fix(connectors): address remaining audit findings

waleedlatif1 · waleedlatif1 · commit 9014c087e126 · 2026-05-02T14:29:45.000-07:00
- slack: detect message edits and new threaded replies via edited.ts/latest_reply in contentHash
- github: skip binary files via NUL-byte sniff and filter oversized files at tree-list time
- servicenow: add 'outdated' workflow state to allowlist and dropdown; add Canceled (8) to incident state dropdown
- salesforce: drop 400 from userinfo host fallthrough (Salesforce returns 401/403 for cross-env tokens)
diff --git a/apps/sim/connectors/github/github.ts b/apps/sim/connectors/github/github.ts
@@ -11,6 +11,19 @@ const GITHUB_API_URL = 'https://api.github.com'
 const BATCH_SIZE = 30
 const GIT_SHA_PREFIX = 'git-sha:'
 const MAX_FILE_SIZE = 10 * 1024 * 1024 // 10 MB
+const BINARY_SNIFF_BYTES = 8000
+
+/**
+ * Heuristic binary detection: Git treats files containing a NUL byte in the
+ * first 8000 bytes as binary. Matches `git diff` / `git grep` semantics.
+ */
+function isBinaryBuffer(buf: Buffer): boolean {
+  const len = Math.min(buf.length, BINARY_SNIFF_BYTES)
+  for (let i = 0; i < len; i++) {
+    if (buf[i] === 0) return true
+  }
+  return false
+}
 
 /**
  * Parses the repository string into owner and repo.
@@ -228,10 +241,11 @@ export const githubConnector: ConnectorConfig = {
     } else {
       const tree = await fetchTree(accessToken, owner, repo, branch)
 
-      // Filter by path prefix and extensions
+      // Filter by path prefix, extensions, and size
       const filtered = tree.filter((item) => {
         if (pathPrefix && !item.path.startsWith(pathPrefix)) return false
         if (!matchesExtension(item.path, extSet)) return false
+        if (typeof item.size === 'number' && item.size > MAX_FILE_SIZE) return false
         return true
       })
 
@@ -311,7 +325,12 @@ export const githubConnector: ConnectorConfig = {
       const encoding = data.encoding as string | undefined
       let content: string
       if (encoding === 'base64' && rawContent.length > 0) {
-        content = Buffer.from(rawContent, 'base64').toString('utf8')
+        const buf = Buffer.from(rawContent, 'base64')
+        if (isBinaryBuffer(buf)) {
+          logger.info('Skipping binary GitHub file', { path, size })
+          return null
+        }
+        content = buf.toString('utf8')
       } else if (encoding === 'none' && data.sha && size > 0) {
         content = await fetchBlobContent(accessToken, owner, repo, data.sha as string)
       } else {
diff --git a/apps/sim/connectors/salesforce/salesforce.ts b/apps/sim/connectors/salesforce/salesforce.ts
@@ -102,7 +102,7 @@ async function fetchUserinfo(
 
     // Only fall through to the next host on auth-shaped failures; surface
     // other errors (e.g. 5xx) immediately so we don't mask real problems.
-    if (response.status !== 400 && response.status !== 401 && response.status !== 403) {
+    if (response.status !== 401 && response.status !== 403) {
       break
     }
   }
diff --git a/apps/sim/connectors/servicenow/servicenow.ts b/apps/sim/connectors/servicenow/servicenow.ts
@@ -23,7 +23,7 @@ const PAGE_SIZE = 100
 const SYS_ID_PATTERN = /^[a-f0-9]{32}$/i
 const NUMERIC_ID_PATTERN = /^\d+$/
 const KB_CATEGORY_PATTERN = /^[\w \-./]+$/
-const VALID_WORKFLOW_STATES = new Set(['published', 'draft', 'review', 'retired'])
+const VALID_WORKFLOW_STATES = new Set(['published', 'draft', 'review', 'retired', 'outdated'])
 
 interface ServiceNowRecord {
   sys_id: string
@@ -474,6 +474,7 @@ export const servicenowConnector: ConnectorConfig = {
         { label: 'Draft', id: 'draft' },
         { label: 'Review', id: 'review' },
         { label: 'Retired', id: 'retired' },
+        { label: 'Outdated', id: 'outdated' },
       ],
     },
     {
@@ -497,6 +498,7 @@ export const servicenowConnector: ConnectorConfig = {
         { label: 'On Hold', id: '3' },
         { label: 'Resolved', id: '6' },
         { label: 'Closed', id: '7' },
+        { label: 'Canceled', id: '8' },
       ],
     },
     {
diff --git a/apps/sim/connectors/slack/slack.ts b/apps/sim/connectors/slack/slack.ts
@@ -17,6 +17,9 @@ interface SlackMessage {
   text?: string
   ts: string
   subtype?: string
+  edited?: { ts: string; user?: string }
+  latest_reply?: string
+  reply_count?: number
 }
 
 interface SlackChannel {
@@ -301,7 +304,22 @@ async function buildSlackChannelDocument(
 
   const content = await formatMessages(accessToken, messages, syncContext)
   const messageCount = messages.length
-  const contentHash = `slack:${channel.id}:${oldestTs ?? 'empty'}:${lastActivityTs ?? 'empty'}:${messageCount}`
+
+  /**
+   * Edit/thread fingerprint: max(edited.ts) and max(latest_reply) across the
+   * window. `ts` is immutable for messages, so without these signals an
+   * in-place edit (chat.update) or a new threaded reply would not change the
+   * channel hash. Slack returns `edited.ts` only when a message was edited
+   * and `latest_reply` only when threaded replies exist.
+   */
+  let maxEditTs = ''
+  let maxReplyTs = ''
+  for (const m of messages) {
+    if (m.edited?.ts && m.edited.ts > maxEditTs) maxEditTs = m.edited.ts
+    if (m.latest_reply && m.latest_reply > maxReplyTs) maxReplyTs = m.latest_reply
+  }
+
+  const contentHash = `slack:${channel.id}:${oldestTs ?? 'empty'}:${lastActivityTs ?? 'empty'}:${messageCount}:${maxEditTs || 'noedit'}:${maxReplyTs || 'noreply'}`
 
   return { content, contentHash, messageCount, lastActivityTs }
 }

Original file line number	Diff line number	Diff line change
`@@ -102,7 +102,7 @@ async function fetchUserinfo(`
`102`	`102`
`103`	`103`	`// Only fall through to the next host on auth-shaped failures; surface`
`104`	`104`	`// other errors (e.g. 5xx) immediately so we don't mask real problems.`
`105`		`- if (response.status !== 400 && response.status !== 401 && response.status !== 403) {`
	`105`	`+ if (response.status !== 401 && response.status !== 403) {`
`106`	`106`	`break`
`107`	`107`	`}`
`108`	`108`	`}`