
fix: prevent data leak in getConnectedApps by explicitly picking safe fields#28924

Open
arpittkhandelwal wants to merge 2 commits into
calcom:mainfrom
arpittkhandelwal:fix/get-connected-apps-data-leak

Conversation

@arpittkhandelwal

Fixes #28923

Description

This PR resolves a potential data leak vulnerability in packages/app-store/_utils/getConnectedApps.ts identified by an existing developer TODO.

What changed:
Removed the object spread operator (...app) and replaced it with a strict, explicitly-mapped safeApp payload dictionary.

Why it matters:
Previously, the backend used a "deny-list" approach using object destructuring, which would silently expose any newly developed internal codebase flags or secret AppMeta variables straight to the frontend HTTP response payload. By switching to a rigorous "allow-list", we guarantee that only explicitly authorized, public-safe properties are ever returned out of the API.

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • Security fix / Refactor
  • New feature (non-breaking change which adds functionality)

How to test

  1. Ensure the app builds locally without type errors.
  2. Hit the getConnectedApps query (e.g. from the App Store or user settings page).
  3. Validate that the network payload correctly renders the apps but strictly bounds the payload keys to only expected frontend configuration fields.

@github-actions github-actions Bot added the 🐛 bug Something isn't working label Apr 18, 2026
@github-actions
Contributor

Welcome to Cal.diy, @arpittkhandelwal! Thanks for opening this pull request.

A few things to keep in mind:

  • This is Cal.diy, not Cal.com. Cal.diy is a community-driven, fully open-source fork of Cal.com licensed under MIT. Your changes here will be part of Cal.diy — they will not be deployed to the Cal.com production app.
  • Please review our Contributing Guidelines if you haven't already.
  • Make sure your PR title follows the Conventional Commits format.

A maintainer will review your PR soon. Thanks for contributing!

@github-actions
Contributor

Hey there and thank you for opening this pull request! 👋🏼

We require pull request titles to follow the Conventional Commits specification and it looks like your proposed title needs to be adjusted.

Details:

No release type found in pull request title "PR Title fix: prevent data leak in getConnectedApps by explicitly picking safe fields". Add a prefix to indicate what kind of release this pull request corresponds to. For reference, see https://www.conventionalcommits.org/

Available types:
 - feat: A new feature
 - fix: A bug fix
 - docs: Documentation only changes
 - style: Changes that do not affect the meaning of the code (white-space, formatting, missing semi-colons, etc)
 - refactor: A code change that neither fixes a bug nor adds a feature
 - perf: A code change that improves performance
 - test: Adding missing tests or correcting existing tests
 - build: Changes that affect the build system or external dependencies (example scopes: gulp, broccoli, npm)
 - ci: Changes to our CI configuration files and scripts (example scopes: Travis, Circle, BrowserStack, SauceLabs)
 - chore: Other changes that don't modify src or test files
 - revert: Reverts a previous commit

@arpittkhandelwal arpittkhandelwal changed the title PR Title fix: prevent data leak in getConnectedApps by explicitly picking safe fields fix: prevent data leak in getConnectedApps by explicitly picking safe fields Apr 18, 2026
@coderabbitai
Contributor

coderabbitai Bot commented Apr 18, 2026

No actionable comments were generated in the recent review. 🎉


📥 Commits

Reviewing files that changed from the base of the PR and between c856fa3 and 5b6d88b.

📒 Files selected for processing (1)
  • packages/app-store/_utils/getConnectedApps.ts

📝 Walkthrough

The file packages/app-store/_utils/getConnectedApps.ts was refactored to construct a safeApp object with an explicit set of frontend-facing fields (excluding credentials/credential), and all per-app logic now references safeApp. The function’s return value spreads safeApp instead of the original app, so only the explicitly enumerated properties plus computed fields are included in the returned payload.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

  • Docstring Coverage: ⚠️ Warning. Docstring coverage is 0.00%, which is insufficient; the required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

  • Title check: ✅ Passed. The title directly and clearly describes the main change: preventing a data leak by explicitly picking safe fields using an allow-list approach.
  • Description check: ✅ Passed. The description clearly explains the security vulnerability, the fix applied (replacing the deny-list with an allow-list), and testing instructions aligned with the changeset.
  • Linked Issues check: ✅ Passed. The PR addresses all objectives from issue #28923: eliminates the deny-list pattern, introduces a strict allow-list for safe fields, removes the ...app spread operator, and ensures only explicitly defined properties are returned.
  • Out of Scope Changes check: ✅ Passed. All changes in the PR are directly scoped to the security fix objective: refactoring getConnectedApps to use an explicit allow-list approach without introducing unrelated modifications.

Contributor

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

Inline comments:
In `@packages/app-store/_utils/getConnectedApps.ts`:
- Around line 150-179: The safeApp object in getConnectedApps is untyped, which can silently diverge from AppFrontendPayload/ConnectedApps; add an explicit type annotation for safeApp (e.g., a Pick of AppFrontendPayload listing the allowed keys) plus the extra fields (enabled: boolean and locationOption typed from rawApp.locationOption) so the compiler enforces the allow-list and prevents accidental inclusion of sensitive fields (reference symbols: safeApp, getConnectedApps, AppFrontendPayload, ConnectedApps, App).

📥 Commits

Reviewing files that changed from the base of the PR and between 9efd0e6 and c856fa3.

📒 Files selected for processing (1)
  • packages/app-store/_utils/getConnectedApps.ts
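The pattern the PR description contrasts (a deny-list built from `...app` versus an explicit allow-list) and the typed `Pick` annotation CodeRabbit asks for above, as an added example that is not Cal.diy's code. `RawApp`, `AppFrontendPayload`, the field names and the sample record are assumptions made for illustration, not the project's real types.

```typescript
// Added example (not Cal.diy's code): contrasts the deny-list spread the PR
// removed with the typed allow-list it introduced. RawApp, AppFrontendPayload
// and the field names are assumptions, not the project's real types.
type RawApp = {
  slug: string;
  name: string;
  logo: string;
  categories: string[];
  credentials: { id: number; key: Record<string, unknown> }[];
  internalRolloutFlag?: boolean; // added later by someone else; must not leak
};

// Public payload: adding a key here is the only way to expose a new field.
type AppFrontendPayload = Pick<RawApp, "slug" | "name" | "logo" | "categories"> & {
  enabled: boolean;
};

// Deny-list style (the pattern the PR removed): drop known secrets, spread the
// rest. Any field added to RawApp after this was written is leaked silently.
function toPayloadDenyList(app: RawApp): Record<string, unknown> {
  const rest: Record<string, unknown> = { ...app };
  delete rest.credentials;
  return { ...rest, enabled: app.credentials.length > 0 };
}

// Allow-list style (the pattern the PR introduced): every field that leaves the
// server is named. The annotation makes an extra key a compile-time error.
function toPayloadAllowList(app: RawApp): AppFrontendPayload {
  const safeApp: AppFrontendPayload = {
    slug: app.slug,
    name: app.name,
    logo: app.logo,
    categories: app.categories,
    enabled: app.credentials.length > 0,
  };
  return safeApp;
}

// Keys in a payload that are not in the public allow-list; a runtime check a
// test could run against the serialized API response.
function leakedKeys(payload: object): string[] {
  const allowed = new Set(["slug", "name", "logo", "categories", "enabled"]);
  return Object.keys(payload).filter((k) => !allowed.has(k));
}

// Constructed sample input carrying a secret and a later-added internal flag.
const sampleApp: RawApp = {
  slug: "zoom", name: "Zoom", logo: "/zoom.svg", categories: ["conferencing"],
  credentials: [{ id: 1, key: { access_token: "constructed-secret" } }],
  internalRolloutFlag: true,
};
```

Running `leakedKeys` over both payloads shows the deny-list version leaking `internalRolloutFlag` while the allow-list version returns nothing outside the five public keys.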

@github-actions
Contributor

This PR has been marked as stale due to inactivity. If you're still working on it or need any help, please let us know or update the PR to keep it active.

@github-actions github-actions Bot added the Stale label Apr 26, 2026
@arpittkhandelwal
Author

I am active; I am waiting for someone to review this PR.

@github-actions github-actions Bot removed the Stale label Apr 27, 2026
@github-actions
Contributor

github-actions Bot commented May 4, 2026

This PR has been marked as stale due to inactivity. If you're still working on it or need any help, please let us know or update the PR to keep it active.

@github-actions github-actions Bot added the Stale label May 4, 2026
@CLAassistant

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.

Arpit Khandelwal seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you already have a GitHub account, please add the email address used for this commit to your account.

@github-actions github-actions Bot removed the Stale label May 7, 2026
@github-actions
Contributor

This PR has been marked as stale due to inactivity. If you're still working on it or need any help, please let us know or update the PR to keep it active.

@github-actions github-actions Bot added the Stale label May 15, 2026

Development

Successfully merging this pull request may close these issues.

🔒 Security/Refactor: Prevent potential data leak in getConnectedApps by explicitly picking safe fields

2 participants