v0.3.53: logs search, idempotency for webhooks, billing fixes for overage, i18n for docs #1338
Conversation
* update infra and remove railway * fix(security): fix ssrf vuln * fix path validation for file serve * Revert "update infra and remove railway" This reverts commit abfa2f8. * lint * ack PR comments
Co-authored-by: Adam Gough <[email protected]>
* update infra and remove railway * feat(logs): added intelligent search to logs * Revert "update infra and remove railway" This reverts commit abfa2f8. * cleanup * cleanup
* resolved variables for 2d arrays * added tests --------- Co-authored-by: Adam Gough <[email protected]> Co-authored-by: waleedlatif1 <[email protected]>
* fix(stripe): use latest version to fix event mismatch issues * fix enterprise handling * cleanup * update better auth version * fix overage order of ops * upgrade better auth version * fix image typing * change image type to string | undefined
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
![greptile-apps[bot]](https://avatars.githubusercontent.com/in/867647?s=60&v=4){kind=small}
There was a problem hiding this comment.
Greptile Summary
This PR introduces several critical improvements across security, billing, and system reliability. The most significant change is a comprehensive idempotency service that prevents duplicate execution of webhooks, triggers, and polling operations. This system uses a multi-tier storage approach (Redis, database fallback, in-memory cache) with configurable TTL settings for different operation types.
Security enhancements include fixing an SSRF vulnerability in the file serving and function execution APIs. The file serving route now implements path sanitization and directory boundary validation to prevent path traversal attacks like ../../../etc/passwd. The function execution API wraps user-accessible fetch calls with URL validation to block requests to private networks and dangerous protocols.
Billing system improvements address Stripe integration issues by upgrading the SDK to v18.5.0 and API version to '2025-08-27.basil'. The invoice processing logic has been restructured to handle new webhook formats, and a critical bug in usage calculation has been fixed where fallback logic incorrectly used lifetime costs instead of current period costs.
Variable resolution enhancements now support multi-dimensional array indexing, allowing patterns like <array.values[0][0]> to work in non-function blocks. This uses strict regex validation to prevent edge cases while maintaining backward compatibility.
The changes integrate throughout the codebase: webhook processing routes now use idempotency wrappers, Gmail polling service has been refactored to use the centralized service, and a cleanup cron job maintains database health by removing expired idempotency keys.
Confidence score: 4/5
- This PR addresses critical security vulnerabilities and system reliability issues but introduces complex new infrastructure that needs careful monitoring
- Score reflects comprehensive testing and well-architected solutions, but lowered due to the complexity of changes across billing, security, and core execution paths
- Pay close attention to the idempotency service implementation (
lib/idempotency/service.ts) and billing webhook handlers (lib/billing/webhooks/) as these handle critical business logic
24 files reviewed, 5 comments
| .where( | ||
| and( | ||
| ...toDelete.map((item) => | ||
| and(eq(idempotencyKey.key, item.key), eq(idempotencyKey.namespace, item.namespace)) | ||
| ) | ||
| ) | ||
| ) |
There was a problem hiding this comment.
style: The nested and() operations create a complex WHERE clause that could be inefficient for large batches. Consider using inArray() with composite keys or separate the deletion into smaller batches.
| const allKeys = await db | ||
| .select({ | ||
| namespace: idempotencyKey.namespace, | ||
| createdAt: idempotencyKey.createdAt, | ||
| }) | ||
| .from(idempotencyKey) |
There was a problem hiding this comment.
style: Loading all keys into memory for statistics could cause performance issues with large datasets. Consider using database aggregation functions or pagination.
| sanitized.includes('\x00') || // Null bytes | ||
| /[\x00-\x1F\x7F]/.test(sanitized) // Control characters |
There was a problem hiding this comment.
style: Consider using a more comprehensive regex for control characters: /[\x00-\x1F\x7F-\x9F]/ to include additional control characters
| return { | ||
| isFirstTime: false, | ||
| normalizedKey, | ||
| previousResult: JSON.parse(cachedResult), |
There was a problem hiding this comment.
logic: JSON.parse without error handling could throw and break the Redis flow
| } | ||
| await db | ||
| .delete(idempotencyKey) | ||
| .where(eq(idempotencyKey.key, normalizedKey)) |
There was a problem hiding this comment.
logic: Database cleanup operation uses only the key, missing namespace filter for proper isolation
| .where(eq(idempotencyKey.key, normalizedKey)) | |
| .where( | |
| and( | |
| eq(idempotencyKey.key, normalizedKey), | |
| eq(idempotencyKey.namespace, this.config.namespace) | |
| ) | |
| ) |
* update infra and remove railway * feat(docs): added footer for page navigation, i18n for docs * Revert "update infra and remove railway" This reverts commit abfa2f8. * added SEO-related stuff * fix image sizes * add missing pages * remove extraneous comments
* update infra and remove railway * fix(build): fixed the build * Revert "update infra and remove railway" This reverts commit abfa2f8.
* update infra and remove railway * fix(builds): upgraded fumadocs * Revert "update infra and remove railway" This reverts commit abfa2f8.
waleedlatif1
changed the title
Summary
Security fix: SSRF vulnerability and path validation for files route (#1325)
Logs change: updated search for folders and workflows (#1327)
Logs feature: intelligent search with suggestions (#1329)
Idempotency feature: generalized idempotency service for all triggers (#1335)
Array-index improvement: resolved variables for 2D arrays (#1328)
Stripe fix: update to latest version to address event mismatch issues (#1336)
Stripe fix: revert to stable versioning for better auth plugin (#1337)
Docs feature: add i18n to translate to fr, zh, and es (#1339)