chore: Add spam checking for workflow bodies

.env.example

@@ -417,3 +417,5 @@ DIRECTORY_IDS_TO_LOG=
 # Set this when Cal.com is used to serve only one organization's booking pages
 # Read more about it in the README.md
 NEXT_PUBLIC_SINGLE_ORG_SLUG=
+
+AKISMET_API_KEY="6451247bcfcd"

packages/features/package.json

@@ -15,6 +15,7 @@
     "@tanstack/react-table": "^8.9.3",
     "@tanstack/react-virtual": "^3.10.9",
     "@vercel/functions": "^1.4.0",
+    "akismet-api": "^6.0.0",
     "framer-motion": "^10.12.8",
     "lexical": "^0.9.0",
     "react-select": "^5.7.0",

packages/features/tasker/tasker.ts

@@ -18,6 +18,7 @@ type TaskPayloads = {
     typeof import("./tasks/translateEventTypeData").ZTranslateEventDataPayloadSchema
   >;
   createCRMEvent: z.infer<typeof import("./tasks/crm/schema").createCRMEventSchema>;
+  scanWorkflowBody: z.infer<typeof import("./tasks/scanWorkflowBody").scanWorkflowBodySchema>;
 };
 export type TaskTypes = keyof TaskPayloads;
 export type TaskHandler = (payload: string) => Promise<void>;

packages/features/tasker/tasks/index.ts

@@ -20,6 +20,7 @@ const tasks: Record<TaskTypes, () => Promise<TaskHandler>> = {
   translateEventTypeData: () =>
     import("./translateEventTypeData").then((module) => module.translateEventTypeData),
   createCRMEvent: () => import("./crm/createCRMEvent").then((module) => module.createCRMEvent),
+  scanWorkflowBody: () => import("./scanWorkflowBody").then((module) => module.scanWorkflowBody),
 };
 
 export default tasks;

packages/features/tasker/tasks/scanWorkflowBody.ts

@@ -0,0 +1,53 @@
+import { AkismetClient } from "akismet-api";
+import type { Comment } from "akismet-api";
+import z from "zod";
+
+import { lockUser } from "@calcom/lib/autoLock";
+import { WEBAPP_URL } from "@calcom/lib/constants";
+import logger from "@calcom/lib/logger";
+import prisma from "@calcom/prisma";
+
+export const scanWorkflowBodySchema = z.object({
+  userId: z.number(),
+  workflowStepId: z.number(),
+});
+
+const log = logger.getSubLogger({ prefix: ["[tasker] scanWorkflowBody"] });
+
+export async function scanWorkflowBody(payload: string) {
+  if (!process.env.AKISMET_API_KEY) {
+    log.warn("AKISMET_API_KEY not set, skipping scan");
+    return;
+  }
+
+  const { workflowStepId, userId } = scanWorkflowBodySchema.parse(JSON.parse(payload));
+
+  const workflowStep = await prisma.workflowStep.findUnique({
+    where: {
+      id: workflowStepId,
+    },
+  });
+
+  if (!workflowStep?.reminderBody) return;
+
+  const client = new AkismetClient({ key: process.env.AKISMET_API_KEY, blog: WEBAPP_URL });
+
+  const comment: Comment = {
+    user_ip: "127.0.0.1",
+    content: workflowStep.reminderBody,
+  };
+
+  const isSpam = await client.checkSpam(comment);
+
+  if (isSpam) {
+    log.warn(`Workflow step ${workflowStepId} is spam with body ${workflowStep.reminderBody}`);
+
+    await prisma.workflowStep.delete({
+      where: {
+        id: workflowStepId,
+      },
+    });
+
+    await lockUser("userId", userId.toString());
+  }
+}

packages/lib/autoLock.ts

@@ -69,7 +69,7 @@ export async function handleAutoLock({
   return false;
 }
 
-async function lockUser(identifierType: string, identifier: string) {
+export async function lockUser(identifierType: string, identifier: string) {
   if (!identifier) {
     return;
   }

packages/trpc/server/routers/viewer/workflows/update.handler.ts

@@ -24,6 +24,7 @@ import {
   removeSmsReminderFieldForEventTypes,
   isStepEdited,
   getEmailTemplateText,
+  scheduleWorkflowBodyScan,
 } from "./util";
 
 type UpdateOptions = {
@@ -398,6 +399,13 @@ export const updateHandler = async ({ ctx, input }: UpdateOptions) => {
         },
       });
 
