@github-actions

This is an automated pull request to merge daniel/trust-access-doc into dev.
It was created by the [Auto Pull Request] action.

@vercel

vercel bot commented Nov 24, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Preview | Comments | Updated (UTC) |
| --- | --- | --- | --- | --- |
| app | Ready | Preview | Comment | Nov 25, 2025 7:27pm |
| portal | Ready | Preview | Comment | Nov 25, 2025 7:27pm |

@comp-ai-code-review

comp-ai-code-review bot commented Nov 24, 2025

🔒 Comp AI - Security Review

🔴 Risk Level: HIGH

OSV scan found 2 HIGH CVEs in xlsx@0.18.5 (prototype pollution; ReDoS) and 1 LOW CVE in ai@5.0.0 (filetype whitelist bypass; fixed in 5.0.52).


📦 Dependency Vulnerabilities

🟠 NPM Packages (HIGH)

Risk Score: 8/10 | Summary: 2 high, 1 low CVEs found

| Package | Version | CVE | Severity | CVSS | Summary | Fixed In |
| --- | --- | --- | --- | --- | --- | --- |
| xlsx | 0.18.5 | GHSA-4r6h-8v6p-xvw6 | HIGH | N/A | Prototype Pollution in sheetJS | No fix yet |
| xlsx | 0.18.5 | GHSA-5pgg-2g8v-p4x9 | HIGH | N/A | SheetJS Regular Expression Denial of Service (ReDoS) | No fix yet |
| ai | 5.0.0 | GHSA-rwvc-j5jr-mgvh | LOW | N/A | Vercel’s AI SDK's filetype whitelists can be bypassed when uploading files | 5.0.52 |

🛡️ Code Security Analysis

View 1 file(s) with issues

🔴 packages/docs/trust-access.mdx (HIGH Risk)

| # | Issue | Risk Level |
| --- | --- | --- |
| 1 | Reclaim access via email only allows unauthorized access link issuance | HIGH |
| 2 | Access links may be replayed if tokens aren't single-use | HIGH |
| 3 | No enforced access checks described for downloading signed NDAs or PDF bundles | HIGH |
| 4 | Resend NDA and reclaim flows lack rate limits or secondary verification | HIGH |

Recommendations:

  1. Require proof of email ownership before issuing reclaim/access links (e.g., one-time passcode sent to the email that must be entered on the portal, or a short-lived confirmation link that requires a previously authenticated session).
  2. Issue single-use, time-bound tokens for NDA signing and access links. Store only token hashes server-side and mark tokens consumed on first use.
  3. Bind tokens to user attributes and context where possible: email + grant identifier + (optional) device fingerprint or IP range, and include token issuance metadata to validate replays and tampering.
  4. Enforce server-side authorization checks for every protected resource (signed NDA PDF, generated PDF bundles, portal pages). Never rely solely on possession of a URL; validate the user's active grant, NDA status, token validity, and token usage state before returning content.
  5. On revoke: immediately invalidate all outstanding tokens and rotate any related signing keys. Ensure revocation changes are propagated to caches and CDNs.
  6. Add rate limiting and abuse protections on resend, reclaim, and NDA request endpoints (per IP, per email, per account) and implement exponential backoff or CAPTCHAs for repeated attempts.
  7. Log all reclaim/resend actions with sufficient metadata (requester email, IP, UA, timestamp, originating endpoint) and create alerts for suspicious patterns (many reclaims for different emails from same IP, repeated resends, rapid token consumption).
  8. Notify account owners/administrators of sensitive actions (reclaim/resend, revoke) via email or admin dashboard alerts so they can detect unauthorized activity quickly.
  9. Protect download endpoints against direct object references and enforce signed URLs with HMAC (short-lived) if using CDN-hosted assets; verify HMAC server-side before serving.
  10. Ensure watermarks and generated PDFs are produced server-side after authorization checks to avoid client-side tampering, and log the generation event tied to the user/account.
  11. Consider multi-factor verification for high-value requests (e.g., reclaims from new IPs or after revocation) such as SMS OTP or an authenticator app.

💡 Recommendations

View 3 recommendation(s)
  1. Upgrade xlsx (currently 0.18.5) to a patched release that addresses GHSA-4r6h-8v6p-xvw6 and GHSA-5pgg-2g8v-p4x9; update package.json and rebuild with the fixed version.
  2. Upgrade ai from 5.0.0 to >=5.0.52 to pick up the GHSA-rwvc-j5jr-mgvh fix (filetype whitelist bypass fixed in 5.0.52).
  3. Audit all code paths that parse or consume Excel files (calls to xlsx): treat parsed objects as untrusted, avoid merging parsed data into application prototypes, validate inputs (size/format/regexes) before parsing, and add parsing-level safeguards to mitigate prototype-pollution and ReDoS vectors.

Powered by Comp AI - AI that handles compliance for you. Reviewed Nov 25, 2025
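
Recommendations 2, 3 and 5 in the review above (single-use, time-bound tokens stored as hashes, bound to email and grant, invalidated on revoke), sketched as an added example that is not code from this repository or from the review bot. The in-memory `tokenStore` and the function names `issueToken`, `redeemToken` and `revokeGrant` are assumptions made for illustration.

```javascript
const crypto = require("node:crypto");

// Stand-in for a database table (assumption): token hash -> record.
const tokenStore = new Map();

const sha256Hex = (s) => crypto.createHash("sha256").update(s).digest("hex");
const norm = (email) => String(email).trim().toLowerCase();

// Issue a link token bound to one email and one grant. Only the hash is
// stored, so a leaked table does not yield usable links.
function issueToken(email, grantId, ttlMs, now = Date.now()) {
  const token = crypto.randomBytes(32).toString("base64url");
  tokenStore.set(sha256Hex(token), {
    email: norm(email), grantId, expiresAt: now + ttlMs, usedAt: null,
  });
  return token; // goes into the emailed link; never persisted in clear
}

// Redeem a token: check existence, single use, expiry and binding, then mark
// it consumed. In a real database this must be one atomic conditional update
// (e.g. UPDATE ... WHERE used_at IS NULL) so two parallel requests cannot both win.
function redeemToken(token, email, grantId, now = Date.now()) {
  const rec = tokenStore.get(sha256Hex(String(token)));
  if (!rec) return { ok: false, reason: "unknown" };
  if (rec.usedAt !== null) return { ok: false, reason: "replayed" };
  if (now >= rec.expiresAt) return { ok: false, reason: "expired" };
  if (rec.email !== norm(email) || rec.grantId !== grantId) {
    return { ok: false, reason: "binding-mismatch" };
  }
  rec.usedAt = now;
  return { ok: true, reason: null };
}

// On revoke, drop every outstanding token for the grant.
function revokeGrant(grantId) {
  let removed = 0;
  for (const [hash, rec] of tokenStore) {
    if (rec.grantId === grantId) { tokenStore.delete(hash); removed++; }
  }
  return removed;
}
```

The `reason` values are meant for server-side logging and alerting; the response shown to the requester should be the same generic failure in every case.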

@Marfuen Marfuen merged commit 2a4c14d into main Nov 25, 2025
9 of 11 checks passed
@Marfuen Marfuen deleted the daniel/trust-access-doc branch November 25, 2025 19:24
@claudfuen

🎉 This PR is included in version 1.64.1 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀
