Merge master into develop (15 Jan) #3089
…he Experiments table.
… descending order
Added LLM Arena
…rch-2970 fix: align risk table sorting with actual database enum values
…signee fix: allow same assignee and reviewer for vendors
Removed section about VerifyWise product line from README.
Add loading state to PersistGate to wait for Redux rehydration before
rendering the app. This prevents API calls from firing before the auth
token is restored from localStorage.
## Problem
On first dashboard load, multiple API calls returned 406 errors:
- GET /api/users
- GET /api/user-preferences/{id}
- GET /api/eu-ai-act/all/compliances/progress
This happened because React hooks fired API requests before Redux
finished rehydrating the auth token from localStorage.
## Solution
Changed PersistGate from `loading={null}` to display a loading state,
ensuring the app waits for state restoration before mounting components
that make authenticated API calls.
Removes the logging of user prompts (first 100 characters) from the advisor controller debug logs. This addresses a security concern where sensitive user information could be exposed in log files. The log now only includes tenant ID, user ID, and LLM key ID for debugging purposes without exposing user input.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Adds authenticateJWT middleware to the /users/chng-pass/:id endpoint which was previously accessible without authentication. This was a critical security vulnerability that could allow unauthorized password change attempts.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Moves /chng-pass/:id route before /:id route. Express matches routes in order, so the parameterized /:id route was catching all requests including those intended for /chng-pass/:id. Also adds JSDoc documentation for the password change endpoint.
Adds defense-in-depth validation for tenant schema names before they are used in SQL queries.
Changes:
1. Updated isValidTenantHash() to match exact format (10 alphanumeric chars)
2. Added validateTenantSchema() utility for query-level validation
3. Added format check in auth middleware before setting req.tenantId
While tenant values already come from signed JWTs and are validated against organization hash, this additional format check ensures that only safe alphanumeric characters can reach SQL query interpolation.
Previously, any authenticated user could download any file by ID, regardless of project membership or ownership. This fix adds proper authorization checks to prevent IDOR vulnerabilities.
Access is now granted only if the user:
- Has Admin role
- Uploaded the file
- Owns the project the file belongs to
- Is a member of the project
Add authLimiter middleware to prevent brute-force attacks on:
- /users/register
- /users/refresh-token
- /users/reset-password
- /users/chng-pass/:id
Also adds missing authenticateJWT to password change endpoint.
Auto-disable the ExportMenu component when there's no data to export. The button now appears disabled (grayed out) when data array is empty, preventing users from clicking print/export options that would produce empty results.
…hen-empty fix: disable export menu when no data is available
## Changes
### Share button
- Reduced icon size from 20px to 16px to match other icons
### Button theme
- Removed hover shadow effects from all contained/outlined buttons
### User guide header
- Hidden chevron when at top level
- Disabled breadcrumb dropdown and home button when at top level
### Help section
- Changed community link to Discord
- Updated description and button text
### AI Trust Center Settings
- Fixed Trust Center title alignment with input field
- Disabled Remove button when no logo exists
- Fixed "Failed to load logo" showing when no logo exists
- Added hover effect to Remove button
- Replaced visibility toggle with Published/Unpublished button group
### Subprocessors & Resources
- Changed "Enabled and visible" to "Visible?"
- Made label clickable to toggle visibility
…n-14 fix: UI/UX improvements across multiple components
…eval Fix kubernetes llm eval issue
## Changes
- Fix Back button navigation in tooltips by using native HTML buttons
- Add CSS hover effects for tooltip buttons (close, back, next)
- Close button now shows on all steps (not just non-last steps)
- Audit and fix all page tour steps to match current UI elements
- Remove steps targeting non-existent UI elements
- Add new tooltips for vendor risks, model risks, evidence hub tabs
- Rearrange risk management tooltips by importance
- Add upload button tooltip to file manager
- Add more tooltips to AI Trust Center
## Files updated
- PageTour CustomStep component refactored with CSS classes
- All *Steps.tsx files audited and updated
- Added data-joyride-id attributes to missing UI elements
fix: onboarding tooltip fixes and improvements
Replace MUI Grid-based percentage layout with flexbox layout to fix width inconsistencies after MUI update.
- Left sidebar: fixed 250px width
- Center panel: flexible width (flex: 1)
- Right panel: fixed 340px width
…dths fix: automations page layout with fixed width sidebars
Changed SearchBox from fullWidth={false} (160px default) to 220px
width to ensure "Search files by name..." placeholder is fully visible.
…dths fix: layout width fixes for automations and file manager pages
| @@ -608,7 +666,7 @@ | |||
| "rowspan", | |||
| ], | |||
| ALLOWED_URI_REGEXP: | |||
| /^(?:(?:(?:f|ht)tps?|mailto|tel|callto|cid|xmpp|data):|[^a-z]|[a-z.+\-]+(?:[^a-z.+\-:]|$))/i, | |||
| /^(?:(?:(?:f|ht)tps?|mailto|tel|callto|cid|xmpp|data):|[^a-z]|[a-z.+-]+(?:[^a-z.+-:]|$))/i, | |||
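Review bot: The second of the two ALLOWED_URI_REGEXP lines in this hunk drops the backslash before the dash, so in the negated class [^a-z.+-:] the sequence +-: reads as a range from + to : and also excludes the comma, the slash and the digits 0-9, which is what the CodeQL warning below flags. Keep the escaped form [^a-z.+\-:] or move the dash to the end of that class, and if a lint rule or formatter is what removed the escape, exempt this line so it is not stripped again. The first class [a-z.+-] is unaffected because its dash is already in last position.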
Check warning
Code scanning / CodeQL
Overly permissive regular expression range Medium
Copilot Autofix
AI 3 months ago
In general, overly permissive ranges inside character classes should be fixed by either (1) escaping the dash `-` when you want it literally (e.g. `[A-Z0-9\-_.]`), or (2) rearranging the characters so `-` is first or last in the class (e.g. `[-A-Z0-9_.]`), which most regex engines interpret as a literal dash rather than a range delimiter.
Here, within `Clients/src/presentation/components/Policies/PolicyDetailsModal.tsx`, the problematic part is the character class `[a-z.+-:]` in the `ALLOWED_URI_REGEXP` on line 766. The clear intent is to allow lowercase letters plus `.`, `+`, and `-` in the scheme before the colon (as in `https`, `mailto`, `tel`, `xmpp`, etc.). To fix this without changing functionality, we should make the dash literal by escaping it: `[a-z.+\-:]`. That keeps exactly the same intended characters but avoids the unintended range. No new imports or methods are needed; we only adjust the regex literal in place.
Concretely: in `PolicyDetailsModal.tsx`, locate the `ALLOWED_URI_REGEXP` assignment and change `/^(?:(?:(?:f|ht)tps?|mailto|tel|callto|cid|xmpp|data):|[^a-z]|[a-z.+-]+(?:[^a-z.+-:]|$))/i` to `/^(?:(?:(?:f|ht)tps?|mailto|tel|callto|cid|xmpp|data):|[^a-z]|[a-z.+\-]+(?:[^a-z.+\-:]|$))/i`, escaping the dash in both character classes (`[a-z.+-]` → `[a-z.+\-]` and `[^a-z.+-:]` → `[^a-z.+\-:]`).
| @@ -763,7 +763,7 @@ | ||
| "rowspan", | ||
| ], | ||
| ALLOWED_URI_REGEXP: | ||
| /^(?:(?:(?:f|ht)tps?|mailto|tel|callto|cid|xmpp|data):|[^a-z]|[a-z.+-]+(?:[^a-z.+-:]|$))/i, | ||
| /^(?:(?:(?:f|ht)tps?|mailto|tel|callto|cid|xmpp|data):|[^a-z]|[a-z.+\-]+(?:[^a-z.+\-:]|$))/i, | ||
| ADD_ATTR: ["target"], | ||
| FORBID_TAGS: [ | ||
| "script", |
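The effect of the unintended `+-:` range discussed in the autofix comment above, as an added example that is not part of the pull request or the project's code. The two regex literals are copied from the diff; the sample URIs are constructed and the function names are hypothetical.

```javascript
// Added example. ESCAPED / UNESCAPED are the two ALLOWED_URI_REGEXP
// variants shown in the diff; everything else is illustrative.
const ESCAPED =
  /^(?:(?:(?:f|ht)tps?|mailto|tel|callto|cid|xmpp|data):|[^a-z]|[a-z.+\-]+(?:[^a-z.+\-:]|$))/i;
const UNESCAPED =
  /^(?:(?:(?:f|ht)tps?|mailto|tel|callto|cid|xmpp|data):|[^a-z]|[a-z.+-]+(?:[^a-z.+-:]|$))/i;

// Printable ASCII characters matched by a single character class.
function classMembers(classRegex) {
  let out = "";
  for (let code = 0x20; code < 0x7f; code++) {
    const ch = String.fromCharCode(code);
    if (classRegex.test(ch)) out += ch;
  }
  return out;
}

// Characters pulled in by the accidental "+-:" range that the intended
// literal set {"+", "-", ":"} does not contain.
function extraRangeChars() {
  const intended = classMembers(/[+\-:]/);
  return [...classMembers(/[+-:]/)]
    .filter((ch) => !intended.includes(ch))
    .join("");
}

// Evaluate each URI against both variants.
function compare(uris) {
  return uris.map((uri) => ({
    uri,
    escaped: ESCAPED.test(uri),
    unescaped: UNESCAPED.test(uri),
  }));
}

// URIs on which the two variants give different answers.
function disagreements(uris) {
  return compare(uris)
    .filter((row) => row.escaped !== row.unescaped)
    .map((row) => row.uri);
}

// Constructed sample input: allowed schemes, a blocked scheme, relative URLs.
const SAMPLE_URIS = ["https://example.com/a", "javascript:alert(1)",
  "docs/page.html", "page2.html", "/absolute/path", "#section", "readme"];

console.log("extra characters in range:", extraRangeChars());
console.table(compare(SAMPLE_URIS));
```

Both variants reject the `javascript:` sample; they differ only on relative URLs where a slash, comma or digit follows the leading letters, which the unescaped form rejects.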