separate server and client logic

Author: icecrasher321

apps/sim/app/api/a2a/serve/[agentId]/route.ts

@@ -16,7 +16,7 @@ import {
 import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { getBrandConfig } from '@/lib/branding/branding'
 import { acquireLock, getRedisClient, releaseLock } from '@/lib/core/config/redis'
-import { validateExternalUrl } from '@/lib/core/security/input-validation'
+import { validateUrlWithDNS } from '@/lib/core/security/input-validation.server'
 import { SSE_HEADERS } from '@/lib/core/utils/sse'
 import { getBaseUrl } from '@/lib/core/utils/urls'
 import { markExecutionCancelled } from '@/lib/execution/cancellation'
@@ -1119,7 +1119,7 @@ async function handlePushNotificationSet(
     )
   }
 
-  const urlValidation = validateExternalUrl(
+  const urlValidation = await validateUrlWithDNS(
     params.pushNotificationConfig.url,
     'Push notification URL'
   )

apps/sim/app/api/files/parse/route.ts

@@ -6,7 +6,10 @@ import { createLogger } from '@sim/logger'
 import binaryExtensionsList from 'binary-extensions'
 import { type NextRequest, NextResponse } from 'next/server'
 import { checkHybridAuth } from '@/lib/auth/hybrid'
-import { secureFetchWithPinnedIP, validateUrlWithDNS } from '@/lib/core/security/input-validation'
+import {
+  secureFetchWithPinnedIP,
+  validateUrlWithDNS,
+} from '@/lib/core/security/input-validation.server'
 import { sanitizeUrlForLog } from '@/lib/core/utils/logging'
 import { isSupportedFileType, parseFile } from '@/lib/file-parsers'
 import { isUsingCloudStorage, type StorageContext, StorageService } from '@/lib/uploads'
@@ -20,6 +23,7 @@ import {
   getMimeTypeFromExtension,
   getViewerUrl,
   inferContextFromKey,
+  isInternalFileUrl,
 } from '@/lib/uploads/utils/file-utils'
 import { getUserEntityPermissions } from '@/lib/workspaces/permissions/utils'
 import { verifyFileAccess } from '@/app/api/files/authorization'
@@ -216,7 +220,7 @@ async function parseFileSingle(
     }
   }
 
-  if (filePath.includes('/api/files/serve/')) {
+  if (isInternalFileUrl(filePath)) {
     return handleCloudFile(filePath, fileType, undefined, userId, executionContext)
   }
 
@@ -247,7 +251,7 @@ function validateFilePath(filePath: string): { isValid: boolean; error?: string
     return { isValid: false, error: 'Invalid path: tilde character not allowed' }
   }
 
-  if (filePath.startsWith('/') && !filePath.startsWith('/api/files/serve/')) {
+  if (filePath.startsWith('/') && !isInternalFileUrl(filePath)) {
     return { isValid: false, error: 'Path outside allowed directory' }
   }
 
@@ -368,7 +372,7 @@ async function handleExternalUrl(
       throw new Error(`File too large: ${buffer.length} bytes (max: ${MAX_DOWNLOAD_SIZE_BYTES})`)
     }
 
-    logger.info(`Downloaded file from URL: ${sanitizeUrlForLog(url)}, size: ${buffer.length} bytes`)
+    logger.info(`Downloaded file from URL: ${url}, size: ${buffer.length} bytes`)
 
     let userFile: UserFile | undefined
     const mimeType = response.headers.get('content-type') || getMimeTypeFromExtension(extension)

apps/sim/app/api/tools/a2a/send-message/route.ts

@@ -4,6 +4,7 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { createA2AClient, extractTextContent, isTerminalState } from '@/lib/a2a/utils'
 import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { validateUrlWithDNS } from '@/lib/core/security/input-validation.server'
 import { generateRequestId } from '@/lib/core/utils/request'
 
 export const dynamic = 'force-dynamic'
@@ -95,6 +96,14 @@ export async function POST(request: NextRequest) {
     if (validatedData.files && validatedData.files.length > 0) {
       for (const file of validatedData.files) {
         if (file.type === 'url') {
+          const urlValidation = await validateUrlWithDNS(file.data, 'fileUrl')
+          if (!urlValidation.isValid) {
+            return NextResponse.json(
+              { success: false, error: urlValidation.error },
+              { status: 400 }
+            )
+          }
+
           const filePart: FilePart = {
             kind: 'file',
             file: {

apps/sim/app/api/tools/a2a/set-push-notification/route.ts

@@ -3,7 +3,7 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { createA2AClient } from '@/lib/a2a/utils'
 import { checkHybridAuth } from '@/lib/auth/hybrid'
-import { validateExternalUrl } from '@/lib/core/security/input-validation'
+import { validateUrlWithDNS } from '@/lib/core/security/input-validation.server'
 import { generateRequestId } from '@/lib/core/utils/request'
 
 export const dynamic = 'force-dynamic'
@@ -40,7 +40,7 @@ export async function POST(request: NextRequest) {
     const body = await request.json()
     const validatedData = A2ASetPushNotificationSchema.parse(body)
 
-    const urlValidation = validateExternalUrl(validatedData.webhookUrl, 'Webhook URL')
+    const urlValidation = await validateUrlWithDNS(validatedData.webhookUrl, 'Webhook URL')
     if (!urlValidation.isValid) {
       logger.warn(`[${requestId}] Invalid webhook URL`, { error: urlValidation.error })
       return NextResponse.json(

apps/sim/app/api/tools/github/latest-commit/route.ts

@@ -0,0 +1,168 @@
+import { createLogger } from '@sim/logger'
+import { type NextRequest, NextResponse } from 'next/server'
+import { z } from 'zod'
+import { checkInternalAuth } from '@/lib/auth/hybrid'
+import {
+  secureFetchWithPinnedIP,
+  validateUrlWithDNS,
+} from '@/lib/core/security/input-validation.server'
+import { generateRequestId } from '@/lib/core/utils/request'
+
+export const dynamic = 'force-dynamic'
+
+const logger = createLogger('GitHubLatestCommitAPI')
+
+const GitHubLatestCommitSchema = z.object({
+  owner: z.string().min(1, 'Owner is required'),
+  repo: z.string().min(1, 'Repo is required'),
+  branch: z.string().optional().nullable(),
+  apiKey: z.string().min(1, 'API key is required'),
+})
+
+export async function POST(request: NextRequest) {
+  const requestId = generateRequestId()
+
+  try {
+    const authResult = await checkInternalAuth(request, { requireWorkflowId: false })
+
+    if (!authResult.success) {
+      logger.warn(`[${requestId}] Unauthorized GitHub latest commit attempt: ${authResult.error}`)
+      return NextResponse.json(
+        {
+          success: false,
+          error: authResult.error || 'Authentication required',
+        },
+        { status: 401 }
+      )
+    }
+
+    const body = await request.json()
+    const validatedData = GitHubLatestCommitSchema.parse(body)
+
+    const { owner, repo, branch, apiKey } = validatedData
+
+    const baseUrl = `https://api.github.com/repos/${owner}/${repo}`
+    const commitUrl = branch ? `${baseUrl}/commits/${branch}` : `${baseUrl}/commits/HEAD`
+
+    logger.info(`[${requestId}] Fetching latest commit from GitHub`, { owner, repo, branch })
+
+    const urlValidation = await validateUrlWithDNS(commitUrl, 'commitUrl')
+    if (!urlValidation.isValid) {
+      return NextResponse.json({ success: false, error: urlValidation.error }, { status: 400 })
+    }
+
+    const response = await secureFetchWithPinnedIP(commitUrl, urlValidation.resolvedIP!, {
+      method: 'GET',
+      headers: {
+        Accept: 'application/vnd.github.v3+json',
+        Authorization: `Bearer ${apiKey}`,
+        'X-GitHub-Api-Version': '2022-11-28',
+      },
+    })
+
+    if (!response.ok) {
+      const errorData = await response.json().catch(() => ({}))
+      logger.error(`[${requestId}] GitHub API error`, {
+        status: response.status,
+        error: errorData,
+      })
+      return NextResponse.json(
+        { success: false, error: errorData.message || `GitHub API error: ${response.status}` },
+        { status: 400 }
+      )
+    }
+
+    const data = await response.json()
+
+    const content = `Latest commit: "${data.commit.message}" by ${data.commit.author.name} on ${data.commit.author.date}. SHA: ${data.sha}`
+
+    const files = data.files || []
+    const fileDetailsWithContent = []
+
+    for (const file of files) {
+      const fileDetail: Record<string, any> = {
+        filename: file.filename,
+        additions: file.additions,
+        deletions: file.deletions,
+        changes: file.changes,
+        status: file.status,
+        raw_url: file.raw_url,
+        blob_url: file.blob_url,
+        patch: file.patch,
+        content: undefined,
+      }
+
+      if (file.status !== 'removed' && file.raw_url) {
+        try {
+          const rawUrlValidation = await validateUrlWithDNS(file.raw_url, 'rawUrl')
+          if (rawUrlValidation.isValid) {
+            const contentResponse = await secureFetchWithPinnedIP(
+              file.raw_url,
+              rawUrlValidation.resolvedIP!,
+              {
+                headers: {
+                  Authorization: `Bearer ${apiKey}`,
+                  'X-GitHub-Api-Version': '2022-11-28',
+                },
+              }
+            )
+
+            if (contentResponse.ok) {
+              fileDetail.content = await contentResponse.text()
+            }
+          }
+        } catch (error) {
+          logger.warn(`[${requestId}] Failed to fetch content for ${file.filename}:`, error)
+        }
+      }
+
+      fileDetailsWithContent.push(fileDetail)
+    }
+
+    logger.info(`[${requestId}] Latest commit fetched successfully`, {
+      sha: data.sha,
+      fileCount: files.length,
+    })
+
+    return NextResponse.json({
+      success: true,
+      output: {
+        content,
+        metadata: {
+          sha: data.sha,
+          html_url: data.html_url,
+          commit_message: data.commit.message,
+          author: {
+            name: data.commit.author.name,
+            login: data.author?.login || 'Unknown',
+            avatar_url: data.author?.avatar_url || '',
+            html_url: data.author?.html_url || '',
+          },
+          committer: {
+            name: data.commit.committer.name,
+            login: data.committer?.login || 'Unknown',
+            avatar_url: data.committer?.avatar_url || '',
+            html_url: data.committer?.html_url || '',
+          },
+          stats: data.stats
+            ? {
+                additions: data.stats.additions,
+                deletions: data.stats.deletions,
+                total: data.stats.total,
+              }
+            : undefined,
+          files: fileDetailsWithContent.length > 0 ? fileDetailsWithContent : undefined,
+        },
+      },
+    })
+  } catch (error) {
+    logger.error(`[${requestId}] Error fetching GitHub latest commit:`, error)
+    return NextResponse.json(
+      {
+        success: false,
+        error: error instanceof Error ? error.message : 'Unknown error occurred',
+      },
+      { status: 500 }
+    )
+  }
+}