What's your request?
Update welcome email with the following text:

Subject: Welcome to Zipper Beta

Hey there,

Welcome to Zipper beta! We’re two engineers who believe simplicity can lead to incredibly creative software. We hope you enjoy building "applets" - web services that you can ship immediately.

As you build, feel free to send us questions, feedback, and general comments by replying to this email or through the Feedback button on the app. We genuinely like reading all that you have to say, so it all gets delivered to our inboxes - not middle management or a customer support chat bot.

Have fun and let us know what you think.

Regards,
Sachin & Ibu

What's the benefit of this feature or enhancement?
Specificity, clarity around purpose, nugget of intro to value prop, call to action

Is this recommended by a user or by Zipper team?
Zipper team

What's your request?

1. On signup, replace terms and conditions text with a required field with check box to accept Privacy Policy & Terms of Use. The text should read:

[] I agree to the Terms of Use and Privacy Policy.

2. The terms Terms of Use & Privacy Policy should be linked to their pages on the site.

3. If user does not check box and clicks on Continue button for email sign up or Google/Github auth options, they should see an error that reads: "Please agree to the Terms of Use and Privacy Policy."

What's the benefit of this feature or enhancement?
Affirmative acceptance to maximize enforceability of terms

Is this recommended by a user or by Zipper team?
Zipper legal counsel

What's the bug?
The Add an Input function does not respect comments and provide an undo action.

How to reproduce?

/** this comment will disappear */
export function handler() {}

Hit add input and your comment go bye bye. You cannot undo this.

What's the expected behavior?
Inputs should be added, comments left in tact. Should be undo-able.

What's your request?
A simpler version of Postman that lets you send server-side HTTP requests

Basic requirements:

• Ability to choose HTTP method
• Ability to set the URL
• Ability to set Headers (maybe as JSON?)
• Render HTML responses
• Show headers and any other useful information from the response
• Bonus: Accept cURL commands

What's the benefit of this feature or enhancement?
Shows how you can build useful interactive applets using Zipper. Highlights value of run pages for sharing output.

Is this recommended by a user or by Zipper team?
Zipper

Vulnerability details

URL

https://zipper.dev/

Description

The vulnerability, "Insufficient Token Invalidation" enables attackers to exploit the application's token-generation system. When a user requests a new token, the system generates a fresh token without rendering the previous one invalid. This oversight permits an attacker to gain unauthorized access to a user's account by simply using an old token, even if the user has generated a new token since. The absence of token expiration or one-time use constraints exacerbates the issue.

References

• OWASP's Session Management Cheat Sheet

Suggested fix

• Implement a token expiration mechanism that renders previously generated tokens invalid upon the creation of a new one and also make used token invalid. This prevents token reuse and enhances overall security.

#PT19512_7

--

Powered by Cobalt

Screenshots and/or Video
https://github.com/Zipper-Inc/zipper-functions/assets/2533750/646eaa0d-3814-4764-91db-9c4d72db09c8

What's the bug?
Being shown the "You're In" page even though I've been a user for a week and then when I click on Launch Zipper, nothing happens.

How to reproduce?
Using a zipper.works email address through Google, log into account.
When on the You're In page, click on Launch Zipper.

What's the expected behavior?
Being taken directly to Dashboard upon logging in and not seeing the You're In page.

What else?
Browser: Arc

Explain how it works and how to use it

What's the bug?
We should support string unions (as Type literals) without having to make it a type.

How to reproduce?

export const handler = ({ textOption } : { 
  textOption: 'optionOne' | 'optionTwo' 
}) => {
  /// whatever
}

That will not work unless you make a type Options = 'optionOne' | 'optionTwo'

What's the expected behavior?
The above handler should work the same as if you used the Options type

What's your request?
Add Display Name field in profile settings. Use this field for their gallery page name and the name after the "by" field on the applet Learn More/SEO page.

What's the benefit of this feature or enhancement?
User gets to decide which name to display, so we don't accidentally display their full name if they do not want us to.

Is this recommended by a user or by Zipper team?
Zipper

What else?
Nada.

