fix(vulns): fix various vulnerabilities and enhanced code security (#1611)

* fix(vulns): fix SSRF vulnerabilities

* cleanup

* cleanup

* regen docs

* remove unused deps

* fix failing tests

* cleanup

* update deps

* regen bun lock
Waleed
2025-10-11 22:14:31 -07:00
committed by GitHub
parent 1de6f09069
commit 8f06aec68b
100 changed files with 1865 additions and 1696 deletions


@@ -67,7 +67,7 @@ describe('Function Execute API Route', () => {
})
it.concurrent('should block SSRF attacks through secure fetch wrapper', async () => {
const { validateProxyUrl } = await import('@/lib/security/url-validation')
const { validateProxyUrl } = await import('@/lib/security/input-validation')
expect(validateProxyUrl('http://169.254.169.254/latest/meta-data/').isValid).toBe(false)
expect(validateProxyUrl('http://127.0.0.1:8080/admin').isValid).toBe(false)
@@ -76,15 +76,15 @@ describe('Function Execute API Route', () => {
})
it.concurrent('should allow legitimate external URLs', async () => {
const { validateProxyUrl } = await import('@/lib/security/url-validation')
const { validateProxyUrl } = await import('@/lib/security/input-validation')
expect(validateProxyUrl('https://api.github.com/user').isValid).toBe(true)
expect(validateProxyUrl('https://httpbin.org/get').isValid).toBe(true)
expect(validateProxyUrl('http://example.com/api').isValid).toBe(true)
expect(validateProxyUrl('https://example.com/api').isValid).toBe(true)
})
it.concurrent('should block dangerous protocols', async () => {
const { validateProxyUrl } = await import('@/lib/security/url-validation')
const { validateProxyUrl } = await import('@/lib/security/input-validation')
expect(validateProxyUrl('file:///etc/passwd').isValid).toBe(false)
expect(validateProxyUrl('ftp://internal.server/files').isValid).toBe(false)


@@ -4,7 +4,7 @@ import { env, isTruthy } from '@/lib/env'
import { executeInE2B } from '@/lib/execution/e2b'
import { CodeLanguage, DEFAULT_CODE_LANGUAGE, isValidCodeLanguage } from '@/lib/execution/languages'
import { createLogger } from '@/lib/logs/console/logger'
import { validateProxyUrl } from '@/lib/security/url-validation'
import { validateProxyUrl } from '@/lib/security/input-validation'
import { generateRequestId } from '@/lib/utils'
export const dynamic = 'force-dynamic'
export const runtime = 'nodejs'