From 72230bf38da18426c2f3e4d6e2246490c6537ec4 Mon Sep 17 00:00:00 2001 From: Mike Mooring Date: Thu, 28 May 2026 23:47:45 -0700 Subject: [PATCH] harden(api): escape HTML in email alerts + tighten events-endpoint authz MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Closes the two flagged-for-later items. 1. HTML escaping (alerting.ts): the email channel renders details into an HTML body, and some fields are user-controlled — `accountName` traces to req.body.name at cloud-account creation, and the cloud-monitoring path's `summary` embeds it. So the unescaped interpolation WAS reachable (via the core cloud path, not agent-guard). Adds escapeHtml() applied to every string interpolation in the email HTML (summary, provider, accountName, violation serviceName/metricName/values, actionsTaken). Audited the other channels: Slack/Discord/PagerDuty/webhook all transmit via JSON (values render as text), so only the email sink needed it. +1 regression test asserting a `; + await sendAlerts([emailChannel()], `summary ${xss}`, "critical", { + provider: "cloudflare", + accountName: `acct ${xss}`, + violations: [{ serviceName: `svc ${xss}`, metricName: "CPU", currentValue: 1, threshold: 0, severity: "critical" }], + actionsTaken: [`disconnect ${xss}`], + }); + + const [payload] = mockResendSend.mock.calls[0]; + // The raw