Vulnerability details

URL

https://zipper.dev/api/live/auth,https://api.liveblocks.io/v6/?token=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE2OTYzMjQyMzIsImV4cCI6MTY5NjMyNzgzMiwiayI6InNlYy1sZWdhY3kiLCJyb29tSWQiOiJBdnVld3N5bWV4Rmh1TjVYSFZHUnciLCJhcHBJZCI6IjYzNzU1ZTBhYTE4NzAxMDAwZjRjMmUzNCIsImFjdG9yIjoxMSwic2NvcGVzIjpbInJvb206d3JpdGUiXSwiaWQiOiI2ODI1NzU0MS1jOTU3LTQ3YzgtOWFlNi04ZTVjYmQ0MTExNjciLCJtYXhDb25uZWN0aW9uc1BlclJvb20iOjUwfQ.preYfoDEFMDrdMRJzIUssVwUC_8qqfeLCJGf5PWFoo1OkwVNQufMvc1kz3w_e1ujDWgBbzUBvMYYYweEZp6POST7eaWWag0yH-bdaMDDZbp19nEv4zQWAcRnw7ifBRAW8S6WZ9w6ORINCOnIRJCdssEnbTwp_p5Sb9dUUyWMmGvCfGE5twAQDLdjIhtSlq1i8WYQHBSJEAzfPz3FmxrbhUeR14wengr7SITLM09sQpn1D09VK0lF5jQEMVgO_y5DAHh27IC40A3Leamb5BQTdf7PsjDrcWI2tR4G5h39G3LhetExYlQAcNaZJRPKIwCMuUiikBHEaym7Fok4_g551Q&version=1.0.0

Description

Access Controls help an application determine which users should have access to which resources based on user roles, responsibilities, or other relevant criteria. For example, an application dealing with Personally Identifiable Information (PII) should allow only authorized users to view or edit stored PII, and deny access to users who do not need to access it.

Access Controls are “Broken” when a user can access resources they are not authorized to access. An attacker can bypass any access control mechanisms in a web application, and gain unauthorized access to resources that are not available with their permissions.

Broken access control can allow attackers to:

• Access resources only accessible to certain users, thus allowing unauthorized access to data
• Perform operations on behalf of other users, leading to account takeovers in the worst cases
• Attempt privilege escalation
• Attempt to take over an account

The application uses websocket connection to gather some data of an applet. First, it creates session with /api/live/authAPI request. The request requires root parameter and it is automatically filled by selected applet name and username. ayuksel/echoing-greasy-jewellery} is a valid room name for ayuksel user and echoing-greasy-jewellery applet. The response includes a JWT token that is used at https://api.liveblocks.io/v6/ URL and it switches protocol to websocket. Then, the user will get some details including source code javascript/typescript files.
An attacker can change room parameter to any value and will gather source code of any applet. The attacker will need valid username and applet name to extract the data.

References

• OWASP C7: Enforce Access Controls

• OWASP's Authorization Cheat Sheet

• CWE-284

Suggested fix

• Check access. Each use of a direct object reference from an untrusted source must include an access control check to ensure the user is authorized for the requested object.
• Use per user or session indirect object references. This prevents attackers from directly targeting unauthorized resources. For example, instead of using the resource's database key, a drop-down list of six resources authorized for the current user could use the numbers 1 to 6 to indicate which value the user selected. The application has to map the per-user indirect reference back to the actual database key on the server. OWASP's ESAPI includes both sequential and random access reference maps that developers can use to eliminate direct object references.

#PT19512_12

--

Powered by Cobalt

Vulnerability details

URL

https://zipper.dev/api/trpc/app.add?batch=1

Description

Access Controls help an application determine which users should have access to which resources based on user roles, responsibilities, or other relevant criteria. For example, an application dealing with Personally Identifiable Information (PII) should allow only authorized users to view or edit stored PII, and deny access to users who do not need to access it. Access Controls are “Broken” when a user can access resources they are not authorized to access. An attacker can bypass any access control mechanisms in a web application, and gain unauthorized access to resources that are not available with their permissions.

Broken access control can allow attackers to:

• Access resources only accessible to certain users, thus allowing unauthorized access to data
• Perform operations on behalf of other users, leading to account takeovers in the worst cases
• Attempt privilege escalation
• Attempt to take over an account

References

• OWASP C7: Enforce Access Controls

• OWASP's Authorization Cheat Sheet

• CWE-284

Suggested fix

To mitigate the vulnerability the following remediation steps can be taken:

• Enforce strict access controls and segregation of tenant resources, ensuring that each tenant has its isolated environment.
• Implement role-based access controls (RBAC) to limit access to create applet function and ensure that only authorized individuals can view or modify them.
• Regularly review and update access control policies to reflect changes in user roles, responsibilities, and organizational structure.

#PT19512_6

--

Powered by Cobalt

Vulnerability details

URL

https://zipper.dev,https://*.zipper.run/**/*

Description

The HTTP protocol implements headers as a part of requests and responses, and these headers communicate with web browsers about allowed scripts, secure or insecure cookie transmission, cache control, content security policies, and other aspects.

Some HTTP response headers help web applications to increase their security and can protect modern browsers from easily preventable vulnerabilities. Some of the recommended security-related HTTP response headers are:
· HTTP Strict-Transport-Security (HSTS): Requires web servers to assert that web browsers should only interact with it using secure HTTPS connections, and never via the insecure HTTP protocol.
· X-Frame-Options: Assists in protecting the web applications against Clickjacking attacks. It informs the web browsers about whether the content can be displayed within HTML frames, such as the iframes.
· Content-Security-Policy (CSP): Provides protection against attacks, such as Cross-Site Scripting (XSS), by defining if scripts or frames are allowed. CSP should be carefully and securely implemented.
· Referrer-Policy: Determines whether the referrer information or value sent in the Referer request header must be forwarded or not. It also determines whether the header needs to be omitted completely.
· Cache-Control: Instructs browsers on whether responses should be stored or not. The Cache-Control header is found in both HTTP requests and responses.

References

• OWASP's Secure Headers Project

Suggested fix

1. Implement the recommended HTTP security response headers based on need and application requirements. Set attributes and values as securely as possible based on application requirements.

•  HTTP `Strict-Transport-Security` uses two attributes:
  

‘max-age=’ and ‘includeSubDomains’.

•  `X-Frame-Options` header takes three values:
  

  • Deny: no rendering of application in frames).
  • Allow-from: rendering allowed from specified domains).
  • same-origin: rendering allowed from same domain).

• `Content-Security-Policy` (CSP) takes multiple values, including the following: 
  

  • Script-src: Defines scripts which can be executed.
  • Img-src: efines which images can be loaded.
  • Child-src: efines which frames can be embedded into the application.
  • Base-uri: efines the base URI for relative URLs.

• A `Referrer-Policy` header takes the following values:
  

  • no-referrer: Used for omitting the header.
  • Same-origin: Header will be sent for same origin or domain requests but not for cross origin requests.
  • Origin: Only send the origin part of the URL.

• `Cache-control` header takes the following values:
  

  • No-store: Response must not be stored in any cache.
  • No-transform: Rhe response body cannot be edited.
  • Private: Response can be stored only in the web browser cache.

#PT19512_1

--

Powered by Cobalt

What's your request?
There are a bunch of things we do with Zipper storage that can be moved into some basic utility methods - CRUD on a specific record, findMany methods, etc.

What's the benefit of this feature or enhancement?
It becomes easier to work with Zipper storage

Is this recommended by a user or by Zipper team?
Zipper

Things to keep in mind
Is this worth doing if we're moving to Deno KV at some point?

Vulnerability details

URL

https://zipper.dev/api/trpc/schedule.all?batch=1&input=%7B%220%22%3A%7B%22json%22%3A%7B%22appId%22%3A%22<APP_ID>%22%7D%7D%7D,https://zipper.dev/api/trpc/schedule.all?batch=1&input=%7B%220%22%3A%7B%22json%22%3A%7B%22appId%22%3A%2279f78f19-c8e5-455a-a7bb-996abcd13773%22%7D%7D%7D

Description

Access Controls help an application determine which users should have access to which resources based on user roles, responsibilities, or other relevant criteria. For example, an application dealing with Personally Identifiable Information (PII) should allow only authorized users to view or edit stored PII, and deny access to users who do not need to access it. Access Controls are “Broken” when a user can access resources they are not authorized to access. An attacker can bypass any access control mechanisms in a web application, and gain unauthorized access to resources that are not available with their permissions.

Broken access control can allow attackers to:

• Access resources only accessible to certain users, thus allowing unauthorized access to data
• Perform operations on behalf of other users, leading to account takeovers in the worst cases
• Attempt privilege escalation
• Attempt to take over an account

References

• OWASP C7: Enforce Access Controls

• OWASP's Authorization Cheat Sheet

• CWE-284

Suggested fix

To mitigate the vulnerability the following remediation steps can be taken:

1. Enforce strict access controls and segregation of user resources, ensuring that each user has its isolated environment.
2. Implement role-based access controls (RBAC) to limit access to resources belonging to other users and ensure that only authorized individuals can view them.
3. Regularly review and update access control policies to reflect changes in user roles, responsibilities, and organizational structure.

#PT19512_8

--

Powered by Cobalt

What's your request?
Figure out who's on call by looking at a Google Calendar (discuss details in standup). Send a page to them using Twilio.

Applet should have a way to list who's on call now and who's up next.

What's the benefit of this feature or enhancement?

Reason to build out a Twilio integration

Is this recommended by a user or by Zipper team?

Zipper

What else?
Needs more product thought

SR: I need someone with more experience to flesh this out

Vulnerability details

URL

https://zipper.dev/dashboard,https://uploadthing-prod.s3.us-west-2.amazonaws.com/

Description

Some applications allow users to upload files to interact with certain features or functionalities. However, file upload functions that allow users to upload files with certain extensions, such as ‘.exe’, ‘.html’, or ‘.php’, may be insecure. An attacker could upload files with these file extensions and attempt to execute them on the web server, or otherwise cause harm to the application, server, or users. Insecure file upload functions can be an entry point for attackers to transfer malicious content to the application. The damage to the application, server, or the users depends on the type of file that is uploaded. If an application exposes user-uploaded files and allows other users to download them, the damage could be more significant. If large or unlimited files are allowed to be uploaded, it could also consume application resources and cause a Denial-of-Service (DoS).

References

• OWASP's Page on Unrestricted File Upload
• CWE's Definition of Unrestricted File Uploads

Suggested fix

To mitigate this vulnerability, the following measures should be implemented:

• Implement a robust antivirus scanning mechanism to analyze all uploaded files for potential malware or malicious content. Use commercial or reputable antivirus solutions that regularly update their signature databases to detect and mitigate known threats.
• Implement strict validation to ensure that only authorized file types are allowed for upload. Block potentially dangerous file types, such as executables or scripts, that can pose a higher risk of containing malicious code.
• Enforce reasonable size limitations on uploaded files and implement content restrictions to prevent the upload of files that may contain sensitive or harmful content.
• Apply strict validation and sanitization mechanisms to user-supplied file names, ensuring they conform to expected formats and do not contain any malicious elements or path traversal characters.
• Store uploaded files in a separate, secure location with restricted access permissions. Implement strong access controls and regularly monitor the uploaded files for any signs of suspicious activity.

#PT19512_11

--

Powered by Cobalt

What's your request?
Add an easy way to connect to a MySQL database either using the app config or by importing an applet.
Ideally provides a safe way to write and execute SQL queries.
An ORM is a bonus

What's the benefit of this feature or enhancement?
Developers can connect to existing datasource to build dashboards or run cron jobs

Is this recommended by a user or by Zipper team?
Zipper

Should have the same functionality as the Slack Connector

Vulnerability details

URL

https://.zipper.run/**/

Description

Cookies can be configured with multiple options to improve their security. Cobalt recommends setting the HttpOnly and Secure attributes for application cookies. A remote attacker could leverage cookies without these attributes to disclose sensitive information on vulnerable systems.

• The HttpOnly option prevents JavaScript code from accessing the cookie. This can provide some protection from cookie theft if an attacker successfully exploits a Cross-Site Scripting (XSS) vulnerability.
• The Secure cookie flag is an option that can be used to prevent the browser from sending the cookie over a plaintext connection. This can prevent an attacker from attempting session hijacking through Man-in-the-Middle (MitM) attacks.
• The SameSite flag instructs browsers whether to send the cookie with cross-site requests.

References

• CWE-1004
• CWE-614
• OWASP's Page on the HTTPOnly Flag
• OWASP's Page on the Secure Flag
• Mozilla: Set-Cookie

Suggested fix

• Set the HttpOnly & Secure options on any session cookies used by the application.
• Use the SameSite cookie attribute to mitigate the risk of cross-origin information leakage and help provide protection against Cross-Site Request Forgery (CSRF) attacks.

#PT19512_3

--

Powered by Cobalt

• @sachinr - Send emails from Slack #602
• @sachinr - spec Connectors v2
• @sachinr - Get Facet.ai onboarded
• @sachinr - Clerk adwords
• @imadha - twind & react stacks #549 #551
• @imadha - framework v2 prototype (Hono swap-in)
• @imadha / @miguel-nascimento - run page perf (50% faster) #605
• @arielconti10 / @antoniel - DB connectors #555 #553 #554 - #616
• @arielconti10 - Raycast blog post
• @arielconti10 - Fix uploadthing bugs
• @arielconti10 - profile page updates
• @MatheusLittig - Notion connector #266
• @MatheusLittig - Discord connector #566
• @MatheusLittig - MDX #550
• @MatheusLittig - June blog post #569
• @MatheusLittig - Gallery in the Dashboard
• @MatheusLittig - Better meta tags
• @antoniel - Postbin blog posts
• @antoniel - Fix request object in Context
  #612 feat(relay): adds body and queryParams to context.originalRequest
• @miguel-nascimento - ts/tsx support
• @miguel-nascimento - finish up LLM utils #557

What's your request?
An applet that lets you receive and inspect webhooks

Basic functionality:

• User can generate a postbin - /main.ts
• User can receive requests - /bin/raw?id=1234
• User can inspect requests - /bin?id=1234
• User can see list of their bins if they're signed in - /bin

What's the benefit of this feature or enhancement?
Relatively simple app that shows the usefulness of Zipper for working with event based systems

Is this recommended by a user or by Zipper team?
Zipper

Things to consider
This applet is only useful if it refreshes itself somehow. How would we do that?

What's your request?
Something is wrong with getServerSideProps let's figure out what it is

What's the benefit of this feature or enhancement?
Performance

Is this recommended by a user or by Zipper team?
Yes

What else?
https://zipper-inc.slack.com/archives/C01CTJVM51V/p1699656708425379

Vulnerability details

URL

https://zipper.dev

Description

DMARC, which stands for “Domain-based Message Authentication, Reporting & Conformance”, is an email authentication, policy, and reporting protocol. It builds on the widely deployed SPF and DKIM protocols, adding linkage to the author (“From:”) domain name, published policies for recipient handling of authentication failures, and reporting from receivers to senders, to improve and monitor protection of the domain from fraudulent email.

The domain zipper.dev does not currently have a DMARC record configured. This leaves the organization susceptible to email spoofing, where malicious actors can send emails that appear to be originating from the organization's domain. Without a DMARC record, there is no way to enforce email authentication and protect against these impersonation attempts. Even if a DMARC record were to be implemented, the lack of a Quarantine or Reject policy allows potentially malicious emails to be delivered to recipients' inboxes. A properly configured DMARC policy with a Quarantine or Reject action would help prevent unauthorized emails from reaching the recipients, thereby reducing the risk of successful phishing attacks and malware distribution.

https://dmarc.org/

Suggested fix

To address the identified vulnerability, the following recommendations are provided:

• Create and publish a DMARC record for the domain zipper.dev with a p=none policy initially. This policy will allow monitoring and reporting of email authentication results without impacting email delivery.
• After monitoring the DMARC reports and ensuring legitimate email sources are properly authenticated, gradually transition the DMARC policy to p=quarantine or p=reject to prevent unauthorized emails from reaching recipients.
• Regularly review DMARC reports to identify sources of unauthorized email and take appropriate actions to address them.
• Implement SPF and DKIM to enhance email authentication and reduce the likelihood of successful spoofing attacks.

#PT19512_10

--

Powered by Cobalt

What's your request?
Make it easy to use a tool like Merge API so that you can connect Zipper to any of the tools that they support

What's the benefit of this feature or enhancement?
Many integrations with one integration

Is this recommended by a user or by Zipper team?
Zipper

What else?
Needs more research

Screenshots and/or Video
If applicable, add screenshots and/or video to help explain your problem.

What's the bug?
A clear and concise description of the bug.

How to reproduce?
Try to rename a file. Add the TS extension. It's added twice.

What's the expected behavior?
We should allow users to use whatever extension they like (we just won't do fancy stuff with it?). Put generic file icons for extensions we don't know about.

In the right sidebar where we show stuff about the file/handler, we should tell them we do not recognize this filetype. Would be nice to have a feedback button that says "please support this" easy way to find out what kinda other shit ppl are putting in thee.

What's the bug?
The date picker in browsers are often not great experiences. Let's find one that works.
Also, sometimes (I think on zipper.run and not .dev?) the date shows up in a handler as a string and not a parsed Date object

What's the expected behavior?
Date picker should work, and should show up as a Date all the time

What's your request?
Provide a Stack for building React based UIs

What's the benefit of this feature or enhancement?
Opens up the ability to build more complex UIs using Zipper

Is this recommended by a user or by Zipper team?
Zipper

Vulnerability details

URL

https://zipper.dev/api/trpc/secret.all?batch=1&input={%220%22:{%22json%22:{%22appId%22:%22<APP_ID>%22}}},https://zipper.dev/api/trpc/secret.all?batch=1&input={%220%22:{%22json%22:{%22appId%22:%2279f78f19-c8e5-455a-a7bb-996abcd13773%22}}}

Description

Access Controls help an application determine which users should have access to which resources based on user roles, responsibilities, or other relevant criteria. For example, an application dealing with Personally Identifiable Information (PII) should allow only authorized users to view or edit stored PII, and deny access to users who do not need to access it. Access Controls are “Broken” when a user can access resources they are not authorized to access. An attacker can bypass any access control mechanisms in a web application, and gain unauthorized access to resources that are not available with their permissions.

Broken access control can allow attackers to:

• Access resources only accessible to certain users, thus allowing unauthorized access to data
• Perform operations on behalf of other users, leading to account takeovers in the worst cases
• Attempt privilege escalation
• Attempt to take over an account

References

• OWASP C7: Enforce Access Controls

• OWASP's Authorization Cheat Sheet

• CWE-284

Suggested fix

To mitigate the vulnerability the following remediation steps can be taken:

1. Enforce strict access controls and segregation of user resources, ensuring that each user has its isolated environment.
2. Implement role-based access controls (RBAC) to limit access to resources belonging to other users and ensure that only authorized individuals can view them.
3. Regularly review and update access control policies to reflect changes in user roles, responsibilities, and organizational structure.

#PT19512_5

--

Powered by Cobalt

Vulnerability details

URL

https://*.zipper.run/run/main.ts?worldString=

Description

A web application may require fields for user input in its regular operation. If the application does not validate this user input, an attacker could use it to inject a malicious payload that the server processes. Cross-Site Scripting (XSS) is an injection vulnerability where an attacker provides malicious JavaScript into the web application. XSS attacks occur when an attacker sends malicious code to victim users, such as through phishing or other social engineering attacks. Using XSS, an attacker could bypass authentication mechanisms, steal session information, and perform session-related attacks like session hijacking and session fixation, and even cause malicious code execution. XSS often leverages weaknesses in a web browser, in which the browser does not know whether the malicious JavaScript or payload can be trusted.

There are multiple types of XSS vulnerabilities:

• Stored or Persistent or Type 1: Stored XSS occurs when an attacker can store the XSS payload in the web server or database and the exploitation affects not one but many users of the application.
• Reflected or Type 2: In Reflected XSS, the application reflects or executes the payload immediately after the user submits it. In certain cases, a Reflected XSS payload may not even leave the browser.
• Self XSS: A Self XSS attack occurs when a user enters a crafted XSS link into their browser, and that link includes an XSS payload that the user’s browser executes. The link could come from an attacker during a phishing or similar attack. Unlike Stored or Reflected XSS, Self XSS payloads come from user input, rather than being stored on or reflected from the server.
• Document Object Model (DOM) XSS or Type 0: DOM-based XSS is an advanced type of XSS attack that affects the DOM environment. In a DOM-based XSS attack, the attacker can place a payload execution in the DOM environment or the browser itself. When an application writes the user-supplied input to the DOM environment, it then reads or processes the payload from there and executes it in the browser.

References

OWASP on XSS Attacks
OWASP on Types of XSS
Portswigger on XSS
OWASP XSS Prevention Cheat Sheet

Suggested fix

• Require strong input validation. Do not accept untrusted input or HTML content in your application unless required. If needed, perform HTML encoding.
• Always perform output encoding. Do not render or process input as it is. Perform encoding, escaping, or any technique to break the structure of a malicious payload so it is not rendered.
• Use libraries and software components, such as the OWASP ESAPI, which provide reusable software components for input validation, escaping, and more.
• Turn off support for HTTP TRACE on all web servers.
  Set cookies with the HttpOnly flag.
• Use updated JavaScript and Bootstrap libraries.
• Use a securely configured Content-Security-Policy (CSP) HTTP header.

#PT19512_4

--

Powered by Cobalt

What's your request?
Add a stack for building UIs using MDX

What's the benefit of this feature or enhancement?
Developers can build more complex UIs using Zipper

Is this recommended by a user or by Zipper team?
Zipper

What's your request?
Build a triage bot for Discord:

• https://slack.com/blog/productivity/assign-and-complete-how-to-run-a-triage-channel
• https://github.com/slackapi/template-triage-bot

What's the benefit of this feature or enhancement?
Reason to build out a Discord integration

Is this recommended by a user or by Zipper team?
Zipper

Can be short but should explain how we built it and how to extend it further

What's your request?

Build an applet that provides the core parts of lodash and can be easily imported into any Zipper applet

What's the benefit of this feature or enhancement?

Provides core utilities and shows off the power of importing applets

Is this recommended by a user or by Zipper team?

Zipper

Vulnerability details

URL

https://zipper.dev/api/trpc/app.edit?batch=1

Description

A Server-Side Request Forgery (SSRF) attack occurs when an attacker can cause a vulnerable server-side application to make HTTP requests to any arbitrary domain. The attack is called “Request forgery”, because a successful SSRF attack leads to unauthorized or unintended actions on the part of the target application server.

SSRF attacks exploit applications that use URL fetching without validating the URL supplied by a user, and cause the server to make a connection to an organization’s internal services or force the server to connect to an attacker-controlled external system to perform port scanning, or enumerate services.

Blind SSRF attacks occur when the vulnerable server does not return responses or indicate how the malicious request was received, and does not return an error. However, an attacker could exploit Blind SSRF vulnerabilities to attempt remote code execution.

An attacker can change value, that is used to import external scripts, to internal server address, and the application will send a request to that server. The attacker can also access localhost services, but the functionality doesn't allow to show HTML response. This can only be used for port scanning internal network and localhost.

References

• OWASP’s Definition of Server-Side Request Forgery
• OWASP’s Server-Side Request Forgery Cheat Sheet

Suggested fix

1. Whitelist the URLs or IP addresses that the application can access.
2. Disable HTTP redirection.
3. Sanitize responses and do not send raw responses on the client-side.
4. Enable authentication on Elasticsearch, Redis, and similar services.

#PT19512_9

--

Powered by Cobalt

What's your request?
Update text on blue banner to read:

Check out the applet preview below and explore the code to see how it works. When you’re ready, customize this applet in the Playground.

What's the benefit of this feature or enhancement?
More direct and clear instructions/overview; less redundant.

Is this recommended by a user or by Zipper team?
Zipper

What else?
Check out screenshot.

Vulnerability details

URL

https://zipper.dev/,https://*.zipper.run/**/*

Description

When a web application does not invalidate the authentication token upon logout, the session token remains valid until it expires. In some web applications, old security tokens can be reused after a user has logged out. An attacker with access to the user’s computer could steal their security token and use it to interact with the server as that user. The attacker would then have full access to the user's account and any actions they would be able to perform. Depending on how the application is designed, an attacker's security token could remain valid even if the user logged back out of their account after noticing suspicious activity.

References

• OWASP's Session Management Cheat Sheet

Suggested fix

• Invalidate the session on the server-side when the user logs out of their session.
• Ensure that security tokens expire when a user logs out. Generate new tokens each time a user logs into an account. This ensures previous security tokens cannot be reused in requests that the application accepts.

#PT19512_2

--

Powered by Cobalt

What's your request?
Add an easy way to connect to a pg database either using the app config or by importing an applet.
Ideally provides a safe way to write and execute SQL queries.
An ORM is a bonus

What's the benefit of this feature or enhancement?
Developers can connect to existing datasource to build dashboards or run cron jobs

Is this recommended by a user or by Zipper team?
Zipper

What's your request?
Add an easy way to connect to a Mongo database either using the app config or by importing an applet.
Ideally provides a safe way to write and execute SQL queries.
An ORM is a bonus

What's the benefit of this feature or enhancement?
Developers can connect to existing datasource to build dashboards or run cron jobs

Is this recommended by a user or by Zipper team?
Zipper

What's your request?
Add a stack for building UIs using Tailwind

What's the benefit of this feature or enhancement?
Developers can build more complex UIs using Zipper

Is this recommended by a user or by Zipper team?
Zipper

What's your request?
A system of record keeping that captures:

1. when and how each user accepted the privacy policy and terms of use, including a date/time stamp and record of method (web vs. mobile etc.), and
2. of the signup process and terms in place at any given date and time.

What's the benefit of this feature or enhancement?
Documentation of enforcement as recommended by legal counsel

Is this recommended by a user or by Zipper team?
Zipper legal counsel

What else?
Related to #1 above: I believe we need to talk through this because capturing user signup with date/time of signup and method may qualify as keeping a record of terms acceptance since users cannot signup without accepting the terms.

Related to #2 above: record keeping for "signup process with terms in place at any given time" can be captured on Notion in a Company Policies section.

Tried updating my username in the user settings, got a prisma error

Slack Message

What's your request?
It's really confusing what's what in terms of whether you can read code or whether you can run code

Private (code is not public) Closed-source or Private code
Public (code is pubic) Open Source

Open source should also be the default?

Change the icons too

What's the benefit of this feature or enhancement?
Make it clear

Is this recommended by a user or by Zipper team?
If Ibu and Sachin get tripped up by this then everyone will

Screenshots and/or Video
If applicable, add screenshots and/or video to help explain your problem.

What's the bug?
Stacks and paragraphs don't behave nicely - p has more spacing then stack which feels wrong.
Too much padding in JSON tables.
Markdown just has weird spacing all around.

What's the bug?
Empty string form values (which should probably be null) are passed to functions which makes doing basic JavaScript stuff like this impossible.

export function handler({ value = 'my default' } : { value: string}) {
   // value will be '' when it should really be `my default`
   return value;
}

How to reproduce?
Steps to reproduce the behavior:

1. On '...' page, click on '...'
2. Scroll down to '....'
3. See error

What's the expected behavior?
Better way: We need to handle optional inputs a little better. Adding a default parameter value should consider it optional and fill in the default as placeholder. Other optionals should have the default undefined.

Easiest way: Turn any '' submissions into undefined so that the handler does the right thing. This means using a form to submit an empty string probably won't work but that's less likely than empty form meaning undefined

Vulnerability details

URL

https://.zipper.run/**/

Description

Cookies can be configured with multiple options to improve their security. Cobalt recommends setting the HttpOnly and Secure attributes for application cookies. A remote attacker could leverage cookies without these attributes to disclose sensitive information on vulnerable systems.

• The HttpOnly option prevents JavaScript code from accessing the cookie. This can provide some protection from cookie theft if an attacker successfully exploits a Cross-Site Scripting (XSS) vulnerability.
• The Secure cookie flag is an option that can be used to prevent the browser from sending the cookie over a plaintext connection. This can prevent an attacker from attempting session hijacking through Man-in-the-Middle (MitM) attacks.
• The SameSite flag instructs browsers whether to send the cookie with cross-site requests.

References

• CWE-1004
• CWE-614
• OWASP's Page on the HTTPOnly Flag
• OWASP's Page on the Secure Flag
• Mozilla: Set-Cookie

Suggested fix

• Set the HttpOnly & Secure options on any session cookies used by the application.
• Use the SameSite cookie attribute to mitigate the risk of cross-origin information leakage and help provide protection against Cross-Site Request Forgery (CSRF) attacks.

#PT19512_3

--

Powered by Cobalt