zendesk_apps_support 4.44.0 → 4.45.0.alpha.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6ab47aa0e5d6274fd6b7527a5bb09dc16c833359464c5535855940892466687e
-  data.tar.gz: 34e8962b318292e95eb5b784bddaea7a409d4fe7feb0edd010aa76021bc13d04
+  metadata.gz: 9c5272336cd53fc85e70bdf5e2440e4d34421f0e7492aaa7af17379a596b6adf
+  data.tar.gz: 8179e2e48d192c9d77894504faa6952b123e68c3cea2866c0a977e23f96132ad
 SHA512:
-  metadata.gz: 3783f916fe8f1546a9c9eba93c13e91a7bb1690f8872fb056be89fec7f48f901b491f757a7b5117d7f14bf1bcb902ae2aef58dad4c9e733462c4a4648291eb37
-  data.tar.gz: 3a075c7d184f66d49ab4fe5f569ea8196eca5ef51288fad0a36035d9de0058cea9868047cece4f0fca78351944133d05132e53a511113238c1cf2262f34a3145
+  metadata.gz: 60d6a565d4b9c6bf9245c3e6b45de34054769a78d9bcd34cd65783e9e29e8e64938c767e565b1c9ccd884a5be7b959921d747a0ec04650890852cdca90750df9
+  data.tar.gz: 542cafd76038e861abffc5b9371296a777fc77147abee9b478ef17c74bf5b48929a22a85d20f6acf817f37742553d921bdebbe414d5302241b622cce8a2da39d

data/config/locales/en.yml

@@ -175,6 +175,22 @@ en:
             invalid_cov2_trigger_conditions_structure_v2: The requirements.json file
               contains an invalid custom object trigger conditions structure. Conditions
               must be a hash with all and any arrays for trigger %{trigger_key}.
+            cov2_object_setting_placeholder_not_allowed: The requirements.json file
+              contains a placeholder in the objects array. The %{property_name} property
+              of object %{object_key} contains a placeholder %{property_value}. Placeholders
+              are not allowed in object definitions.
+            cov2_field_setting_placeholder_not_allowed: 'The requirements.json file
+              contains a placeholder in the object_fields array. The %{property_name}
+              property of field %{field_key} (object: %{object_key}) contains a placeholder
+              %{property_value}. Placeholders are not allowed in field definitions.'
+            cov2_trigger_setting_placeholder_not_allowed: 'The requirements.json file
+              contains a placeholder in the object_triggers array. The %{property_name}
+              property of trigger %{trigger_key} (object: %{object_key}) contains
+              a placeholder %{property_value}. Placeholders are not allowed in trigger
+              definitions.'
+            setting_placeholders_not_allowed_in_cov2_requirements: The requirements.json
+              file contains a setting placeholder in the custom_objects_v2 requirements.
+              Setting placeholders are not allowed in custom_objects_v2 requirements.
             missing_required_fields: 'Missing required fields in requirements.json:
               "%{field}" is required in "%{identifier}"'
             duplicate_requirements:
@@ -258,6 +274,9 @@ en:
               default_secure_or_hidden_parameter_in_manifest: Default values for secure
                 or hidden parameters are not stored securely. Be sure to review them
                 and confirm they do not contain sensitive data
+              secure_parameters_with_no_scopes_in_manifest: 'The scopes property is
+                not configured for parameter(s): %{params}. This may cause token exposure
+                vulnerabilities. Learn about: %{link}'
             stylesheet_error: 'Sass error: %{sass_error}'
             invalid_type_parameter:
               one: "%{invalid_types} is an invalid parameter type."

