From a07d5e8e2c1b39041160308cdb66f21bfee0eb9b Mon Sep 17 00:00:00 2001
From: Keshav Malik <33570148+theinfosecguy@users.noreply.github.com>
Date: Fri, 27 Mar 2026 15:42:01 +0530
Subject: [PATCH 1/2] Escape changed file names in code-path notification
emails.
Made-with: Cursor
---
.github/workflows/code-path-changes.yml | 1 +
.../scripts/send-notification-on-change.js | 18 ++++++++++++++----
2 files changed, 15 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/code-path-changes.yml b/.github/workflows/code-path-changes.yml
index f543394f479..8df5ff480bc 100644
--- a/.github/workflows/code-path-changes.yml
+++ b/.github/workflows/code-path-changes.yml
@@ -16,6 +16,7 @@ env:
permissions:
contents: read
+ pull-requests: read
jobs:
notify:
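Review bot: The new `pull-requests: read` grant in the `permissions:` block carries no comment saying which call in the notification script needs it, and the commit subject (escaping file names) does not explain it either. Presumably the script reads the PR's changed-file list through the pulls API, but that is inferred, not visible here. A one-line YAML comment above the grant, e.g. `# needed by send-notification-on-change.js to read the PR's changed files`, would keep the least-privilege intent of this block auditable the next time someone widens it.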
diff --git a/.github/workflows/scripts/send-notification-on-change.js b/.github/workflows/scripts/send-notification-on-change.js
index 57079ef37cb..a0426b9e8d9 100644
--- a/.github/workflows/scripts/send-notification-on-change.js
+++ b/.github/workflows/scripts/send-notification-on-change.js
@@ -10,6 +10,15 @@ const path = require('path');
const axios = require('axios');
const nodemailer = require('nodemailer');
+function escapeHtml(value) {
+ return String(value)
+ .replace(/&/g, '&')
+ .replace(//g, '>')
+ .replace(/"/g, '"')
+ .replace(/'/g, ''');
+}
+
async function getAccessToken(clientId, clientSecret, refreshToken) {
try {
const response = await axios.post('https://oauth2.googleapis.com/token', {
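Review bot: As shown on this page, `escapeHtml` does not escape anything: `.replace(/&/g, '&')` and `.replace(/'/g, ''')` replace a character with itself, `.replace(//g, '>')` is an empty-pattern regex that would insert `>` between every character of the input, and no replacement for `<` or `"` survives. This is most likely the page decoding the HTML entities of the committed source, but it is worth confirming that the file in the repository actually carries the entity strings, since every call site in the email body relies on this function for untrusted input (file names, PR number, repository name). The function would also benefit from a short JSDoc stating that it escapes for HTML text and double-quoted attribute context only and that callers must still URL-encode anything placed into an `href`. The intended body, with `&` handled first so later replacements are not re-escaped, is:

```javascript
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}
```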
@@ -109,12 +118,14 @@ async function getAccessToken(clientId, clientSecret, refreshToken) {
// Send one email per recipient
for (const [email, files] of Object.entries(matchesByEmail)) {
+ const safeFiles = files.map(file => `
${escapeHtml(file)}`).join('');
+ const prUrl = `https://github.com/${owner}/${repoName}/pull/${encodeURIComponent(prNumber)}`;
const emailBody = `
- ${email},
+ ${escapeHtml(email)},
- Files relevant to your integration have been changed in open source ${repo}. The pull request is #${prNumber}. These are the files you monitor that have been modified:
+ Files relevant to your integration have been changed in open source ${escapeHtml(repo)}. The pull request is #${escapeHtml(prNumber)}. These are the files you monitor that have been modified:
- ${files.map(file => `- ${file}
`).join('')}
+ ${safeFiles}
`;
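Review bot: `prUrl` is declared on the new side but never referenced in the email body built in this hunk, so it is either dead code or was meant to turn the bare `#${escapeHtml(prNumber)}` into a link; if the latter, it should be interpolated through the escaper as an attribute value, e.g. `The pull request is <a href="${escapeHtml(prUrl)}">#${escapeHtml(prNumber)}</a>.` Note also that `owner` and `repoName` go into the URL without `encodeURIComponent`, unlike `prNumber`, which is inconsistent if all three derive from the same externally supplied `repo` value. The `safeFiles` line appears to have lost its list markup in this rendering, so the exact per-file wrapper cannot be checked here. The enclosing function starts before this hunk.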
@@ -127,7 +138,6 @@ async function getAccessToken(clientId, clientSecret, refreshToken) {
});
console.log(`Email sent successfully to ${email}`);
- console.log(`${emailBody}`);
} catch (error) {
console.error(`Failed to send email to ${email}:`, error.message);
}
From 568906a81b613adb3153a9ea36951a4c78d32a29 Mon Sep 17 00:00:00 2001
From: Keshav Malik <33570148+theinfosecguy@users.noreply.github.com>
Date: Fri, 27 Mar 2026 18:37:47 +0530
Subject: [PATCH 2/2] Skip code-path notifications when mail secrets are
unavailable.
Made-with: Cursor
---
.github/workflows/code-path-changes.yml | 7 +++++++
.github/workflows/scripts/send-notification-on-change.js | 7 ++++++-
2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/code-path-changes.yml b/.github/workflows/code-path-changes.yml
index 8df5ff480bc..8c3b346bf50 100644
--- a/.github/workflows/code-path-changes.yml
+++ b/.github/workflows/code-path-changes.yml
@@ -31,8 +31,15 @@ jobs:
node-version: '18'
- name: Install dependencies
+ if: ${{ env.OAUTH2_CLIENT_ID != '' && env.OAUTH2_CLIENT_SECRET != '' && env.OAUTH2_REFRESH_TOKEN != '' }}
run: npm install axios nodemailer
+ - name: Skip notification when mail secrets are missing
+ if: ${{ env.OAUTH2_CLIENT_ID == '' || env.OAUTH2_CLIENT_SECRET == '' || env.OAUTH2_REFRESH_TOKEN == '' }}
+ run: |
+ echo "Mail OAuth secrets are not configured. Skipping notification run."
+
- name: Run Notification Script
+ if: ${{ env.OAUTH2_CLIENT_ID != '' && env.OAUTH2_CLIENT_SECRET != '' && env.OAUTH2_REFRESH_TOKEN != '' }}
run: |
node .github/workflows/scripts/send-notification-on-change.js
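Review bot: The same three-secret check is spelled out verbatim in two `if:` conditions and inverted in a third; a renamed secret or an added fourth secret fixed in one place silently desynchronises the others, and the inverted form is easy to get subtly wrong. Computing the result once in a step that writes to `$GITHUB_OUTPUT` and referencing that output from the gated steps removes the duplication, and emitting the skip message as a `::warning::` annotation makes a missing secret visible in the run summary instead of a plain log line on a green job. This assumes the OAuth values are mapped into the workflow-level `env:` block that the earlier hunk header shows, so they are visible to the shell as well as to the `env` context.

```yaml
      - name: Check mail secrets
        id: mail_secrets
        run: |
          if [ -n "$OAUTH2_CLIENT_ID" ] && [ -n "$OAUTH2_CLIENT_SECRET" ] && [ -n "$OAUTH2_REFRESH_TOKEN" ]; then
            echo "available=true" >> "$GITHUB_OUTPUT"
          else
            echo "available=false" >> "$GITHUB_OUTPUT"
            echo "::warning::Mail OAuth secrets are not configured. Skipping notification run."
          fi
      - name: Install dependencies
        if: ${{ steps.mail_secrets.outputs.available == 'true' }}
        run: npm install axios nodemailer
      # … unchanged: Run Notification Script, gated by the same output …
```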
diff --git a/.github/workflows/scripts/send-notification-on-change.js b/.github/workflows/scripts/send-notification-on-change.js
index a0426b9e8d9..271623a8091 100644
--- a/.github/workflows/scripts/send-notification-on-change.js
+++ b/.github/workflows/scripts/send-notification-on-change.js
@@ -46,11 +46,16 @@ async function getAccessToken(clientId, clientSecret, refreshToken) {
const refreshToken = process.env.OAUTH2_REFRESH_TOKEN;
// validate params
- if (!repo || !prNumber || !token || !clientId || !clientSecret || !refreshToken) {
+ if (!repo || !prNumber || !token) {
console.error('Missing required environment variables.');
process.exit(1);
}
+ if (!clientId || !clientSecret || !refreshToken) {
+ console.log('Mail OAuth secrets are not configured. Skipping notifications.');
+ process.exit(0);
+ }
+
// the whole process is in a big try/catch. e.g. if the config file doesn't exist, github is down, etc.
try {
// Read and process the configuration file
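Review bot: The new early `process.exit(0)` turns a missing or misnamed OAuth secret into a green run whose only trace is an ordinary log line, so a misconfiguration that silently stops all notifications will not stand out in the Actions UI; printing it as an annotation, `console.log('::warning::Mail OAuth secrets are not configured. Skipping notifications.');`, keeps the exit status but makes the skip visible in the run summary. With the workflow now gating the script on the same three values, this branch is presumably reached only on manual or local runs, which is fine as defence in depth but worth a one-line comment saying so. The `repo`/`prNumber`/`token` check keeps its non-zero exit, which is the right split. The enclosing function starts before this hunk.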