fix(security): harden auth, SSRF, injection, and CORS across API routes (#3792)

* fix: prevent auth bypass via user-controlled context query param in file serve

The /api/files/serve endpoint trusted a user-supplied `context` query
parameter to skip authentication. An attacker could append
`?context=profile-pictures` to any file URL and download files without
auth. Now the public access gate checks the key prefix instead of the
query param, and `og-images/` is added to `inferContextFromKey`.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: use randomized heredoc delimiter in SSH execute-script route

Prevents accidental heredoc termination if script content contains
the delimiter string on its own line.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: escape workingDirectory in SSH execute-command route

Use escapeShellArg() with single quotes for the workingDirectory
parameter, consistent with all other SSH routes (execute-script,
create-directory, delete-file, move-rename).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: harden chat/form deployment auth (OTP brute-force, CSPRNG, HMAC tokens)

- Add brute-force protection to OTP verification with attempt tracking (CWE-307)
- Replace Math.random() with crypto.randomInt() for OTP generation (CWE-338)
- Replace unsigned Base64 auth tokens with HMAC-SHA256 signed tokens (CWE-327)
- Use shared isEmailAllowed utility in OTP route instead of inline duplicate
- Simplify Redis OTP update to single KEEPTTL call

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: harden SSRF protections and input validation across API routes

Add DNS-based SSRF validation for MCP server URLs, secure OIDC discovery
with IP-pinned fetch, strengthen OTP/chat/form input validation, sanitize
1Password vault parameters, and tighten deployment security checks.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* lint

* fix(file-serve): remove user-controlled context param from authenticated path

The `?context` query param was still being passed to `handleCloudProxy`
in the authenticated code path, allowing any logged-in user to spoof
context as `profile-pictures` and bypass ownership checks in
`verifyFileAccess`. Now always use `inferContextFromKey` from the
server-controlled key prefix.

* fix: handle legacy OTP format in decodeOTPValue for deploy-time compat

Add guard for OTP values without colon separator (pre-deploy format)
to avoid misparse that would lock out users with in-flight OTPs.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix(mcp): distinguish DNS resolution failures from SSRF policy blocks

DNS lookup failures now throw McpDnsResolutionError (502) instead of
McpSsrfError (403), so transient DNS hiccups surface as retryable
upstream errors rather than confusing permission rejections.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: make OTP attempt counting atomic to prevent TOCTOU race

Redis path: use Lua script for atomic read-increment-conditional-delete.
DB path: use optimistic locking (UPDATE WHERE value = currentValue) with
re-read fallback on conflict. Prevents concurrent wrong guesses from
each counting as a single attempt.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: check attempt count before OTP comparison to prevent bypass

Reject OTPs that have already reached max failed attempts before
comparing the code, closing a race window where a correct guess
could bypass brute-force protection.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: validate OIDC discovered endpoints against SSRF

The discovery URL itself was SSRF-validated, but endpoint URLs returned
in the discovery document (tokenEndpoint, userInfoEndpoint, jwksEndpoint)
were stored without validation. A malicious OIDC issuer on a public IP
could return internal network URLs in the discovery response.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: remove duplicate OIDC endpoint SSRF validation block

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: validate OIDC discovered endpoints and pin DNS for 1Password Connect

- SSRF-validate all endpoint URLs returned by OIDC discovery documents
  before storing them (authorization, token, userinfo, jwks endpoints)
- Pin DNS resolution in 1Password Connect requests using
  secureFetchWithPinnedIP to prevent TOCTOU DNS rebinding attacks

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* lint

* fix: replace KEEPTTL with TTL+EX for Redis <6.0 compat, add DB retry loop

- Lua script now reads TTL and uses SET...EX instead of KEEPTTL
- DB optimistic locking now retries up to 3 times on conflict

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: address review feedback on OTP atomicity and 1Password fetch

- Replace Redis KEEPTTL with TTL+SET EX for Redis <6.0 compatibility
- Add retry loop to DB optimistic lock path so concurrent OTP attempts
  are actually counted instead of silently dropped
- Remove unreachable fallback fetch in 1Password Connect; make
  validateConnectServerUrl return non-nullable string

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: treat Lua nil return as locked when OTP key is missing

When the Redis key is deleted/expired between getOTP and
incrementOTPAttempts, the Lua script returns nil. Handle this
as 'locked' instead of silently treating it as 'incremented'.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: handle Lua nil as locked OTP and add SSRF check to MCP env resolution

- Treat Redis Lua nil return (expired/deleted key) as 'locked' instead
  of silently treating it as a successful increment
- Add validateMcpServerSsrf to MCP service resolveConfigEnvVars so
  env-var URLs are SSRF-validated after resolution at execution time

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: narrow resolvedIP type guard instead of non-null assertion

Replace urlValidation.resolvedIP! with proper type narrowing by adding
!urlValidation.resolvedIP to the guard clause, so TypeScript can infer
the string type without a fragile assertion.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: bind auth tokens to deployment password for immediate revocation

Include a SHA-256 hash of the encrypted password in the HMAC-signed
token payload. Changing the deployment password now immediately
invalidates all existing auth cookies, restoring the pre-HMAC behavior.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: bind auth tokens to deployment password and remove resolvedIP non-null assertion

- Include SHA-256 hash of encryptedPassword in HMAC token payload so
  changing a deployment's password immediately invalidates all sessions
- Pass encryptedPassword through setChatAuthCookie/setFormAuthCookie
  and validateAuthToken at all call sites
- Replace non-null assertion on resolvedIP with proper narrowing guard

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: update test assertions for new encryptedPassword parameter

Tests now expect the encryptedPassword arg passed to validateAuthToken
and setDeploymentAuthCookie after the password-binding change.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: format long lines in chat/form test assertions

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: pass encryptedPassword through OTP route cookie generation

Select chat.password in PUT handler DB query and pass it to
setChatAuthCookie so OTP-issued tokens include the correct
password slot for subsequent validation.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: waleedlatif1

apps/sim/app/api/auth/sso/register/route.ts

@@ -4,6 +4,10 @@ import { z } from 'zod'
 import { auth, getSession } from '@/lib/auth'
 import { hasSSOAccess } from '@/lib/billing'
 import { env } from '@/lib/core/config/env'
+import {
+  secureFetchWithPinnedIP,
+  validateUrlWithDNS,
+} from '@/lib/core/security/input-validation.server'
 import { REDACTED_MARKER } from '@/lib/core/security/redaction'
 
 const logger = createLogger('SSORegisterRoute')
@@ -156,24 +160,66 @@ export async function POST(request: NextRequest) {
             hasJwksEndpoint: !!oidcConfig.jwksEndpoint,
           })
 
-          const discoveryResponse = await fetch(discoveryUrl, {
-            headers: { Accept: 'application/json' },
-          })
+          const urlValidation = await validateUrlWithDNS(discoveryUrl, 'OIDC discovery URL')
+          if (!urlValidation.isValid || !urlValidation.resolvedIP) {
+            logger.warn('OIDC discovery URL failed SSRF validation', {
+              discoveryUrl,
+              error: urlValidation.error,
+            })
+            return NextResponse.json(
+              { error: urlValidation.error ?? 'SSRF validation failed' },
+              { status: 400 }
+            )
+          }
+
+          const discoveryResponse = await secureFetchWithPinnedIP(
+            discoveryUrl,
+            urlValidation.resolvedIP,
+            {
+              headers: { Accept: 'application/json' },
+            }
+          )
 
           if (!discoveryResponse.ok) {
             logger.error('Failed to fetch OIDC discovery document', {
               status: discoveryResponse.status,
-              statusText: discoveryResponse.statusText,
             })
             return NextResponse.json(
               {
-                error: `Failed to fetch OIDC discovery document from ${discoveryUrl}. Status: ${discoveryResponse.status}. Provide all endpoints explicitly or verify the issuer URL.`,
+                error:
+                  'Failed to fetch OIDC discovery document. Provide all endpoints explicitly or verify the issuer URL.',
               },
               { status: 400 }
             )
           }
 
-          const discovery = await discoveryResponse.json()
+          const discovery = (await discoveryResponse.json()) as Record<string, unknown>
+
+          const discoveredEndpoints: Record<string, unknown> = {
+            authorization_endpoint: discovery.authorization_endpoint,
+            token_endpoint: discovery.token_endpoint,
+            userinfo_endpoint: discovery.userinfo_endpoint,
+            jwks_uri: discovery.jwks_uri,
+          }
+
+          for (const [key, value] of Object.entries(discoveredEndpoints)) {
+            if (typeof value === 'string') {
+              const endpointValidation = await validateUrlWithDNS(value, `OIDC ${key}`)
+              if (!endpointValidation.isValid) {
+                logger.warn('OIDC discovered endpoint failed SSRF validation', {
+                  endpoint: key,
+                  url: value,
+                  error: endpointValidation.error,
+                })
+                return NextResponse.json(
+                  {
+                    error: `Discovered OIDC ${key} failed security validation: ${endpointValidation.error}`,
+                  },
+                  { status: 400 }
+                )
+              }
+            }
+          }
 
           oidcConfig.authorizationEndpoint =
             oidcConfig.authorizationEndpoint || discovery.authorization_endpoint
@@ -196,7 +242,8 @@ export async function POST(request: NextRequest) {
           })
           return NextResponse.json(
             {
-              error: `Failed to fetch OIDC discovery document from ${discoveryUrl}. Please verify the issuer URL is correct or provide all endpoints explicitly.`,
+              error:
+                'Failed to fetch OIDC discovery document. Please verify the issuer URL is correct or provide all endpoints explicitly.',
             },
             { status: 400 }
           )

apps/sim/app/api/chat/[identifier]/otp/route.test.ts

@@ -10,11 +10,14 @@ const {
   mockRedisSet,
   mockRedisGet,
   mockRedisDel,
+  mockRedisTtl,
+  mockRedisEval,
   mockGetRedisClient,
   mockRedisClient,
   mockDbSelect,
   mockDbInsert,
   mockDbDelete,
+  mockDbUpdate,
   mockSendEmail,
   mockRenderOTPEmail,
   mockAddCorsHeaders,
@@ -29,15 +32,20 @@ const {
   const mockRedisSet = vi.fn()
   const mockRedisGet = vi.fn()
   const mockRedisDel = vi.fn()
+  const mockRedisTtl = vi.fn()
+  const mockRedisEval = vi.fn()
   const mockRedisClient = {
     set: mockRedisSet,
     get: mockRedisGet,
     del: mockRedisDel,
+    ttl: mockRedisTtl,
+    eval: mockRedisEval,
   }
   const mockGetRedisClient = vi.fn()
   const mockDbSelect = vi.fn()
   const mockDbInsert = vi.fn()
   const mockDbDelete = vi.fn()
+  const mockDbUpdate = vi.fn()
   const mockSendEmail = vi.fn()
   const mockRenderOTPEmail = vi.fn()
   const mockAddCorsHeaders = vi.fn()
@@ -53,11 +61,14 @@ const {
     mockRedisSet,
     mockRedisGet,
     mockRedisDel,
+    mockRedisTtl,
+    mockRedisEval,
     mockGetRedisClient,
     mockRedisClient,
     mockDbSelect,
     mockDbInsert,
     mockDbDelete,
+    mockDbUpdate,
     mockSendEmail,
     mockRenderOTPEmail,
     mockAddCorsHeaders,
@@ -80,11 +91,13 @@ vi.mock('@sim/db', () => ({
     select: mockDbSelect,
     insert: mockDbInsert,
     delete: mockDbDelete,
+    update: mockDbUpdate,
     transaction: vi.fn(async (callback: (tx: Record<string, unknown>) => unknown) => {
       return callback({
         select: mockDbSelect,
         insert: mockDbInsert,
         delete: mockDbDelete,
+        update: mockDbUpdate,
       })
     }),
   },
@@ -126,12 +139,24 @@ vi.mock('@/lib/messaging/email/mailer', () => ({
   sendEmail: mockSendEmail,
 }))
 
-vi.mock('@/components/emails/render-email', () => ({
+vi.mock('@/components/emails', () => ({
   renderOTPEmail: mockRenderOTPEmail,
 }))
 
-vi.mock('@/app/api/chat/utils', () => ({
+vi.mock('@/lib/core/security/deployment', () => ({
   addCorsHeaders: mockAddCorsHeaders,
+  isEmailAllowed: (email: string, allowedEmails: string[]) => {
+    if (allowedEmails.includes(email)) return true
+    const atIndex = email.indexOf('@')
+    if (atIndex > 0) {
+      const domain = email.substring(atIndex + 1)
+      if (domain && allowedEmails.some((allowed: string) => allowed === `@${domain}`)) return true
+    }
+    return false
+  },
+}))
+
+vi.mock('@/app/api/chat/utils', () => ({
   setChatAuthCookie: mockSetChatAuthCookie,
 }))
 
@@ -209,6 +234,7 @@ describe('Chat OTP API Route', () => {
     mockRedisSet.mockResolvedValue('OK')
     mockRedisGet.mockResolvedValue(null)
     mockRedisDel.mockResolvedValue(1)
+    mockRedisTtl.mockResolvedValue(600)
 
     const createDbChain = (result: unknown) => ({
       from: vi.fn().mockReturnValue({
@@ -225,6 +251,11 @@ describe('Chat OTP API Route', () => {
     mockDbDelete.mockImplementation(() => ({
       where: vi.fn().mockResolvedValue(undefined),
     }))
+    mockDbUpdate.mockImplementation(() => ({
+      set: vi.fn().mockReturnValue({
+        where: vi.fn().mockResolvedValue(undefined),
+      }),
+    }))
 
     mockGetStorageMethod.mockReturnValue('redis')
 
@@ -349,7 +380,7 @@ describe('Chat OTP API Route', () => {
   describe('PUT - Verify OTP (Redis path)', () => {
     beforeEach(() => {
       mockGetStorageMethod.mockReturnValue('redis')
-      mockRedisGet.mockResolvedValue(mockOTP)
+      mockRedisGet.mockResolvedValue(`${mockOTP}:0`)
     })
 
     it('should retrieve OTP from Redis and verify successfully', async () => {
@@ -374,9 +405,7 @@ describe('Chat OTP API Route', () => {
       await PUT(request, { params: Promise.resolve({ identifier: mockIdentifier }) })
 
       expect(mockRedisGet).toHaveBeenCalledWith(`otp:${mockEmail}:${mockChatId}`)
-
       expect(mockRedisDel).toHaveBeenCalledWith(`otp:${mockEmail}:${mockChatId}`)
-
       expect(mockDbSelect).toHaveBeenCalledTimes(1)
     })
   })
@@ -405,7 +434,7 @@ describe('Chat OTP API Route', () => {
               }
               return Promise.resolve([
                 {
-                  value: mockOTP,
+                  value: `${mockOTP}:0`,
                   expiresAt: new Date(Date.now() + 10 * 60 * 1000),
                 },
               ])
@@ -475,7 +504,7 @@ describe('Chat OTP API Route', () => {
     })
 
     it('should delete OTP from Redis after verification', async () => {
-      mockRedisGet.mockResolvedValue(mockOTP)
+      mockRedisGet.mockResolvedValue(`${mockOTP}:0`)
 
       mockDbSelect.mockImplementationOnce(() => ({
         from: vi.fn().mockReturnValue({
@@ -519,7 +548,7 @@ describe('Chat OTP API Route', () => {
                 return Promise.resolve([{ id: mockChatId, authType: 'email' }])
               }
               return Promise.resolve([
-                { value: mockOTP, expiresAt: new Date(Date.now() + 10 * 60 * 1000) },
+                { value: `${mockOTP}:0`, expiresAt: new Date(Date.now() + 10 * 60 * 1000) },
               ])
             }),
           }),
@@ -543,6 +572,97 @@ describe('Chat OTP API Route', () => {
     })
   })
 
+  describe('Brute-force protection', () => {
+    beforeEach(() => {
+      mockGetStorageMethod.mockReturnValue('redis')
+    })
+
+    it('should atomically increment attempts on wrong OTP', async () => {
+      mockRedisGet.mockResolvedValue('654321:0')
+      mockRedisEval.mockResolvedValue('654321:1')
+
+      mockDbSelect.mockImplementationOnce(() => ({
+        from: vi.fn().mockReturnValue({
+          where: vi.fn().mockReturnValue({
+            limit: vi.fn().mockResolvedValue([{ id: mockChatId, authType: 'email' }]),
+          }),
+        }),
+      }))
+
+      const request = new NextRequest('http://localhost:3000/api/chat/test/otp', {
+        method: 'PUT',
+        body: JSON.stringify({ email: mockEmail, otp: 'wrong1' }),
+      })
+
+      await PUT(request, { params: Promise.resolve({ identifier: mockIdentifier }) })
+
+      expect(mockRedisEval).toHaveBeenCalledWith(
+        expect.any(String),
+        1,
+        `otp:${mockEmail}:${mockChatId}`,
+        5
+      )
+      expect(mockCreateErrorResponse).toHaveBeenCalledWith('Invalid verification code', 400)
+    })
+
+    it('should invalidate OTP and return 429 after max failed attempts', async () => {
+      mockRedisGet.mockResolvedValue('654321:4')
+      mockRedisEval.mockResolvedValue('LOCKED')
+
+      mockDbSelect.mockImplementationOnce(() => ({
+        from: vi.fn().mockReturnValue({
+          where: vi.fn().mockReturnValue({
+            limit: vi.fn().mockResolvedValue([{ id: mockChatId, authType: 'email' }]),
+          }),
+        }),
+      }))
+
+      const request = new NextRequest('http://localhost:3000/api/chat/test/otp', {
+        method: 'PUT',
+        body: JSON.stringify({ email: mockEmail, otp: 'wrong5' }),
+      })
+
+      await PUT(request, { params: Promise.resolve({ identifier: mockIdentifier }) })
+
+      expect(mockRedisEval).toHaveBeenCalled()
+      expect(mockCreateErrorResponse).toHaveBeenCalledWith(
+        'Too many failed attempts. Please request a new code.',
+        429
+      )
+    })
+
+    it('should store OTP with zero attempts on generation', async () => {
+      mockDbSelect.mockImplementationOnce(() => ({
+        from: vi.fn().mockReturnValue({
+          where: vi.fn().mockReturnValue({
+            limit: vi.fn().mockResolvedValue([
+              {
+                id: mockChatId,
+                authType: 'email',
+                allowedEmails: [mockEmail],
+                title: 'Test Chat',
+              },
+            ]),
+          }),
+        }),
+      }))
+
+      const request = new NextRequest('http://localhost:3000/api/chat/test/otp', {
+        method: 'POST',
+        body: JSON.stringify({ email: mockEmail }),
+      })
+
+      await POST(request, { params: Promise.resolve({ identifier: mockIdentifier }) })
+
+      expect(mockRedisSet).toHaveBeenCalledWith(
+        `otp:${mockEmail}:${mockChatId}`,
+        expect.stringMatching(/^\d{6}:0$/),
+        'EX',
+        900
+      )
+    })
+  })
+
   describe('Behavior consistency between Redis and Database', () => {
     it('should have same behavior for missing OTP in both storage methods', async () => {
       mockGetStorageMethod.mockReturnValue('redis')