
SCAL-284773 Spotter config for tool response branding#423

Open
animesh935 wants to merge 4 commits into main from SCAL-284773

Conversation

@animesh935

No description provided.

@animesh935 animesh935 requested a review from a team as a code owner February 6, 2026 07:41
@mnk-blr

mnk-blr commented Feb 6, 2026

Snyk checks have passed. No issues have been found so far.

Scanner                Critical  High  Medium  Low  Total
Open Source Security   0         0     0       0    0 issues
Licenses               0         0     0       0    0 issues
Code Security          0         0     0       0    0 issues


@gemini-code-assist

Summary of Changes

Hello @animesh935, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request enhances the SpotterEmbed component by introducing new configuration options that provide greater control over the branding displayed within tool response cards. Developers can now choose to either hide the default branding or provide a custom label, allowing for a more tailored embedded experience.

Highlights

  • New Branding Configuration Options: Introduced two new optional properties, hideToolResponseCardBranding and toolResponseCardBrandingLabel, to the SpotterEmbedViewConfig interface, allowing for customization of branding on tool response cards.
  • Hide Tool Response Card Branding: Added the ability to hide the default ThoughtSpot logo and branding prefix on tool response cards by setting hideToolResponseCardBranding to true.
  • Custom Tool Response Card Branding Label: Provided the option to specify a custom label to replace the 'ThoughtSpot' prefix on tool response cards using toolResponseCardBrandingLabel.
  • URL Parameter Integration: Implemented logic to extract and pass these new branding configuration options as URL parameters (hideToolResponseCardBranding and toolResponseCardBrandingLabel) to the embedded ThoughtSpot instance.
  • Parameter Enum Updates: Added new enum members HideToolResponseCardBranding and ToolResponseCardBrandingLabel to the Param enum in src/types.ts to support the new URL parameters.
  • Unit Test Coverage: Added new unit tests in src/embed/conversation.spec.ts to verify that the SpotterEmbed correctly generates the iframe URL with the new branding parameters.


Changelog
  • src/embed/conversation.spec.ts
    • Added new test cases to validate the correct URL parameter generation for hideToolResponseCardBranding and toolResponseCardBrandingLabel.
  • src/embed/conversation.ts
    • Introduced hideToolResponseCardBranding?: boolean and toolResponseCardBrandingLabel?: string to SpotterEmbedViewConfig.
    • Implemented logic to read and pass these new configuration properties as URL query parameters.
  • src/types.ts
    • Added HideToolResponseCardBranding and ToolResponseCardBrandingLabel to the Param enum.

@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request introduces new configuration options, hideToolResponseCardBranding and toolResponseCardBrandingLabel, for Spotter embeds to allow for branding customization on tool response cards. However, a critical security concern has been identified: the toolResponseCardBrandingLabel is passed into a query string without proper URL encoding, which could lead to URL parameter injection if the input is untrusted. It is recommended to encode this label before adding it to the query parameters. Additionally, there is a suggestion to improve code consistency.

Comment on lines 433 to 435
    if (!isUndefined(toolResponseCardBrandingLabel)) {
        queryParams[Param.ToolResponseCardBrandingLabel] = toolResponseCardBrandingLabel;
    }


security-medium medium

The toolResponseCardBrandingLabel parameter is currently added to the queryParams object without URL encoding. This poses a security risk, as an attacker could inject arbitrary query parameters into the ThoughtSpot iframe URL (e.g., MyBrand&debug=true could inject debug=true). It is critical to URL-encode this value before it is added to the query parameters to prevent such injection attacks. The provided suggestion remediates this by using encodeURIComponent. Additionally, for consistency with the rest of the file, consider refactoring the parameter setting to use the setParamIfDefined helper function, ensuring the encoding is still applied.

Suggested change
if (!isUndefined(toolResponseCardBrandingLabel)) {
queryParams[Param.ToolResponseCardBrandingLabel] = toolResponseCardBrandingLabel;
}
if (!isUndefined(toolResponseCardBrandingLabel)) {
queryParams[Param.ToolResponseCardBrandingLabel] = encodeURIComponent(toolResponseCardBrandingLabel);
}
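Review bot: Whether wrapping the value in encodeURIComponent at this assignment is the right fix depends on how queryParams is later serialized into the iframe URL, which is outside this hunk. If that serializer already percent-encodes values (URLSearchParams or a helper that does the same), the suggested line double-encodes the label and the embedded app will render `MyBrand%26debug%3Dtrue` rather than the text the developer passed; if it does not encode, the raw assignment on the original lines is what lets `MyBrand&debug=true` split into a second `debug` parameter. Encode exactly once, at the point where the query string is built so every parameter gets the same treatment, and add a case to src/embed/conversation.spec.ts with a label containing `&` and `=` that asserts the exact URL either way. Routing this assignment through the setParamIfDefined helper mentioned in the comment would also keep it consistent with the neighbouring parameters.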

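The injection the review describes, worked through as an added example (this is not the visual-embed-sdk's own code): a naive serializer that joins values unencoded lets the label `MyBrand&debug=true` become a second query parameter, a serializer that percent-encodes each value once keeps it as one label, and encoding the value before a serializer that also encodes produces a double-encoded label. The function and constant names, and the use of `toolResponseCardBrandingLabel` as the literal query key, are assumptions.

```typescript
// Added example, not the SDK's code. Demonstrates why an unencoded branding
// label can inject query parameters, and what single vs. double encoding yields.
type QueryParams = Record<string, string>;

// Constructed query key; the real SDK takes it from its Param enum.
export const LABEL_KEY = "toolResponseCardBrandingLabel";

// Constructed untrusted label, taken from the review's own example.
export const HOSTILE_LABEL = "MyBrand&debug=true";

// Naive serializer: joins key=value pairs with no encoding (the pattern flagged in review).
export function buildQueryStringRaw(params: QueryParams): string {
  return Object.keys(params).map((k) => `${k}=${params[k]}`).join("&");
}

// Hardened serializer: percent-encodes each key and value exactly once.
export function buildQueryStringEncoded(params: QueryParams): string {
  return Object.keys(params)
    .map((k) => `${encodeURIComponent(k)}=${encodeURIComponent(params[k])}`)
    .join("&");
}

// Parses a query string the way the embedded application would see it
// (URLSearchParams percent-decodes each value once).
export function parseParams(qs: string): QueryParams {
  const out: QueryParams = {};
  new URLSearchParams(qs).forEach((v, k) => {
    out[k] = v;
  });
  return out;
}

// Returns what the embedded app receives under each serialization strategy.
export function demo(): { raw: QueryParams; safe: QueryParams; doubleEncoded: QueryParams } {
  const params: QueryParams = { [LABEL_KEY]: HOSTILE_LABEL };
  // Unencoded: the '&' in the label splits off a separate debug=true parameter.
  const raw = parseParams(buildQueryStringRaw(params));
  // Encoded once at serialization time: the label survives intact as one value.
  const safe = parseParams(buildQueryStringEncoded(params));
  // Encoded at assignment AND by an encoding serializer: the app sees a mangled label.
  const preEncoded: QueryParams = { [LABEL_KEY]: encodeURIComponent(HOSTILE_LABEL) };
  const doubleEncoded = parseParams(buildQueryStringEncoded(preEncoded));
  return { raw, safe, doubleEncoded };
}
```

The `raw` result is the condition the review warns about; `safe` is the intended behaviour; `doubleEncoded` is the failure mode to check for before adding encodeURIComponent at the assignment site.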
@pkg-pr-new

pkg-pr-new bot commented Feb 6, 2026


npm i https://pkg.pr.new/thoughtspot/visual-embed-sdk/@thoughtspot/visual-embed-sdk@423

commit: 51a64b6

src/embed/app.ts (outdated)
     * ```
     * @version SDK: 1.46.0 | ThoughtSpot: 26.3.0.cl
     */
    hideToolResponseCardBranding?: boolean;


Can we move these two flags to an interface and import it across all components?

@sonar-prod-ts

sonar-prod-ts bot commented Feb 9, 2026

SonarQube Quality Gate: passed

Bugs:              A  0 bugs
Vulnerabilities:   A  0 vulnerabilities
Security Hotspots: A  0 security hotspots
Code Smells:       A  2 code smells
Coverage:          no coverage information
Duplication:       0.0%
