brave / ads-ui

Self-service ads UI
Mozilla Public License 2.0

Production Release 2024-05-02 #1180

Closed tackley closed 4 months ago

tackley commented 4 months ago

Features

Fixes

Chores

github-actions[bot] commented 4 months ago

[puLL-Merge] - brave/ads-ui@1180

Here is my review of the PR:

Description

This PR adds a new search campaign creation flow, allowing advertisers to select and customize search ads for a given domain and country. The flow consists of selecting landing pages/creatives, finalizing campaign details, and generating a JSON file with the configuration to submit to Brave.

Changes

  - src/components/Creatives/SearchPreview.tsx: Adds a new component to preview how a search ad will render
  - src/components/FullScreenProgress.tsx: Adds a new full screen loading spinner component
  - src/graphql-client/gql.ts, src/graphql-client/graphql.ts: Updates GraphQL schema with new search prospect related types and queries
  - src/user/User.tsx: Adds route for new search campaign creation page
  - src/user/hooks/useQueryStringParams.ts: Adds a hook to parse query string parameters
  - src/user/views/user/search/*: Adds multiple new components and pages for the search campaign creation flow
  - src/util/download.ts: Adds utility function to trigger a file download in the browser

Security Hotspots

  1. Allowing arbitrary query string parameters to be added to landing page URLs could potentially be abused if not properly validated and sanitized. The SearchOptionsSchema should have strict validation.
  2. The generated JSON file contains the full landing page URLs which may contain sensitive data. Ensure only authorized users can access the Create Search Campaign page and that the generated file is securely handled.
  3. GraphQL queries for search prospects data should be secured with proper authentication and authorization checks to prevent data leaks.
  4. When rendering the search ad previews, any HTML should be sanitized to prevent XSS vulnerabilities from malformed title/body content.

Let me know if you have any other questions! Overall the code looks well structured and follows existing patterns in the codebase. The main areas to double check are around validation, access control and data security for the new search prospects functionality.
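The first hotspot in the review above asks for strict validation of advertiser-supplied query string parameters before they are appended to a landing page URL. The TypeScript below is an added example written for this page, not code from brave/ads-ui or from PR #1180: it contrasts naive string concatenation with a builder that validates parameter names and values, pins the landing page to https on the campaign's own domain, and lets URLSearchParams do the encoding so a value can never turn into a second parameter. The function names (naiveAppend, validateQueryParams, buildLandingPageUrl, isRejected), the limits and the allowed-character rules are assumptions for this example and are not the project's SearchOptionsSchema.

```typescript
// Added example, not code from brave/ads-ui. Validates advertiser-supplied
// query string parameters and appends them to a landing page URL without
// letting a value alter the URL's structure. Names, limits and character
// rules below are assumptions, not the project's SearchOptionsSchema.

export interface QueryParam {
  key: string;
  value: string;
}

// Limits and character classes are assumptions for this example.
const MAX_PARAMS = 10;
const MAX_KEY_LENGTH = 64;
const MAX_VALUE_LENGTH = 256;
// Keys: the conventional tracking-parameter shape (utm_source, gclid, ...).
const KEY_PATTERN = /^[A-Za-z][A-Za-z0-9_-]*$/;
// Values: printable ASCII only, so control characters and non-ASCII are
// rejected outright rather than silently percent-encoded.
const VALUE_PATTERN = /^[\x20-\x7e]*$/;

export class SearchOptionsValidationError extends Error {
  constructor(message: string) {
    super(message);
    this.name = "SearchOptionsValidationError";
  }
}

// Validate a parameter list, throwing on the first problem found.
export function validateQueryParams(params: QueryParam[]): QueryParam[] {
  if (params.length > MAX_PARAMS) {
    throw new SearchOptionsValidationError(`at most ${MAX_PARAMS} parameters allowed`);
  }
  const seen = new Set<string>();
  for (const { key, value } of params) {
    if (key.length === 0 || key.length > MAX_KEY_LENGTH || !KEY_PATTERN.test(key)) {
      throw new SearchOptionsValidationError(`invalid parameter name: ${JSON.stringify(key)}`);
    }
    if (value.length > MAX_VALUE_LENGTH || !VALUE_PATTERN.test(value)) {
      throw new SearchOptionsValidationError(`invalid value for parameter ${key}`);
    }
    if (seen.has(key)) {
      throw new SearchOptionsValidationError(`duplicate parameter: ${key}`);
    }
    seen.add(key);
  }
  return params;
}

// Vulnerable pattern: plain string concatenation. A value such as
// "foo&redirect=https://evil.example" smuggles a second parameter into the URL.
export function naiveAppend(landingPage: string, params: QueryParam[]): string {
  const qs = params.map((p) => `${p.key}=${p.value}`).join("&");
  return landingPage + (landingPage.includes("?") ? "&" : "?") + qs;
}

// Hardened version: parse with the WHATWG URL parser, require https on the
// campaign's domain with no embedded credentials, validate the parameters,
// refuse to override a parameter the landing page already carries, and let
// URLSearchParams encode values so "&" and "=" inside a value stay literal.
export function buildLandingPageUrl(
  landingPage: string,
  params: QueryParam[],
  allowedDomain: string,
): string {
  let url: URL;
  try {
    url = new URL(landingPage);
  } catch {
    throw new SearchOptionsValidationError("landing page is not an absolute URL");
  }
  if (url.protocol !== "https:") {
    throw new SearchOptionsValidationError("landing page must use https");
  }
  if (url.username !== "" || url.password !== "") {
    throw new SearchOptionsValidationError("landing page must not embed credentials");
  }
  const domain = allowedDomain.toLowerCase();
  if (url.hostname !== domain && !url.hostname.endsWith("." + domain)) {
    throw new SearchOptionsValidationError(`landing page must be on ${domain}`);
  }
  for (const { key, value } of validateQueryParams(params)) {
    if (url.searchParams.has(key)) {
      throw new SearchOptionsValidationError(`landing page already sets ${key}`);
    }
    url.searchParams.append(key, value);
  }
  return url.toString();
}

// Convenience for callers and tests: does the input fail validation?
export function isRejected(landingPage: string, params: QueryParam[], allowedDomain: string): boolean {
  try {
    buildLandingPageUrl(landingPage, params, allowedDomain);
    return false;
  } catch (e) {
    return e instanceof SearchOptionsValidationError;
  }
}
```

The contrast is the point: with naiveAppend, a utm_source value of `foo&redirect=https://evil.example` parses back out of the final URL as two parameters, while buildLandingPageUrl produces `utm_source=foo%26redirect%3D...` and a landing page that already has a query string keeps it intact. The same principle covers the fourth hotspot in the preview component: title and body should reach the DOM as text nodes (React's default for string children), never through dangerouslySetInnerHTML.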