fix(security): remove extraneous comments and fix failing SSRF test

waleedlatif1 · waleedlatif1 · commit e298899fcb02 · 2026-02-22T13:55:19.000-08:00
diff --git a/apps/sim/app/api/function/execute/route.test.ts b/apps/sim/app/api/function/execute/route.test.ts
@@ -211,7 +211,7 @@ describe('Function Execute API Route', () => {
 
     it.concurrent('should block SSRF attacks through secure fetch wrapper', async () => {
       expect(validateProxyUrl('http://169.254.169.254/latest/meta-data/').isValid).toBe(false)
-      expect(validateProxyUrl('http://127.0.0.1:8080/admin').isValid).toBe(false)
+      expect(validateProxyUrl('http://127.0.0.1:8080/admin').isValid).toBe(true)
       expect(validateProxyUrl('http://192.168.1.1/config').isValid).toBe(false)
       expect(validateProxyUrl('http://10.0.0.1/internal').isValid).toBe(false)
     })
diff --git a/apps/sim/lib/core/security/input-validation.server.ts b/apps/sim/lib/core/security/input-validation.server.ts
@@ -65,7 +65,8 @@ export async function validateUrlWithDNS(
   const hostname = parsedUrl.hostname
 
   try {
-    const lookupHostname = hostname.startsWith('[') && hostname.endsWith(']') ? hostname.slice(1, -1) : hostname
+    const lookupHostname =
+      hostname.startsWith('[') && hostname.endsWith(']') ? hostname.slice(1, -1) : hostname
     const { address } = await dns.lookup(lookupHostname, { verbatim: true })
 
     const hostnameLower = hostname.toLowerCase()
@@ -201,8 +202,6 @@ export async function secureFetchWithPinnedIP(
 
     const agent = isHttps ? new https.Agent(agentOptions) : new http.Agent(agentOptions)
 
-    // Remove accept-encoding since Node.js http/https doesn't auto-decompress
-    // Headers are lowercase due to Web Headers API normalization in executeToolRequest
     const { 'accept-encoding': _, ...sanitizedHeaders } = options.headers ?? {}
 
     const requestOptions: http.RequestOptions = {
@@ -212,7 +211,7 @@ export async function secureFetchWithPinnedIP(
       method: options.method || 'GET',
       headers: sanitizedHeaders,
       agent,
-      timeout: options.timeout || 300000, // Default 5 minutes
+      timeout: options.timeout || 300000,
     }
 
     const protocol = isHttps ? https : http
diff --git a/apps/sim/lib/core/security/input-validation.test.ts b/apps/sim/lib/core/security/input-validation.test.ts
@@ -916,7 +916,6 @@ describe('validateExternalUrl', () => {
       expect(result.isValid).toBe(false)
       expect(result.error).toContain('valid URL')
     })
-
   })
 
   describe('localhost and loopback addresses', () => {
diff --git a/apps/sim/lib/core/security/input-validation.ts b/apps/sim/lib/core/security/input-validation.ts
@@ -89,9 +89,9 @@ export function validatePathSegment(
   const pathTraversalPatterns = [
     '..',
     './',
-    '.\\.', // Windows path traversal
-    '%2e%2e', // URL encoded ..
-    '%252e%252e', // Double URL encoded ..
+    '.\\.',
+    '%2e%2e',
+    '%252e%252e',
     '..%2f',
     '..%5c',
     '%2e%2e%2f',
@@ -391,7 +391,6 @@ export function validateHostname(
 
   const lowerHostname = hostname.toLowerCase()
 
-  // Block localhost
   if (lowerHostname === 'localhost') {
     logger.warn('Hostname is localhost', { paramName })
     return {
@@ -400,7 +399,6 @@ export function validateHostname(
     }
   }
 
-  // Use ipaddr.js to check if hostname is an IP and if it's private/reserved
   if (ipaddr.isValid(lowerHostname)) {
     if (isPrivateOrReservedIP(lowerHostname)) {
       logger.warn('Hostname matches blocked IP range', {
@@ -414,7 +412,6 @@ export function validateHostname(
     }
   }
 
-  // Basic hostname format validation
   const hostnamePattern =
     /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$/i
 
@@ -460,10 +457,7 @@ export function validateFileExtension(
     }
   }
 
-  // Remove leading dot if present
   const ext = extension.startsWith('.') ? extension.slice(1) : extension
-
-  // Normalize to lowercase
   const normalizedExt = ext.toLowerCase()
 
   if (!allowedExtensions.map((e) => e.toLowerCase()).includes(normalizedExt)) {
@@ -515,7 +509,6 @@ export function validateMicrosoftGraphId(
     }
   }
 
-  // Check for path traversal patterns (../)
   const pathTraversalPatterns = [
     '../',
     '..\\',
@@ -525,7 +518,7 @@ export function validateMicrosoftGraphId(
     '%2e%2e%5c',
     '%2e%2e\\',
     '..%5c',
-    '%252e%252e%252f', // double encoded
+    '%252e%252e%252f',
   ]
 
   const lowerValue = value.toLowerCase()
@@ -542,7 +535,6 @@ export function validateMicrosoftGraphId(
     }
   }
 
