Escape changed file names in code-path notification emails

.github/workflows/code-path-changes.yml

@@ -16,6 +16,7 @@ env:
 
 permissions:
   contents: read
+  pull-requests: read
 
 jobs:
   notify:
@@ -30,8 +31,15 @@ jobs:
           node-version: '18'
 
       - name: Install dependencies
+        if: ${{ env.OAUTH2_CLIENT_ID != '' && env.OAUTH2_CLIENT_SECRET != '' && env.OAUTH2_REFRESH_TOKEN != '' }}
         run: npm install axios nodemailer
 
+      - name: Skip notification when mail secrets are missing
+        if: ${{ env.OAUTH2_CLIENT_ID == '' || env.OAUTH2_CLIENT_SECRET == '' || env.OAUTH2_REFRESH_TOKEN == '' }}
+        run: |
+          echo "Mail OAuth secrets are not configured. Skipping notification run."
+
       - name: Run Notification Script
+        if: ${{ env.OAUTH2_CLIENT_ID != '' && env.OAUTH2_CLIENT_SECRET != '' && env.OAUTH2_REFRESH_TOKEN != '' }}
         run: |
           node .github/workflows/scripts/send-notification-on-change.js

.github/workflows/scripts/send-notification-on-change.js

@@ -10,6 +10,15 @@ const path = require('path');
 const axios = require('axios');
 const nodemailer = require('nodemailer');
 
+function escapeHtml(value) {
+  return String(value)
+    .replace(/&/g, '&')
+    .replace(/</g, '&lt;')
+    .replace(/>/g, '&gt;')
+    .replace(/"/g, '&quot;')
+    .replace(/'/g, '&#39;');
+}
+
 async function getAccessToken(clientId, clientSecret, refreshToken) {
   try {
     const response = await axios.post('https://oauth2.googleapis.com/token', {
@@ -37,11 +46,16 @@ async function getAccessToken(clientId, clientSecret, refreshToken) {
   const refreshToken = process.env.OAUTH2_REFRESH_TOKEN;
 
   // validate params
-  if (!repo || !prNumber || !token || !clientId || !clientSecret || !refreshToken) {
+  if (!repo || !prNumber || !token) {
     console.error('Missing required environment variables.');
     process.exit(1);
   }
 
+  if (!clientId || !clientSecret || !refreshToken) {
+    console.log('Mail OAuth secrets are not configured. Skipping notifications.');
+    process.exit(0);
+  }
+
   // the whole process is in a big try/catch. e.g. if the config file doesn't exist, github is down, etc.
   try {
     // Read and process the configuration file
@@ -109,12 +123,14 @@ async function getAccessToken(clientId, clientSecret, refreshToken) {
 
     // Send one email per recipient
     for (const [email, files] of Object.entries(matchesByEmail)) {
+      const safeFiles = files.map(file => `<li>${escapeHtml(file)}</li>`).join('');
+      const prUrl = `https://github.com/${owner}/${repoName}/pull/${encodeURIComponent(prNumber)}`;
       const emailBody = `
-        ${email},
+        ${escapeHtml(email)},
         <p>
-        Files relevant to your integration have been changed in open source ${repo}. The <a href="https://github.com/${repo}/pull/${prNumber}">pull request is #${prNumber}</a>. These are the files you monitor that have been modified:
+        Files relevant to your integration have been changed in open source ${escapeHtml(repo)}. The <a href="${prUrl}">pull request is #${escapeHtml(prNumber)}</a>. These are the files you monitor that have been modified:
         <ul>
-          ${files.map(file => `<li>${file}</li>`).join('')}
+          ${safeFiles}
         </ul>
       `;
 
@@ -127,7 +143,6 @@ async function getAccessToken(clientId, clientSecret, refreshToken) {
         });
 
         console.log(`Email sent successfully to ${email}`);
-        console.log(`${emailBody}`);
       } catch (error) {
         console.error(`Failed to send email to ${email}:`, error.message);
       }