Conversation

@github-actions

This is an automated pull request to merge chas/device-agent-windows-api into dev.
It was created by the [Auto Pull Request] action.

@vercel

vercel bot commented Nov 19, 2025


2 Skipped Deployments

| Project | Deployment | Preview | Comments | Updated (UTC) |
|---|---|---|---|---|
| app | Skipped | Skipped | | Nov 19, 2025 2:36pm |
| portal | Skipped | Skipped | | Nov 19, 2025 2:36pm |

@comp-ai-code-review

comp-ai-code-review bot commented Nov 19, 2025

🔒 Comp AI - Security Review

🟡 Risk Level: MEDIUM

2 high CVEs in xlsx (Prototype Pollution, ReDoS) and 1 low CVE in ai; controller uses unsanitized filenames and unvalidated Content-Type; service reads AWS creds from env with non-null assertions.


📦 Dependency Vulnerabilities

🟠 NPM Packages (HIGH)

Risk Score: 8/10 | Summary: 2 high, 1 low CVEs found

| Package | Version | CVE | Severity | CVSS | Summary | Fixed In |
|---|---|---|---|---|---|---|
| xlsx | 0.18.5 | GHSA-4r6h-8v6p-xvw6 | HIGH | N/A | Prototype Pollution in sheetJS | No fix yet |
| xlsx | 0.18.5 | GHSA-5pgg-2g8v-p4x9 | HIGH | N/A | SheetJS Regular Expression Denial of Service (ReDoS) | No fix yet |
| ai | 5.0.0 | GHSA-rwvc-j5jr-mgvh | LOW | N/A | Vercel’s AI SDK's filetype whitelists can be bypassed when uploading files | 5.0.52 |

🛡️ Code Security Analysis


🟡 apps/api/src/device-agent/device-agent.controller.ts (MEDIUM Risk)

| # | Issue | Risk Level |
|---|---|---|
| 1 | Unsanitized filename in Content-Disposition header (HTTP header injection/response splitting) | MEDIUM |
| 2 | Content-Type taken from service without validation (MIME sniffing risk) | MEDIUM |
| 3 | OrganizationId not used for access control (possible horizontal access/IDOR) | MEDIUM |

Recommendations:

  1. Sanitize/validate filenames: strip CRLF, quotes; enforce whitelist or safe fallback name
  2. Avoid embedding raw filename in header; use encoded filename* only or a server-side token
  3. Whitelist and validate contentType before setting the Content-Type header
  4. Enforce org-scoped authorization checks using organizationId and authContext
  5. Log downloads, validate the stream source and add rate limiting for downloads

🟡 apps/api/src/device-agent/device-agent.service.ts (MEDIUM Risk)

| # | Issue | Risk Level |
|---|---|---|
| 1 | Long-lived AWS credentials loaded from environment variables | MEDIUM |
| 2 | Service methods lack explicit authorization checks | MEDIUM |
| 3 | Error logs may expose sensitive info (stack traces, S3 keys) | MEDIUM |
| 4 | Non-null assertions on env vars can crash app if missing | MEDIUM |

Recommendations:

  1. Use IAM roles (EC2/ECS/EKS task roles) or temporary STS credentials / AWS SDK default credential provider chain instead of hardcoding credentials from environment variables.
  2. Validate and fail fast at application startup for required configuration (avoid non-null assertions at usage sites). Use a config validation library (e.g., Joi, class-validator) or NestJS ConfigModule validation to ensure required env vars and provide clear error messages.
  3. Enforce authentication and authorization at the API boundary (controllers/middleware/guards). If this service can be called from other parts of the app, ensure callers perform proper authz or add checks here (or document that only internal callers should use it).
  4. Avoid logging sensitive information. Remove or sanitize logs that contain S3 keys, bucket names, or full error objects. Log only necessary identifiers and, for errors, log sanitized messages and use structured logging for non-sensitive metadata.
  5. Prefer the AWS SDK default credential provider chain and environment + role-based providers. If env creds are necessary for certain deployments, rotate them regularly and scope IAM permissions to the minimal required S3 actions and buckets.

💡 Recommendations

  1. Remediate reported CVEs: upgrade xlsx to a version that addresses GHSA-4r6h-8v6p-xvw6 and GHSA-5pgg-2g8v-p4x9, and update ai to >= 5.0.52 (GHSA-rwvc-j5jr-mgvh).
  2. Fix header injection/MIME issues in device-agent.controller.ts: sanitize/validate any filename before embedding in Content-Disposition (strip CR/LF and control chars, remove quotes, enforce a whitelist or safe fallback), use RFC5987-encoded filename* where appropriate, and validate/whitelist Content-Type values before setting the Content-Type header.
  3. Eliminate fragile env usage and sensitive logging in device-agent.service.ts: validate required AWS env vars at startup (avoid non-null assertions at use sites), avoid logging full errors or credentials/S3 keys, and add explicit org-scoped authorization checks (verify organizationId against caller/auth context) in controller/service paths.

Powered by Comp AI - AI that handles compliance for you. Reviewed Nov 19, 2025
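The controller recommendations above (a sanitized Content-Disposition that keeps only an RFC 5987 `filename*` plus an ASCII fallback, and a whitelisted Content-Type), as an added TypeScript example that is not the project's code; the function names, the fallback name and the allowed MIME set are assumptions.

```typescript
// Added example (not the project's code): hardening the download response headers the
// review flags in device-agent.controller.ts. Names and the MIME whitelist are assumptions.

const FALLBACK_FILENAME = "device-agent.bin";

// Only MIME types the agent download is expected to serve; anything else falls back to
// application/octet-stream, which browsers download rather than sniff or render inline.
const ALLOWED_CONTENT_TYPES = new Set<string>([
  "application/octet-stream",
  "application/vnd.microsoft.portable-executable",
  "application/zip",
]);

/**
 * Keep only the last path segment, then strip CR/LF and every other control character,
 * quotes, semicolons and backslashes (the characters that could end or alter the header).
 * Falls back to a fixed name when nothing safe is left.
 */
export function sanitizeFilename(raw: string | undefined): string {
  if (!raw) return FALLBACK_FILENAME;
  const base = raw.split(/[\\/]/).pop() ?? "";
  const cleaned = base
    .replace(/[\u0000-\u001f\u007f-\u009f"';\\]/g, "")
    .replace(/^\.+/, "")
    .trim();
  return cleaned.length > 0 && cleaned.length <= 255 ? cleaned : FALLBACK_FILENAME;
}

/**
 * Content-Disposition with an ASCII-only `filename` for old clients and an
 * RFC 5987 / RFC 8187 `filename*` carrying the UTF-8 name percent-encoded.
 */
export function contentDisposition(raw: string | undefined): string {
  const safe = sanitizeFilename(raw);
  const ascii = safe.replace(/[^\x20-\x7e]/g, "_");
  // encodeURIComponent leaves ' ( ) * bare, but they are not attr-char in RFC 5987.
  const ext = encodeURIComponent(safe).replace(
    /['()*]/g,
    (c) => "%" + c.charCodeAt(0).toString(16).toUpperCase(),
  );
  return `attachment; filename="${ascii}"; filename*=UTF-8''${ext}`;
}

/** Whitelist the Content-Type reported by the service instead of passing it through. */
export function safeContentType(reported: string | undefined): string {
  const mime = (reported ?? "").split(";")[0].trim().toLowerCase();
  return ALLOWED_CONTENT_TYPES.has(mime) ? mime : "application/octet-stream";
}
```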

@chasprowebdev chasprowebdev force-pushed the chas/device-agent-windows-api branch from 2994cec to 538bc50 Compare November 19, 2025 02:53
@comp-ai-code-review

comp-ai-code-review bot commented Nov 19, 2025

🔒 Comp AI - Security Review

🟡 Risk Level: MEDIUM

OSV scan: xlsx@0.18.5 contains GHSA-4r6h-8v6p-xvw6 (Prototype Pollution) and GHSA-5pgg-2g8v-p4x9 (ReDoS). ai@5.0.0 contains GHSA-rwvc-j5jr-mgvh (filetype whitelist bypass, fixed in 5.0.52).


📦 Dependency Vulnerabilities

🟠 NPM Packages (HIGH)

Risk Score: 8/10 | Summary: 2 high, 1 low CVEs found

| Package | Version | CVE | Severity | CVSS | Summary | Fixed In |
|---|---|---|---|---|---|---|
| xlsx | 0.18.5 | GHSA-4r6h-8v6p-xvw6 | HIGH | N/A | Prototype Pollution in sheetJS | No fix yet |
| xlsx | 0.18.5 | GHSA-5pgg-2g8v-p4x9 | HIGH | N/A | SheetJS Regular Expression Denial of Service (ReDoS) | No fix yet |
| ai | 5.0.0 | GHSA-rwvc-j5jr-mgvh | LOW | N/A | Vercel’s AI SDK's filetype whitelists can be bypassed when uploading files | 5.0.52 |

🛡️ Code Security Analysis


🟡 apps/api/src/device-agent/device-agent.service.ts (MEDIUM Risk)

| # | Issue | Risk Level |
|---|---|---|
| 1 | No authorization checks for agent download endpoints | MEDIUM |
| 2 | organizationId and employeeId parameters are unused and not validated | MEDIUM |
| 3 | AWS credentials loaded from env and used as static credentials | MEDIUM |
| 4 | Potential logging of sensitive data via error logging | MEDIUM |
| 5 | No integrity or signature verification for downloaded binaries | MEDIUM |
| 6 | No size or content validation for S3 download streams | MEDIUM |

Recommendations:

  1. Enforce authentication and per-organization authorization at the controller/endpoint layer before calling these service methods. Ensure only authorized orgs/users can download agent binaries.
  2. Validate and use organizationId and employeeId (or remove them) to enforce access control and auditability. Reject or log requests with missing/invalid IDs.
  3. Prefer the AWS default provider chain or IAM roles (e.g., EC2/ECS task role, IRSA) rather than hard-coded/static credentials from environment variables. If env creds are required, rotate/store them securely and minimize privilege scope.
  4. Avoid logging raw error objects that may contain sensitive information. Log safe, contextual messages and an error ID; capture full error details in secure, access-controlled logs or monitoring only.
  5. Verify integrity of downloaded binaries before exposing them to clients: use signatures (e.g., code signing), signed S3 objects, or verify checksums (e.g., SHA256) against a trusted source.
  6. Enforce content and size validation for S3 downloads: check content-length/Content-Type, impose size limits, and stream with limits to prevent resource exhaustion. Consider scanning binaries for malware before distribution.

💡 Recommendations

  1. Upgrade vulnerable npm packages: update xlsx (currently 0.18.5) to a patched release that addresses GHSA-4r6h-8v6p-xvw6 and GHSA-5pgg-2g8v-p4x9, and update ai to >= 5.0.52 to address GHSA-rwvc-j5jr-mgvh.
  2. Remove static AWS credential usage in apps/api/src/device-agent/device-agent.service.ts: do not construct or load static credentials from environment variables directly in service code. Instantiate AWS clients without embedding static creds in source and avoid logging full error objects that may contain sensitive data.
  3. Harden the agent download flow in apps/api/src/device-agent/device-agent.service.ts: validate and use organizationId/employeeId for access control (reject missing/invalid IDs), enforce authorization before serving binaries, verify binary integrity (signature or trusted checksum) prior to returning files, and validate S3 response headers (Content-Type/Content-Length) and enforce size/stream limits.

Powered by Comp AI - AI that handles compliance for you. Reviewed Nov 19, 2025
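The stream-hardening recommendations above (a size limit enforced while streaming, and a SHA-256 check against a trusted value before the binary is served), as an added TypeScript example rather than code from the project; the class and function names are assumptions, and the trusted digest is assumed to come from an out-of-band source such as a signed release manifest, not from the bucket that holds the binary.

```typescript
// Added example (not the project's code): guarding the S3 download stream the review
// flags in device-agent.service.ts with a byte cap and a SHA-256 integrity check.
// Names are assumptions; the expected digest is assumed to come from a trusted manifest.
import { createHash, timingSafeEqual } from "node:crypto";

/** Reject an object from its metadata (S3 ContentLength) before any bytes are streamed. */
export function checkContentLength(contentLength: number | undefined, maxBytes: number): string | null {
  if (contentLength === undefined || !Number.isInteger(contentLength) || contentLength <= 0) {
    return "missing or invalid Content-Length";
  }
  if (contentLength > maxBytes) return `object is ${contentLength} bytes, limit is ${maxBytes}`;
  return null;
}

/**
 * Feed stream chunks through this as they arrive: it throws as soon as the byte cap is
 * exceeded (so a runaway object cannot exhaust memory or disk) and, at the end, compares
 * the digest with the trusted value in constant time.
 */
export class LimitedIntegrityChecker {
  private readonly hash = createHash("sha256");
  private received = 0;

  constructor(private readonly maxBytes: number, private readonly expectedSha256Hex: string) {}

  push(chunk: Uint8Array): void {
    this.received += chunk.byteLength;
    if (this.received > this.maxBytes) {
      throw new Error(`download exceeded ${this.maxBytes} bytes; aborting stream`);
    }
    this.hash.update(chunk);
  }

  /** Call once after the last chunk; true only when the digest matches the trusted value. */
  finish(): boolean {
    const actual = this.hash.digest();
    const expected = Buffer.from(this.expectedSha256Hex, "hex");
    return expected.length === actual.length && timingSafeEqual(actual, expected);
  }
}

/** Buffered convenience wrapper: true only when both the size cap and the digest check pass. */
export function verifyBinary(data: Uint8Array, maxBytes: number, expectedSha256Hex: string): boolean {
  const checker = new LimitedIntegrityChecker(maxBytes, expectedSha256Hex);
  try {
    checker.push(data);
  } catch {
    return false;
  }
  return checker.finish();
}
```

When wired to the S3 stream, `checkContentLength` runs on the HeadObject/GetObject metadata first, and `push` is called from the stream's data handler so the response can be aborted early instead of buffering the whole object.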

@vercel vercel bot temporarily deployed to Preview – app November 19, 2025 02:53 Inactive
@chasprowebdev chasprowebdev changed the title [dev] [chasprowebdev] chas/device-agent-windows-api Update device-agent-windows-api to download .exe file instead of zip Nov 19, 2025
@vercel vercel bot temporarily deployed to Preview – portal November 19, 2025 14:36 Inactive
@vercel vercel bot temporarily deployed to Preview – app November 19, 2025 14:36 Inactive
@Marfuen Marfuen merged commit a73872e into main Nov 19, 2025
9 checks passed
@Marfuen Marfuen deleted the chas/device-agent-windows-api branch November 19, 2025 15:37
@claudfuen

🎉 This PR is included in version 1.60.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀
