fix(tools): add validation for ids in tool routes (#2371)

2026-01-08 22:48:14 -05:00 · 2025-12-13 19:40:33 -08:00
parent 7443e28054
commit 431f206930
4 changed files with 27 additions and 6 deletions
--- a/apps/sim/app/api/proxy/tts/unified/route.ts
+++ b/apps/sim/app/api/proxy/tts/unified/route.ts
@@ -1,6 +1,7 @@
 import type { NextRequest } from 'next/server'
 import { NextResponse } from 'next/server'
 import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { validateAlphanumericId } from '@/lib/core/security/input-validation'
 import { getBaseUrl } from '@/lib/core/utils/urls'
 import { createLogger } from '@/lib/logs/console/logger'
 import { StorageService } from '@/lib/uploads'
@@ -147,6 +148,10 @@ export async function POST(request: NextRequest) {
            { status: 400 }
          )
        }
+        const voiceIdValidation = validateAlphanumericId(body.voiceId, 'voiceId')
+        if (!voiceIdValidation.isValid) {
+          return NextResponse.json({ error: voiceIdValidation.error }, { status: 400 })
+        }
        const result = await synthesizeWithElevenLabs({
          text,
          apiKey,
--- a/apps/sim/app/api/tools/discord/send-message/route.ts
+++ b/apps/sim/app/api/tools/discord/send-message/route.ts
@@ -1,6 +1,7 @@
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { validateNumericId } from '@/lib/core/security/input-validation'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { createLogger } from '@/lib/logs/console/logger'
 import { processFilesToUserFiles } from '@/lib/uploads/utils/file-utils'
@@ -41,6 +42,17 @@ export async function POST(request: NextRequest) {
    const body = await request.json()
    const validatedData = DiscordSendMessageSchema.parse(body)

+    const channelIdValidation = validateNumericId(validatedData.channelId, 'channelId')
+    if (!channelIdValidation.isValid) {
+      logger.warn(`[${requestId}] Invalid channelId format`, {
+        error: channelIdValidation.error,
+      })
+      return NextResponse.json(
+        { success: false, error: channelIdValidation.error },
+        { status: 400 }
+      )
+    }
+
    logger.info(`[${requestId}] Sending Discord message`, {
      channelId: validatedData.channelId,
      hasFiles: !!(validatedData.files && validatedData.files.length > 0),
--- a/apps/sim/app/api/tools/webflow/collections/route.ts
+++ b/apps/sim/app/api/tools/webflow/collections/route.ts
@@ -1,5 +1,6 @@
 import { NextResponse } from 'next/server'
 import { authorizeCredentialUse } from '@/lib/auth/credential-access'
+import { validateAlphanumericId } from '@/lib/core/security/input-validation'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { createLogger } from '@/lib/logs/console/logger'
 import { refreshAccessTokenIfNeeded } from '@/app/api/auth/oauth/utils'
@@ -19,9 +20,10 @@ export async function POST(request: Request) {
      return NextResponse.json({ error: 'Credential is required' }, { status: 400 })
    }

-    if (!siteId) {
-      logger.error('Missing siteId in request')
-      return NextResponse.json({ error: 'Site ID is required' }, { status: 400 })
+    const siteIdValidation = validateAlphanumericId(siteId, 'siteId')
+    if (!siteIdValidation.isValid) {
+      logger.error('Invalid siteId', { error: siteIdValidation.error })
+      return NextResponse.json({ error: siteIdValidation.error }, { status: 400 })
    }

    const authz = await authorizeCredentialUse(request as any, {
--- a/apps/sim/app/api/tools/webflow/items/route.ts
+++ b/apps/sim/app/api/tools/webflow/items/route.ts
@@ -1,5 +1,6 @@
 import { NextResponse } from 'next/server'
 import { authorizeCredentialUse } from '@/lib/auth/credential-access'
+import { validateAlphanumericId } from '@/lib/core/security/input-validation'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { createLogger } from '@/lib/logs/console/logger'
 import { refreshAccessTokenIfNeeded } from '@/app/api/auth/oauth/utils'
@@ -19,9 +20,10 @@ export async function POST(request: Request) {
      return NextResponse.json({ error: 'Credential is required' }, { status: 400 })
    }

-    if (!collectionId) {
-      logger.error('Missing collectionId in request')
-      return NextResponse.json({ error: 'Collection ID is required' }, { status: 400 })
+    const collectionIdValidation = validateAlphanumericId(collectionId, 'collectionId')
+    if (!collectionIdValidation.isValid) {
+      logger.error('Invalid collectionId', { error: collectionIdValidation.error })
+      return NextResponse.json({ error: collectionIdValidation.error }, { status: 400 })
    }

    const authz = await authorizeCredentialUse(request as any, {