typebot.io/packages/typebot
Author: Baptiste Arnaud · commit d6bcc26f27
🐛 Fix cross-workspace credential theft via preview endpoint (#2430)
## Summary
- **Fixes
[GHSA-cq66-9cwr-x8jr](https://github.com/baptisteArno/typebot.io/security/advisories/GHSA-cq66-9cwr-x8jr)**
— the previous fix for GHSA-4xc5-wfwc-jw47 was incomplete: the
bot-engine runtime still allowed any authenticated user to exfiltrate
credentials from any workspace via the preview endpoint by passing
`workspaceId: ""`
- Invert the falsy check in `getCredentials()` so that missing or empty
`workspaceId` **denies** access instead of skipping validation
- Add `z.string().min(1)` on the typebot schema's `workspaceId` to
reject empty strings at the Zod validation layer
- Tighten `getGoogleSpreadsheet` param type from `string | undefined` to
`string`

## Test plan
- [x] Typecheck passes on `credentials`, `bot-engine`, `whatsapp`
- [x] All tests pass (lint, bot-engine, whatsapp, results, lib,
rich-text, emails, builder)
- [ ] Verify that preview mode still works correctly with valid
workspaceId
- [ ] Verify that forged blocks, Google Sheets, and streaming endpoints
still load credentials for legitimate users

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-07 16:21:17 +02:00
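The bug class the three Summary items describe, shown as an added TypeScript example that is not typebot's own code: the "falsy check skips validation" pattern next to its deny-by-default replacement, plus a hand-written stand-in for the `z.string().min(1)` schema guard. `Credential`, `store`, `vulnerableGetCredentials`, `fixedGetCredentials`, `isValidWorkspaceId` and `replayAttack` are assumed names, and the in-memory store is constructed sample data; the real `getCredentials()` reads from the database and its exact shape is not shown on this page.

```typescript
// Added illustration for #2430 / GHSA-cq66-9cwr-x8jr; not typebot's own code.
// Credential, store, vulnerableGetCredentials, fixedGetCredentials,
// isValidWorkspaceId and replayAttack are assumed names. The store is
// constructed sample data standing in for the credentials table.

type Credential = { id: string; workspaceId: string; secret: string };

// Two workspaces, one credential each. The requester belongs to ws-attacker.
const store: Credential[] = [
  { id: "cred-attacker", workspaceId: "ws-attacker", secret: "attacker-token" },
  { id: "cred-victim", workspaceId: "ws-victim", secret: "victim-google-refresh-token" },
];

// BEFORE (the incomplete fix the commit describes): the ownership check only
// runs when workspaceId is truthy, so a preview payload carrying
// workspaceId: "" (or omitting it) skips the check and can read any
// credential by id.
function vulnerableGetCredentials(
  credentialId: string,
  workspaceId: string | undefined,
): Credential | undefined {
  const cred = store.find((c) => c.id === credentialId);
  if (!cred) return undefined;
  // Scope check is skipped entirely when workspaceId is "" or undefined.
  if (workspaceId && cred.workspaceId !== workspaceId) return undefined;
  return cred;
}

// AFTER: a missing or empty workspaceId denies instead of skipping, and the
// ownership comparison always runs. The parameter is narrowed to `string`,
// mirroring the tightened getGoogleSpreadsheet signature; the runtime guard
// still covers "" because a TypeScript type cannot exclude the empty string.
function fixedGetCredentials(
  credentialId: string,
  workspaceId: string,
): Credential | undefined {
  if (!workspaceId) return undefined; // deny, do not skip
  const cred = store.find((c) => c.id === credentialId);
  if (!cred || cred.workspaceId !== workspaceId) return undefined;
  return cred;
}

// Hand-written equivalent of the Zod guard `z.string().min(1)` added to the
// typebot schema's workspaceId: rejects non-strings and the empty string at
// the validation layer, before the engine ever calls getCredentials.
// (No zod dependency here so the example runs stand-alone.)
function isValidWorkspaceId(value: unknown): value is string {
  return typeof value === "string" && value.length >= 1;
}

// The advisory's attack replayed against both versions: a user in
// ws-attacker previews a bot whose payload claims workspaceId: "" and
// references the victim's credential id.
function replayAttack(): { before: string | undefined; after: string | undefined } {
  const forgedWorkspaceId = "";
  return {
    before: vulnerableGetCredentials("cred-victim", forgedWorkspaceId)?.secret,
    after: fixedGetCredentials("cred-victim", forgedWorkspaceId)?.secret,
  };
}
```

Note the two layers are deliberately redundant: the schema guard stops the empty string at the edge, and the inverted check in the engine denies if anything else (a forged block, a streaming call, a future endpoint) reaches it without a workspace. That redundancy is exactly what the first, schema-only fix lacked. The unchecked test-plan items correspond to `fixedGetCredentials("cred-victim", "ws-victim")` still returning the credential for a legitimate caller.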
| Path | Last commit | Date |
|---|---|---|
| src | 🐛 Fix cross-workspace credential theft via preview endpoint (#2430) | 2026-04-07 16:21:17 +02:00 |
| package.json | ♻️ Remove shared-primitives package | 2026-03-25 10:43:35 +01:00 |
| tsconfig.json | ♻️ Migrate to NX (#2418) | 2026-03-18 15:29:32 +00:00 |
| tsconfig.lib.json | 🔧 Remove "baseUrl": "." from tsconfigs | 2026-03-25 16:40:12 +01:00 |