Merged
25 commits
6f43fc9
fix: prevent auth bypass via user-controlled context query param in f…
waleedlatif1 Mar 26, 2026
be41fbc
fix: use randomized heredoc delimiter in SSH execute-script route
waleedlatif1 Mar 26, 2026
86d7a20
fix: escape workingDirectory in SSH execute-command route
waleedlatif1 Mar 26, 2026
331e9fc
fix: harden chat/form deployment auth (OTP brute-force, CSPRNG, HMAC …
waleedlatif1 Mar 26, 2026
dac7dda
fix: harden SSRF protections and input validation across API routes
waleedlatif1 Mar 26, 2026
c5ecc19
lint
waleedlatif1 Mar 26, 2026
35bc843
fix(file-serve): remove user-controlled context param from authentica…
waleedlatif1 Mar 26, 2026
dea9fbe
fix: handle legacy OTP format in decodeOTPValue for deploy-time compat
waleedlatif1 Mar 26, 2026
7e56894
fix(mcp): distinguish DNS resolution failures from SSRF policy blocks
waleedlatif1 Mar 26, 2026
16072b5
fix: make OTP attempt counting atomic to prevent TOCTOU race
waleedlatif1 Mar 26, 2026
44b8aba
fix: check attempt count before OTP comparison to prevent bypass
waleedlatif1 Mar 26, 2026
bf81938
fix: validate OIDC discovered endpoints against SSRF
waleedlatif1 Mar 26, 2026
002748f
fix: remove duplicate OIDC endpoint SSRF validation block
waleedlatif1 Mar 26, 2026
5493234
fix: validate OIDC discovered endpoints and pin DNS for 1Password Con…
waleedlatif1 Mar 26, 2026
994e711
lint
waleedlatif1 Mar 26, 2026
971888d
fix: replace KEEPTTL with TTL+EX for Redis <6.0 compat, add DB retry …
waleedlatif1 Mar 26, 2026
2f85b31
fix: address review feedback on OTP atomicity and 1Password fetch
waleedlatif1 Mar 26, 2026
1313265
fix: treat Lua nil return as locked when OTP key is missing
waleedlatif1 Mar 26, 2026
f1fd878
fix: handle Lua nil as locked OTP and add SSRF check to MCP env resol…
waleedlatif1 Mar 26, 2026
1cc6ed4
fix: narrow resolvedIP type guard instead of non-null assertion
waleedlatif1 Mar 26, 2026
3db061b
fix: bind auth tokens to deployment password for immediate revocation
waleedlatif1 Mar 26, 2026
78c0454
fix: bind auth tokens to deployment password and remove resolvedIP no…
waleedlatif1 Mar 26, 2026
b7bc591
fix: update test assertions for new encryptedPassword parameter
waleedlatif1 Mar 26, 2026
4790853
fix: format long lines in chat/form test assertions
waleedlatif1 Mar 26, 2026
33e6576
fix: pass encryptedPassword through OTP route cookie generation
waleedlatif1 Mar 26, 2026
fix: check attempt count before OTP comparison to prevent bypass
Reject OTPs that have already reached max failed attempts before
comparing the code, closing a race window where a correct guess
could bypass brute-force protection.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
waleedlatif1 and claude committed Mar 26, 2026
commit 44b8aba182aa521afc80a1d2668edc9842fc4108
9 changes: 9 additions & 0 deletions apps/sim/app/api/chat/[identifier]/otp/route.ts
Expand Up @@ -311,6 +311,15 @@ export async function PUT(

const { otp: storedOTP, attempts } = decodeOTPValue(storedValue)

if (attempts >= MAX_OTP_ATTEMPTS) {
await deleteOTP(email, deployment.id)
logger.warn(`[${requestId}] OTP already locked out for ${email}`)
return addCorsHeaders(
createErrorResponse('Too many failed attempts. Please request a new code.', 429),
request
)
}

if (storedOTP !== otp) {
const result = await incrementOTPAttempts(email, deployment.id, storedValue)
if (result === 'locked') {
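Review bot: the new guard at the top of the hunk decides on `attempts` decoded from a snapshot of `storedValue`, so two concurrent requests that both read a count just below `MAX_OTP_ATTEMPTS` each pass the check and one of them can still reach the comparison; the race window is narrowed, not closed. Consider making the attempt increment atomic in the store and taking the lockout decision on the post-increment value (the later commit `16072b5` in this PR moves in that direction), returning the same 429 from that path. Minor: `logger.warn(\`[${requestId}] OTP already locked out for ${email}\`)` writes the raw email on every lockout; masking it keeps the event useful without logging an identifier.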