fix(security): allow HTTP webhooks and fix misleading MCP error docs

- Add allowHttp option to validateExternalUrl, validateUrlWithDNS,
  and secureFetchWithValidation to support HTTP webhook URLs
- Pass allowHttp: true for webhook delivery and test endpoints
- Fix misleading JSDoc on createMcpErrorResponse (doesn't log errors)
- Mark unused error param with underscore prefix

Author: waleedlatif1

apps/sim/app/api/workspaces/[id]/notifications/[notificationId]/test/route.ts

@@ -144,6 +144,7 @@ async function testWebhook(subscription: typeof workspaceNotificationSubscriptio
         headers,
         body,
         timeout: 10000,
+        allowHttp: true,
       },
       'webhookUrl'
     )

apps/sim/background/workspace-notification-delivery.ts

@@ -216,6 +216,7 @@ async function deliverWebhook(
         headers,
         body,
         timeout: 30000,
+        allowHttp: true,
       },
       'webhookUrl'
     )

apps/sim/lib/core/security/input-validation.server.ts

@@ -54,9 +54,10 @@ function isPrivateOrReservedIP(ip: string): boolean {
  */
 export async function validateUrlWithDNS(
   url: string | null | undefined,
-  paramName = 'url'
+  paramName = 'url',
+  options: { allowHttp?: boolean } = {}
 ): Promise<AsyncValidationResult> {
-  const basicValidation = validateExternalUrl(url, paramName)
+  const basicValidation = validateExternalUrl(url, paramName, options)
   if (!basicValidation.isValid) {
     return basicValidation
   }
@@ -404,10 +405,12 @@ export async function secureFetchWithPinnedIP(
  */
 export async function secureFetchWithValidation(
   url: string,
-  options: SecureFetchOptions = {},
+  options: SecureFetchOptions & { allowHttp?: boolean } = {},
   paramName = 'url'
 ): Promise<SecureFetchResponse> {
-  const validation = await validateUrlWithDNS(url, paramName)
+  const validation = await validateUrlWithDNS(url, paramName, {
+    allowHttp: options.allowHttp,
+  })
   if (!validation.isValid) {
     throw new Error(validation.error)
   }

apps/sim/lib/core/security/input-validation.ts

@@ -676,7 +676,8 @@ export function validateJiraIssueKey(
  */
 export function validateExternalUrl(
   url: string | null | undefined,
-  paramName = 'url'
+  paramName = 'url',
+  options: { allowHttp?: boolean } = {}
 ): ValidationResult {
   if (!url || typeof url !== 'string') {
     return {
@@ -709,7 +710,14 @@ export function validateExternalUrl(
     }
   }
 
-  if (protocol !== 'https:' && !(protocol === 'http:' && isLocalhost)) {
+  if (options.allowHttp) {
+    if (protocol !== 'https:' && protocol !== 'http:') {
+      return {
+        isValid: false,
+        error: `${paramName} must use http:// or https:// protocol`,
+      }
+    }
+  } else if (protocol !== 'https:' && !(protocol === 'http:' && isLocalhost)) {
     return {
       isValid: false,
       error: `${paramName} must use https:// protocol`,

apps/sim/lib/mcp/utils.ts

@@ -51,10 +51,10 @@ export const MCP_CLIENT_CONSTANTS = {
 /**
  * Create standardized MCP error response.
  * Always returns the defaultMessage to clients to prevent leaking internal error details.
- * The original error is logged server-side for debugging.
+ * Callers are responsible for logging the original error before calling this function.
  */
 export function createMcpErrorResponse(
-  error: unknown,
+  _error: unknown,
   defaultMessage: string,
   status = 500
 ): NextResponse {