v0.5.36: hitl improvements, opengraph, slack fixes, one-click unsubscribe, auth checks, new db indexes

[waleedlatif1]

• fix(tools): improved slack output ux and jira params (fix(tools): improved slack output ux and jira params #2462)
• feat(i18n): update translations (feat(i18n): update translations #2463)
• improvement(hitl): show resume url in tag dropdown within hitl block (improvement(hitl): show resume url in tag dropdown within hitl block #2464)
• feat(og): add opengraph images for templates, blogs, and updated existing opengraph image for all other pages (feat(og): add opengraph images for templates, blogs, and updated existing opengraph image for all other pages #2466)
• fix(slack): respect message limit, remove duplicate canonical representations (fix(slack): respect message limit, remove duplicate canonical representations #2469)
• feat(i18n): update translations (feat(i18n): update translations #2470)
• fix(unsubscribe): add one-click unsubscribe (fix(unsubscribe): add one-click unsubscribe #2467)
• fix(authentication): added auth checks for various routes, mysql and postgres query validation, csp improvements (fix(authentication): added auth checks for various routes, mysql and postgres query validation, csp improvements #2472)
• improvement(db): added missing indexes for common access patterns (improvement(db): added missing indexes for common access patterns #2473)
• fix(sanitization): added more input sanitization to tool routes (fix(sanitization): added more input sanitization to tool routes #2475)

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment

Project	Deployment	Review	Updated (UTC)
docs	Skipped		Dec 19, 2025 9:27am

[greptile-apps]

Greptile Summary

This PR consolidates multiple security, performance, and UX improvements across 9 merged PRs. The changes significantly strengthen the application's security posture through comprehensive authentication checks, SQL/NoSQL injection prevention, and CSP hardening while adding useful features like one-click unsubscribe and OpenGraph images.

Key Changes

• Security hardening: Added authentication and permission checks to previously unprotected API routes (/api/jobs, /api/memory, /api/templates), created reusable permission helper functions, and implemented comprehensive SQL/NoSQL injection prevention for MySQL, PostgreSQL, and MongoDB query tools
• CSP improvements: Restricted localhost URLs to development mode only, preventing accidental exposure in production environments
• Path traversal protection: Enhanced SSH tool with extensive path traversal validation covering URL-encoded and multi-encoding attack vectors
• One-click unsubscribe: Implemented RFC 8058-compliant one-click unsubscribe supporting both JSON and form-urlencoded requests with proper email headers
• OpenGraph images: Added infrastructure for uploading, storing, and serving OG images for templates with client-side capture utilities
• Performance optimization: Added database indexes for common access patterns (api_key, verification, workflow_blocks)
• Slack improvements: Enforced 15-message read limit and removed duplicate canonicalParamId fields that were causing parameter conflicts
• HITL enhancements: Allowed human_in_the_loop blocks to reference their own URL output in tag dropdowns
• Jira tool expansion: Added support for labels, due dates, reporters, environments, and custom fields

Confidence Score: 5/5

• This PR is safe to merge with excellent security improvements and minimal risk
• The PR demonstrates high-quality security engineering with comprehensive input validation, proper authentication/authorization patterns, and defensive programming practices. All security-critical changes follow established patterns, validation logic is thorough without being overly restrictive, and the changes are well-tested according to the PR descriptions. The only minor issue is a style preference for parameter visibility in the Jira tool.
• No files require special attention - all changes follow security best practices

Important Files Changed

Filename	Overview
apps/sim/app/api/tools/mysql/utils.ts	Added comprehensive SQL injection prevention with extensive validation patterns for WHERE clauses
apps/sim/app/api/tools/postgresql/utils.ts	Enhanced SQL injection prevention with PostgreSQL-specific validation patterns
apps/sim/lib/core/security/csp.ts	Improved CSP to restrict localhost URLs to development mode only, enhancing production security
apps/sim/app/api/templates/[id]/route.ts	Added comprehensive permission checks for template updates and deletes using new permission helper functions
apps/sim/lib/templates/permissions.ts	New permission utility module providing reusable functions for template ownership verification
apps/sim/app/api/jobs/[jobId]/route.ts	Added authentication and workflow access validation to prevent unauthorized task status queries
apps/sim/app/api/memory/[id]/route.ts	Added authentication and permission checks for memory operations with proper read/write access control
apps/sim/app/api/users/me/settings/unsubscribe/route.ts	Implemented one-click unsubscribe support via URL-encoded form data to comply with RFC 8058
apps/sim/lib/messaging/email/mailer.ts	Added List-Unsubscribe and List-Unsubscribe-Post headers for RFC 8058 compliance in batch emails
apps/sim/blocks/blocks/slack.ts	Enforced message limit of 15 max, removed duplicate canonicalParamId fields causing conflicts
apps/sim/app/api/tools/ssh/utils.ts	Enhanced path traversal prevention with comprehensive validation and command injection warnings
apps/sim/app/api/templates/[id]/og-image/route.ts	New API endpoint for uploading and managing OpenGraph images for templates with validation
packages/db/migrations/0125_eager_lily_hollister.sql	Added performance indexes for common query patterns (api_key, verification, workflow_blocks)

Sequence Diagram

sequenceDiagram
    participant Client
    participant API
    participant Auth
    participant Perm
    participant DB
    participant Valid
    participant Email

    Note over Client,Email: Authentication and Authorization Flow
    
    Client->>API: API Request
    API->>Auth: Check authentication
    Auth-->>API: User ID
    API->>Perm: Verify permissions
    Perm->>DB: Query memberships
    DB-->>Perm: Membership data
    Perm-->>API: Permission result
    alt Unauthorized
        API-->>Client: 403 Error
    else Authorized
        API->>DB: Perform operation
        DB-->>API: Data
        API-->>Client: Success
    end

    Note over Client,Email: Query Validation
    
    Client->>API: Database query request
    API->>Valid: Validate query
    Valid->>Valid: Check patterns
    alt Dangerous pattern
        Valid-->>API: Error
        API-->>Client: 400 Error
    else Safe
        Valid-->>API: Approved
        API->>DB: Execute
        DB-->>API: Data
        API-->>Client: Success
    end

    Note over Client,Email: Unsubscribe Flow
    
    Client->>API: Unsubscribe request
    API->>API: Verify token
    alt Valid
        API->>DB: Update preferences
        DB-->>API: Updated
        API-->>Client: Success
    else Invalid
        API-->>Client: 401 Error
    end

    Note over Client,Email: Email with Unsubscribe
    
    Email->>Email: Prepare message
    Email->>Email: Check preferences
    alt Unsubscribed
        Email-->>Email: Skip
    else Subscribed
        Email->>Email: Add headers
        Email->>Email: Send message
    end

Loading

[greptile-apps]

_{77 files reviewed, 1 comment}

_{Edit Code Review Agent Settings | Greptile}