fix(security): add SSRF protection to database tools and webhook delivery

Author: waleedlatif1

apps/sim/app/api/chat/utils.test.ts

@@ -51,6 +51,17 @@ vi.mock('@/lib/core/config/feature-flags', () => ({
   isProd: false,
 }))
 
+vi.mock('@/lib/core/config/env', () => ({
+  getEnv: vi.fn((key: string) => {
+    if (key === 'NEXT_PUBLIC_APP_URL') return 'http://localhost:3000'
+    return undefined
+  }),
+}))
+
+vi.mock('@/lib/core/utils/urls', () => ({
+  getBaseUrl: vi.fn(() => 'http://localhost:3000'),
+}))
+
 vi.mock('@/lib/workflows/utils', () => ({
   authorizeWorkflowByWorkspacePermission: vi.fn(),
 }))

apps/sim/app/api/form/utils.test.ts

@@ -24,6 +24,17 @@ vi.mock('@/lib/core/config/feature-flags', () => ({
   isProd: false,
 }))
 
+vi.mock('@/lib/core/config/env', () => ({
+  getEnv: vi.fn((key: string) => {
+    if (key === 'NEXT_PUBLIC_APP_URL') return 'http://localhost:3000'
+    return undefined
+  }),
+}))
+
+vi.mock('@/lib/core/utils/urls', () => ({
+  getBaseUrl: vi.fn(() => 'http://localhost:3000'),
+}))
+
 vi.mock('@/lib/workflows/utils', () => ({
   authorizeWorkflowByWorkspacePermission: vi.fn(),
 }))
@@ -114,7 +125,7 @@ describe('Form API Utils', () => {
   })
 
   describe('CORS handling', () => {
-    it.concurrent('should add CORS headers for any origin', () => {
+    it('should add CORS headers for allowed origins', () => {
       const mockRequest = {
         headers: {
           get: vi.fn().mockReturnValue('http://localhost:3000'),
@@ -147,7 +158,25 @@ describe('Form API Utils', () => {
       )
     })
 
-    it.concurrent('should not set CORS headers when no origin', () => {
+    it('should not set CORS headers for disallowed origins', () => {
+      const mockRequest = {
+        headers: {
+          get: vi.fn().mockReturnValue('https://evil.com'),
+        },
+      } as any
+
+      const mockResponse = {
+        headers: {
+          set: vi.fn(),
+        },
+      } as unknown as NextResponse
+
+      addCorsHeaders(mockResponse, mockRequest)
+
+      expect(mockResponse.headers.set).not.toHaveBeenCalled()
+    })
+
+    it('should not set CORS headers when no origin', () => {
       const mockRequest = {
         headers: {
           get: vi.fn().mockReturnValue(''),

apps/sim/app/api/mcp/servers/[id]/refresh/route.ts

@@ -192,7 +192,8 @@ export const POST = withMcpAuth<{ id: string }>('read')(
         )
       } catch (error) {
         connectionStatus = 'error'
-        lastError = error instanceof Error ? error.message : 'Connection test failed'
+        lastError =
+          error instanceof Error ? error.message.split('\n')[0].slice(0, 200) : 'Connection failed'
         logger.warn(`[${requestId}] Failed to connect to server ${serverId}:`, error)
       }
 

apps/sim/app/api/mcp/servers/test-connection/route.ts

@@ -41,6 +41,26 @@ interface TestConnectionResult {
   warnings?: string[]
 }
 
+/**
+ * Extracts a user-friendly error message from connection errors.
+ * Keeps diagnostic info (timeout, DNS, HTTP status) but strips
+ * verbose internals (Zod details, full response bodies, stack traces).
+ */
+function sanitizeConnectionError(error: unknown): string {
+  if (!(error instanceof Error)) {
+    return 'Unknown connection error'
+  }
+
+  const msg = error.message
+
+  if (msg.length > 200) {
+    const firstLine = msg.split('\n')[0]
+    return firstLine.length > 200 ? `${firstLine.slice(0, 200)}...` : firstLine
+  }
+
+  return msg
+}
+
 /**
  * POST - Test connection to an MCP server before registering it
  */
@@ -137,8 +157,7 @@ export const POST = withMcpAuth('write')(
         } catch (toolError) {
           logger.warn(`[${requestId}] Connection established but could not list tools:`, toolError)
           result.success = false
-          const errorMessage = toolError instanceof Error ? toolError.message : 'Unknown error'
-          result.error = `Connection established but could not list tools: ${errorMessage}`
+          result.error = 'Connection established but could not list tools'
           result.warnings = result.warnings || []
           result.warnings.push(
             'Server connected but tool listing failed - connection may be incomplete'
@@ -163,11 +182,7 @@ export const POST = withMcpAuth('write')(
         logger.warn(`[${requestId}] MCP server test failed:`, error)
 
         result.success = false
-        if (error instanceof Error) {
-          result.error = error.message
-        } else {
-          result.error = 'Unknown connection error'
-        }
+        result.error = sanitizeConnectionError(error)
       } finally {
         if (client) {
           try {

apps/sim/app/api/mcp/tools/execute/route.ts

@@ -89,11 +89,12 @@ export const POST = withMcpAuth('read')(
           tool = tools.find((t) => t.name === toolName) ?? null
 
           if (!tool) {
+            logger.warn(`[${requestId}] Tool ${toolName} not found on server ${serverId}`, {
+              availableTools: tools.map((t) => t.name),
+            })
             return createMcpErrorResponse(
-              new Error(
-                `Tool ${toolName} not found on server ${serverId}. Available tools: ${tools.map((t) => t.name).join(', ')}`
-              ),
-              'Tool not found',
+              new Error('Tool not found'),
+              'Tool not found on the specified server',
               404
             )
           }

apps/sim/app/api/tools/a2a/cancel-task/route.ts

@@ -76,7 +76,7 @@ export async function POST(request: NextRequest) {
     return NextResponse.json(
       {
         success: false,
-        error: error instanceof Error ? error.message : 'Failed to cancel task',
+        error: 'Failed to cancel task',
       },
       { status: 500 }
     )

apps/sim/app/api/tools/a2a/delete-push-notification/route.ts

@@ -86,7 +86,7 @@ export async function POST(request: NextRequest) {
     return NextResponse.json(
       {
         success: false,
-        error: error instanceof Error ? error.message : 'Failed to delete push notification',
+        error: 'Failed to delete push notification',
       },
       { status: 500 }
     )

apps/sim/app/api/tools/a2a/get-agent-card/route.ts

@@ -84,7 +84,7 @@ export async function POST(request: NextRequest) {
     return NextResponse.json(
       {
         success: false,
-        error: error instanceof Error ? error.message : 'Failed to fetch Agent Card',
+        error: 'Failed to fetch Agent Card',
       },
       { status: 500 }
     )

apps/sim/app/api/tools/a2a/get-push-notification/route.ts

@@ -107,7 +107,7 @@ export async function POST(request: NextRequest) {
     return NextResponse.json(
       {
         success: false,
-        error: error instanceof Error ? error.message : 'Failed to get push notification',
+        error: 'Failed to get push notification',
       },
       { status: 500 }
     )

apps/sim/app/api/tools/a2a/get-task/route.ts

@@ -87,7 +87,7 @@ export async function POST(request: NextRequest) {
     return NextResponse.json(
       {
         success: false,
-        error: error instanceof Error ? error.message : 'Failed to get task',
+        error: 'Failed to get task',
       },
       { status: 500 }
     )