fix(security): SSRF localhost hardening and regex DoS protection

Block localhost/loopback URLs in hosted environments using isHosted flag
instead of allowHttp. Add safe-regex2 validation and input length limits
to regex guardrails to prevent catastrophic backtracking.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: waleedlatif1

apps/sim/lib/core/security/input-validation.server.ts

@@ -4,6 +4,7 @@ import https from 'https'
 import type { LookupFunction } from 'net'
 import { createLogger } from '@sim/logger'
 import * as ipaddr from 'ipaddr.js'
+import { isHosted } from '@/lib/core/config/feature-flags'
 import { type ValidationResult, validateExternalUrl } from '@/lib/core/security/input-validation'
 
 const logger = createLogger('InputValidation')
@@ -89,10 +90,7 @@ export async function validateUrlWithDNS(
         return ip === '127.0.0.1' || ip === '::1'
       })()
 
-    if (
-      isPrivateOrReservedIP(address) &&
-      !(isLocalhost && resolvedIsLoopback && !options.allowHttp)
-    ) {
+    if (isPrivateOrReservedIP(address) && !(isLocalhost && resolvedIsLoopback && !isHosted)) {
       logger.warn('URL resolves to blocked IP address', {
         paramName,
         hostname,

apps/sim/lib/core/security/input-validation.test.ts

@@ -569,25 +569,25 @@ describe('validateUrlWithDNS', () => {
       expect(result.error).toContain('https://')
     })
 
-    it('should accept https localhost URLs', async () => {
+    it('should accept https localhost URLs (self-hosted)', async () => {
       const result = await validateUrlWithDNS('https://localhost/api')
       expect(result.isValid).toBe(true)
       expect(result.resolvedIP).toBeDefined()
     })
 
-    it('should accept http localhost URLs', async () => {
+    it('should accept http localhost URLs (self-hosted)', async () => {
       const result = await validateUrlWithDNS('http://localhost/api')
       expect(result.isValid).toBe(true)
       expect(result.resolvedIP).toBeDefined()
     })
 
-    it('should accept IPv4 loopback URLs', async () => {
+    it('should accept IPv4 loopback URLs (self-hosted)', async () => {
       const result = await validateUrlWithDNS('http://127.0.0.1/api')
       expect(result.isValid).toBe(true)
       expect(result.resolvedIP).toBeDefined()
     })
 
-    it('should accept IPv6 loopback URLs', async () => {
+    it('should accept IPv6 loopback URLs (self-hosted)', async () => {
       const result = await validateUrlWithDNS('http://[::1]/api')
       expect(result.isValid).toBe(true)
       expect(result.resolvedIP).toBeDefined()
@@ -918,7 +918,7 @@ describe('validateExternalUrl', () => {
     })
   })
 
-  describe('localhost and loopback addresses', () => {
+  describe('localhost and loopback addresses (self-hosted)', () => {
     it.concurrent('should accept https localhost', () => {
       const result = validateExternalUrl('https://localhost/api')
       expect(result.isValid).toBe(true)
@@ -1027,7 +1027,7 @@ describe('validateImageUrl', () => {
     expect(result.isValid).toBe(true)
   })
 
-  it.concurrent('should accept localhost URLs', () => {
+  it.concurrent('should accept localhost URLs (self-hosted)', () => {
     const result = validateImageUrl('https://localhost/image.png')
     expect(result.isValid).toBe(true)
   })

apps/sim/lib/core/security/input-validation.ts

@@ -1,5 +1,6 @@
 import { createLogger } from '@sim/logger'
 import * as ipaddr from 'ipaddr.js'
+import { isHosted } from '@/lib/core/config/feature-flags'
 
 const logger = createLogger('InputValidation')
 
@@ -717,19 +718,26 @@ export function validateExternalUrl(
         error: `${paramName} must use http:// or https:// protocol`,
       }
     }
-    if (isLocalhost) {
+    if (isLocalhost && isHosted) {
       return {
         isValid: false,
         error: `${paramName} cannot point to localhost`,
       }
     }
-  } else if (protocol !== 'https:' && !(protocol === 'http:' && isLocalhost)) {
+  } else if (protocol !== 'https:' && !(protocol === 'http:' && isLocalhost && !isHosted)) {
     return {
       isValid: false,
       error: `${paramName} must use https:// protocol`,
     }
   }
 
+  if (isLocalhost && isHosted) {
+    return {
+      isValid: false,
+      error: `${paramName} cannot point to localhost`,
+    }
+  }
+
   if (!isLocalhost && ipaddr.isValid(cleanHostname)) {
     if (isPrivateOrReservedIP(cleanHostname)) {
       return {

apps/sim/lib/guardrails/validate_regex.ts

@@ -13,11 +13,17 @@ export interface ValidationResult {
 export function validateRegex(inputStr: string, pattern: string): ValidationResult {
   try {
     if (!safe(pattern)) {
-      return { passed: false, error: 'Regex pattern rejected: potentially unsafe (catastrophic backtracking)' }
+      return {
+        passed: false,
+        error: 'Regex pattern rejected: potentially unsafe (catastrophic backtracking)',
+      }
     }
 
     if (inputStr.length > MAX_INPUT_LENGTH) {
-      return { passed: false, error: `Input exceeds maximum length of ${MAX_INPUT_LENGTH} characters` }
+      return {
+        passed: false,
+        error: `Input exceeds maximum length of ${MAX_INPUT_LENGTH} characters`,
+      }
     }
 
     const regex = new RegExp(pattern)