From c621c410d03c214531025e33ee055b582ed6f33c Mon Sep 17 00:00:00 2001 From: Caden Buckhalt Date: Thu, 29 Feb 2024 12:13:39 -0800 Subject: [PATCH 1/5] fix: security issues with programatic download adds fetch and blob so that the browser can explicitly fetch the file before download --- .../_components/ExportInterviewsDialog.tsx | 2 +- hooks/useDownload.ts | 27 +++++++++++++------ 2 files changed, 20 insertions(+), 9 deletions(-) diff --git a/app/(dashboard)/dashboard/interviews/_components/ExportInterviewsDialog.tsx b/app/(dashboard)/dashboard/interviews/_components/ExportInterviewsDialog.tsx index 25586cf0..e4e92dfe 100644 --- a/app/(dashboard)/dashboard/interviews/_components/ExportInterviewsDialog.tsx +++ b/app/(dashboard)/dashboard/interviews/_components/ExportInterviewsDialog.tsx @@ -75,7 +75,7 @@ export const ExportInterviewsDialog = ({ } // Download the zip file - download(result.data.url, result.data.name); + await download(result.data.url, result.data.name); } catch (error) { toast({ icon: , diff --git a/hooks/useDownload.ts b/hooks/useDownload.ts index 73d04fc8..e823412e 100644 --- a/hooks/useDownload.ts +++ b/hooks/useDownload.ts 
@@ -1,14 +1,25 @@ import { useCallback } from 'react'; export const useDownload = () => { - const download = useCallback((url: string, nameWithExtension: string) => { - const link = document.createElement('a'); - link.href = url; - link.download = nameWithExtension; - document.body.appendChild(link); - link.click(); - document.body.removeChild(link); - }, []); + const download = useCallback( + async (url: string, nameWithExtension: string) => { + try { + const response = await fetch(url); + const blob = await response.blob(); + const blobUrl = URL.createObjectURL(blob); + const link = document.createElement('a'); + link.href = blobUrl; + link.download = nameWithExtension; + document.body.appendChild(link); + link.click(); + URL.revokeObjectURL(blobUrl); + document.body.removeChild(link); + } catch (error) { + throw new Error('Failed to download file'); + } + }, + [], + ); return download; }; From 0c7c15b5c0e73184b1152bea8e5e59ccce764ec0 Mon Sep 17 00:00:00 2001 From: Caden Buckhalt Date: Thu, 29 Feb 2024 13:14:01 -0800 Subject: [PATCH 2/5] Revert "fix: security issues with programatic download" This reverts commit c621c410d03c214531025e33ee055b582ed6f33c. --- .../_components/ExportInterviewsDialog.tsx | 2 +- hooks/useDownload.ts | 27 ++++++------------- 2 files changed, 9 insertions(+), 20 deletions(-) diff --git a/app/(dashboard)/dashboard/interviews/_components/ExportInterviewsDialog.tsx b/app/(dashboard)/dashboard/interviews/_components/ExportInterviewsDialog.tsx index e4e92dfe..25586cf0 100644 --- a/app/(dashboard)/dashboard/interviews/_components/ExportInterviewsDialog.tsx +++ b/app/(dashboard)/dashboard/interviews/_components/ExportInterviewsDialog.tsx @@ -75,7 +75,7 @@ export const ExportInterviewsDialog = ({ } // Download the zip file - await download(result.data.url, result.data.name); + download(result.data.url, result.data.name); } catch (error) { toast({ icon: , diff --git a/hooks/useDownload.ts b/hooks/useDownload.ts index e823412e..73d04fc8 100644 
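Review bot: In the new `download` callback, `fetch(url)` is followed directly by `response.blob()` with no status check, so a 403, 404 or 500 response body would be saved under `nameWithExtension` as if it were the requested file. Add `if (!response.ok) throw new Error('Failed to download file');` before reading the blob. The same gap is present in the `fetch(result.data.url)` call that PATCH 3/5 adds to ExportInterviewsDialog.tsx. The `catch` also discards the original failure; `throw new Error('Failed to download file', { cause: error });` would keep it for diagnosis, provided the project's target supports the `cause` option.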
--- a/hooks/useDownload.ts +++ b/hooks/useDownload.ts @@ -1,25 +1,14 @@ import { useCallback } from 'react'; export const useDownload = () => { - const download = useCallback( - async (url: string, nameWithExtension: string) => { - try { - const response = await fetch(url); - const blob = await response.blob(); - const blobUrl = URL.createObjectURL(blob); - const link = document.createElement('a'); - link.href = blobUrl; - link.download = nameWithExtension; - document.body.appendChild(link); - link.click(); - URL.revokeObjectURL(blobUrl); - document.body.removeChild(link); - } catch (error) { - throw new Error('Failed to download file'); - } - }, - [], - ); + const download = useCallback((url: string, nameWithExtension: string) => { + const link = document.createElement('a'); + link.href = url; + link.download = nameWithExtension; + document.body.appendChild(link); + link.click(); + document.body.removeChild(link); + }, []); return download; }; From 0498592f4199976525dbce334bac4b444e6fd131 Mon Sep 17 00:00:00 2001 From: Caden Buckhalt Date: Thu, 29 Feb 2024 13:19:36 -0800 Subject: [PATCH 3/5] fix: export errors need to use blob within exportinterviews like other exports --- .../interviews/_components/ExportInterviewsDialog.tsx | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/app/(dashboard)/dashboard/interviews/_components/ExportInterviewsDialog.tsx b/app/(dashboard)/dashboard/interviews/_components/ExportInterviewsDialog.tsx index 25586cf0..81708100 100644 --- a/app/(dashboard)/dashboard/interviews/_components/ExportInterviewsDialog.tsx +++ b/app/(dashboard)/dashboard/interviews/_components/ExportInterviewsDialog.tsx 
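Review bot: The restored `download` callback assigns its `url` argument straight to `link.href`, and nothing on the hook says what kind of URL it expects. Browsers honour the `download` attribute only for same-origin, `blob:` and `data:` URLs; for a cross-origin URL the click navigates to it instead of saving under `nameWithExtension`. A TSDoc line on `useDownload` such as `/** Expects a same-origin or blob: URL; fetch cross-origin files into a Blob before calling. */` would make that contract visible to callers. If `url` can originate from server-supplied data, which this hunk does not show, checking that it parses to an expected scheme before the assignment would belong here as well.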
@@ -74,8 +74,16 @@ export const ExportInterviewsDialog = ({ throw new Error(e.message); } + const response = await fetch(result.data.url); + const blob = await response.blob(); + + // create a download link + const url = URL.createObjectURL(blob); + // Download the zip file - download(result.data.url, result.data.name); + download(url, result.data.name); + // clean up the URL object + URL.revokeObjectURL(url); } catch (error) { toast({ icon: , From fd1893f54e4ad13207323796b72e1412023cc953 Mon Sep 17 00:00:00 2001 From: Caden Buckhalt Date: Thu, 29 Feb 2024 13:35:12 -0800 Subject: [PATCH 4/5] fix: access control checks errors when stack is too big it exceeds file size for endpoint --- components/ErrorReportNotifier.tsx | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/components/ErrorReportNotifier.tsx b/components/ErrorReportNotifier.tsx index 5a862599..6c9e88b9 100644 --- a/components/ErrorReportNotifier.tsx +++ b/components/ErrorReportNotifier.tsx @@ -67,6 +67,11 @@ export default function ErrorReportNotifier({ error }: { error: Error }) { if (initialized.current) return; setState('loading'); + // limit size of error.stack + if (error.stack && error.stack.length > 500) { + error.stack = error.stack.substring(0, 500); + } + trackEvent({ type: 'Error', name: error.name, From 223f18163769f6c94dc4d48a9c5f92bf62a30090 Mon Sep 17 00:00:00 2001 From: Caden Buckhalt Date: Fri, 1 Mar 2024 07:21:07 -0800 Subject: [PATCH 5/5] Revert "fix: access control checks errors" This reverts commit fd1893f54e4ad13207323796b72e1412023cc953. --- components/ErrorReportNotifier.tsx | 5 ----- 1 file changed, 5 deletions(-) diff --git a/components/ErrorReportNotifier.tsx b/components/ErrorReportNotifier.tsx index 6c9e88b9..5a862599 100644 --- a/components/ErrorReportNotifier.tsx +++ b/components/ErrorReportNotifier.tsx 
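Review bot: `URL.revokeObjectURL(url)` is reached only when `download(url, result.data.name)` returns normally, so an exception from that call leaves the object URL and its Blob alive until the page is unloaded. Wrapping the pair keeps the cleanup unconditional: `try { download(url, result.data.name); } finally { URL.revokeObjectURL(url); }`. The whole export is also buffered in memory by `response.blob()` before the save starts, which is worth a short comment if large archives are expected. The enclosing handler starts and ends outside the hunk.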
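Review bot: The added block in ErrorReportNotifier.tsx overwrites `error.stack` on the `error` prop itself, so any other holder of that Error object (an error boundary, the console, another reporter) sees the truncated stack as well. Leave the original intact and truncate a copy, `const stack = error.stack?.slice(0, MAX_STACK_LENGTH);`, then send `stack` in the `trackEvent` payload, whose remaining fields are outside the hunk. The bare `500` would read better as a named constant with a comment tying it to the endpoint size limit mentioned in the commit message. The enclosing effect starts and ends outside the hunk.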
@@ -67,11 +67,6 @@ export default function ErrorReportNotifier({ error }: { error: Error }) { if (initialized.current) return; setState('loading'); - // limit size of error.stack - if (error.stack && error.stack.length > 500) { - error.stack = error.stack.substring(0, 500); - } - trackEvent({ type: 'Error', name: error.name,