data/config/locales/translations/zendesk_apps_support.yml

@@ -310,6 +310,29 @@ parts:
       title: 'App builder job: requirements file contains invalid custom object trigger conditions structure. Conditions must be an object (a set of key-value pairs, like { "all": [], "any": [] } in JSON) with "all" and "any" arrays as keys. Do not translate "requirements.json". Do not translate "all" and "any" as it is part of schema.'
       value: 'The requirements.json file contains an invalid custom object trigger conditions structure. Conditions must be a hash with all and any arrays for trigger %{trigger_key}.'
       screenshot: "https://drive.google.com/file/d/1q9S42EyNDE1GPk8A32LT0n2ZQiBpuCEW/view?usp=sharing"
+  - translation:
+      key: "txt.apps.admin.error.app_build.cov2_object_setting_placeholder_not_allowed"
+      title: 'App builder job: requirements file contains placeholder in custom objects v2 object property. Placeholders are not allowed in object definitions. Leave requirements.json as is (do not translate). Do not translate "objects" as it is part of schema.'
+      value: 'The requirements.json file contains a placeholder in the objects array. The %{property_name} property of object %{object_key} contains a placeholder %{property_value}. Placeholders are not allowed in object definitions.'
+      screenshot: "https://drive.google.com/file/d/1UYrBruLjZ27WoQ40sWXqd07DNwtblg2W/view?usp=sharing"
+      obsolete: "2026-02-05"
+  - translation:
+      key: "txt.apps.admin.error.app_build.cov2_field_setting_placeholder_not_allowed"
+      title: 'App builder job: requirements file contains placeholder in custom objects v2 field property. Placeholders are not allowed in field definitions. Leave requirements.json as is (do not translate). Do not translate "object_fields" as it is part of schema.'
+      value: 'The requirements.json file contains a placeholder in the object_fields array. The %{property_name} property of field %{field_key} (object: %{object_key}) contains a placeholder %{property_value}. Placeholders are not allowed in field definitions.'
+      screenshot: "https://drive.google.com/file/d/1Bprc1VNv8kmzgbNeQn-noU0ItSci2obm/view?usp=sharing"
+      obsolete: "2026-02-05"
+  - translation:
+      key: "txt.apps.admin.error.app_build.cov2_trigger_setting_placeholder_not_allowed"
+      title: 'App builder job: requirements file contains placeholder in custom objects v2 trigger identifier. Placeholders are not allowed in trigger identifiers. Leave requirements.json as is (do not translate). Do not translate "object_triggers" as it is part of schema.'
+      value: 'The requirements.json file contains a placeholder in the object_triggers array. The %{property_name} property of trigger %{trigger_key} (object: %{object_key}) contains a placeholder %{property_value}. Placeholders are not allowed in trigger definitions.'
+      screenshot: "https://drive.google.com/file/d/1FwnzKj9srIDTxtk-WryA3xHTXGD7uS-W/view?usp=sharing"
+      obsolete: "2026-02-05"
+  - translation:
+      key: "txt.apps.admin.error.app_build.setting_placeholders_not_allowed_in_cov2_requirements"
+      title: 'App builder job: requirements file contains placeholder in custom objects v2 requirements. Placeholders are not allowed in custom objects v2 definitions. Leave requirements.json, custom_objects_v2 as is (do not translate)'
+      value: 'The requirements.json file contains a setting placeholder in the custom_objects_v2 requirements. Setting placeholders are not allowed in custom_objects_v2 requirements.'
+      screenshot: "https://drive.google.com/file/d/18Q9bTUO3gaSg2O0wZzn0OehE5SqmR49e/view?usp=sharing"
   - translation:
       key: "txt.apps.admin.error.app_build.missing_required_fields"
       title: "App builder job: required key missing in requirements, e.g. \"title\" is required in \"my_custom_email_target\""
@@ -649,3 +672,9 @@ parts:
       key: "txt.apps.admin.error.app_build.field_contains_invalid_keys"
       title: "App builder job: Error for invalid field keys. Placeholder %{field} shows parameter fields like \"parameter[name='param'].scopes\" provided in the supplied manifest file, %{keys} shows the invalid keys found within the field."
       value: "%{field} contains invalid keys: %{keys}."
+  - translation:
+      key: "txt.apps.admin.error.app_build.translation.secure_parameters_with_no_scopes_in_manifest"
+      title: "Validation message to indicate missing scopes field in manifest's secure parameter.
+        Do not translate 'scopes'. %{params} refers to secure parameters with no scopes configured.
+        Scopes in manifest refers to https://developer.zendesk.com/documentation/apps/getting-started/setting-up-new-apps/#scopes"
+      value: "The scopes property is not configured for parameter(s): %{params}. This may cause token exposure vulnerabilities. Learn about: %{link}"

data/lib/zendesk_apps_support/package.rb

@@ -48,7 +48,10 @@ module ZendeskAppsSupport
         errors << Validations::Requirements.call(self, validate_custom_objects_v2:)
 
         # only adds warnings
-        Validations::SecureSettings.call(self)
+        Validations::SecureSettings.call(
+          self,
+          validate_scopes_for_secure_parameter: validate_scopes_for_secure_parameter
+        )
         Validations::Requests.call(self)
 
         unless manifest.requirements_only? || manifest.marketing_only? || manifest.iframe_only?

data/lib/zendesk_apps_support/validations/custom_objects_v2/custom_objects_v2.rb

@@ -12,11 +12,15 @@ module ZendeskAppsSupport
         include Constants
         include ValidationHelpers
 
+        SETTING_PLACEHOLDER_REGEXP = /\{\{\s*setting\.([\w.-]+)\s*\}\}/
+
         def call(requirements)
           structural_errors = validate_overall_requirements_structure(requirements)
           return structural_errors if structural_errors.any?
 
