Merge pull request #1471 from isomerpages/release_v0.95.0

Release v0.95.0

Author: dcshzj

.github/workflows/deploy_prod.yml

@@ -13,7 +13,7 @@ jobs:
     uses: ./.github/workflows/aws_deploy.yml
     with:
       aws-region: "ap-southeast-1"
-      cicd-role: "arn:aws:iam::095733531422:role/isomer-infra-github-oidc-role-16ea937"
+      cicd-role: "arn:aws:iam::095733531422:role/isomer-infra-prod-deploy-role"
       ecr-repository: "isomer-infra-prod-ecr"
       ecs-cluster-name: "isomer-prod-ecs"
       ecs-web-service-name: "isomer-prod-ecs-service"
@@ -38,7 +38,7 @@ jobs:
     uses: ./.github/workflows/aws_deploy.yml
     with:
       aws-region: "ap-southeast-1"
-      cicd-role: "arn:aws:iam::095733531422:role/isomer-infra-github-oidc-role-16ea937"
+      cicd-role: "arn:aws:iam::095733531422:role/isomer-infra-prod-deploy-role"
       ecr-repository: "isomer-infra-prod-ecr"
       ecs-cluster-name: "isomer-prod-ecs"
       ecs-web-service-name: "prod-support-ecs-service"

.github/workflows/deploy_staging.yml

@@ -16,7 +16,7 @@ jobs:
     uses: ./.github/workflows/aws_deploy.yml
     with:
       aws-region: "ap-southeast-1"
-      cicd-role: "arn:aws:iam::095733531422:role/isomer-infra-github-oidc-role-16ea937"
+      cicd-role: "arn:aws:iam::095733531422:role/isomer-infra-stg-deploy-role"
       ecr-repository: "isomer-infra-staging-ecr"
       ecs-cluster-name: "isomer-stg-ecs"
       ecs-web-service-name: "isomer-stg-ecs-service"
@@ -41,7 +41,7 @@ jobs:
     uses: ./.github/workflows/aws_deploy.yml
     with:
       aws-region: "ap-southeast-1"
-      cicd-role: "arn:aws:iam::095733531422:role/isomer-infra-github-oidc-role-16ea937"
+      cicd-role: "arn:aws:iam::095733531422:role/isomer-infra-stg-deploy-role"
       ecr-repository: "isomer-infra-staging-ecr"
       ecs-cluster-name: "isomer-stg-ecs"
       ecs-web-service-name: "stg-support-ecs-service"

CHANGELOG.md

@@ -4,10 +4,20 @@ All notable changes to this project will be documented in this file. Dates are d
 
 Generated by [`auto-changelog`](https://github.com/CookPete/auto-changelog).
 
+#### [v0.95.0](https://github.com/isomerpages/isomercms-backend/compare/v0.94.0...v0.95.0)
+
+- fix: validate path is safe for creates [`#1469`](https://github.com/isomerpages/isomercms-backend/pull/1469)
+- chore: update IAM deploy role [`#1468`](https://github.com/isomerpages/isomercms-backend/pull/1468)
+- fix(vapt): prevent users from requesting themselves to be reviewers [`#1467`](https://github.com/isomerpages/isomercms-backend/pull/1467)
+- chore: bump version to v0.94.0 [`#1465`](https://github.com/isomerpages/isomercms-backend/pull/1465)
+
 #### [v0.94.0](https://github.com/isomerpages/isomercms-backend/compare/v0.93.0...v0.94.0)
 
+> 16 October 2025
+
 - fix: validate path traversal [`#1463`](https://github.com/isomerpages/isomercms-backend/pull/1463)
 - chore: bump version to v0.93.0 [`#1462`](https://github.com/isomerpages/isomercms-backend/pull/1462)
+- chore: bump version to v0.94.0 [`b5f109c`](https://github.com/isomerpages/isomercms-backend/commit/b5f109c02c36bb0e3ce91a0c0a9095d624eb68be)
 
 #### [v0.93.0](https://github.com/isomerpages/isomercms-backend/compare/v0.92.0...v0.93.0)
 

package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "isomercms",
-  "version": "0.94.0",
+  "version": "0.95.0",
   "private": true,
   "scripts": {
     "build": "tsc -p tsconfig.build.json",

package.json

@@ -13,6 +13,7 @@ import { mockUserId } from "@fixtures/identity"
 import { MOCK_USER_EMAIL_ONE, MOCK_USER_EMAIL_TWO } from "@fixtures/users"
 import { CollaboratorRoles, ReviewRequestStatus } from "@root/constants"
 import MissingSiteError from "@root/errors/MissingSiteError"
+import { MOCK_USER_SESSION_DATA_ONE } from "@root/fixtures/sessionData"
 import GitHubService from "@root/services/db/GitHubService"
 import CollaboratorsService from "@services/identity/CollaboratorsService"
 import NotificationsService from "@services/identity/NotificationsService"
@@ -335,6 +336,34 @@ describe("Review Requests Router", () => {
       ).not.toHaveBeenCalled()
       expect(mockNotificationsService.create).not.toHaveBeenCalled()
     })
+
+    it("should return 400 if the user requests themselves to review", async () => {
+      // Arrange
+      mockCollaboratorsService.getRole.mockResolvedValueOnce("role")
+      mockIdentityUsersService.findByEmail.mockResolvedValueOnce("user")
+
+      // Act
+      const response = await request(app)
+        .post("/mockSite/review/request")
+        .send({
+          // NOTE: this is injected via `generateRouterForDefaultUserWithSite`
+          // and from there, `attachDefaultUserSessionDataWithSite`
+          reviewers: [MOCK_USER_SESSION_DATA_ONE.email],
+          title: "mockTitle",
+          description: "mockDescription",
+        })
+
+      // Assert
+      expect(response.status).toEqual(400)
+      expect(mockSitesService.getBySiteName).toHaveBeenCalledTimes(1)
+      expect(mockCollaboratorsService.getRole).toHaveBeenCalledTimes(1)
+      expect(mockIdentityUsersService.findByEmail).toHaveBeenCalledTimes(1)
+      expect(mockCollaboratorsService.list).not.toHaveBeenCalled()
+      expect(
+        mockReviewRequestService.createReviewRequest
+      ).not.toHaveBeenCalled()
+      expect(mockNotificationsService.create).not.toHaveBeenCalled()
+    })
   })
 
   describe("listReviews", () => {

src/routes/v2/authenticated/__tests__/review.spec.ts

@@ -210,6 +210,26 @@ export class ReviewsRouter {
     )
     const { reviewers, title, description } = req.body
 
