Release v1.54.0 (#1239)

feat(tiles): revoke shareable link
feat(tiles): allow users to toggle between editing and viewing
feat: duplicate and reorder step
fix: trim long sender names for postman email
fix: blacklisted emails and invalid attachments getting escaped
fix: temporarily disable dd test visibility

Author: kevinkim-ogp

.github/workflows/test-and-build.yml

@@ -19,21 +19,21 @@ jobs:
       - run: npm ci
         env:
           NPM_TASKFORCESH_TOKEN: ${{ secrets.NPM_TASKFORCESH_TOKEN }}
-      - name: Configure Datadog Test Visibility
-        env:
-          DD_SERVICE_NAME: ${{ secrets.DD_SERVICE_NAME }}
-          DD_API_KEY: ${{ secrets.DD_API_KEY }}
-        uses: datadog/test-visibility-github-action@v1
-        with:
-          languages: js
-          service: ${{ secrets.DD_SERVICE_NAME }}
-          api_key: ${{ secrets.DD_API_KEY }}
+      # - name: Configure Datadog Test Visibility
+      #   env:
+      #     DD_SERVICE_NAME: ${{ secrets.DD_SERVICE_NAME }}
+      #     DD_API_KEY: ${{ secrets.DD_API_KEY }}
+      #   uses: datadog/test-visibility-github-action@v1
+      #   with:
+      #     languages: js
+      #     service: ${{ secrets.DD_SERVICE_NAME }}
+      #     api_key: ${{ secrets.DD_API_KEY }}
       - run: npm run lint
       - run: echo "✅ Your code has been linted."
       - run: npm run test
-        env:
-          # Required to allow Datadog to trace Vitest tests
-          NODE_OPTIONS: -r ${{ env.DD_TRACE_PACKAGE }} --import ${{ env.DD_TRACE_ESM_IMPORT }}
+        # env:
+        #   # Required to allow Datadog to trace Vitest tests
+        #   NODE_OPTIONS: -r ${{ env.DD_TRACE_PACKAGE }} --import ${{ env.DD_TRACE_ESM_IMPORT }}
       - run: echo "✅ All tests passed."
       - run: VITE_MODE=test npm run build
       - run: echo "✅ Your code has been built."

package-lock.json

@@ -111,5 +111,5 @@
     "tsconfig-paths": "^4.2.0",
     "type-fest": "4.10.3"
   },
-  "version": "1.53.3"
+  "version": "1.54.0"
 }

packages/backend/package.json

@@ -188,4 +188,12 @@ describe('postman transactional email schema zod validation', () => {
       )
     },
   )
+
+  it('should trim long reply to email', () => {
+    validPayload.senderName = 'a'.repeat(256)
+    const validLength = 255 - ' <[email protected]>'.length
+    const result = transactionalEmailSchema.safeParse(validPayload)
+    assert(result.success === true)
+    expect(result.data.senderName).toEqual('a'.repeat(validLength))
+  })
 })

packages/backend/src/apps/postman/__tests__/common/parameters.test.ts

@@ -4,6 +4,7 @@ import validator from 'email-validator'
 import { uniq } from 'lodash'
 import { z } from 'zod'
 
+import appConfig from '@/config/app'
 import { parseS3Id } from '@/helpers/s3'
 
 import { POSTMAN_SUPPORTED_ATTACHMENTS_GUIDE_URL } from './constants'
@@ -121,7 +122,16 @@ export const transactionalEmailSchema = z.object({
     }
     return value.trim() === '' ? undefined : value.trim()
   }, z.string().email({ message: 'Invalid reply to email' }).optional()),
-  senderName: z.string().min(1, { message: 'Empty sender name' }).trim(),
+  senderName: z
+    .string()
+    .min(1, { message: 'Empty sender name' })
+    .trim()
+    // NOTE: we trim the sender name so that long sender names do not cause the email to fail.
+    // Postman limits the sender name to 255 characters.
+    // the API sends "{senderName} <[email protected]>" so it needs to be included in the calculation.
+    .transform((value) =>
+      value.substring(0, 255 - ` <${appConfig.postman.fromAddress}>`.length),
+    ),
   attachments: z.array(z.string()).transform((array, context) => {
     const result: string[] = []
     for (const value of array) {

packages/backend/src/apps/postman/common/parameters.ts

@@ -1,7 +1,7 @@
 import { DateTime } from 'luxon'
 
 import { redisClient as pipeErrorRedisClient } from '@/helpers/generate-error-email'
-import { safeHtml } from '@/helpers/html-utils'
+import { escapeHtml, safeHtml, trustedHtml } from '@/helpers/html-utils'
 import { sendEmail } from '@/helpers/send-email'
 
 const MAX_LENGTH = 80
@@ -58,7 +58,11 @@ function createBodyErrorMessage(props: BlacklistEmailProps): string {
     <br>
     We have detected that your pipe <strong>${flowName}</strong> has attempted to send an email to one or more blacklisted email addresses:
     <ul>
-      ${blacklistedRecipients.map((email) => `<li>${email}</li>`).join('\n')}
+      ${trustedHtml(
+        blacklistedRecipients
+          .map((email) => `<li>${escapeHtml(email)}</li>`)
+          .join('\n'),
+      )}
     </ul>
     Emails could be blacklisted for one of the following reasons:
     <ul>

packages/backend/src/apps/postman/common/send-blacklist-email.ts

@@ -1,5 +1,5 @@
 import { truncateFlowName } from '@/helpers/generate-error-email'
-import { safeHtml } from '@/helpers/html-utils'
+import { escapeHtml, safeHtml, trustedHtml } from '@/helpers/html-utils'
 import { sendEmail } from '@/helpers/send-email'
 
 interface SendInvalidAttachmentsEmailProps {
@@ -23,7 +23,9 @@ export function createInvalidAttachmentsMessage(props: CreateMessageProps) {
   const bodyMessage = safeHtml`
     We have detected that your pipe <strong>${flowName}</strong> has attempted to send an email with one or more attachments that are not supported:
     <ul>
-        ${invalidAttachments.map((a) => `<li>${a}</li>`).join('\n')}
+        ${trustedHtml(
+          invalidAttachments.map((a) => `<li>${escapeHtml(a)}</li>`).join('\n'),
+        )}
     </ul>
     The details of the affected execution are as follows:
     <ul>