@github-actions github-actions bot commented Nov 5, 2025

This is an automated pull request to merge chas/intel-support into dev.
It was created by the [Auto Pull Request] action.

vercel bot commented Nov 5, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Preview | Comments | Updated (UTC) |
|---------|------------|---------|----------|---------------|
| app | Ready | Preview | Comment | Nov 6, 2025 8:13pm |
| portal | Ready | Preview | Comment | Nov 6, 2025 8:13pm |

comp-ai-code-review bot commented Nov 5, 2025

🔒 Comp AI - Security Review

🟡 Risk Level: MEDIUM

DeviceAgentAccordionItem.tsx places download tokens in URL query, uses tokenResponse without JSON validation, embeds unsanitized detectedOS in requests, and sends org/member IDs without client-side validation.


📦 Dependency Vulnerabilities

✅ No known vulnerabilities detected in dependencies.


🛡️ Code Security Analysis


🟡 apps/portal/src/app/(app)/(home)/[orgId]/components/tasks/DeviceAgentAccordionItem.tsx (MEDIUM Risk)

| # | Issue | Risk Level |
|---|-------|------------|
| 1 | Download token included in URL query (exposed via Referer/logs) | MEDIUM |
| 2 | No validation of tokenResponse JSON before use | MEDIUM |
| 3 | detectedOS used unsanitized in download URL | MEDIUM |
| 4 | member IDs sent to API with no client-side validation | MEDIUM |

Recommendations:

  1. Avoid placing sensitive tokens in URL query parameters. Instead: (a) perform an authenticated POST to /api/download-agent that returns the file as a streamed response/blob, or (b) fetch the file via fetch() with the token passed in an Authorization header, then create a Blob and use URL.createObjectURL() + an `<a>` element to trigger the save. This prevents tokens from leaking via Referer headers, logs, or browser history.
  2. Validate the tokenResponse JSON shape before use. After tokenResponse.ok, parse the JSON and assert the presence and type of token (e.g., typeof token === 'string' && token.length > 0) and handle the failure case explicitly instead of destructuring blindly.
  3. Allowlist and validate detectedOS before embedding it in requests. Do not trust user agent parsing or client-controlled values. Example: const allowed = ['macos','macos-intel','windows']; if (!allowed.includes(detectedOS)) detectedOS = 'unknown'; and send only allowlisted values to the server.
  4. Ensure the server fully validates and authorizes any request that uses orgId/employeeId from the client. Client-side values can be tampered with; the server must check that the authenticated user is permitted to request a token for that org/employee. Do not rely on client-side validation for access control.
  5. Use short-lived, single-use download tokens on the server side and revoke them after use. Log token issuance and usage carefully on the server (not client) and avoid returning tokens that would permit unlimited downloads.
  6. Set appropriate Referrer-Policy headers (e.g., no-referrer or strict-origin-when-cross-origin) and avoid exposing tokens via redirects. Consider Content-Disposition headers set by the server to provide the filename instead of setting download filenames client-side.
  7. Consider additional protections: require CSRF protections where appropriate, mark cookies Secure/HttpOnly/SameSite if using cookies for auth, and ensure TLS is enforced for all endpoints.

💡 Recommendations

  1. Avoid placing tokens in query strings: fetch the agent via a protected endpoint and pass the token in an Authorization header; receive the binary and trigger download via Blob + URL.createObjectURL() (or stream the response) instead of appending ?token=... to a link.
  2. Validate tokenResponse JSON before use. Example: const json = await tokenResponse.json(); if (!json || typeof json.token !== 'string' || json.token.length===0) throw new Error('invalid token'); const token = json.token; do not destructure blindly from tokenResponse.body.
  3. Allowlist and validate client-controlled fields before embedding them in requests. Example for detectedOS: const allowed = ['macos','macos-intel','windows']; detectedOS = allowed.includes(detectedOS) ? detectedOS : 'unknown'; also validate orgId/employeeId formats (regex or UUID check) on the client and ensure the server performs authoritative authorization checks.

Powered by Comp AI - AI that handles compliance for you. Reviewed Nov 6, 2025
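A client-side sketch of recommendations 1 to 3 from the review above, added here as an example and not code from the PR or the Comp AI bot; the function names, the JSON body shape and the assumption that orgId/employeeId are UUIDs are mine, while the `/api/download-agent` path and the OS allowlist are the ones the review mentions.

```typescript
// Added example, not the PR's code. Function names, the JSON body shape and the
// assumption that orgId/employeeId are UUIDs are mine; the endpoint path and the
// OS allowlist are the ones the review mentions.

type DetectedOS = 'macos' | 'macos-intel' | 'windows' | 'unknown';
const ALLOWED_OS: string[] = ['macos', 'macos-intel', 'windows'];
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;

// Recommendation 3: user-agent parsing is client-controlled, so only an
// allowlisted value may ever reach a request; anything else becomes 'unknown'.
function normalizeDetectedOS(value: unknown): DetectedOS {
  return typeof value === 'string' && ALLOWED_OS.indexOf(value) !== -1
    ? (value as DetectedOS)
    : 'unknown';
}

// Client-side format check only; authorization for the org/employee stays on the server.
function isUuid(value: unknown): boolean {
  return typeof value === 'string' && UUID_RE.test(value);
}

// Recommendation 2: check the shape of the parsed JSON instead of destructuring it.
function parseTokenResponse(json: unknown): string {
  if (typeof json !== 'object' || json === null) throw new Error('invalid token response');
  const token = (json as { token?: unknown }).token;
  if (typeof token !== 'string' || token.length === 0) throw new Error('invalid token');
  return token;
}

// Recommendation 1: the token goes in an Authorization header and the request is a
// POST whose body carries only validated fields, so nothing sensitive lands in the
// query string, the Referer header, server access logs or browser history.
function buildAgentDownloadRequest(token: string, detectedOS: unknown, orgId: string, employeeId: string) {
  if (!isUuid(orgId) || !isUuid(employeeId)) throw new Error('malformed org or employee id');
  return {
    url: '/api/download-agent',
    init: {
      method: 'POST' as const,
      headers: { Authorization: `Bearer ${token}`, 'Content-Type': 'application/json' },
      body: JSON.stringify({ os: normalizeDetectedOS(detectedOS), orgId, employeeId }),
    },
  };
}

// The pattern the review flags, kept for comparison: the token is part of the URL.
function buildLegacyDownloadUrl(token: string, detectedOS: string): string {
  return `/api/download-agent?os=${detectedOS}&token=${token}`;
}
```

The caller passes `url` and `init` to fetch(), turns the response body into a Blob and triggers the save as the review describes; the server must still authorize the token holder for that org and employee.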

@chasprowebdev chasprowebdev requested a review from Marfuen November 5, 2025 17:28
@chasprowebdev chasprowebdev changed the title from "[dev] [chasprowebdev] chas/intel-support" to "ENG-36 Support Intel build for mac, not just Apple Silicon" Nov 5, 2025
linear bot commented Nov 5, 2025

@Marfuen Marfuen merged commit 14a5d34 into main Nov 6, 2025
6 of 8 checks passed
@Marfuen Marfuen deleted the chas/intel-support branch November 6, 2025 20:10
@claudfuen
🎉 This PR is included in version 1.56.7 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀
