Skip to content

fix(security): SSRF, access control, and info disclosure #3815

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
waleedlatif1 merged 13 commits into from
Mar 28, 2026
Merged

fix(security): SSRF, access control, and info disclosure #3815

Changes from 1 commit
Commits
Show all changes
13 commits
Select commit Hold shift + click to select a range
952239d
fix(security): scope copilot feedback GET endpoint to authenticated user
waleedlatif1 Mar 27, 2026
89b4699
fix(smtp): add SSRF validation and genericize network error messages
waleedlatif1 Mar 27, 2026
7b5a296
fix(security): add SSRF validation to SFTP/SSH and access control to …
waleedlatif1 Mar 27, 2026
6026598
fix(smtp): restore SMTP response code handling for post-connection er…
waleedlatif1 Mar 27, 2026
a3f48e9
fix(security): use session email directly instead of extra DB query
waleedlatif1 Mar 27, 2026
c52698d
lint
waleedlatif1 Mar 27, 2026
0fa3c3e
fix(auth): revert lint autofix that broke hasExternalApiCredentials r…
waleedlatif1 Mar 27, 2026
4c0aa7a
fix(smtp): pin resolved IP to prevent DNS rebinding (TOCTOU)
waleedlatif1 Mar 28, 2026
d747565
refactor(security): extract createPinnedLookup helper for DNS rebindi…
waleedlatif1 Mar 28, 2026
c9f2a06
fix(security): pin IMAP connections to validated resolved IP
waleedlatif1 Mar 28, 2026
d2937d9
lint
waleedlatif1 Mar 28, 2026
98e42d3
fix(auth): revert lint autofix on hasExternalApiCredentials return type
waleedlatif1 Mar 28, 2026
1db2ab4
fix(security): short-circuit admin check when caller is invitee
waleedlatif1 Mar 28, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
fix(security): use session email directly instead of extra DB query 
Addresses PR review feedback — align with the workspace invitation
route pattern by using session.user.email instead of re-fetching
from the database.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
  • Loading branch information
@waleedlatif1 @claude
waleedlatif1 and claude committed Mar 27, 2026
commit a3f48e9eb20fcc682f58d1536ee784ee04c062fd
9 changes: 2 additions & 7 deletions apps/sim/app/api/organizations/[id]/invitations/[invitationId]/route.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -62,13 +62,8 @@ export async function GET(
}

// Verify caller is either an org member or the invitee
const userData = await db
.select({ email: user.email })
.from(user)
.where(eq(user.id, session.user.id))
.then((rows) => rows[0])

const isInvitee = userData && userData.email.toLowerCase() === orgInvitation.email.toLowerCase()
const isInvitee =
session.user.email?.toLowerCase() === orgInvitation.email.toLowerCase()

if (!isInvitee) {
const memberEntry = await db
Expand Down
Loading