-          payload_size_errors = validate_payload_size(requirements)
+          requirements_json = requirements.to_json
+
+          payload_size_errors = validate_payload_size(requirements_json)
           return payload_size_errors if payload_size_errors.any?
 
           limits_and_schema_errors = [
@@ -26,18 +30,27 @@ module ZendeskAppsSupport
 
           return limits_and_schema_errors if limits_and_schema_errors.any?
 
+          setting_placeholder_errors = validate_setting_placeholders(requirements_json)
+          return setting_placeholder_errors if setting_placeholder_errors.any?
+
           validate_object_references(requirements)
         end
 
         private
 
-        def validate_payload_size(requirements)
-          payload_size = requirements.to_json.bytesize
+        def validate_payload_size(requirements_json)
+          payload_size = requirements_json.bytesize
           return [] if payload_size <= MAX_PAYLOAD_SIZE_BYTES
 
           [ValidationError.new(:excessive_cov2_payload_size)]
         end
 
+        def validate_setting_placeholders(requirements_json)
+          return [] unless requirements_json.match?(SETTING_PLACEHOLDER_REGEXP)
+
+          [ValidationError.new(:setting_placeholders_not_allowed_in_cov2_requirements)]
+        end
+
         def validate_overall_requirements_structure(requirements)
           errors = validate_structural_requirements(requirements)
           return errors unless errors.empty?

data/lib/zendesk_apps_support/validations/manifest.rb

@@ -11,7 +11,7 @@ module ZendeskAppsSupport
       OAUTH_REQUIRED_FIELDS = %w[client_id client_secret authorize_uri access_token_uri].freeze
       PARAMETER_TYPES = ZendeskAppsSupport::Manifest::Parameter::TYPES
       OAUTH_MANIFEST_LINK = 'https://developer.zendesk.com/apps/docs/developer-guide/manifest#oauth'
-      SECURE_PARAM_SCOPES = %w[header body url_host url_path jwt_secret_key jwt_claim basic_auth_username basic_auth_password].freeze
+      SECURE_PARAM_SCOPES = %w[header body url jwt_secret_key jwt_claim basic_auth_username basic_auth_password].freeze
 
       class << self
         def call(package, error_on_password_parameter: false, validate_scopes_for_secure_parameter: false)

data/lib/zendesk_apps_support/validations/secure_settings.rb

@@ -7,7 +7,7 @@ module ZendeskAppsSupport
       SECURABLE_KEYWORDS_REGEXP = Regexp.new(SECURABLE_KEYWORDS.join('|'), Regexp::IGNORECASE)
 
       class << self
-        def call(package)
+        def call(package, validate_scopes_for_secure_parameter: false)
           manifest_params = package.manifest.parameters
 
           insecure_params_found = manifest_params.any? { |param| insecure_param?(param) }
@@ -15,6 +15,11 @@ module ZendeskAppsSupport
 
           secure_or_hidden_default_param_found = manifest_params.any? { |param| secure_or_hidden_default_param?(param) }
           package.warnings << hidden_default_parameter_warning if secure_or_hidden_default_param_found
+
+          if validate_scopes_for_secure_parameter
+            unscoped_secure_param_names = manifest_params.filter_map { |param| name_if_secure_unscoped(param) }
+            package.warnings << no_scopes_warning(unscoped_secure_param_names) if unscoped_secure_param_names.any?
+          end
         end
 
         private
@@ -43,6 +48,18 @@ module ZendeskAppsSupport
             link: 'https://developer.zendesk.com/apps/docs/developer-guide/using_sdk#using-secure-settings'
           )
         end
+
+        def name_if_secure_unscoped(param)
+          param.name if param.secure && !param.scopes&.any?
+        end
+
+        def no_scopes_warning(param_names)
+          I18n.t(
+            'txt.apps.admin.error.app_build.translation.secure_parameters_with_no_scopes_in_manifest',
+            params: param_names.join(I18n.t('txt.apps.admin.error.app_build.listing_comma')),
+            link: 'https://developer.zendesk.com/documentation/apps/getting-started/setting-up-new-apps/#scopes'
+          )
+        end
       end
     end
   end

data/lib/zendesk_apps_support/version.rb

@@ -1,3 +1,3 @@
 module ZendeskAppsSupport
-  VERSION = "4.44.0"
+  VERSION = "4.45.0.alpha.0"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: zendesk_apps_support
 version: !ruby/object:Gem::Version
-  version: 4.44.0
+  version: 4.45.0.alpha.0
 platform: ruby
 authors:
 - James A. Rosen
@@ -11,7 +11,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2025-11-06 00:00:00.000000000 Z
+date: 2025-12-08 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: i18n