Fix auth bypass, SSRF, and wrong size limit comment

- Add 'patch' to workspace_file WRITE_ACTIONS — patch operation was
  missing, letting read-only users modify file content
- Add download_to_workspace_file to WRITE_ACTIONS with '*' wildcard —
  tool was completely ungated, letting read-only users write workspace files
- Update isActionAllowed to handle '*' (always-write tools) and undefined
  action (tools with no operation/action field)
- Block private/internal URLs in download_to_workspace_file to prevent
  SSRF against RFC 1918 ranges, loopback, and cloud metadata endpoints
- Fix file-reader.ts image size limit comment and error message (was 20MB,
  actual constant is 5MB)

Author: waleedlatif1

apps/sim/lib/copilot/tools/server/files/download-to-workspace-file.ts

@@ -30,6 +30,26 @@ const DownloadToWorkspaceFileResultSchema = z.object({
 type DownloadToWorkspaceFileArgs = z.infer<typeof DownloadToWorkspaceFileArgsSchema>
 type DownloadToWorkspaceFileResult = z.infer<typeof DownloadToWorkspaceFileResultSchema>
 
+function isPrivateUrl(url: string): boolean {
+  try {
+    const { hostname, protocol } = new URL(url)
+    if (protocol !== 'https:' && protocol !== 'http:') return true
+    if (hostname === 'localhost' || hostname === '::1') return true
+    const ipv4 = hostname.match(/^(\d+)\.(\d+)\.(\d+)\.(\d+)$/)
+    if (ipv4) {
+      const [a, b] = [Number(ipv4[1]), Number(ipv4[2])]
+      // Loopback, RFC 1918, link-local (including cloud metadata 169.254.169.254)
+      if (a === 127 || a === 10 || a === 0) return true
+      if (a === 172 && b >= 16 && b <= 31) return true
+      if (a === 192 && b === 168) return true
+      if (a === 169 && b === 254) return true
+    }
+    return false
+  } catch {
+    return true
+  }
+}
+
 function sanitizeFileName(fileName: string): string {
   return fileName.replace(/[\\/:*?"<>|\u0000-\u001f]+/g, '_').trim()
 }
@@ -134,6 +154,13 @@ export const downloadToWorkspaceFileServerTool: BaseServerTool<
     try {
       assertServerToolNotAborted(context)
 
+      if (isPrivateUrl(params.url)) {
+        return {
+          success: false,
+          message: 'Downloading from private or internal URLs is not allowed',
+        }
+      }
+
       const response = await fetch(params.url, {
         redirect: 'follow',
         signal: context.abortSignal,

apps/sim/lib/copilot/tools/server/router.ts

@@ -64,17 +64,29 @@ const WRITE_ACTIONS: Record<string, string[]> = {
   manage_mcp_tool: ['add', 'edit', 'delete'],
   manage_skill: ['add', 'edit', 'delete'],
   manage_credential: ['rename', 'delete'],
-  workspace_file: ['write', 'update', 'delete', 'rename'],
+  workspace_file: ['write', 'update', 'delete', 'rename', 'patch'],
+  download_to_workspace_file: ['*'],
   generate_visualization: ['generate'],
   generate_image: ['generate'],
 }
 
-function isActionAllowed(toolName: string, action: string, userPermission: string): boolean {
-  const writeActions = WRITE_ACTIONS[toolName]
-  if (!writeActions || !writeActions.includes(action)) return true
+function isWritePermission(userPermission: string): boolean {
   return userPermission === 'write' || userPermission === 'admin'
 }
 
+function isActionAllowed(
+  toolName: string,
+  action: string | undefined,
+  userPermission: string
+): boolean {
+  const writeActions = WRITE_ACTIONS[toolName]
+  if (!writeActions) return true
+  // '*' means the tool is always a write operation regardless of action field
+  if (writeActions.includes('*')) return isWritePermission(userPermission)
+  if (action && writeActions.includes(action)) return isWritePermission(userPermission)
+  return true
+}
+
 /** Registry of all server tools. Tools self-declare their validation schemas. */
 const serverToolRegistry: Record<string, BaseServerTool> = {
   [getBlocksMetadataServerTool.name]: getBlocksMetadataServerTool,
@@ -115,10 +127,11 @@ export async function routeExecution(
   // Action-level permission enforcement for mixed read/write tools
   if (context?.userPermission && WRITE_ACTIONS[toolName]) {
     const p = payload as Record<string, unknown>
-    const action = (p?.operation ?? p?.action) as string
-    if (action && !isActionAllowed(toolName, action, context.userPermission)) {
+    const action = (p?.operation ?? p?.action) as string | undefined
+    if (!isActionAllowed(toolName, action, context.userPermission)) {
+      const actionLabel = action ? `'${action}' on ` : ''
       throw new Error(
-        `Permission denied: '${action}' on ${toolName} requires write access. You have '${context.userPermission}' permission.`
+        `Permission denied: ${actionLabel}${toolName} requires write access. You have '${context.userPermission}' permission.`
       )
     }
   }

apps/sim/lib/copilot/vfs/file-reader.ts

@@ -6,7 +6,7 @@ import { isImageFileType } from '@/lib/uploads/utils/file-utils'
 const logger = createLogger('FileReader')
 
 const MAX_TEXT_READ_BYTES = 5 * 1024 * 1024 // 5 MB
-const MAX_IMAGE_READ_BYTES = 5 * 1024 * 1024 // 20 MB
+const MAX_IMAGE_READ_BYTES = 5 * 1024 * 1024 // 5 MB
 
 const TEXT_TYPES = new Set([
   'text/plain',
@@ -54,7 +54,7 @@ export async function readFileRecord(record: WorkspaceFileRecord): Promise<FileR
     if (isImageFileType(record.type)) {
       if (record.size > MAX_IMAGE_READ_BYTES) {
         return {
-          content: `[Image too large: ${record.name} (${(record.size / 1024 / 1024).toFixed(1)}MB, limit 20MB)]`,
+          content: `[Image too large: ${record.name} (${(record.size / 1024 / 1024).toFixed(1)}MB, limit 5MB)]`,
           totalLines: 1,
         }
       }