Skip to content

fix(security): SSRF, access control, and info disclosure #3815

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
waleedlatif1 merged 13 commits into from
Mar 28, 2026
Merged

fix(security): SSRF, access control, and info disclosure #3815

Changes from 1 commit
Commits
Show all changes
13 commits
Select commit Hold shift + click to select a range
952239d
fix(security): scope copilot feedback GET endpoint to authenticated user
waleedlatif1 Mar 27, 2026
89b4699
fix(smtp): add SSRF validation and genericize network error messages
waleedlatif1 Mar 27, 2026
7b5a296
fix(security): add SSRF validation to SFTP/SSH and access control to …
waleedlatif1 Mar 27, 2026
6026598
fix(smtp): restore SMTP response code handling for post-connection er…
waleedlatif1 Mar 27, 2026
a3f48e9
fix(security): use session email directly instead of extra DB query
waleedlatif1 Mar 27, 2026
c52698d
lint
waleedlatif1 Mar 27, 2026
0fa3c3e
fix(auth): revert lint autofix that broke hasExternalApiCredentials r…
waleedlatif1 Mar 27, 2026
4c0aa7a
fix(smtp): pin resolved IP to prevent DNS rebinding (TOCTOU)
waleedlatif1 Mar 28, 2026
d747565
refactor(security): extract createPinnedLookup helper for DNS rebindi…
waleedlatif1 Mar 28, 2026
c9f2a06
fix(security): pin IMAP connections to validated resolved IP
waleedlatif1 Mar 28, 2026
d2937d9
lint
waleedlatif1 Mar 28, 2026
98e42d3
fix(auth): revert lint autofix on hasExternalApiCredentials return type
waleedlatif1 Mar 28, 2026
1db2ab4
fix(security): short-circuit admin check when caller is invitee
waleedlatif1 Mar 28, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
fix(smtp): pin resolved IP to prevent DNS rebinding (TOCTOU) 
Use the pre-resolved IP from validateDatabaseHost instead of the
original hostname when creating the nodemailer transporter. Set
servername to the original hostname to preserve TLS SNI validation.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
  • Loading branch information
@waleedlatif1 @claude
waleedlatif1 and claude committed Mar 28, 2026
commit 4c0aa7acde4de8e24f47439436a65d058cc5671d
19 changes: 10 additions & 9 deletions apps/sim/app/api/tools/smtp/send/route.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -74,22 +74,23 @@ export async function POST(request: NextRequest) {
secure: validatedData.smtpSecure,
})

// Use the pre-resolved IP to prevent DNS rebinding attacks (TOCTOU).
// Set servername to the original hostname for correct TLS SNI/certificate validation.
const resolvedHost = hostValidation.resolvedIP ?? validatedData.smtpHost
const tlsOptions =
validatedData.smtpSecure === 'None'
? { rejectUnauthorized: false, servername: validatedData.smtpHost }
: { rejectUnauthorized: true, servername: validatedData.smtpHost }

const transporter = nodemailer.createTransport({
host: validatedData.smtpHost,
host: resolvedHost,
port: validatedData.smtpPort,
secure: validatedData.smtpSecure === 'SSL',
auth: {
user: validatedData.smtpUsername,
pass: validatedData.smtpPassword,
},
tls:
validatedData.smtpSecure === 'None'
? {
rejectUnauthorized: false,
}
: {
rejectUnauthorized: true,
},
tls: tlsOptions,
})

const contentType = validatedData.contentType || 'text'
Expand Down
Loading