Merge pull request #2821 from trycompai/main

tofikwest · web-flow · commit fedd4d281d8e · 2026-05-11T15:48:32.000-04:00
[comp] Production Deploy
diff --git a/apps/api/.env.example b/apps/api/.env.example
@@ -58,4 +58,5 @@ SECURITY_HUB_ROLE_ASSUMER_ARN=
 SECURITY_HUB_GOVCLOUD_ROLE_ASSUMER_ARN=
 SECURITY_HUB_GOVCLOUD_ACCESS_KEY_ID=
 SECURITY_HUB_GOVCLOUD_SECRET_ACCESS_KEY=
-SECURITY_HUB_GOVCLOUD_SESSION_TOKEN=
+# Optional: only set when using temporary GovCloud credentials. Leave unset for long-lived IAM user keys.
+# SECURITY_HUB_GOVCLOUD_SESSION_TOKEN=
diff --git a/apps/api/src/cloud-security/aws-partition.utils.spec.ts b/apps/api/src/cloud-security/aws-partition.utils.spec.ts
@@ -57,12 +57,11 @@ describe('aws partition utils', () => {
   it('uses explicit GovCloud base credentials when configured', () => {
     process.env.SECURITY_HUB_GOVCLOUD_ACCESS_KEY_ID = 'AKIAGOV';
     process.env.SECURITY_HUB_GOVCLOUD_SECRET_ACCESS_KEY = 'secret';
-    process.env.SECURITY_HUB_GOVCLOUD_SESSION_TOKEN = 'token';
+    process.env.SECURITY_HUB_GOVCLOUD_SESSION_TOKEN = 'placeholder';
 
     expect(getAwsBaseCredentials('aws-us-gov')).toEqual({
       accessKeyId: 'AKIAGOV',
       secretAccessKey: 'secret',
-      sessionToken: 'token',
     });
     expect(getAwsBaseCredentials('aws')).toBeUndefined();
 
diff --git a/apps/api/src/cloud-security/aws-partition.utils.ts b/apps/api/src/cloud-security/aws-partition.utils.ts
@@ -41,7 +41,6 @@ export function getAwsBaseCredentials(
   return {
     accessKeyId,
     secretAccessKey,
-    sessionToken: process.env.SECURITY_HUB_GOVCLOUD_SESSION_TOKEN,
   };
 }
 
diff --git a/apps/api/src/evidence-forms/evidence-forms.service.ts b/apps/api/src/evidence-forms/evidence-forms.service.ts
@@ -196,16 +196,16 @@ export class EvidenceFormsService {
       );
     }
 
-    const base64Pattern = /^[A-Za-z0-9+/]+={0,2}$/;
-    if (!base64Pattern.test(normalized)) {
+    const fileBuffer = Buffer.from(normalized, 'base64');
+
+    if (fileBuffer.toString('base64') !== normalized) {
       throw new BadRequestException(
         'Invalid file data. Expected base64 string.',
       );
     }
 
-    const fileBuffer = Buffer.from(normalized, 'base64');
     if (!fileBuffer.length) {
-      throw new BadRequestException('File cannot be empty');
+      throw new BadRequestException('File cannot be empty.');
     }
 
     return fileBuffer;

Original file line number	Diff line number	Diff line change
`@@ -41,7 +41,6 @@ export function getAwsBaseCredentials(`
`41`	`41`	`return {`
`42`	`42`	`accessKeyId,`
`43`	`43`	`secretAccessKey,`
`44`		`- sessionToken: process.env.SECURITY_HUB_GOVCLOUD_SESSION_TOKEN,`
`45`	`44`	`};`
`46`	`45`	`}`
`47`	`46`
Original file line number	Diff line number	Diff line change
`@@ -196,16 +196,16 @@ export class EvidenceFormsService {`
`196`	`196`	`);`
`197`	`197`	`}`
`198`	`198`
`199`		`- const base64Pattern = /^[A-Za-z0-9+/]+={0,2}$/;`
`200`		`- if (!base64Pattern.test(normalized)) {`
	`199`	`+ const fileBuffer = Buffer.from(normalized, 'base64');`
	`200`	`+`
	`201`	`+ if (fileBuffer.toString('base64') !== normalized) {`
`201`	`202`	`throw new BadRequestException(`
`202`	`203`	`'Invalid file data. Expected base64 string.',`
`203`	`204`	`);`
`204`	`205`	`}`
`205`	`206`
`206`		`- const fileBuffer = Buffer.from(normalized, 'base64');`
`207`	`207`	`if (!fileBuffer.length) {`
`208`		`- throw new BadRequestException('File cannot be empty');`
	`208`	`+ throw new BadRequestException('File cannot be empty.');`
`209`	`209`	`}`
`210`	`210`
`211`	`211`	`return fileBuffer;`