fix(security): thread workflowId through all processQueuedResumes call sites

waleedlatif1 · waleedlatif1 · commit fd234acb08c8 · 2026-05-10T18:33:04.000-07:00
Closes residual cross-tenant IDOR gap where processQueuedResumes was called
without a workflowId scope in persistPauseResult, startResumeExecution (success
and error paths), and clearPausedCancellationIntent. workflowId was already in
scope at each site — this wires it through to the existing optional parameter.
diff --git a/apps/sim/lib/workflows/executor/human-in-the-loop-manager.ts b/apps/sim/lib/workflows/executor/human-in-the-loop-manager.ts
@@ -264,7 +264,7 @@ export class PauseResumeManager {
         .where(eq(pausedExecutions.id, existing.id))
     })
 
-    await PauseResumeManager.processQueuedResumes(executionId)
+    await PauseResumeManager.processQueuedResumes(executionId, workflowId)
   }
 
   static async enqueueOrStartResume(args: EnqueueResumeArgs): Promise<EnqueueResumeResult> {
@@ -504,7 +504,10 @@ export class PauseResumeManager {
         })
       }
 
-      await PauseResumeManager.processQueuedResumes(pausedExecution.executionId)
+      await PauseResumeManager.processQueuedResumes(
+        pausedExecution.executionId,
+        pausedExecution.workflowId
+      )
 
       return result
     } catch (error) {
@@ -532,7 +535,10 @@ export class PauseResumeManager {
         contextId,
         error,
       })
-      await PauseResumeManager.processQueuedResumes(pausedExecution.executionId)
+      await PauseResumeManager.processQueuedResumes(
+        pausedExecution.executionId,
+        pausedExecution.workflowId
+      )
       throw error
     }
   }
@@ -1689,7 +1695,7 @@ export class PauseResumeManager {
           eq(pausedExecutions.status, 'cancelling')
         )
       )
-    await PauseResumeManager.processQueuedResumes(executionId)
+    await PauseResumeManager.processQueuedResumes(executionId, workflowId)
   }
 
   static async getPausedCancellationStatus(

Original file line number	Diff line number	Diff line change
`@@ -264,7 +264,7 @@ export class PauseResumeManager {`
`264`	`264`	`.where(eq(pausedExecutions.id, existing.id))`
`265`	`265`	`})`
`266`	`266`
`267`		`- await PauseResumeManager.processQueuedResumes(executionId)`
	`267`	`+ await PauseResumeManager.processQueuedResumes(executionId, workflowId)`
`268`	`268`	`}`
`269`	`269`
`270`	`270`	`static async enqueueOrStartResume(args: EnqueueResumeArgs): Promise<EnqueueResumeResult> {`
`@@ -504,7 +504,10 @@ export class PauseResumeManager {`
`504`	`504`	`})`
`505`	`505`	`}`
`506`	`506`
`507`		`- await PauseResumeManager.processQueuedResumes(pausedExecution.executionId)`
	`507`	`+ await PauseResumeManager.processQueuedResumes(`
	`508`	`+ pausedExecution.executionId,`
	`509`	`+ pausedExecution.workflowId`
	`510`	`+ )`
`508`	`511`
`509`	`512`	`return result`
`510`	`513`	`} catch (error) {`
`@@ -532,7 +535,10 @@ export class PauseResumeManager {`
`532`	`535`	`contextId,`
`533`	`536`	`error,`
`534`	`537`	`})`
`535`		`- await PauseResumeManager.processQueuedResumes(pausedExecution.executionId)`
	`538`	`+ await PauseResumeManager.processQueuedResumes(`
	`539`	`+ pausedExecution.executionId,`
	`540`	`+ pausedExecution.workflowId`
	`541`	`+ )`
`536`	`542`	`throw error`
`537`	`543`	`}`
`538`	`544`	`}`
`@@ -1689,7 +1695,7 @@ export class PauseResumeManager {`
`1689`	`1695`	`eq(pausedExecutions.status, 'cancelling')`
`1690`	`1696`	`)`
`1691`	`1697`	`)`
`1692`		`- await PauseResumeManager.processQueuedResumes(executionId)`
	`1698`	`+ await PauseResumeManager.processQueuedResumes(executionId, workflowId)`
`1693`	`1699`	`}`
`1694`	`1700`
`1695`	`1701`	`static async getPausedCancellationStatus(`