fix(security): block localhost when allowHttp is enabled

waleedlatif1 · waleedlatif1 · commit 820df09fd949 · 2026-03-09T19:59:59.000-07:00
When allowHttp is true (user-supplied webhook URLs), explicitly block
localhost/loopback in both validateExternalUrl and validateUrlWithDNS
to prevent SSRF against internal services.
diff --git a/apps/sim/lib/core/security/input-validation.server.ts b/apps/sim/lib/core/security/input-validation.server.ts
@@ -89,7 +89,10 @@ export async function validateUrlWithDNS(
         return ip === '127.0.0.1' || ip === '::1'
       })()
 
-    if (isPrivateOrReservedIP(address) && !(isLocalhost && resolvedIsLoopback)) {
+    if (
+      isPrivateOrReservedIP(address) &&
+      !(isLocalhost && resolvedIsLoopback && !options.allowHttp)
+    ) {
       logger.warn('URL resolves to blocked IP address', {
         paramName,
         hostname,
diff --git a/apps/sim/lib/core/security/input-validation.ts b/apps/sim/lib/core/security/input-validation.ts
@@ -717,6 +717,12 @@ export function validateExternalUrl(
         error: `${paramName} must use http:// or https:// protocol`,
       }
     }
+    if (isLocalhost) {
+      return {
+        isValid: false,
+        error: `${paramName} cannot point to localhost`,
+      }
+    }
   } else if (protocol !== 'https:' && !(protocol === 'http:' && isLocalhost)) {
     return {
       isValid: false,

Original file line number	Diff line number	Diff line change
`@@ -717,6 +717,12 @@ export function validateExternalUrl(`
`717`	`717`	error: `${paramName} must use http:// or https:// protocol`,
`718`	`718`	`}`
`719`	`719`	`}`
	`720`	`+ if (isLocalhost) {`
	`721`	`+ return {`
	`722`	`+ isValid: false,`
	`723`	+ error: `${paramName} cannot point to localhost`,
	`724`	`+ }`
	`725`	`+ }`
`720`	`726`	`} else if (protocol !== 'https:' && !(protocol === 'http:' && isLocalhost)) {`
`721`	`727`	`return {`
`722`	`728`	`isValid: false,`