zendesk_apps_support 4.44.1 → 4.45.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3b989994c7a764094c871ecf859ee10741564143e62ac95c241cf8273453be0e
-  data.tar.gz: 736b6f0d70ecb4ed696741f276e6f184845ae9a2f6609fad5d9dd09ab09df02a
+  metadata.gz: 8b8758656a8905a32b83c582ea409106a523ae0da29e2d27adab601b1b018600
+  data.tar.gz: 0b558941ca135311562c1ce19d0de5f7b601e7632aa52b3bd70034602869d5c0
 SHA512:
-  metadata.gz: b18165f0d009772dda835da472966b629db6c0ba5a3e4711a2a92724a85d55ab0e769374ece2354fabe0a0fdf2f9ce77af7193176634d2a1e7de35956950fc7c
-  data.tar.gz: 9b4885080b015d610d37d91b284a4fc1916751c14c3eeb1ae9a163e2ca9d7246d7a51724eb47993e42f7ab3de018dc8e1e37fed613b1834d2342189e8e3662cb
+  metadata.gz: ef0392d1072ac538bf2f5aa052a68b9690efa985ad97e8780457dff4cabd75d7a30322b29f7f06b6106e3e34c51e3a759835a04091b27fcd81950527b1d8afd9
+  data.tar.gz: ecc883ab33aa84393276ef0c67244ba65e876a342252b867ec2ff2eda6ac4dfb013bd9351a19247f5ad9071dd44b08a0bc704cba1c73af7d3ec781038305ceb7

data/config/locales/en.yml

@@ -175,6 +175,19 @@ en:
             invalid_cov2_trigger_conditions_structure_v2: The requirements.json file
               contains an invalid custom object trigger conditions structure. Conditions
               must be a hash with all and any arrays for trigger %{trigger_key}.
+            cov2_object_setting_placeholder_not_allowed: The requirements.json file
+              contains a placeholder in the objects array. The %{property_name} property
+              of object %{object_key} contains a placeholder %{property_value}. Placeholders
+              are not allowed in object definitions.
+            cov2_field_setting_placeholder_not_allowed: 'The requirements.json file
+              contains a placeholder in the object_fields array. The %{property_name}
+              property of field %{field_key} (object: %{object_key}) contains a placeholder
+              %{property_value}. Placeholders are not allowed in field definitions.'
+            cov2_trigger_setting_placeholder_not_allowed: 'The requirements.json file
+              contains a placeholder in the object_triggers array. The %{property_name}
+              property of trigger %{trigger_key} (object: %{object_key}) contains
+              a placeholder %{property_value}. Placeholders are not allowed in trigger
+              definitions.'
             missing_required_fields: 'Missing required fields in requirements.json:
               "%{field}" is required in "%{identifier}"'
             duplicate_requirements:
@@ -252,6 +265,8 @@ en:
                 do not match products in translations (%{translation_products})
               insecure_token_parameter_in_manifest: 'Make sure to set secure to true
                 when using keys in Settings. Learn more: %{link}'
+              secure_parameters_with_no_scopes_in_manifest: 'The scopes property is not configured for parameter(s): %{params}. 
+                This may cause token exposure vulnerabilities. Learn about: %{link}'
               password_parameter_deprecated: 'Password parameter type is deprecated
                 and will not be accepted in the future. Use Basic Access Authentication
                 instead. Learn more: %{link}.'