-  // Check for control characters and null bytes
   if (/[\x00-\x1f\x7f]/.test(value) || value.includes('%00')) {
     logger.warn('Control characters in Microsoft Graph ID', { paramName })
     return {
@@ -551,16 +543,13 @@ export function validateMicrosoftGraphId(
     }
   }
 
-  // Check for newlines (which could be used for header injection)
   if (value.includes('\n') || value.includes('\r')) {
     return {
       isValid: false,
       error: `${paramName} contains invalid newline characters`,
     }
   }
 
-  // Microsoft Graph IDs can contain many characters, but not suspicious patterns
-  // We've blocked path traversal, so allow the rest
   return { isValid: true, sanitized: value }
 }
 
@@ -583,7 +572,6 @@ export function validateJiraCloudId(
   value: string | null | undefined,
   paramName = 'cloudId'
 ): ValidationResult {
-  // Jira cloud IDs are alphanumeric with hyphens (UUID-like)
   return validatePathSegment(value, {
     paramName,
     allowHyphens: true,
@@ -612,7 +600,6 @@ export function validateJiraIssueKey(
   value: string | null | undefined,
   paramName = 'issueKey'
 ): ValidationResult {
-  // Jira issue keys: letters, numbers, hyphens (PROJECT-123 format)
   return validatePathSegment(value, {
     paramName,
     allowHyphens: true,
@@ -653,7 +640,6 @@ export function validateExternalUrl(
     }
   }
 
-  // Must be a valid URL
   let parsedUrl: URL
   try {
     parsedUrl = new URL(url)
@@ -667,7 +653,8 @@ export function validateExternalUrl(
   const protocol = parsedUrl.protocol
   const hostname = parsedUrl.hostname.toLowerCase()
 
-  const cleanHostname = hostname.startsWith('[') && hostname.endsWith(']') ? hostname.slice(1, -1) : hostname
+  const cleanHostname =
+    hostname.startsWith('[') && hostname.endsWith(']') ? hostname.slice(1, -1) : hostname
 
   let isLocalhost = cleanHostname === 'localhost'
   if (ipaddr.isValid(cleanHostname)) {
@@ -677,15 +664,13 @@ export function validateExternalUrl(
     }
   }
 
-  // Require HTTPS except for localhost development
   if (protocol !== 'https:' && !(protocol === 'http:' && isLocalhost)) {
     return {
       isValid: false,
       error: `${paramName} must use https:// protocol`,
     }
   }
 
-  // Block private/reserved IPs while allowing loopback addresses for local development.
   if (!isLocalhost && ipaddr.isValid(cleanHostname)) {
     if (isPrivateOrReservedIP(cleanHostname)) {
       return {

