Conversation
* fix(github): improve dependabot status check and handling
* fix(github): update dependabot status handling to include paused state

---------

Co-authored-by: Tofik Hasanov <annexcies@gmail.com>
PR Summary

High Risk

Overview: Implements provider client validation and robust error mapping, persists org ownership for provider run IDs, and adds a per-run webhook handshake (token hashing + replay/idempotency tracking) enforced by the webhook endpoint. Enables a feature-flagged Security section in the app shell with new pages for penetration test listing, run details (including progress), and a mocked checkout redirect flow; adds SWR hooks/types plus

Written by Cursor Bugbot for commit 5c6e34e. This will update automatically on new commits.
…le, and provider integration (#2193)

* feat(app): add security vulnerability report module
* fix(app): stabilize shell tooltip and menu ids
* fix(app): wrap shell tooltips in provider for hydration
* feat(security): add vulnerability reports checkout flow and report pages
* feat(security): add vulnerability reports module and checkout flow
* feat(security): gate security tab and routes behind feature flag
* feat(security): add vulnerability reports flow with mock checkout and Maced webhook reconciliation
* fix(security): address review feedback for vulnerability reports
* fix(app): correct vulnerability report api proxy imports
* fix(app): guard temporal ui url before window.open
* fix(app): resolve remaining vulnerability reports build type errors
* fix(app): address latest vulnerability reports review feedback
* fix(app): sync active organization before vulnerability report token
* refactor(app): remove vuln-report proxy routes and call Nest directly
* fix(api): stop forwarding comp org header to Maced
* fix(security): harden webhook handling and preserve checkout metadata
* feat(api): persist per-job webhook handshake for vuln reports
* feat(api): consume Maced-issued webhook tokens for vuln reports
* refactor(api): remove maced org mapping from vulnerability reports
* fix(security-reports): address remaining review threads
* chore(security): rebrand vulnerability reports UI as penetration tests
* fix(security-reports): enforce org ownership and harden report UI
* fix(api): satisfy build typing in vulnerability report parser
* docs: add public penetration tests guide
* chore(security): remove vulnerability report wording from shipped docs and metadata
* fix(api): enforce ownership persistence and early list short-circuit
* feat(security): rename penetration test routes and add run ownership table
* fix(security): harden pentest create flow and extract Maced client
* feat(security): validate Maced client contracts and fix checkout URL typing
* refactor(security): finalize penetration-tests naming and strict provider id contract
* chore(security): polish penetration-tests naming and config formatting
* fix(security): harden webhook handshake and reduce progress provider calls
* feat(api): reconcile penetration webhook by runId and drop orgId query
* fix(api): align webhook trust checks and run ownership migration
Cursor Bugbot has reviewed your changes and found 1 potential issue.
```ts
  );
}

return createdReport as SecurityPenetrationTest;
```
Webhook authentication token leaked to API clients
High Severity
The createReport, getReport, and listReports methods return the full provider response object (cast via as SecurityPenetrationTest) which includes the raw webhookToken. This token is the server-side secret used for webhook callback authentication — the service hashes it before persisting via persistWebhookHandshake, yet returns the plaintext value to the frontend client. The frontend never uses webhookToken, so it's an unnecessary data leak. An attacker observing the API response could use the token to forge authenticated webhook callbacks to the /v1/security-penetration-tests/webhook endpoint.
Additional Locations (2)
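The leak and its fix as Bugbot describes them, written out as an added TypeScript example that is not the repository's own code: the provider response shape, the in-memory handshake store and the SHA-256 hashing are assumptions made here; only the names createReport, persistWebhookHandshake, webhookToken and SecurityPenetrationTest come from the review.

```typescript
import { createHash, timingSafeEqual } from "node:crypto";

// Assumed shape of the provider's run response; only webhookToken is from the review.
interface ProviderRunResponse {
  id: string;
  status: string;
  webhookToken: string;
}

// What the API may hand to the frontend: the run without the server-side secret.
type SecurityPenetrationTest = Omit<ProviderRunResponse, "webhookToken">;

// Constructed stand-in for persisted handshake rows (runId -> token digest).
const handshakes = new Map<string, string>();

function sha256Hex(value: string): string {
  return createHash("sha256").update(value).digest("hex");
}

// Store only the digest, so a DB read never yields the plaintext token.
export function persistWebhookHandshake(runId: string, token: string): string {
  const digest = sha256Hex(token);
  handshakes.set(runId, digest);
  return digest;
}

// The reported pattern: the whole provider object is cast and returned, so the
// type hides webhookToken at compile time while it is still present at runtime.
export function createReportLeaky(provider: ProviderRunResponse): SecurityPenetrationTest {
  persistWebhookHandshake(provider.id, provider.webhookToken);
  return provider as SecurityPenetrationTest;
}

// Hardened: destructure the secret out so the returned object really lacks it.
export function createReportSafe(provider: ProviderRunResponse): SecurityPenetrationTest {
  persistWebhookHandshake(provider.id, provider.webhookToken);
  const { webhookToken, ...publicRun } = provider;
  void webhookToken;
  return publicRun;
}

// Webhook endpoint side: hash the presented token and compare in constant time.
export function verifyWebhookToken(runId: string, presented: string): boolean {
  const expected = handshakes.get(runId);
  if (!expected) return false;
  const actual = sha256Hex(presented);
  return timingSafeEqual(Buffer.from(expected, "hex"), Buffer.from(actual, "hex"));
}
```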
🎉 This PR is included in version 1.87.0 🎉

The release is available on GitHub release.

Your semantic-release bot 📦🚀


This is an automated pull request to release the candidate branch into production, which will trigger a deployment.
It was created by the [Production PR] action.