Skip to content

v0.5.36: hitl improvements, opengraph, slack fixes, one-click unsubscribe, auth checks, new db indexes #2474

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
waleedlatif1 merged 10 commits into from
Dec 19, 2025
Merged

v0.5.36: hitl improvements, opengraph, slack fixes, one-click unsubscribe, auth checks, new db indexes #2474

waleedlatif1 merged 10 commits into from
Dec 19, 2025

Conversation

@waleedlatif1
Copy link
Collaborator

@waleedlatif1 waleedlatif1 commented Dec 19, 2025
edited
Loading

aadamgough and others added 9 commits December 18, 2025 17:56
@aadamgough
fix(tools): improved slack output ux and jira params (#2462)
fc40b4f 
* fixed slack output

* updated jira

* removed comment

* change team uuid
@waleedlatif1 @aadamgough
feat(i18n): update translations (#2463)
0005c3e 
Co-authored-by: aadamgough <aadamgough@users.noreply.github.com>
@Pbonmars-20031006
improvement(hitl): show resume url in tag dropdown within hitl block (#…
474762d 
…2464)

* fixed the human in the loop url resolution:

* greptilecomments

* greptilecomments

---------

Co-authored-by: Pbonmars-20031006@users.noreply.github.com
@waleedlatif1
feat(og): add opengraph images for templates, blogs, and updated exis…
a2f14ca 
…ting opengraph image for all other pages (#2466)

* feat(og): add opengraph images for templates, blogs, and updated existing opengraph image for all other pages

* added to workspace templates page as well

* ack PR comments
@aadamgough
fix(slack): respect message limit, remove duplicate canonical represe…
38be2b7 
…ntations (#2469)

* fix(slack): respect message limit, remove duplicate canonical representations

* removed comment

* updated docs script

---------

Co-authored-by: aadamgough <adam@sim.ai>
@waleedlatif1
feat(i18n): update translations (#2470)
6de1c04
@waleedlatif1
fix(unsubscribe): add one-click unsubscribe (#2467)
24356d9 
* fix(unsubscribe): add one-click unsubscribe

* ack Pr comments
@waleedlatif1
fix(authentication): added auth checks for various routes, mysql and …
3a33ec9 
…postgres query validation, csp improvements (#2472)
@waleedlatif1
improvement(db): added missing indexes for common access patterns (#2473
889b44c 
)
@vercel
Copy link

vercel bot commented Dec 19, 2025
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment
Project Deployment Review Updated (UTC)
docs Skipped Skipped Dec 19, 2025 9:27am

@waleedlatif1 waleedlatif1 changed the title v0.5.36: hitl improvements, slack fixes, unsubscribe, auth checks, new db indexes v0.5.36: hitl improvements, opengraph, slack fixes, one-click unsubscribe, auth checks, new db indexes Dec 19, 2025
github-advanced-security[bot]
github-advanced-security bot found potential problems Dec 19, 2025
View reviewed changes
@greptile-apps
Copy link
Contributor

greptile-apps bot commented Dec 19, 2025

Greptile Summary

This PR consolidates multiple security, performance, and UX improvements across 9 merged PRs. The changes significantly strengthen the application's security posture through comprehensive authentication checks, SQL/NoSQL injection prevention, and CSP hardening while adding useful features like one-click unsubscribe and OpenGraph images.

Key Changes

  • Security hardening: Added authentication and permission checks to previously unprotected API routes (/api/jobs, /api/memory, /api/templates), created reusable permission helper functions, and implemented comprehensive SQL/NoSQL injection prevention for MySQL, PostgreSQL, and MongoDB query tools
  • CSP improvements: Restricted localhost URLs to development mode only, preventing accidental exposure in production environments
  • Path traversal protection: Enhanced SSH tool with extensive path traversal validation covering URL-encoded and multi-encoding attack vectors
  • One-click unsubscribe: Implemented RFC 8058-compliant one-click unsubscribe supporting both JSON and form-urlencoded requests with proper email headers
  • OpenGraph images: Added infrastructure for uploading, storing, and serving OG images for templates with client-side capture utilities
  • Performance optimization: Added database indexes for common access patterns (api_key, verification, workflow_blocks)
  • Slack improvements: Enforced 15-message read limit and removed duplicate canonicalParamId fields that were causing parameter conflicts
  • HITL enhancements: Allowed human_in_the_loop blocks to reference their own URL output in tag dropdowns
  • Jira tool expansion: Added support for labels, due dates, reporters, environments, and custom fields

