fix: harden SSRF protections and input validation across API routes

Add DNS-based SSRF validation for MCP server URLs, secure OIDC discovery
with IP-pinned fetch, strengthen OTP/chat/form input validation, sanitize
1Password vault parameters, and tighten deployment security checks.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: waleedlatif1

apps/sim/app/api/auth/sso/register/route.ts

@@ -4,6 +4,10 @@ import { z } from 'zod'
 import { auth, getSession } from '@/lib/auth'
 import { hasSSOAccess } from '@/lib/billing'
 import { env } from '@/lib/core/config/env'
+import {
+  secureFetchWithPinnedIP,
+  validateUrlWithDNS,
+} from '@/lib/core/security/input-validation.server'
 import { REDACTED_MARKER } from '@/lib/core/security/redaction'
 
 const logger = createLogger('SSORegisterRoute')
@@ -156,24 +160,37 @@ export async function POST(request: NextRequest) {
             hasJwksEndpoint: !!oidcConfig.jwksEndpoint,
           })
 
-          const discoveryResponse = await fetch(discoveryUrl, {
-            headers: { Accept: 'application/json' },
-          })
+          const urlValidation = await validateUrlWithDNS(discoveryUrl, 'OIDC discovery URL')
+          if (!urlValidation.isValid) {
+            logger.warn('OIDC discovery URL failed SSRF validation', {
+              discoveryUrl,
+              error: urlValidation.error,
+            })
+            return NextResponse.json({ error: urlValidation.error }, { status: 400 })
+          }
+
+          const discoveryResponse = await secureFetchWithPinnedIP(
+            discoveryUrl,
+            urlValidation.resolvedIP!,
+            {
+              headers: { Accept: 'application/json' },
+            }
+          )
 
           if (!discoveryResponse.ok) {
             logger.error('Failed to fetch OIDC discovery document', {
               status: discoveryResponse.status,
-              statusText: discoveryResponse.statusText,
             })
             return NextResponse.json(
               {
-                error: `Failed to fetch OIDC discovery document from ${discoveryUrl}. Status: ${discoveryResponse.status}. Provide all endpoints explicitly or verify the issuer URL.`,
+                error:
+                  'Failed to fetch OIDC discovery document. Provide all endpoints explicitly or verify the issuer URL.',
               },
               { status: 400 }
             )
           }
 
-          const discovery = await discoveryResponse.json()
+          const discovery = (await discoveryResponse.json()) as Record<string, unknown>
 
           oidcConfig.authorizationEndpoint =
             oidcConfig.authorizationEndpoint || discovery.authorization_endpoint
@@ -196,7 +213,8 @@ export async function POST(request: NextRequest) {
           })
           return NextResponse.json(
             {
-              error: `Failed to fetch OIDC discovery document from ${discoveryUrl}. Please verify the issuer URL is correct or provide all endpoints explicitly.`,
+              error:
+                'Failed to fetch OIDC discovery document. Please verify the issuer URL is correct or provide all endpoints explicitly.',
             },
             { status: 400 }
           )

apps/sim/app/api/files/authorization.ts

@@ -114,9 +114,9 @@ export async function verifyFileAccess(
     // Infer context from key if not explicitly provided
     const inferredContext = context || inferContextFromKey(cloudKey)
 
-    // 0. Profile pictures: Public access (anyone can view creator profile pictures)
-    if (inferredContext === 'profile-pictures') {
-      logger.info('Profile picture access allowed (public)', { cloudKey })
+    // 0. Public contexts: profile pictures and OG images are publicly accessible
+    if (inferredContext === 'profile-pictures' || inferredContext === 'og-images') {
+      logger.info('Public file access allowed', { cloudKey, context: inferredContext })
       return true
     }
 

apps/sim/app/api/files/serve/[...path]/route.ts

@@ -94,9 +94,6 @@ export async function GET(
     const isCloudPath = isS3Path || isBlobPath
     const cloudKey = isCloudPath ? path.slice(1).join('/') : fullPath
 
-    const contextParam = request.nextUrl.searchParams.get('context')
-    const raw = request.nextUrl.searchParams.get('raw') === '1'
-
     const isPublicByKeyPrefix =
       cloudKey.startsWith('profile-pictures/') || cloudKey.startsWith('og-images/')
 
@@ -109,6 +106,9 @@ export async function GET(
       return await handleLocalFilePublic(fullPath)
     }
 
+    const contextParam = request.nextUrl.searchParams.get('context')
+    const raw = request.nextUrl.searchParams.get('raw') === '1'
+
     const authResult = await checkSessionOrInternalAuth(request, { requireWorkflowId: false })
 
     if (!authResult.success || !authResult.userId) {

apps/sim/app/api/mcp/servers/[id]/route.ts

@@ -4,7 +4,12 @@ import { createLogger } from '@sim/logger'
 import { and, eq, isNull } from 'drizzle-orm'
 import type { NextRequest } from 'next/server'
 import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
-import { McpDomainNotAllowedError, validateMcpDomain } from '@/lib/mcp/domain-check'
+import {
+  McpDomainNotAllowedError,
+  McpSsrfError,
+  validateMcpDomain,
+  validateMcpServerSsrf,
+} from '@/lib/mcp/domain-check'
 import { getParsedBody, withMcpAuth } from '@/lib/mcp/middleware'
 import { mcpService } from '@/lib/mcp/service'
 import { createMcpErrorResponse, createMcpSuccessResponse } from '@/lib/mcp/utils'
@@ -44,6 +49,15 @@ export const PATCH = withMcpAuth<{ id: string }>('write')(
           }
           throw e
         }
+
+        try {
+          await validateMcpServerSsrf(updateData.url)
+        } catch (e) {
+          if (e instanceof McpSsrfError) {
+            return createMcpErrorResponse(e, e.message, 403)
+          }
+          throw e
+        }
       }
 
       // Get the current server to check if URL is changing

apps/sim/app/api/mcp/servers/route.ts

@@ -4,7 +4,12 @@ import { createLogger } from '@sim/logger'
 import { and, eq, isNull } from 'drizzle-orm'
 import type { NextRequest } from 'next/server'
 import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
-import { McpDomainNotAllowedError, validateMcpDomain } from '@/lib/mcp/domain-check'
+import {
+  McpDomainNotAllowedError,
+  McpSsrfError,
+  validateMcpDomain,
+  validateMcpServerSsrf,
+} from '@/lib/mcp/domain-check'
 import { getParsedBody, withMcpAuth } from '@/lib/mcp/middleware'
 import { mcpService } from '@/lib/mcp/service'
 import {
@@ -83,6 +88,15 @@ export const POST = withMcpAuth('write')(
         throw e
       }
 
+      try {
+        await validateMcpServerSsrf(body.url)
+      } catch (e) {
+        if (e instanceof McpSsrfError) {
+          return createMcpErrorResponse(e, e.message, 403)
+        }
+        throw e
+      }
+
       const serverId = body.url ? generateMcpServerId(workspaceId, body.url) : crypto.randomUUID()
 
       const [existingServer] = await db

apps/sim/app/api/mcp/servers/test-connection/route.ts

@@ -1,7 +1,12 @@
 import { createLogger } from '@sim/logger'
 import type { NextRequest } from 'next/server'
 import { McpClient } from '@/lib/mcp/client'
-import { McpDomainNotAllowedError, validateMcpDomain } from '@/lib/mcp/domain-check'
+import {
+  McpDomainNotAllowedError,
+  McpSsrfError,
+  validateMcpDomain,
+  validateMcpServerSsrf,
+} from '@/lib/mcp/domain-check'
 import { getParsedBody, withMcpAuth } from '@/lib/mcp/middleware'
 import { resolveMcpConfigEnvVars } from '@/lib/mcp/resolve-config'
 import type { McpTransport } from '@/lib/mcp/types'
@@ -95,6 +100,15 @@ export const POST = withMcpAuth('write')(
         throw e
       }
 
+      try {
+        await validateMcpServerSsrf(body.url)
+      } catch (e) {
+        if (e instanceof McpSsrfError) {
+          return createMcpErrorResponse(e, e.message, 403)
+        }
+        throw e
+      }
+
       // Build initial config for resolution
       const initialConfig = {
         id: `test-${requestId}`,
@@ -119,7 +133,7 @@ export const POST = withMcpAuth('write')(
         logger.warn(`[${requestId}] Some environment variables not found:`, { missingVars })
       }
 
-      // Re-validate domain after env var resolution
+      // Re-validate domain and SSRF after env var resolution
       try {
         validateMcpDomain(testConfig.url)
       } catch (e) {
@@ -129,6 +143,15 @@ export const POST = withMcpAuth('write')(
         throw e
       }
 
+      try {
+        await validateMcpServerSsrf(testConfig.url)
+      } catch (e) {
+        if (e instanceof McpSsrfError) {
+          return createMcpErrorResponse(e, e.message, 403)
+        }
+        throw e
+      }
+
       const testSecurityPolicy = {
         requireConsent: false,
         auditLevel: 'none' as const,

apps/sim/app/api/tools/onepassword/utils.ts

@@ -1,3 +1,4 @@
+import dns from 'dns/promises'
 import type {
   Item,
   ItemCategory,
@@ -8,6 +9,8 @@ import type {
   VaultOverview,
   Website,
 } from '@1password/sdk'
+import { createLogger } from '@sim/logger'
+import * as ipaddr from 'ipaddr.js'
 
 /** Connect-format field type strings returned by normalization. */
 type ConnectFieldType =
@@ -238,6 +241,49 @@ export async function createOnePasswordClient(serviceAccountToken: string) {
   })
 }
 
+const connectLogger = createLogger('OnePasswordConnect')
+
+/**
+ * Validates that a Connect server URL does not target cloud metadata endpoints.
+ * Allows private IPs and localhost since 1Password Connect is designed to be self-hosted.
+ */
+async function validateConnectServerUrl(serverUrl: string): Promise<void> {
+  let hostname: string
+  try {
+    hostname = new URL(serverUrl).hostname
+  } catch {
+    throw new Error('1Password server URL is not a valid URL')
+  }
+
+  const clean = hostname.startsWith('[') && hostname.endsWith(']') ? hostname.slice(1, -1) : hostname
+
+  if (ipaddr.isValid(clean)) {
+    const addr = ipaddr.process(clean)
+    if (addr.range() === 'linkLocal') {
+      throw new Error('1Password server URL cannot point to a link-local address')
+    }
+    return
+  }
+
+  try {
+    const { address } = await dns.lookup(clean, { verbatim: true })
+    if (ipaddr.isValid(address) && ipaddr.process(address).range() === 'linkLocal') {
+      connectLogger.warn('1Password Connect server URL resolves to link-local IP', {
+        hostname: clean,
+        resolvedIP: address,
+      })
+      throw new Error('1Password server URL resolves to a link-local address')
+    }
+  } catch (error) {
+    if (error instanceof Error && error.message.startsWith('1Password')) throw error
+    connectLogger.warn('DNS lookup failed for 1Password Connect server URL', {
+      hostname: clean,
+      error: error instanceof Error ? error.message : String(error),
+    })
+    throw new Error('1Password server URL hostname could not be resolved')
+  }
+}
+
 /** Proxy a request to the 1Password Connect Server. */
 export async function connectRequest(options: {
   serverUrl: string
@@ -247,6 +293,8 @@ export async function connectRequest(options: {
   body?: unknown
   query?: string
 }): Promise<Response> {
+  await validateConnectServerUrl(options.serverUrl)
+
   const base = options.serverUrl.replace(/\/$/, '')
   const queryStr = options.query ? `?${options.query}` : ''
   const url = `${base}${options.path}${queryStr}`

apps/sim/background/schedule-execution.ts

@@ -913,7 +913,7 @@ export async function executeJobInline(payload: JobExecutionPayload) {
 
   try {
     const url = buildAPIUrl('/api/mothership/execute')
-    const headers = await buildAuthHeaders()
+    const headers = await buildAuthHeaders(jobRecord.sourceUserId)
 
     const body = {
       messages: [{ role: 'user', content: promptText }],

apps/sim/executor/handlers/agent/agent-handler.ts

@@ -289,7 +289,7 @@ export class AgentBlockHandler implements BlockHandler {
     }
 
     try {
-      const headers = await buildAuthHeaders()
+      const headers = await buildAuthHeaders(ctx.userId)
       const params: Record<string, string> = {}
 
       if (ctx.workspaceId) {
@@ -467,7 +467,7 @@ export class AgentBlockHandler implements BlockHandler {
       throw new Error('workflowId is required for internal JWT authentication')
     }
 
-    const headers = await buildAuthHeaders()
+    const headers = await buildAuthHeaders(ctx.userId)
     const url = buildAPIUrl('/api/mcp/tools/discover', {
       serverId,
       workspaceId: ctx.workspaceId,

apps/sim/executor/handlers/evaluator/evaluator-handler.ts

@@ -134,7 +134,7 @@ export class EvaluatorBlockHandler implements BlockHandler {
 
       const response = await fetch(url.toString(), {
         method: 'POST',
-        headers: await buildAuthHeaders(),
+        headers: await buildAuthHeaders(ctx.userId),
         body: stringifyJSON(providerRequest),
       })