fix(security): address notification system security audit findings

- SSRF: guard sendWebhook() with checkSsrf() + createPinnedAgent() to block requests to loopback, link-local, private network, and cloud metadata endpoints - XSS: escape subject, body, and ctaHref in buildEmailHtml() via escapeHtml() to prevent HTML injection through user-controlled params (actor, preview, etc.) - Encrypt webhook URLs at rest: apply maybe_encrypt_api_key on save (settingsService for user URLs, authService for admin URL) and decrypt_api_key on read in getUserWebhookUrl() / getAdminWebhookUrl() - Log failed channel dispatches: inspect Promise.allSettled() results and log rejections via logError instead of silently dropping them - Log admin webhook failures: replace fire-and-forget .catch(() => {}) with .catch(err => logError(...)) and await the call - Migration 69: guard against missing notification_preferences table on fresh installs - Migration 70: drop the now-unused notification_preferences table - Refactor: extract applyUserChannelPrefs() helper to deduplicate setPreferences / setAdminPreferences logic - Tests: add SEC-016 (XSS, 5 cases) and SEC-017 (SSRF, 6 cases) test suites; mock ssrfGuard in notificationService tests
2026-04-05 03:36:22 +02:00
parent 6df8b2555d
commit 7b37d337c1
8 changed files with 237 additions and 46 deletions
--- a/server/tests/unit/services/notificationService.test.ts
+++ b/server/tests/unit/services/notificationService.test.ts
@@ -49,6 +49,10 @@ vi.mock('nodemailer', () => ({

 vi.mock('node-fetch', () => ({ default: fetchMock }));
 vi.mock('../../../src/websocket', () => ({ broadcastToUser: broadcastMock }));
+vi.mock('../../../src/utils/ssrfGuard', () => ({
+  checkSsrf: vi.fn(async () => ({ allowed: true, isPrivate: false, resolvedIp: '1.2.3.4' })),
+  createPinnedAgent: vi.fn(() => ({})),
+}));

 import { createTables } from '../../../src/db/schema';
 import { runMigrations } from '../../../src/db/migrations';