+      await scheduleWorkflowBodyScan({
+        workflowStepId: oldStep.id,
+        userId: ctx.user.id,
+        newStepBody: newStep?.reminderBody,
+        oldStepBody: oldStep?.reminderBody,
+      });
+
       // cancel all notifications of edited step
       await WorkflowRepository.deleteAllWorkflowReminders(remindersFromStep);
 
@@ -466,6 +474,16 @@ export const updateHandler = async ({ ctx, input }: UpdateOptions) => {
       )
     );
 
+    await Promise.all(
+      createdSteps.map((step) =>
+        scheduleWorkflowBodyScan({
+          workflowStepId: step.id,
+          userId: ctx.user.id,
+          newStepBody: step.reminderBody,
+        })
+      )
+    );
+
     // schedule notification for new step
     await scheduleWorkflowNotifications(
       activeOn,

packages/trpc/server/routers/viewer/workflows/util.ts

@@ -15,7 +15,8 @@ import {
   getSmsReminderNumberSource,
 } from "@calcom/features/bookings/lib/getBookingFields";
 import { removeBookingField, upsertBookingField } from "@calcom/features/eventtypes/lib/bookingFieldsManager";
-import { SENDER_ID, SENDER_NAME } from "@calcom/lib/constants";
+import tasker from "@calcom/features/tasker";
+import { IS_SELF_HOSTED, SENDER_ID, SENDER_NAME } from "@calcom/lib/constants";
 import { getBookerBaseUrl } from "@calcom/lib/getBookerUrl/server";
 import getOrgIdFromMemberOrTeamId from "@calcom/lib/getOrgIdFromMemberOrTeamId";
 import { getTeamIdFromEventType } from "@calcom/lib/getTeamIdFromEventType";
@@ -876,3 +877,26 @@ export function getEmailTemplateText(
 
   return { emailBody, emailSubject };
 }
+
+export async function scheduleWorkflowBodyScan({
+  workflowStepId,
+  userId,
+  newStepBody,
+  oldStepBody,
+}: {
+  workflowStepId: number;
+  userId: number;
+  newStepBody?: string | null;
+  oldStepBody?: string | null;
+}) {
+  // Don't scan workflows for self hosters
+  if (IS_SELF_HOSTED || !process.env.AKISMET_API_KEY) return;
+
+  // If there is no body to scan then return
+  if (!newStepBody) return;
+
+  // If there is no change in body then return
+  if (newStepBody === oldStepBody) return;
+
+  await tasker.create("scanWorkflowBody", { workflowStepId, userId });
+}

turbo.json

@@ -239,6 +239,7 @@
     "AB_TEST_BUCKET_PROBABILITY",
     "ALLOWED_HOSTNAMES",
     "ANALYZE",
+    "AKISMET_API_KEY",
     "API_KEY_PREFIX",
     "APP_ROUTER_APPS_CATEGORIES_CATEGORY_ENABLED",
     "APP_ROUTER_APPS_CATEGORIES_ENABLED",

yarn.lock

@@ -4156,6 +4156,7 @@ __metadata:
     "@testing-library/react-hooks": ^8.0.1
     "@types/web-push": ^3.6.3
     "@vercel/functions": ^1.4.0
+    akismet-api: ^6.0.0
     framer-motion: ^10.12.8
     lexical: ^0.9.0
     react-select: ^5.7.0
@@ -18302,6 +18303,16 @@ __metadata:
   languageName: node
   linkType: hard
 
+"akismet-api@npm:^6.0.0":
+  version: 6.0.0
+  resolution: "akismet-api@npm:6.0.0"
+  dependencies:
+    bluebird: ^3.1.1
+    superagent: ^8.0.0
+  checksum: f93a9eb11e83e63b8ab2217ee3122bac69a911d6b02d2f7158a8f1c4a8c262a6e52a7461a3b7afeab6930e601df95121aff2f7c90015ea69b0ac65090586e6e7
+  languageName: node
+  linkType: hard
+
 "ansi-align@npm:^3.0.1":
   version: 3.0.1
   resolution: "ansi-align@npm:3.0.1"
@@ -19668,7 +19679,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"bluebird@npm:^3.7.2":
+"bluebird@npm:^3.1.1, bluebird@npm:^3.7.2":
   version: 3.7.2
   resolution: "bluebird@npm:3.7.2"
   checksum: 869417503c722e7dc54ca46715f70e15f4d9c602a423a02c825570862d12935be59ed9c7ba34a9b31f186c017c23cac6b54e35446f8353059c101da73eac22ef
@@ -41437,7 +41448,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"superagent@npm:^8.1.2":
+"superagent@npm:^8.0.0, superagent@npm:^8.1.2":
   version: 8.1.2
   resolution: "superagent@npm:8.1.2"
   dependencies: