fix(security): address review comments on SSRF PR

waleedlatif1 · waleedlatif1 · commit 28f3f1c8a191 · 2026-03-09T19:30:50.000-07:00
- Remove Promise.race timeout pattern to avoid unhandled rejections
  (http.request timeout is sufficient for webhook delivery)
- Use safeCompare in verifyCronAuth instead of inline HMAC logic
- Strip IPv6 brackets before validateDatabaseHost in Redis route
diff --git a/apps/sim/app/api/tools/redis/execute/route.ts b/apps/sim/app/api/tools/redis/execute/route.ts
@@ -26,7 +26,11 @@ export async function POST(request: NextRequest) {
     const { url, command, args } = RequestSchema.parse(body)
 
     const parsedUrl = new URL(url)
-    const hostValidation = await validateDatabaseHost(parsedUrl.hostname, 'host')
+    const hostname =
+      parsedUrl.hostname.startsWith('[') && parsedUrl.hostname.endsWith(']')
+        ? parsedUrl.hostname.slice(1, -1)
+        : parsedUrl.hostname
+    const hostValidation = await validateDatabaseHost(hostname, 'host')
     if (!hostValidation.isValid) {
       return NextResponse.json({ error: hostValidation.error }, { status: 400 })
     }
diff --git a/apps/sim/app/api/workspaces/[id]/notifications/[notificationId]/test/route.ts b/apps/sim/app/api/workspaces/[id]/notifications/[notificationId]/test/route.ts
@@ -137,7 +137,7 @@ async function testWebhook(subscription: typeof workspaceNotificationSubscriptio
   }
 
   try {
-    const fetchPromise = secureFetchWithValidation(
+    const response = await secureFetchWithValidation(
       webhookConfig.url,
       {
         method: 'POST',
@@ -147,12 +147,6 @@ async function testWebhook(subscription: typeof workspaceNotificationSubscriptio
       },
       'webhookUrl'
     )
-
-    const timeoutPromise = new Promise<never>((_resolve, reject) => {
-      setTimeout(() => reject(new Error('Request timeout')), 10000)
-    })
-
-    const response = await Promise.race([fetchPromise, timeoutPromise])
     const responseBody = await response.text().catch(() => '')
 
     return {
diff --git a/apps/sim/background/workspace-notification-delivery.ts b/apps/sim/background/workspace-notification-delivery.ts
@@ -209,7 +209,7 @@ async function deliverWebhook(
   }
 
   try {
-    const fetchPromise = secureFetchWithValidation(
+    const response = await secureFetchWithValidation(
       webhookConfig.url,
       {
         method: 'POST',
@@ -220,12 +220,6 @@ async function deliverWebhook(
       'webhookUrl'
     )
 
-    const timeoutPromise = new Promise<never>((_resolve, reject) => {
-      setTimeout(() => reject(new Error('Request timeout')), 30000)
-    })
-
-    const response = await Promise.race([fetchPromise, timeoutPromise])
-
     return {
       success: response.ok,
       status: response.status,
diff --git a/apps/sim/lib/auth/internal.ts b/apps/sim/lib/auth/internal.ts
@@ -1,8 +1,8 @@
-import { createHmac, timingSafeEqual } from 'crypto'
 import { createLogger } from '@sim/logger'
 import { jwtVerify, SignJWT } from 'jose'
 import { type NextRequest, NextResponse } from 'next/server'
 import { env } from '@/lib/core/config/env'
+import { safeCompare } from '@/lib/core/security/encryption'
 
 const logger = createLogger('CronAuth')
 
@@ -82,13 +82,7 @@ export function verifyCronAuth(request: NextRequest, context?: string): NextResp
 
   const authHeader = request.headers.get('authorization')
   const expectedAuth = `Bearer ${env.CRON_SECRET}`
-  const key = 'verifyCronAuth'
-  const isValid =
-    authHeader !== null &&
-    timingSafeEqual(
-      createHmac('sha256', key).update(authHeader).digest(),
-      createHmac('sha256', key).update(expectedAuth).digest()
-    )
+  const isValid = authHeader !== null && safeCompare(authHeader, expectedAuth)
   if (!isValid) {
     const contextInfo = context ? ` for ${context}` : ''
     logger.warn(`Unauthorized CRON access attempt${contextInfo}`, {

Original file line number	Diff line number	Diff line change
`@@ -137,7 +137,7 @@ async function testWebhook(subscription: typeof workspaceNotificationSubscriptio`
`137`	`137`	`}`
`138`	`138`
`139`	`139`	`try {`
`140`		`- const fetchPromise = secureFetchWithValidation(`
	`140`	`+ const response = await secureFetchWithValidation(`
`141`	`141`	`webhookConfig.url,`
`142`	`142`	`{`
`143`	`143`	`method: 'POST',`
`@@ -147,12 +147,6 @@ async function testWebhook(subscription: typeof workspaceNotificationSubscriptio`
`147`	`147`	`},`
`148`	`148`	`'webhookUrl'`
`149`	`149`	`)`
`150`		`-`
`151`		`- const timeoutPromise = new Promise<never>((_resolve, reject) => {`
`152`		`- setTimeout(() => reject(new Error('Request timeout')), 10000)`
`153`		`- })`
`154`		`-`
`155`		`- const response = await Promise.race([fetchPromise, timeoutPromise])`
`156`	`150`	`const responseBody = await response.text().catch(() => '')`
`157`	`151`
`158`	`152`	`return {`
Original file line number	Diff line number	Diff line change
`@@ -209,7 +209,7 @@ async function deliverWebhook(`
`209`	`209`	`}`
`210`	`210`
`211`	`211`	`try {`
`212`		`- const fetchPromise = secureFetchWithValidation(`
	`212`	`+ const response = await secureFetchWithValidation(`
`213`	`213`	`webhookConfig.url,`
`214`	`214`	`{`
`215`	`215`	`method: 'POST',`
`@@ -220,12 +220,6 @@ async function deliverWebhook(`
`220`	`220`	`'webhookUrl'`
`221`	`221`	`)`
`222`	`222`
`223`		`- const timeoutPromise = new Promise<never>((_resolve, reject) => {`
`224`		`- setTimeout(() => reject(new Error('Request timeout')), 30000)`
`225`		`- })`
`226`		`-`
`227`		`- const response = await Promise.race([fetchPromise, timeoutPromise])`
`228`		`-`
`229`	`223`	`return {`
`230`	`224`	`success: response.ok,`
`231`	`225`	`status: response.status,`