+    // NOTE: reject requests that asks for the user to be the reviewer
+    // rather than accept and filter later.
+    // We should be stricter because this is prohibited on frontend
+    // so this means that the user is trying to do something they know is forbidden
+    if (reviewers.includes(userWithSiteSessionData.email)) {
+      logger.error({
+        message: `User ${userWithSiteSessionData.email} attempted to request a review from themselves for site ${siteName}`,
+        method: "createReviewRequest",
+        meta: {
+          userId: userWithSiteSessionData.isomerUserId,
+          email: userWithSiteSessionData.email,
+          siteName,
+        },
+      })
+      return res.status(400).send({
+        message:
+          "Please ensure that you are not requesting a review from yourself!",
+      })
+    }
+
     // Step 3: Check if reviewers are admins of repo
     // Check if number of requested reviewers > 0
     if (reviewers.length === 0) {

src/routes/v2/authenticated/review.ts

@@ -7,6 +7,8 @@ const {
 } = require("@utils/markdown-utils")
 const { slugifyCollectionName } = require("@utils/utils")
 
+const { isSafePath } = require("@root/validators/validators")
+
 const INDEX_FILE_NAME = "index.html"
 
 class ResourceDirectoryService {
@@ -79,7 +81,13 @@ class ResourceDirectoryService {
     sessionData,
     { resourceRoomName, resourceCategoryName }
   ) {
-    if (/[^a-zA-Z0-9- ]/g.test(resourceCategoryName)) {
+    if (
+      /[^a-zA-Z0-9- ]/g.test(resourceCategoryName) ||
+      !isSafePath(
+        `/${resourceRoomName}/${resourceCategoryName}`,
+        `/${resourceRoomName}`
+      )
+    ) {
       // Contains non-allowed characters
       throw new BadRequestError(
         "Special characters not allowed in resource category name"
@@ -111,7 +119,13 @@ class ResourceDirectoryService {
     githubSessionData,
     { resourceRoomName, resourceCategoryName, newDirectoryName }
   ) {
-    if (/[^a-zA-Z0-9- ]/g.test(newDirectoryName)) {
+    if (
+      /[^a-zA-Z0-9- ]/g.test(newDirectoryName) ||
+      !isSafePath(
+        `/${resourceRoomName}/${newDirectoryName}`,
+        `/${resourceRoomName}`
+      )
+    ) {
       // Contains non-allowed characters
       throw new BadRequestError(
         "Special characters not allowed in resource category name"

src/services/directoryServices/ResourceDirectoryService.js

@@ -5,7 +5,11 @@ const {
   convertDataToMarkdown,
 } = require("@utils/markdown-utils")
 
-const { hasSpecialCharInTitle, isDateValid } = require("@validators/validators")
+const {
+  hasSpecialCharInTitle,
+  isDateValid,
+  isSafePath,
+} = require("@validators/validators")
 
 class ResourcePageService {
   constructor({ gitHubService }) {
@@ -16,7 +20,7 @@ class ResourcePageService {
     const fileNameArray = fileName.split(".md")[0]
     const tokenArray = fileNameArray.split("-")
     const date = tokenArray.slice(0, 3).join("-")
-    if (!isDateValid(date))
+    if (!isDateValid(date) || !isSafePath(`/${fileName}`, "/"))
       throw new BadRequestError("Special characters not allowed in file name")
 
     const type = ["file", "post", "link"].includes(tokenArray[3])

src/services/fileServices/MdPageServices/ResourcePageService.js

@@ -6,7 +6,7 @@ const {
 } = require("@utils/markdown-utils")
 const { deslugifyCollectionName } = require("@utils/utils")
 
-const { hasSpecialCharInTitle } = require("@validators/validators")
+const { hasSpecialCharInTitle, isSafePath } = require("@validators/validators")
 
 class SubcollectionPageService {
   constructor({ gitHubService, collectionYmlService }) {
@@ -27,7 +27,11 @@ class SubcollectionPageService {
   ) {
     if (
       !shouldIgnoreCheck &&
-      hasSpecialCharInTitle({ title: fileName, isFile: true })
+      (hasSpecialCharInTitle({ title: fileName, isFile: true }) ||
+        !isSafePath(
+          `/${collectionName}/${subcollectionName}/${fileName}`,
+          `/${collectionName}`
+        ))
     )
       throw new BadRequestError(
         `Special characters not allowed when creating files. Given name: ${fileName}`
@@ -117,7 +121,13 @@ class SubcollectionPageService {
       sha,
     }
   ) {
-    if (hasSpecialCharInTitle({ title: newFileName, isFile: true }))
+    if (
+      hasSpecialCharInTitle({ title: newFileName, isFile: true }) ||
+      !isSafePath(
+        `/${collectionName}/${subcollectionName}/${newFileName}`,
+        `/${collectionName}`
+      )
+    )
       throw new BadRequestError(
         `Special characters not allowed when renaming files. Given name: ${newFileName}`
       )