fix(security): credential-set invite email check + shopify authorize XSS (#4302)

2026-04-28 03:00:29 -04:00 · 2026-04-26 20:52:42 -07:00
parent 8863f1132a
commit 60652e621c
2 changed files with 20 additions and 2 deletions
--- a/apps/sim/app/api/auth/shopify/authorize/route.ts
+++ b/apps/sim/app/api/auth/shopify/authorize/route.ts
@@ -32,7 +32,9 @@ export const GET = withRouteHandler(async (request: NextRequest) => {
    const returnUrl = request.nextUrl.searchParams.get('returnUrl')

    if (!shopDomain) {
-      const returnUrlParam = returnUrl ? encodeURIComponent(returnUrl) : ''
+      const safeReturnUrl =
+        returnUrl && isSameOrigin(returnUrl) ? encodeURIComponent(returnUrl) : ''
+      const returnUrlJsLiteral = JSON.stringify(safeReturnUrl)
      return new NextResponse(
        `<!DOCTYPE html>
 <html>
@@ -120,7 +122,7 @@ export const GET = withRouteHandler(async (request: NextRequest) => {
    </div>

    <script>
-      const returnUrl = '${returnUrlParam}';
+      const returnUrl = ${returnUrlJsLiteral};
      function handleSubmit(e) {
        e.preventDefault();
        let shop = document.getElementById('shop').value.trim().toLowerCase();
--- a/apps/sim/app/api/credential-sets/invite/[token]/route.ts
+++ b/apps/sim/app/api/credential-sets/invite/[token]/route.ts
@@ -12,6 +12,7 @@ import { and, eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { getSession } from '@/lib/auth'
 import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
+import { normalizeEmail } from '@/lib/invitations/core'
 import { syncAllWebhooksForCredentialSet } from '@/lib/webhooks/utils.server'

 const logger = createLogger('CredentialSetInviteToken')
@@ -111,6 +112,21 @@ export const POST = withRouteHandler(
        return NextResponse.json({ error: 'Invitation has expired' }, { status: 410 })
      }

+      if (invitation.email) {
+        const sessionEmail = session.user.email
+        if (!sessionEmail || normalizeEmail(sessionEmail) !== normalizeEmail(invitation.email)) {
+          logger.warn('Rejected credential set invitation accept due to email mismatch', {
+            invitationId: invitation.id,
+            credentialSetId: invitation.credentialSetId,
+            userId: session.user.id,
+          })
+          return NextResponse.json(
+            { error: 'This invitation was sent to a different email address' },
+            { status: 403 }
+          )
+        }
+      }
+
      const existingMember = await db
        .select()
        .from(credentialSetMember)