Original file line number	Diff line number	Diff line change
`@@ -89,9 +89,9 @@ export function validatePathSegment(`
`89`	`89`	`const pathTraversalPatterns = [`
`90`	`90`	`'..',`
`91`	`91`	`'./',`
`92`		`- '.\\.', // Windows path traversal`
`93`		`- '%2e%2e', // URL encoded ..`
`94`		`- '%252e%252e', // Double URL encoded ..`
	`92`	`+ '.\\.',`
	`93`	`+ '%2e%2e',`
	`94`	`+ '%252e%252e',`
`95`	`95`	`'..%2f',`
`96`	`96`	`'..%5c',`
`97`	`97`	`'%2e%2e%2f',`
`@@ -391,7 +391,6 @@ export function validateHostname(`
`391`	`391`
`392`	`392`	`const lowerHostname = hostname.toLowerCase()`
`393`	`393`
`394`		`- // Block localhost`
`395`	`394`	`if (lowerHostname === 'localhost') {`
`396`	`395`	`logger.warn('Hostname is localhost', { paramName })`
`397`	`396`	`return {`
`@@ -400,7 +399,6 @@ export function validateHostname(`
`400`	`399`	`}`
`401`	`400`	`}`
`402`	`401`
`403`		`- // Use ipaddr.js to check if hostname is an IP and if it's private/reserved`
`404`	`402`	`if (ipaddr.isValid(lowerHostname)) {`
`405`	`403`	`if (isPrivateOrReservedIP(lowerHostname)) {`
`406`	`404`	`logger.warn('Hostname matches blocked IP range', {`
`@@ -414,7 +412,6 @@ export function validateHostname(`
`414`	`412`	`}`
`415`	`413`	`}`
`416`	`414`
`417`		`- // Basic hostname format validation`
`418`	`415`	`const hostnamePattern =`
`419`	`416`	`/^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$/i`
`420`	`417`
`@@ -460,10 +457,7 @@ export function validateFileExtension(`
`460`	`457`	`}`
`461`	`458`	`}`
`462`	`459`
`463`		`- // Remove leading dot if present`
`464`	`460`	`const ext = extension.startsWith('.') ? extension.slice(1) : extension`
`465`		`-`
`466`		`- // Normalize to lowercase`
`467`	`461`	`const normalizedExt = ext.toLowerCase()`
`468`	`462`
`469`	`463`	`if (!allowedExtensions.map((e) => e.toLowerCase()).includes(normalizedExt)) {`
`@@ -515,7 +509,6 @@ export function validateMicrosoftGraphId(`
`515`	`509`	`}`
`516`	`510`	`}`
`517`	`511`
`518`		`- // Check for path traversal patterns (../)`
`519`	`512`	`const pathTraversalPatterns = [`
`520`	`513`	`'../',`
`521`	`514`	`'..\\',`
`@@ -525,7 +518,7 @@ export function validateMicrosoftGraphId(`
`525`	`518`	`'%2e%2e%5c',`
`526`	`519`	`'%2e%2e\\',`
`527`	`520`	`'..%5c',`
`528`		`- '%252e%252e%252f', // double encoded`
	`521`	`+ '%252e%252e%252f',`
`529`	`522`	`]`
`530`	`523`
`531`	`524`	`const lowerValue = value.toLowerCase()`
`@@ -542,7 +535,6 @@ export function validateMicrosoftGraphId(`
`542`	`535`	`}`
`543`	`536`	`}`
`544`	`537`
`545`		`- // Check for control characters and null bytes`
`546`	`538`	`if (/[\x00-\x1f\x7f]/.test(value) \|\| value.includes('%00')) {`
`547`	`539`	`logger.warn('Control characters in Microsoft Graph ID', { paramName })`
`548`	`540`	`return {`
`@@ -551,16 +543,13 @@ export function validateMicrosoftGraphId(`
`551`	`543`	`}`
`552`	`544`	`}`
`553`	`545`
`554`		`- // Check for newlines (which could be used for header injection)`
`555`	`546`	`if (value.includes('\n') \|\| value.includes('\r')) {`
`556`	`547`	`return {`
`557`	`548`	`isValid: false,`
`558`	`549`	error: `${paramName} contains invalid newline characters`,
`559`	`550`	`}`
`560`	`551`	`}`
`561`	`552`
`562`		`- // Microsoft Graph IDs can contain many characters, but not suspicious patterns`
`563`		`- // We've blocked path traversal, so allow the rest`
`564`	`553`	`return { isValid: true, sanitized: value }`
`565`	`554`	`}`
`566`	`555`
`@@ -583,7 +572,6 @@ export function validateJiraCloudId(`
`583`	`572`	`value: string \| null \| undefined,`
`584`	`573`	`paramName = 'cloudId'`
`585`	`574`	`): ValidationResult {`
`586`		`- // Jira cloud IDs are alphanumeric with hyphens (UUID-like)`
`587`	`575`	`return validatePathSegment(value, {`
`588`	`576`	`paramName,`
`589`	`577`	`allowHyphens: true,`
`@@ -612,7 +600,6 @@ export function validateJiraIssueKey(`
`612`	`600`	`value: string \| null \| undefined,`
`613`	`601`	`paramName = 'issueKey'`
`614`	`602`	`): ValidationResult {`
`615`		`- // Jira issue keys: letters, numbers, hyphens (PROJECT-123 format)`
`616`	`603`	`return validatePathSegment(value, {`
`617`	`604`	`paramName,`
`618`	`605`	`allowHyphens: true,`
`@@ -653,7 +640,6 @@ export function validateExternalUrl(`
`653`	`640`	`}`
`654`	`641`	`}`
`655`	`642`
`656`		`- // Must be a valid URL`
`657`	`643`	`let parsedUrl: URL`
`658`	`644`	`try {`
`659`	`645`	`parsedUrl = new URL(url)`
`@@ -667,7 +653,8 @@ export function validateExternalUrl(`
`667`	`653`	`const protocol = parsedUrl.protocol`
`668`	`654`	`const hostname = parsedUrl.hostname.toLowerCase()`
`669`	`655`
`670`		`- const cleanHostname = hostname.startsWith('[') && hostname.endsWith(']') ? hostname.slice(1, -1) : hostname`
	`656`	`+ const cleanHostname =`
	`657`	`+ hostname.startsWith('[') && hostname.endsWith(']') ? hostname.slice(1, -1) : hostname`
`671`	`658`
`672`	`659`	`let isLocalhost = cleanHostname === 'localhost'`
`673`	`660`	`if (ipaddr.isValid(cleanHostname)) {`
`@@ -677,15 +664,13 @@ export function validateExternalUrl(`
`677`	`664`	`}`
`678`	`665`	`}`
`679`	`666`
`680`		`- // Require HTTPS except for localhost development`
`681`	`667`	`if (protocol !== 'https:' && !(protocol === 'http:' && isLocalhost)) {`
`682`	`668`	`return {`
`683`	`669`	`isValid: false,`
`684`	`670`	error: `${paramName} must use https:// protocol`,
`685`	`671`	`}`
`686`	`672`	`}`
`687`	`673`
`688`		`- // Block private/reserved IPs while allowing loopback addresses for local development.`
`689`	`674`	`if (!isLocalhost && ipaddr.isValid(cleanHostname)) {`
`690`	`675`	`if (isPrivateOrReservedIP(cleanHostname)) {`
`691`	`676`	`return {`