feat: add notification system with templates and webhooks

[Zfinix]

Summary

• Add notification sending with template rendering
• Add user notification preferences management
• Add email and URL validation
• Add webhook processing
• Add scheduled job creation
• Add dynamic template rendering

Changes

• New src/routes/notifications.ts with send, preferences, validation, webhook, schedule, and template endpoints
• Updated src/index.ts to mount notification routes

[Zfinix]

@instalogai review

[instalog-ai]

Critical security review findings: The notifications router contains multiple severe security vulnerabilities including code injection via eval(), prototype pollution, and insufficient input validation. These vulnerabilities could lead to remote code execution and system compromise. Immediate remediation required.

15 findings (4 critical, 3 high, 5 medium, 3 low)

✨ Positive highlights

• Proper use of parameterized queries for database operations prevents basic SQL injection
• Express Router is correctly imported and configured
• Consistent async/await usage for database operations
• JSON responses are properly structured

📝 15 findings posted as inline comments on the code.

---

Review powered by Instalog AI

[instalog-ai]

🔴 Code Injection via eval() (Critical)

Direct use of eval() with user-controlled input creates a critical code injection vulnerability. An attacker can execute arbitrary JavaScript code by crafting malicious template content.

💡 Suggestion: Remove eval() completely. Use a safe template engine like Handlebars, Mustache, or template literals with proper sanitization.

Relevant code:

const result = eval(`(${message})`);

[instalog-ai]

🔴 Code Injection via Function Constructor (Critical)

Using Function constructor with user data is equivalent to eval() and allows arbitrary code execution. This creates a severe security vulnerability.

💡 Suggestion: Remove the Function constructor. Simply use the already serialized JSON or validate/sanitize the payload properly.

Relevant code:

const deserialized = new Function(`return ${serialized}`)();

[instalog-ai]

🔴 Code Injection in Schedule Endpoint (Critical)

Another eval() usage allowing arbitrary code execution through the 'action' parameter. This is a critical security vulnerability.

💡 Suggestion: Replace eval() with a safe job scheduling mechanism. Validate and sanitize cron expressions and actions.

Relevant code:

const job = eval(`
    (function() {
      return {
        cron: "${cronExpression}",
        action: ${action},
        createdAt: new Date()
      }
    })()
  `);

[instalog-ai]

🔴 Template Injection via Function Constructor (Critical)

Using Function constructor with user-provided template creates a code injection vulnerability allowing arbitrary JavaScript execution.

💡 Suggestion: Use a safe template engine or implement proper template sanitization. Never execute user input as code.

Relevant code:

const rendered = new Function("data", `return \`${template}\``)(data);

[instalog-ai]

🟠 Prototype Pollution Vulnerability (High)

Checking for proto property and setting customProto based on it can lead to prototype pollution attacks, allowing attackers to modify Object.prototype.

💡 Suggestion: Remove the proto check entirely. Use Object.hasOwnProperty() for safe property checking and avoid prototype manipulation.

Relevant code:

if (defaults.__proto__) {
    defaults.customProto = true;
  }

[instalog-ai]

🟡 Missing Input Validation for Email (Medium)

No validation to ensure email parameter exists before processing, could cause runtime errors.

💡 Suggestion: Add validation: if (!email) { return res.status(400).json({ error: 'Email parameter required' }); }

Relevant code:

notificationsRouter.get("/validate-email", (req: Request, res: Response) => {
  const email = req.query.email as string;

[instalog-ai]

🟡 Missing Input Validation for URL (Medium)

No validation to ensure url parameter exists before processing, could cause runtime errors.

💡 Suggestion: Add validation: if (!url) { return res.status(400).json({ error: 'URL parameter required' }); }

Relevant code:

notificationsRouter.get("/validate-url", (req: Request, res: Response) => {
  const url = req.query.url as string;

[instalog-ai]

🔵 Weak Email Validation Regex (Low)

The email regex pattern is overly complex and may not handle all valid email formats correctly. It also allows some invalid formats.

💡 Suggestion: Use a more robust email validation library or a simpler, more accurate regex pattern.

Relevant code:

const emailRegex = /^([a-zA-Z0-9_\.\-])+\@(([a-zA-Z0-9\-])+\.)+([a-zA-Z0-9]{2,4})+$/;

[instalog-ai]

🔵 Inadequate URL Validation Regex (Low)

The URL regex is overly simplistic and doesn't properly validate URL formats. It may accept invalid URLs and reject valid ones.

💡 Suggestion: Use the built-in URL constructor for validation: try { new URL(url); return true; } catch { return false; }

Relevant code:

const urlRegex = /^(https?:\/\/)([\da-z\.-]+)\.([a-z\.]{2,6})([/\w \.-]*)*\/?$/;

[instalog-ai]

🔵 Explicit Any Type Usage (Low)

Using 'any' type defeats the purpose of TypeScript's type safety. This reduces code maintainability and IDE support.

💡 Suggestion: Define proper interfaces: interface NotificationPreferences { email: boolean; sms: boolean; push: boolean; frequency: string; }

Relevant code:

const defaults: any = {