mirror of
https://github.com/simstudioai/sim.git
synced 2026-04-06 03:00:16 -04:00
ff2a1527ab
* fix(security): add SSRF protection to database tools and webhook delivery * fix(security): address review comments on SSRF PR - Remove Promise.race timeout pattern to avoid unhandled rejections (http.request timeout is sufficient for webhook delivery) - Use safeCompare in verifyCronAuth instead of inline HMAC logic - Strip IPv6 brackets before validateDatabaseHost in Redis route * fix(security): allow HTTP webhooks and fix misleading MCP error docs - Add allowHttp option to validateExternalUrl, validateUrlWithDNS, and secureFetchWithValidation to support HTTP webhook URLs - Pass allowHttp: true for webhook delivery and test endpoints - Fix misleading JSDoc on createMcpErrorResponse (doesn't log errors) - Mark unused error param with underscore prefix * fix(security): forward allowHttp option through redirect validation Pass allowHttp to validateUrlWithDNS in the redirect handler of secureFetchWithPinnedIP so HTTP-to-HTTP redirects work when allowHttp is enabled for webhook delivery. * fix(security): block localhost when allowHttp is enabled When allowHttp is true (user-supplied webhook URLs), explicitly block localhost/loopback in both validateExternalUrl and validateUrlWithDNS to prevent SSRF against internal services. * fix(security): always strip multi-line content in sanitizeConnectionError Take the first line of the error message regardless of length to prevent leaking sensitive data from multi-line error messages.
100 lines
3.2 KiB
TypeScript
100 lines
3.2 KiB
TypeScript
import { randomUUID } from 'crypto'
|
|
import { createLogger } from '@sim/logger'
|
|
import { type NextRequest, NextResponse } from 'next/server'
|
|
import { z } from 'zod'
|
|
import { checkInternalAuth } from '@/lib/auth/hybrid'
|
|
import { createPostgresConnection, executeInsert } from '@/app/api/tools/postgresql/utils'
|
|
|
|
const logger = createLogger('PostgreSQLInsertAPI')
|
|
|
|
const InsertSchema = z.object({
|
|
host: z.string().min(1, 'Host is required'),
|
|
port: z.coerce.number().int().positive('Port must be a positive integer'),
|
|
database: z.string().min(1, 'Database name is required'),
|
|
username: z.string().min(1, 'Username is required'),
|
|
password: z.string().min(1, 'Password is required'),
|
|
ssl: z.enum(['disabled', 'required', 'preferred']).default('preferred'),
|
|
table: z.string().min(1, 'Table name is required'),
|
|
data: z.union([
|
|
z
|
|
.record(z.unknown())
|
|
.refine((obj) => Object.keys(obj).length > 0, 'Data object cannot be empty'),
|
|
z
|
|
.string()
|
|
.min(1)
|
|
.transform((str) => {
|
|
try {
|
|
const parsed = JSON.parse(str)
|
|
if (typeof parsed !== 'object' || parsed === null || Array.isArray(parsed)) {
|
|
throw new Error('Data must be a JSON object')
|
|
}
|
|
return parsed
|
|
} catch (e) {
|
|
const errorMsg = e instanceof Error ? e.message : 'Unknown error'
|
|
throw new Error(
|
|
`Invalid JSON format in data field: ${errorMsg}. Received: ${str.substring(0, 100)}...`
|
|
)
|
|
}
|
|
}),
|
|
]),
|
|
})
|
|
|
|
export async function POST(request: NextRequest) {
|
|
const requestId = randomUUID().slice(0, 8)
|
|
|
|
try {
|
|
const auth = await checkInternalAuth(request)
|
|
if (!auth.success || !auth.userId) {
|
|
logger.warn(`[${requestId}] Unauthorized PostgreSQL insert attempt`)
|
|
return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
|
|
}
|
|
|
|
const body = await request.json()
|
|
|
|
const params = InsertSchema.parse(body)
|
|
|
|
logger.info(
|
|
`[${requestId}] Inserting data into ${params.table} on ${params.host}:${params.port}/${params.database}`
|
|
)
|
|
|
|
const sql = await createPostgresConnection({
|
|
host: params.host,
|
|
port: params.port,
|
|
database: params.database,
|
|
username: params.username,
|
|
password: params.password,
|
|
ssl: params.ssl,
|
|
})
|
|
|
|
try {
|
|
const result = await executeInsert(sql, params.table, params.data)
|
|
|
|
logger.info(`[${requestId}] Insert executed successfully, ${result.rowCount} row(s) inserted`)
|
|
|
|
return NextResponse.json({
|
|
message: `Data inserted successfully. ${result.rowCount} row(s) affected.`,
|
|
rows: result.rows,
|
|
rowCount: result.rowCount,
|
|
})
|
|
} finally {
|
|
await sql.end()
|
|
}
|
|
} catch (error) {
|
|
if (error instanceof z.ZodError) {
|
|
logger.warn(`[${requestId}] Invalid request data`, { errors: error.errors })
|
|
return NextResponse.json(
|
|
{ error: 'Invalid request data', details: error.errors },
|
|
{ status: 400 }
|
|
)
|
|
}
|
|
|
|
const errorMessage = error instanceof Error ? error.message : 'Unknown error occurred'
|
|
logger.error(`[${requestId}] PostgreSQL insert failed:`, error)
|
|
|
|
return NextResponse.json(
|
|
{ error: `PostgreSQL insert failed: ${errorMessage}` },
|
|
{ status: 500 }
|
|
)
|
|
}
|
|
}
|