data/config/locales/translations/zendesk_apps_support.yml

@@ -310,6 +310,21 @@ parts:
       title: 'App builder job: requirements file contains invalid custom object trigger conditions structure. Conditions must be an object (a set of key-value pairs, like { "all": [], "any": [] } in JSON) with "all" and "any" arrays as keys. Do not translate "requirements.json". Do not translate "all" and "any" as it is part of schema.'
       value: 'The requirements.json file contains an invalid custom object trigger conditions structure. Conditions must be a hash with all and any arrays for trigger %{trigger_key}.'
       screenshot: "https://drive.google.com/file/d/1q9S42EyNDE1GPk8A32LT0n2ZQiBpuCEW/view?usp=sharing"
+  - translation:
+      key: "txt.apps.admin.error.app_build.cov2_object_setting_placeholder_not_allowed"
+      title: 'App builder job: requirements file contains placeholder in custom objects v2 object property. Placeholders are not allowed in object definitions. Leave requirements.json as is (do not translate). Do not translate "objects" as it is part of schema.'
+      value: 'The requirements.json file contains a placeholder in the objects array. The %{property_name} property of object %{object_key} contains a placeholder %{property_value}. Placeholders are not allowed in object definitions.'
+      screenshot: "https://drive.google.com/file/d/1UYrBruLjZ27WoQ40sWXqd07DNwtblg2W/view?usp=sharing"
+  - translation:
+      key: "txt.apps.admin.error.app_build.cov2_field_setting_placeholder_not_allowed"
+      title: 'App builder job: requirements file contains placeholder in custom objects v2 field property. Placeholders are not allowed in field definitions. Leave requirements.json as is (do not translate). Do not translate "object_fields" as it is part of schema.'
+      value: 'The requirements.json file contains a placeholder in the object_fields array. The %{property_name} property of field %{field_key} (object: %{object_key}) contains a placeholder %{property_value}. Placeholders are not allowed in field definitions.'
+      screenshot: "https://drive.google.com/file/d/1Bprc1VNv8kmzgbNeQn-noU0ItSci2obm/view?usp=sharing"
+  - translation:
+      key: "txt.apps.admin.error.app_build.cov2_trigger_setting_placeholder_not_allowed"
+      title: 'App builder job: requirements file contains placeholder in custom objects v2 trigger identifier. Placeholders are not allowed in trigger identifiers. Leave requirements.json as is (do not translate). Do not translate "object_triggers" as it is part of schema.'
+      value: 'The requirements.json file contains a placeholder in the object_triggers array. The %{property_name} property of trigger %{trigger_key} (object: %{object_key}) contains a placeholder %{property_value}. Placeholders are not allowed in trigger definitions.'
+      screenshot: "https://drive.google.com/file/d/1FwnzKj9srIDTxtk-WryA3xHTXGD7uS-W/view?usp=sharing"
   - translation:
       key: "txt.apps.admin.error.app_build.missing_required_fields"
       title: "App builder job: required key missing in requirements, e.g. \"title\" is required in \"my_custom_email_target\""
@@ -649,3 +664,9 @@ parts:
       key: "txt.apps.admin.error.app_build.field_contains_invalid_keys"
       title: "App builder job: Error for invalid field keys. Placeholder %{field} shows parameter fields like \"parameter[name='param'].scopes\" provided in the supplied manifest file, %{keys} shows the invalid keys found within the field."
       value: "%{field} contains invalid keys: %{keys}."
+  - translation:
+      key: "txt.apps.admin.error.app_build.translation.secure_parameters_with_no_scopes_in_manifest"
+      title: "Validation message to indicate missing scopes field in manifest's secure parameter.
+        Do not translate 'scopes'. %{params} refers to secure parameters with no scopes configured.
+        Scopes in manifest refers to https://developer.zendesk.com/documentation/apps/getting-started/setting-up-new-apps/#scopes"
+      value: "The scopes property is not configured for parameter(s): %{params}. This may cause token exposure vulnerabilities. Learn about: %{link}"

data/lib/zendesk_apps_support/package.rb

@@ -48,7 +48,10 @@ module ZendeskAppsSupport
         errors << Validations::Requirements.call(self, validate_custom_objects_v2:)
 
         # only adds warnings
-        Validations::SecureSettings.call(self)
+        Validations::SecureSettings.call(
+          self,
+          validate_scopes_for_secure_parameter: validate_scopes_for_secure_parameter
+        )
         Validations::Requests.call(self)
 
         unless manifest.requirements_only? || manifest.marketing_only? || manifest.iframe_only?

data/lib/zendesk_apps_support/validations/secure_settings.rb

@@ -7,7 +7,7 @@ module ZendeskAppsSupport
       SECURABLE_KEYWORDS_REGEXP = Regexp.new(SECURABLE_KEYWORDS.join('|'), Regexp::IGNORECASE)
 
       class << self
-        def call(package)
+        def call(package, validate_scopes_for_secure_parameter: false)
           manifest_params = package.manifest.parameters
 
           insecure_params_found = manifest_params.any? { |param| insecure_param?(param) }
@@ -15,6 +15,11 @@ module ZendeskAppsSupport
 
           secure_or_hidden_default_param_found = manifest_params.any? { |param| secure_or_hidden_default_param?(param) }
           package.warnings << hidden_default_parameter_warning if secure_or_hidden_default_param_found
+
+          if validate_scopes_for_secure_parameter
+            unscoped_secure_param_names = manifest_params.filter_map { |param| name_if_secure_unscoped(param) }
+            package.warnings << no_scopes_warning(unscoped_secure_param_names) if unscoped_secure_param_names.any?
+          end
         end
 
         private
@@ -43,6 +48,18 @@ module ZendeskAppsSupport
             link: 'https://developer.zendesk.com/apps/docs/developer-guide/using_sdk#using-secure-settings'
           )
         end
+
+        def name_if_secure_unscoped(param)
+          param.name if param.secure && !param.scopes&.any?
+        end
+
+        def no_scopes_warning(param_names)
+          I18n.t(
+            'txt.apps.admin.error.app_build.translation.secure_parameters_with_no_scopes_in_manifest',
+            params: param_names.join(I18n.t('txt.apps.admin.error.app_build.listing_comma')),
+            link: 'https://developer.zendesk.com/documentation/apps/getting-started/setting-up-new-apps/#scopes'
+          )
+        end
       end
     end
   end

data/lib/zendesk_apps_support/version.rb

@@ -1,3 +1,3 @@
 module ZendeskAppsSupport
-  VERSION = "4.44.1"
+  VERSION = "4.45.0"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: zendesk_apps_support
 version: !ruby/object:Gem::Version
-  version: 4.44.1
+  version: 4.45.0
 platform: ruby
 authors:
 - James A. Rosen
@@ -11,7 +11,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2025-11-21 00:00:00.000000000 Z
+date: 2025-12-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: i18n