Merge pull request #523 from CodeForAfrica/code-review-fixes

fix(security): restrict access to settings and tenant fields

Author: kelvinkipruto

.env.example

@@ -31,3 +31,9 @@ SMTP_FROM_NAME=
 # Payload jobs cron schedule
 PAYLOAD_JOBS_CRON_SCHEDULE="* * * * *"
 PAYLOAD_JOBS_QUEUE=everyMinute
+
+# Meedan Image Hosts (Optional)
+MEEDAN_ALLOWED_IMAGE_HOSTS=
+
+# Max Download Size in Bytes (Optional)
+MAX_DOWNLOAD_BYTES=104857600

next.config.mjs

@@ -5,9 +5,7 @@ import { withPayload } from "@payloadcms/next/withPayload";
 const nextConfig = {
   // Your Next.js config here
   eslint: {
-    // Warning: This allows production builds to successfully complete even if
-    // your project has ESLint errors.
-    ignoreDuringBuilds: true,
+    ignoreDuringBuilds: false,
   },
   output: "standalone",
   webpack: (webpackConfig) => {

src/app/(frontend)/[entitySlug]/promises/[promiseId]/page.tsx

@@ -45,12 +45,12 @@ const prefillAirtableForm = (
   embedCode: string,
   promiseTitle?: string,
   promiseUrl?: string,
-  updateDate?: string | Date
+  updateDate?: string | Date,
 ) => {
   const hasAny = Boolean(
     (promiseTitle && promiseTitle.trim()) ||
       (promiseUrl && promiseUrl.trim()) ||
-      (updateDate && String(updateDate).trim())
+      (updateDate && String(updateDate).trim()),
   );
 
   if (!hasAny) {
@@ -84,24 +84,24 @@ const prefillAirtableForm = (
       if (promiseTitle && promiseTitle.trim()) {
         params.push(
           `${encodeURIComponent("prefill_Promise")}=${encodeURIComponent(
-            promiseTitle.trim()
-          )}`
+            promiseTitle.trim(),
+          )}`,
         );
       }
       if (promiseUrl && promiseUrl.trim()) {
         params.push(
           `${encodeURIComponent("prefill_CheckMedia Link")}=${encodeURIComponent(
-            promiseUrl.trim()
-          )}`
+            promiseUrl.trim(),
+          )}`,
         );
         params.push(
-          `${encodeURIComponent("hide_CheckMedia Link")}=${encodeURIComponent("true")}`
+          `${encodeURIComponent("hide_CheckMedia Link")}=${encodeURIComponent("true")}`,
         );
       }
       const formattedDate = formatDate(updateDate);
       if (formattedDate) {
         params.push(
-          `${encodeURIComponent("prefill_Date")}=${encodeURIComponent(formattedDate)}`
+          `${encodeURIComponent("prefill_Date")}=${encodeURIComponent(formattedDate)}`,
         );
       }
       if (!params.length) {
@@ -139,7 +139,7 @@ export async function generateMetadata({
   const politicalEntity = await getPoliticalEntityBySlug(
     tenant,
     entitySlug,
-    tenantLocale
+    tenantLocale,
   );
   if (!politicalEntity) {
     return buildSeoMetadata({
@@ -181,7 +181,7 @@ export async function generateMetadata({
     composeTitleSegments(
       promise.title?.trim() || tenantTitleBase || tenantSeo.title,
       politicalEntity.name,
-      positionRegion
+      positionRegion,
     ) ??
     entitySeo.title ??
     tenantSeo.title;
@@ -209,7 +209,7 @@ const parseYear = (value?: string | null): number | null => {
 
 const computeTimelineInterval = (
   entityPeriod: { from?: string | null; to?: string | null },
-  statusHistory: { date: string }[]
+  statusHistory: { date: string }[],
 ): [number, number] => {
   const start = parseYear(entityPeriod.from);
   const end = parseYear(entityPeriod.to);
@@ -233,7 +233,7 @@ const computeTimelineInterval = (
 };
 
 const buildStatusDocument = (
-  promise: PromiseDocument
+  promise: PromiseDocument,
 ): PromiseStatusDocument | null => {
   const relation = promise.status;
   if (!relation) {
@@ -265,7 +265,7 @@ export default async function PromiseDetailPage({
 
   const { title, description, navigation, footer } = await getTenantNavigation(
     tenant,
-    locale
+    locale,
   );
 
   const entity = await getPoliticalEntityBySlug(tenant, entitySlug, locale);
@@ -317,14 +317,14 @@ export default async function PromiseDetailPage({
         rawPromiseUpdateEmbed,
         titleText,
         promiseUrl,
-        statusDate
+        statusDate,
       )
     : null;
 
   const { actNow } = siteSettings || {};
   const timelineInterval = computeTimelineInterval(
     { from: entity.periodFrom, to: entity.periodTo },
-    timelineStatusHistory
+    timelineStatusHistory,
   );
 
   const promiseImage = await resolveMedia(promise.image ?? null);

src/app/api/meedan-sync/route.ts

@@ -5,16 +5,24 @@ import * as Sentry from "@sentry/nextjs";
 
 import { getGlobalPayload } from "@/lib/payload";
 import { downloadFile } from "@/utils/files";
-import type {
-  Promise as PayloadPromise,
-} from "@/payload-types";
+import type { Promise as PayloadPromise } from "@/payload-types";
 import {
   buildMeedanIdCandidates,
   normaliseString,
   type MeedanWebhookPayload,
 } from "./utils";
 
 const WEBHOOK_SECRET_ENV_KEY = "WEBHOOK_SECRET_KEY";
+const DEFAULT_MAX_IMAGE_BYTES =
+  Number(process.env.MEEDAN_MAX_IMAGE_BYTES) || 10 * 1024 * 1024;
+const ALLOWED_IMAGE_MIME_TYPES = [
+  "image/jpeg",
+  "image/jpg",
+  "image/png",
+  "image/gif",
+  "image/webp",
+  "image/svg+xml",
+];
 
 type WithOptionalId = {
   id?: unknown;
@@ -63,7 +71,7 @@ export const POST = async (request: NextRequest) => {
     Sentry.captureMessage(message, "error");
     return NextResponse.json(
       { ok: false, updated: false, error: "Service misconfigured" },
-      { status: 200 }
+      { status: 500 },
     );
   }
 
@@ -84,10 +92,6 @@ export const POST = async (request: NextRequest) => {
     Sentry.captureMessage(message, "error");
     return NextResponse.json({ error: "Invalid JSON" }, { status: 400 });
   }
-  Sentry.captureMessage(
-    `meedan-sync:: Received webhook payload ${JSON.stringify(parsed)}`,
-    "info"
-  );
   const annotationType = parsed?.object?.annotation_type?.trim();
   if (annotationType && annotationType !== "report_design") {
     return NextResponse.json({ ok: true, skipped: true }, { status: 200 });
@@ -103,7 +107,7 @@ export const POST = async (request: NextRequest) => {
       {
         error: "Missing Meedan ID",
       },
-      { status: 400 }
+      { status: 400 },
     );
   }
 
@@ -119,10 +123,19 @@ export const POST = async (request: NextRequest) => {
   const url = normaliseString(options?.published_article_url);
   const headline = normaliseString(options?.headline);
   const fieldValue = normaliseString(
-    annotationData?.fields?.[0]?.value ?? null
+    annotationData?.fields?.[0]?.value ?? null,
   );
   const imageUrl = normaliseString(parsed?.object?.file?.[0]?.url ?? null);
 
+  Sentry.withScope((scope) => {
+    scope.setTag("route", "meedan-sync");
+    scope.setContext("webhook", {
+      annotationType,
+      meedanId,
+    });
+    Sentry.captureMessage("meedan-sync:: Received webhook", "info");
+  });
+
   try {
     const payload = await getGlobalPayload();
 
@@ -145,10 +158,7 @@ export const POST = async (request: NextRequest) => {
 
       console.error(message);
       Sentry.captureMessage(message, "error");
-      return NextResponse.json(
-        { error: "Promise not found" },
-        { status: 404 }
-      );
+      return NextResponse.json({ error: "Promise not found" }, { status: 404 });
     }
 
     const updateData: Partial<PayloadPromise> = {};
@@ -176,13 +186,16 @@ export const POST = async (request: NextRequest) => {
       Sentry.captureMessage(message, "error");
       return NextResponse.json(
         { error: "Failed to persist promise" },
-        { status: 500 }
+        { status: 500 },
       );
     }
 
     if (!imageUrl) {
       return NextResponse.json({ ok: true, created, updated }, { status: 200 });
     }
+    if (!imageUrl.startsWith("https://")) {
+      return NextResponse.json({ error: "Invalid image URL" }, { status: 400 });
+    }
 
     const fallbackAlt =
       headline ??
@@ -196,7 +209,10 @@ export const POST = async (request: NextRequest) => {
     let filePath: string | null = null;
 
     try {
-      filePath = await downloadFile(imageUrl);
+      filePath = await downloadFile(imageUrl, {
+        allowedMimeTypes: ALLOWED_IMAGE_MIME_TYPES,
+        maxBytes: DEFAULT_MAX_IMAGE_BYTES,
+      });
 
       const existingImageId = getRelationId(promise.image);
       let mediaId = existingImageId;
@@ -233,12 +249,12 @@ export const POST = async (request: NextRequest) => {
           });
           Sentry.captureMessage(
             "meedan-sync:: Failed to cache image after processing webhook",
-            "error"
+            "error",
           );
         });
         return NextResponse.json(
           { error: "Failed to cache image" },
-          { status: 500 }
+          { status: 500 },
         );
       }
 
@@ -251,18 +267,15 @@ export const POST = async (request: NextRequest) => {
       });
 
       updated = true;
-      return NextResponse.json(
-        { ok: true, created, updated },
-        { status: 200 }
-      );
+      return NextResponse.json({ ok: true, created, updated }, { status: 200 });
     } finally {
       if (filePath) {
         try {
           await unlink(filePath);
         } catch (cleanupError) {
           console.warn(
             "meedan-sync:: Failed to clean up temp image",
-            cleanupError
+            cleanupError,
           );
 
           Sentry.withScope((scope) => {
@@ -289,7 +302,7 @@ export const POST = async (request: NextRequest) => {
     });
     return NextResponse.json(
       { ok: false, updated: false, error: "Failed to process webhook" },
-      { status: 200 }
+      { status: 500 },
     );
   }
 };