Confidence Score: 5/5

  • This PR is safe to merge with excellent security improvements and minimal risk
  • The PR demonstrates high-quality security engineering with comprehensive input validation, proper authentication/authorization patterns, and defensive programming practices. All security-critical changes follow established patterns, validation logic is thorough without being overly restrictive, and the changes are well-tested according to the PR descriptions. The only minor issue is a style preference for parameter visibility in the Jira tool.
  • No files require special attention - all changes follow security best practices

Important Files Changed

Filename Overview
apps/sim/app/api/tools/mysql/utils.ts Added comprehensive SQL injection prevention with extensive validation patterns for WHERE clauses
apps/sim/app/api/tools/postgresql/utils.ts Enhanced SQL injection prevention with PostgreSQL-specific validation patterns
apps/sim/lib/core/security/csp.ts Improved CSP to restrict localhost URLs to development mode only, enhancing production security
apps/sim/app/api/templates/[id]/route.ts Added comprehensive permission checks for template updates and deletes using new permission helper functions
apps/sim/lib/templates/permissions.ts New permission utility module providing reusable functions for template ownership verification
apps/sim/app/api/jobs/[jobId]/route.ts Added authentication and workflow access validation to prevent unauthorized task status queries
apps/sim/app/api/memory/[id]/route.ts Added authentication and permission checks for memory operations with proper read/write access control
apps/sim/app/api/users/me/settings/unsubscribe/route.ts Implemented one-click unsubscribe support via URL-encoded form data to comply with RFC 8058
apps/sim/lib/messaging/email/mailer.ts Added List-Unsubscribe and List-Unsubscribe-Post headers for RFC 8058 compliance in batch emails
apps/sim/blocks/blocks/slack.ts Enforced message limit of 15 max, removed duplicate canonicalParamId fields causing conflicts
apps/sim/app/api/tools/ssh/utils.ts Enhanced path traversal prevention with comprehensive validation and command injection warnings
apps/sim/app/api/templates/[id]/og-image/route.ts New API endpoint for uploading and managing OpenGraph images for templates with validation
packages/db/migrations/0125_eager_lily_hollister.sql Added performance indexes for common query patterns (api_key, verification, workflow_blocks)

Sequence Diagram

sequenceDiagram
    participant Client
    participant API
    participant Auth
    participant Perm
    participant DB
    participant Valid
    participant Email

    Note over Client,Email: Authentication and Authorization Flow
    
    Client->>API: API Request
    API->>Auth: Check authentication
    Auth-->>API: User ID
    API->>Perm: Verify permissions
    Perm->>DB: Query memberships
    DB-->>Perm: Membership data
    Perm-->>API: Permission result
    alt Unauthorized
        API-->>Client: 403 Error
    else Authorized
        API->>DB: Perform operation
        DB-->>API: Data
        API-->>Client: Success
    end

    Note over Client,Email: Query Validation
    
    Client->>API: Database query request
    API->>Valid: Validate query
    Valid->>Valid: Check patterns
    alt Dangerous pattern
        Valid-->>API: Error
        API-->>Client: 400 Error
    else Safe
        Valid-->>API: Approved
        API->>DB: Execute
        DB-->>API: Data
        API-->>Client: Success
    end

    Note over Client,Email: Unsubscribe Flow
    
    Client->>API: Unsubscribe request
    API->>API: Verify token
    alt Valid
        API->>DB: Update preferences
        DB-->>API: Updated
        API-->>Client: Success
    else Invalid
        API-->>Client: 401 Error
    end

    Note over Client,Email: Email with Unsubscribe
    
    Email->>Email: Prepare message
    Email->>Email: Check preferences
    alt Unsubscribed
        Email-->>Email: Skip
    else Subscribed
        Email->>Email: Add headers
        Email->>Email: Send message
    end
Loading

greptile-apps[bot]
greptile-apps bot reviewed Dec 19, 2025
View reviewed changes
Copy link
Contributor

@greptile-apps greptile-apps bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

77 files reviewed, 1 comment

Edit Code Review Agent Settings | Greptile

@waleedlatif1
fix(sanitization): added more input sanitization to tool routes (#2475)
656a6b8 
* fix(sanitization): added more input sanitization to tool routes

* ack PR comments
@waleedlatif1 waleedlatif1 merged commit 4d1a9a3 into main Dec 19, 2025
13 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@greptile-apps greptile-apps[bot] greptile-apps[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@waleedlatif1 @aadamgough @Pbonmars-20031006