Fix SSRF bypass, IPv6 coverage, download size cap, and missing deps

waleedlatif1 · waleedlatif1 · commit c5f73a762d2b · 2026-03-23T08:04:20.000-07:00
- Validate post-redirect URL to block SSRF via open redirectors
- Expand IPv6 private range blocking: fe80::/10, fc00::/7, ::ffff: mapped
- Add 50 MB download cap (Content-Length pre-check + post-buffer check)
- Add refetchOnWindowFocus: 'always' to useWorkspaceFileBinary
- Add workspaceId to PptxPreview useEffect dependency array
diff --git a/apps/sim/app/workspace/[workspaceId]/files/components/file-viewer/file-viewer.tsx b/apps/sim/app/workspace/[workspaceId]/files/components/file-viewer/file-viewer.tsx
@@ -610,7 +610,7 @@ function PptxPreview({
     return () => {
       cancelled = true
     }
-  }, [fileData, dataUpdatedAt, streamingContent, cacheKey])
+  }, [fileData, dataUpdatedAt, streamingContent, cacheKey, workspaceId])
 
   const error = fetchError
     ? fetchError instanceof Error
diff --git a/apps/sim/hooks/queries/workspace-files.ts b/apps/sim/hooks/queries/workspace-files.ts
@@ -119,6 +119,7 @@ export function useWorkspaceFileBinary(workspaceId: string, fileId: string, key:
     queryFn: ({ signal }) => fetchWorkspaceFileBinary(key, signal),
     enabled: !!workspaceId && !!fileId && !!key,
     staleTime: 30 * 1000,
+    refetchOnWindowFocus: 'always',
   })
 }
 
diff --git a/apps/sim/lib/copilot/tools/server/files/download-to-workspace-file.ts b/apps/sim/lib/copilot/tools/server/files/download-to-workspace-file.ts
@@ -30,20 +30,41 @@ const DownloadToWorkspaceFileResultSchema = z.object({
 type DownloadToWorkspaceFileArgs = z.infer<typeof DownloadToWorkspaceFileArgsSchema>
 type DownloadToWorkspaceFileResult = z.infer<typeof DownloadToWorkspaceFileResultSchema>
 
+const MAX_DOWNLOAD_BYTES = 50 * 1024 * 1024 // 50 MB
+
+function isPrivateIPv4(a: number, b: number): boolean {
+  if (a === 0 || a === 127 || a === 10) return true
+  if (a === 172 && b >= 16 && b <= 31) return true
+  if (a === 192 && b === 168) return true
+  if (a === 169 && b === 254) return true // link-local + cloud metadata
+  return false
+}
+
 function isPrivateUrl(url: string): boolean {
   try {
     const { hostname, protocol } = new URL(url)
     if (protocol !== 'https:' && protocol !== 'http:') return true
-    if (hostname === 'localhost' || hostname === '::1') return true
+    if (hostname === 'localhost') return true
+
+    // Plain IPv4
     const ipv4 = hostname.match(/^(\d+)\.(\d+)\.(\d+)\.(\d+)$/)
     if (ipv4) {
-      const [a, b] = [Number(ipv4[1]), Number(ipv4[2])]
-      // Loopback, RFC 1918, link-local (including cloud metadata 169.254.169.254)
-      if (a === 127 || a === 10 || a === 0) return true
-      if (a === 172 && b >= 16 && b <= 31) return true
-      if (a === 192 && b === 168) return true
-      if (a === 169 && b === 254) return true
+      return isPrivateIPv4(Number(ipv4[1]), Number(ipv4[2]))
     }
+
+    // IPv6: block loopback, link-local (fe80::/10), unique local (fc00::/7),
+    // and IPv4-mapped (::ffff:a.b.c.d) that resolve to private IPv4
+    if (hostname.includes(':')) {
+      const h = hostname.toLowerCase()
+      if (h === '::1') return true
+      if (h.startsWith('fe8') || h.startsWith('fe9') || h.startsWith('fea') || h.startsWith('feb'))
+        return true // fe80::/10 link-local
+      if (h.startsWith('fc') || h.startsWith('fd')) return true // fc00::/7 unique local
+      const mapped = h.match(/^::ffff:(\d+)\.(\d+)\.(\d+)\.(\d+)$/)
+      if (mapped) return isPrivateIPv4(Number(mapped[1]), Number(mapped[2]))
+      return false
+    }
+
     return false
   } catch {
     return true
@@ -166,13 +187,29 @@ export const downloadToWorkspaceFileServerTool: BaseServerTool<
         signal: context.abortSignal,
       })
 
+      // Block SSRF via redirect (e.g. initial URL passes check but redirects to internal IP)
+      if (response.url && response.url !== params.url && isPrivateUrl(response.url)) {
+        return {
+          success: false,
+          message: 'Downloading from private or internal URLs is not allowed',
+        }
+      }
+
       if (!response.ok) {
         return {
           success: false,
           message: `Download failed with status ${response.status} ${response.statusText}`,
         }
       }
 
+      const contentLength = Number(response.headers.get('content-length') ?? Number.NaN)
+      if (!Number.isNaN(contentLength) && contentLength > MAX_DOWNLOAD_BYTES) {
+        return {
+          success: false,
+          message: `File too large (limit ${MAX_DOWNLOAD_BYTES / 1024 / 1024} MB)`,
+        }
+      }
+
       const mimeType = resolveMimeType(
         response.headers.get('content-type'),
         params.fileName,
@@ -190,6 +227,13 @@ export const downloadToWorkspaceFileServerTool: BaseServerTool<
       const arrayBuffer = await response.arrayBuffer()
       const fileBuffer = Buffer.from(arrayBuffer)
 
+      if (fileBuffer.length > MAX_DOWNLOAD_BYTES) {
+        return {
+          success: false,
+          message: `File too large (limit ${MAX_DOWNLOAD_BYTES / 1024 / 1024} MB)`,
+        }
+      }
+
       if (fileBuffer.length === 0) {
         return { success: false, message: 'Downloaded file is empty' }
       }

Original file line number	Diff line number	Diff line change
`@@ -610,7 +610,7 @@ function PptxPreview({`
`610`	`610`	`return () => {`
`611`	`611`	`cancelled = true`
`612`	`612`	`}`
`613`		`- }, [fileData, dataUpdatedAt, streamingContent, cacheKey])`
	`613`	`+ }, [fileData, dataUpdatedAt, streamingContent, cacheKey, workspaceId])`
`614`	`614`
`615`	`615`	`const error = fetchError`
`616`	`616`	`? fetchError instanceof Error`
Original file line number	Diff line number	Diff line change
`@@ -119,6 +119,7 @@ export function useWorkspaceFileBinary(workspaceId: string, fileId: string, key:`
`119`	`119`	`queryFn: ({ signal }) => fetchWorkspaceFileBinary(key, signal),`
`120`	`120`	`enabled: !!workspaceId && !!fileId && !!key,`
`121`	`121`	`staleTime: 30 * 1000,`
	`122`	`+ refetchOnWindowFocus: 'always',`
`122`	`123`	`})`
`123`	`124`	`}`
`124`	`125`