 0.18.5 | GHSA-4r6h-8v6p-xvw6 | HIGH | N/A | Prototype Pollution in sheetJS | No fix yet |
| xlsx | 0.18.5 | GHSA-5pgg-2g8v-p4x9 | HIGH | N/A | SheetJS Regular Expression Denial of Service (ReDoS) | No fix yet |
| ai | 5.0.0 | GHSA-rwvc-j5jr-mgvh | LOW | N/A | Vercel’s AI SDK's filetype whitelists can be bypassed when uploading files | 5.0.52 |

🛡️ Code Security Analysis

View 1 file(s) with issues

🟡 apps/api/src/trust-portal/dto/domain-status.dto.ts (MEDIUM Risk)

| # | Issue | Risk Level |
| --- | --- | --- |
| 1 | Missing validation on DomainVerificationDto input fields | MEDIUM |
| 2 | GetDomainStatusDto domain regex is inconsistent and may mis-validate domains | MEDIUM |
| 3 | No restriction on 'type' allows arbitrary verification types | MEDIUM |

Recommendations:

  1. Add class-validator decorators to DomainVerificationDto fields (e.g., @IsString(), @IsNotEmpty(), @IsOptional() where appropriate) so incoming HTTP parameters are validated before use.
  2. Restrict 'type' to an enum or use @IsIn(['TXT','CNAME', ...]) to only allow expected verification types.
  3. Validate 'value' according to the 'type' (e.g., TXT values must not contain newlines or shell metacharacters; CNAME must be a valid FQDN). Use conditional validators (class-validator @ValidateIf) to enforce per-type rules.
  4. Replace or supplement the custom regex with a well-tested domain validator (e.g., validator.js isFQDN with appropriate options) — the current regex is inconsistent (mixed case classes, lowercasing in a subgroup, TLD length limit) and may mis-accept or reject valid domains.
  5. Sanitize and escape DTO inputs before any downstream use (database queries, shell/command construction, template rendering). Use parameterized DB queries and avoid interpolating raw DTO values into commands.

💡 Recommendations

View 3 recommendation(s)
  1. Upgrade xlsx (0.18.5) to a patched release that addresses GHSA-4r6h-8v6p-xvw6 and GHSA-5pgg-2g8v-p4x9 (or replace with a maintained parser). Ensure package.json and lockfile reflect the upgraded version.
  2. Upgrade ai from 5.0.0 to >=5.0.52 as indicated by the scan to obtain the fix for the filetype whitelist bypass.
  3. Harden code paths that parse uploaded files: enforce strict file-type checks before parsing, and validate/sanitize file contents in code handling XLSX or user uploads to limit exposure while dependency updates are applied.

Powered by Comp AI - AI that handles compliance for you. Reviewed Nov 17, 2025

@vercel vercel bot temporarily deployed to Preview – app November 17, 2025 21:06 Inactive
@vercel vercel bot temporarily deployed to Preview – portal November 17, 2025 21:06 Inactive
@Marfuen Marfuen merged commit 846a43c into main Nov 17, 2025
7 of 8 checks passed
@Marfuen Marfuen deleted the mariano/trust-ff branch November 17, 2025 21:07
@claudfuen
Contributor

🎉 This PR is included in version 1.59.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀
