Release v1.53.2 (#1228)

* fix: stop dd rum when user not logged in
* chore: reduce custom API max payload size to 2 MB
* chore: copy changes for for-each
* chore: raise postman attachment size limit
* chore: sanitise invalid chars from postman sms

Author: kevinkim-ogp

package-lock.json

@@ -111,5 +111,5 @@
     "tsconfig-paths": "^4.2.0",
     "type-fest": "4.10.3"
   },
-  "version": "1.53.1"
+  "version": "1.53.2"
 }

packages/backend/package.json

@@ -50,9 +50,9 @@ describe('createSizeMonitor', () => {
     expect(mocks.warn).not.toHaveBeenCalled()
   })
 
-  it('errors when total size exceeds 20MB', async () => {
+  it('errors when total size exceeds 2 MB', async () => {
     const monitor = createSizeMonitor()
-    const overLimit = Buffer.alloc(20 * 1024 * 1024 + 1)
+    const overLimit = Buffer.alloc(2 * 1024 * 1024 + 1)
     await expect(writeBuffers(monitor, [overLimit])).rejects.toMatchObject({
       name: 'AxiosError',
       isAxiosError: true,

packages/backend/src/apps/custom-api/__tests__/common/size-monitor.test.ts

@@ -2,9 +2,13 @@ import { Transform } from 'stream'
 
 import logger from '@/helpers/logger'
 
-const MAX_SIZE_IN_MB = 20
+/**
+ * NOTE: we set the limit to 2 MB to prevent abuse and protect frontend performance
+ * for large JSON payloads
+ */
+const MAX_SIZE_IN_MB = 2
 const MB = 1024 * 1024
-const MAX_CONTENT_LENGTH = MAX_SIZE_IN_MB * MB // 20MB
+const MAX_CONTENT_LENGTH = MAX_SIZE_IN_MB * MB
 const MAX_COMPRESSION_RATIO = 100 // Maximum compression ratio to prevent gzip bombs
 
 const ERROR_RESPONSE = {

packages/backend/src/apps/custom-api/common/size-monitor.ts

@@ -1,5 +1,7 @@
 import z from 'zod'
 
+import { replaceInvalidCharacters } from '@/helpers/replace-invalid-characters'
+
 // From Postman API docs
 // https://postman-v2.guides.gov.sg/faq/postman-v2-api-faq/campaign-related-inquiries
 export const MAX_SMS_CHARS = 1000
@@ -21,7 +23,8 @@ export const fieldSchema = z.object({
     .min(1, { message: 'Provide a non-empty message' })
     .max(MAX_SMS_CHARS, {
       message: `Message cannot exceed ${MAX_SMS_CHARS.toLocaleString()} characters`,
-    }),
+    })
+    .transform((message) => replaceInvalidCharacters(message)),
 })
 
 // Subset of the full reply; the other fields are not needed.

packages/backend/src/apps/postman-sms/actions/send-sms/schema.ts

@@ -26,17 +26,21 @@ const action: IRawAction = {
   description: 'Repeat actions for each item',
   groupsLaterSteps: true,
   isNew: true,
+  linkToGuide:
+    'https://guide.plumber.gov.sg/user-guides/actions/for-each-item-coming-soon',
   arguments: [
     {
       label: 'Choose items',
       description:
-        'Supported items include rows in Tiles/M365 Excel and FormSG checkboxes',
+        'Items you can choose from: Find multiple rows, Find multiple table rows, or checkboxes/table from your form.',
       key: 'items',
       type: 'string' as const,
       required: true,
       variables: true,
       variableTypes: ['array', 'table'],
       singleVariableSelection: true,
+      noVariablesMessage:
+        ' No variables available - add/check one of the following steps above: Find multiple rows, Find multiple table rows, or include a checkbox/table field in your FormSG.',
     },
   ],
 

packages/backend/src/apps/toolbox/actions/for-each/index.ts

@@ -20,7 +20,7 @@ vi.mock('@/helpers/s3', () => ({
   COMMON_S3_BUCKET: 'test-bucket',
   COMMON_S3_MOCK_FOLDER_PREFIX: 's3:test-bucket:mock/',
   parseS3Id: vi.fn(),
-  MAX_FILE_SIZE: 1024 * 1024 * 2,
+  MAX_FILE_SIZE: 1024 * 1024 * 10,
   ACCEPTED_FILE_TYPES: ['text/plain'],
   validateObjectKey: vi.fn((objectKey) => {
     const invalidCharacters = /[\\{}^`%~#<>|[\]]/
@@ -88,10 +88,10 @@ describe('generatePresignedPost', () => {
       userId: context.currentUser.id,
     })
 
-    const tooLargeParams = { ...VALID_PARAMS, size: 2 * 1024 * 1024 + 1 }
+    const tooLargeParams = { ...VALID_PARAMS, size: 10 * 1024 * 1024 + 1 }
     await expect(
       generatePresignedPost(null, { input: tooLargeParams }, context),
-    ).rejects.toThrow('Size of attachment exceeds 2MB')
+    ).rejects.toThrow('Size of attachment exceeds 10MB')
   })
 
   it.each([

packages/backend/src/graphql/__tests__/mutations/generate-presigned-post.itest.ts

@@ -17,7 +17,7 @@ const generatePresignedPost: MutationResolvers['generatePresignedPost'] =
     const { flowId, filename, fileType, size, updatedAt } = params.input
 
     if (size > MAX_FILE_SIZE) {
-      throw new Error('Size of attachment exceeds 2MB')
+      throw new Error('Size of attachment exceeds 10MB')
     }
     if (!ACCEPTED_FILE_TYPES.includes(fileType)) {
       throw new Error('Unsupported file type')

packages/backend/src/graphql/mutations/generate-presigned-post.ts

@@ -167,6 +167,7 @@ type Action {
   groupsLaterSteps: Boolean
   setupMessage: SetupMessage
   isNew: Boolean
+  linkToGuide: String
   substeps: [ActionSubstep]
 }
 
@@ -206,6 +207,7 @@ type ActionSubstepArgument {
   hiddenIf: FieldVisibilityCondition
   addRowButtonText: String
   tooltipText: String
+  noVariablesMessage: String
 
   # Only for string and multiline
   singleVariableSelection: Boolean