fix(vulns): fix various vulnerabilities and enhanced code security

[waleedlatif1]

Summary

fix various vulnerabilities and enhanced code security

Type of Change

• Bug fix

Testing

Tested manually.

Checklist

• Code follows project style guidelines
• Self-reviewed my changes
• Tests added/updated and passing
• No new warnings introduced
• I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Comments	Updated (UTC)
docs	Ready	Preview	Comment	Oct 12, 2025 5:11am

[greptile-apps]

Greptile Overview

Summary

This PR significantly improves the security posture by addressing SSRF (Server-Side Request Forgery) and path traversal vulnerabilities across the codebase.

Key Changes:

• Added comprehensive input validation library (apps/sim/lib/security/input-validation.ts) with functions to validate UUIDs, path segments, URLs, hostnames, and service-specific IDs
• Applied validation to 30+ API routes including Jira, Confluence, Wealthbox, OneDrive, SharePoint, and Discord integrations
• Updated proxy routes to use new SSRF protections (blocks private IPs, localhost, and dangerous ports)
• Fixed string escaping vulnerability in condition evaluation logic
• Added HTML sanitization for Confluence content processing
• Comprehensive test coverage with 590+ test cases for validation functions

Security Improvements:

• Prevents path traversal attacks with strict path segment validation
• Blocks SSRF attempts by validating URLs against private IP ranges and localhost
• Validates Microsoft Graph IDs, Jira cloud IDs, and issue keys to prevent injection
• Blocks null bytes, URL encoding attacks, and directory separators in user input

Issues Found:

• ReDoS vulnerability: Three HTML sanitization functions use unbounded regex loops that could cause denial of service with malicious input (see inline comments)

Confidence Score: 3/5

• This PR improves security significantly but introduces ReDoS vulnerabilities that must be fixed before merge
• The PR adds comprehensive input validation that prevents critical SSRF and path traversal vulnerabilities. However, three HTML sanitization functions contain unbounded regex loops that create ReDoS (Regular Expression Denial of Service) vulnerabilities. These could allow attackers to cause performance degradation or service unavailability by submitting malicious HTML strings. The validation library itself is well-designed with good test coverage.
• Critical attention needed: apps/sim/tools/confluence/utils.ts and apps/sim/lib/copilot/tools/server/other/make-api-request.ts - fix ReDoS vulnerabilities before merging

Important Files Changed

File Analysis

Filename	Score	Overview
apps/sim/lib/security/input-validation.ts	5/5	New comprehensive input validation library added with functions to prevent path traversal, SSRF, and injection attacks
apps/sim/app/api/proxy/route.ts	5/5	Updated to use new URL validation library for proxy requests to prevent SSRF
apps/sim/tools/confluence/utils.ts	3/5	Added HTML sanitization functions with potential ReDoS vulnerability in regex loops
apps/sim/executor/resolver/resolver.ts	4/5	Fixed string escaping in condition evaluation to properly handle backslashes and prevent injection
apps/sim/lib/copilot/tools/server/other/make-api-request.ts	5/5	HTML stripping logic implemented, no changes made to validation

Sequence Diagram

sequenceDiagram
    participant Client
    participant API Route
    participant Validation
    participant External API
    
    Client->>API Route: Request with user input
    API Route->>Validation: validatePathSegment(itemId)
    alt Invalid Input
        Validation-->>API Route: {isValid: false, error}
        API Route-->>Client: 400 Bad Request
    else Valid Input
        Validation-->>API Route: {isValid: true, sanitized}
        API Route->>Validation: validateProxyUrl(url)
        alt SSRF Attempt
            Validation-->>API Route: {isValid: false, error}
            API Route-->>Client: 403 Forbidden
        else Safe URL
            Validation-->>API Route: {isValid: true}
            API Route->>External API: Authenticated request
            External API-->>API Route: Response
            API Route-->>Client: Success response
        end
    end

Loading

Additional Comments (1)

1. apps/sim/lib/copilot/tools/server/other/make-api-request.ts, line 52-69 (link)

   logic: Same ReDoS vulnerability pattern as in confluence utils. The nested loop can cause exponential backtracking with malicious HTML input.

   Consider adding a maximum iteration limit to prevent denial of service:

_{99 files reviewed, 3 comments}

_{Edit Code Review Agent Settings | Greptile}