fix: address SSRF and token-leakage security vulnerabilities

- Azure TTS SSRF: validate region against /^[a-z][a-z0-9-]{1,30}[a-z0-9]$/
  in both the contract (tts.ts) and runtime guard in synthesizeWithAzure,
  preventing user-supplied region from redirecting requests to arbitrary hosts
- HubSpot token in logs: remove fullResponse from logger.info call;
  log only non-sensitive metadata (hub_id, hub_domain, user_id) instead
  of the full introspection response which included the access token
- Wealthbox account takeover: replace hardcoded email with per-user identity
  by fetching /v1/users/me; fall back to token-derived stable identifier
  so distinct Wealthbox users no longer share the same email address
- Shopify SSRF: apply shopifyShopDomainSchema (.myshopify.com allowlist)
  to shopDomain from cookie before using it to build the fetch URL

Author: waleedlatif1

apps/sim/app/api/auth/oauth2/shopify/store/route.ts

@@ -3,7 +3,10 @@ import { account } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { and, eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
-import { shopifyStoreCookieSchema } from '@/lib/api/contracts/oauth-connections'
+import {
+  shopifyShopDomainSchema,
+  shopifyStoreCookieSchema,
+} from '@/lib/api/contracts/oauth-connections'
 import { getSession } from '@/lib/auth'
 import { getBaseUrl } from '@/lib/core/utils/urls'
 import { isSameOrigin } from '@/lib/core/utils/validation'
@@ -38,6 +41,11 @@ export const GET = withRouteHandler(async (request: NextRequest) => {
     }
     const { accessToken, shopDomain, scope, returnUrl } = parsedCookies.data
 
+    if (!shopifyShopDomainSchema.safeParse(shopDomain).success) {
+      logger.error('Invalid shop domain format in cookie', { shopDomain })
+      return NextResponse.redirect(`${baseUrl}/workspace?error=shopify_invalid_domain`)
+    }
+
     const shopResponse = await fetch(`https://${shopDomain}/admin/api/2024-10/shop.json`, {
       headers: {
         'X-Shopify-Access-Token': accessToken,

apps/sim/app/api/tools/tts/unified/route.ts

@@ -659,6 +659,13 @@ async function synthesizeWithAzure(
     throw new Error('text and apiKey are required for Azure TTS')
   }
 
+  const AZURE_REGION_RE = /^[a-z][a-z0-9-]{1,30}[a-z0-9]$/
+  if (!AZURE_REGION_RE.test(region)) {
+    throw new Error(
+      'Invalid Azure region: must match /^[a-z][a-z0-9-]{1,30}[a-z0-9]$/ (e.g. eastus, westeurope)'
+    )
+  }
+
   let ssml = `<speak version='1.0' xml:lang='en-US' xmlns="http://www.w3.org/2001/10/synthesis" xmlns:mstts="https://www.w3.org/2001/mstts"><voice name='${voiceId}'>`
 
   if (style) {

apps/sim/lib/api/contracts/tools/media/tts.ts

@@ -54,7 +54,13 @@ export const ttsUnifiedToolBodySchema = z
     volumeGainDb: z.coerce.number().optional(),
     sampleRateHertz: z.coerce.number().optional(),
     effectsProfileId: z.array(z.string()).optional(),
-    region: z.string().optional(),
+    region: z
+      .string()
+      .regex(
+        /^[a-z][a-z0-9-]{1,30}[a-z0-9]$/,
+        'region must be a valid Azure region identifier (e.g. eastus, westeurope)'
+      )
+      .optional(),
     rate: z.string().optional(),
     styleDegree: z.coerce.number().optional(),
     role: z.string().optional(),

apps/sim/lib/auth/auth.ts

@@ -1615,17 +1615,51 @@ export const auth = betterAuth({
           scopes: getCanonicalScopesForProvider('wealthbox'),
           responseType: 'code',
           redirectURI: `${getBaseUrl()}/api/auth/oauth2/callback/wealthbox`,
-          getUserInfo: async (_tokens) => {
+          getUserInfo: async (tokens) => {
             try {
-              logger.info('Creating Wealthbox user profile from token data')
+              logger.info('Fetching Wealthbox user profile')
+
+              const response = await fetch('https://api.crmworkspace.com/v1/users/me', {
+                headers: {
+                  ACCESS_TOKEN: tokens.accessToken,
+                },
+              })
 
-              const uniqueId = 'wealthbox-user'
               const now = new Date()
 
+              if (response.ok) {
+                const data = await response.json()
+                const userId = data.id?.toString()
+                const email =
+                  data.email && typeof data.email === 'string'
+                    ? data.email
+                    : `wealthbox-${userId}@wealthbox.user`
+                const name = data.name || data.full_name || data.username || 'Wealthbox User'
+
+                return {
+                  id: `wealthbox-${userId}-${generateId()}`,
+                  name,
+                  email,
+                  emailVerified: false,
+                  createdAt: now,
+                  updatedAt: now,
+                }
+              }
+
+              // Fallback: derive a stable per-token identifier from the access token
+              // so that each Wealthbox user gets a unique account rather than all
+              // sharing the same hardcoded email.
+              logger.warn(
+                'Wealthbox user info fetch failed, falling back to token-derived identity',
+                {
+                  status: response.status,
+                }
+              )
+              const tokenHash = Buffer.from(tokens.accessToken).toString('base64').slice(0, 24)
               return {
-                id: `${uniqueId}-${generateId()}`,
+                id: `wealthbox-${tokenHash}-${generateId()}`,
                 name: 'Wealthbox User',
-                email: `${uniqueId}@wealthbox.user`,
+                email: `wealthbox-${tokenHash}@wealthbox.user`,
                 emailVerified: false,
                 createdAt: now,
                 updatedAt: now,
@@ -1730,11 +1764,12 @@ export const auth = betterAuth({
               }
 
               logger.info('HubSpot token metadata response:', {
+                hubId: data.hub_id,
+                hubDomain: data.hub_domain,
+                userId: data.user_id,
                 hasScopes: !!data.scopes,
                 scopesType: typeof data.scopes,
                 scopesIsArray: Array.isArray(data.scopes),
-                scopesValue: data.scopes,
-                fullResponse: data,
               })
 
               return {