fix(security): add authentication and input validation to API routes #2959
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
Contributor
Greptile Summary
Important Files Changed
Confidence score: 4/5
Sequence DiagramsequenceDiagram
participant User
|
waleedlatif1
force-pushed
the
fix/vuln
branch
from
ba48941 to
4761b80
Compare
waleedlatif1
force-pushed
the
fix/vuln
branch
from
4761b80 to
eefbf53
Compare
Collaborator
Author
waleedlatif1
added a commit
that referenced
this pull request
Jan 24, 2026
…2973) * fix(subflows): tag dropdown + resolution logic (#2949) * fix(subflows): tag dropdown + resolution logic * fixes; * revert parallel change * chore(deps): bump posthog-js to 1.334.1 (#2948) * fix(idempotency): add conflict target to atomicallyClaimDb query + remove redundant db namespace tracking (#2950) * fix(idempotency): add conflict target to atomicallyClaimDb query * delete needs to account for namespace * simplify namespace filtering logic * fix cleanup * consistent target * improvement(kb): add document filtering, select all, and React Query migration (#2951) * improvement(kb): add document filtering, select all, and React Query migration * test(kb): update tests for enabledFilter and removed userId params * fix(kb): remove non-null assertion, add explicit guard * improvement(logs): trace span, details (#2952) * improvement(action-bar): ordering * improvement(logs): details, trace span * feat(blog): v0.5 release post (#2953) * feat(blog): v0.5 post * improvement(blog): simplify title and remove code block header - Simplified blog title from "Introducing Sim Studio v0.5" to "Introducing Sim v0.5" - Removed language label header and copy button from code blocks for cleaner appearance Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * ack PR comments * small styling improvements * created system to create post-specific components * updated componnet * cache invalidation --------- Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com> * feat(admin): add credits endpoint to issue credits to users (#2954) * feat(admin): add credits endpoint to issue credits to users * fix(admin): use existing credit functions and handle enterprise seats * fix(admin): reject NaN and Infinity in amount validation * styling * fix(admin): validate userId and email are strings * improvement(copilot): fast mode, subagent tool responses and allow preferences (#2955) * Improvements * Fix actions mapping * Remove console logs * fix(billing): handle missing userStats and prevent crashes (#2956) * fix(billing): handle missing userStats and prevent crashes * fix(billing): correct import path for getFilledPillColor * fix(billing): add Number.isFinite check to lastPeriodCost * fix(logs): refresh logic to refresh logs details (#2958) * fix(security): add authentication and input validation to API routes (#2959) * fix(security): add authentication and input validation to API routes * moved utils * remove extraneous commetns * removed unused dep * improvement(helm): add internal ingress support and same-host path consolidation (#2960) * improvement(helm): add internal ingress support and same-host path consolidation * improvement(helm): clean up ingress template comments Simplify verbose inline Helm comments and section dividers to match the minimal style used in services.yaml. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * fix(helm): add missing copilot path consolidation for realtime host When copilot.host equals realtime.host but differs from app.host, copilot paths were not being routed. Added logic to consolidate copilot paths into the realtime rule for this scenario. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * improvement(helm): follow ingress best practices - Remove orphan comments that appeared when services were disabled - Add documentation about path ordering requirements - Paths rendered in order: realtime, copilot, app (specific before catch-all) - Clean template output matching industry Helm chart standards --------- Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com> * feat(blog): enterprise post (#2961) * feat(blog): enterprise post * added more images, styling * more content * updated v0-5 post * remove unused transition --------- Co-authored-by: Vikhyath Mondreti <vikhyath@simstudio.ai> * fix(envvars): resolution standardized (#2957) * fix(envvars): resolution standardized * remove comments * address bugbot * fix highlighting for env vars * remove comments * address greptile * address bugbot * fix(copilot): mask credentials fix (#2963) * Fix copilot masking * Clean up * Lint * improvement(webhooks): remove dead code (#2965) * fix(webhooks): subscription recreation path * improvement(webhooks): remove dead code * fix tests * address bugbot comments * fix restoration edge case * fix more edge cases * address bugbot comments * fix gmail polling * add warnings for UI indication for credential sets * fix(preview): subblock values (#2969) * fix(child-workflow): nested spans handoff (#2966) * fix(child-workflow): nested spans handoff * remove overly defensive programming * update type check * type more code * remove more dead code * address bugbot comments * fix(security): restrict API key access on internal-only routes (#2964) * fix(security): restrict API key access on internal-only routes * test(security): update function execute tests for checkInternalAuth * updated agent handler * move session check higher in checkSessionOrInternalAuth * extracted duplicate code into helper for resolving user from jwt * fix(copilot): update copilot chat title (#2968) * fix(hitl): fix condition blocks after hitl (#2967) * fix(notes): ghost edges (#2970) * fix(notes): ghost edges * fix deployed state fallback * fallback * remove UI level checks * annotation missing from autoconnect source check * improvement(docs): loop and parallel var reference syntax (#2975) * fix(blog): slash actions description (#2976) * improvement(docs): loop and parallel var reference syntax * fix(blog): slash actions description * fix(auth): copilot routes (#2977) * Fix copilot auth * Fix * Fix * Fix * fix(copilot): fix edit summary for loops/parallels (#2978) * fix(integrations): hide from tool bar (#2544) * fix(landing): ui (#2979) * fix(edge-validation): race condition on collaborative add (#2980) * fix(variables): boolean type support and input improvements (#2981) * fix(variables): boolean type support and input improvements * fix formatting --------- Co-authored-by: Vikhyath Mondreti <vikhyathvikku@gmail.com> Co-authored-by: Emir Karabeg <78010029+emir-karabeg@users.noreply.github.com> Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com> Co-authored-by: Siddharth Ganesan <33737564+Sg312@users.noreply.github.com> Co-authored-by: Vikhyath Mondreti <vikhyath@simstudio.ai>
waleedlatif1
added a commit
that referenced
this pull request
Jan 24, 2026
…2973) * fix(subflows): tag dropdown + resolution logic (#2949) * fix(subflows): tag dropdown + resolution logic * fixes; * revert parallel change * chore(deps): bump posthog-js to 1.334.1 (#2948) * fix(idempotency): add conflict target to atomicallyClaimDb query + remove redundant db namespace tracking (#2950) * fix(idempotency): add conflict target to atomicallyClaimDb query * delete needs to account for namespace * simplify namespace filtering logic * fix cleanup * consistent target * improvement(kb): add document filtering, select all, and React Query migration (#2951) * improvement(kb): add document filtering, select all, and React Query migration * test(kb): update tests for enabledFilter and removed userId params * fix(kb): remove non-null assertion, add explicit guard * improvement(logs): trace span, details (#2952) * improvement(action-bar): ordering * improvement(logs): details, trace span * feat(blog): v0.5 release post (#2953) * feat(blog): v0.5 post * improvement(blog): simplify title and remove code block header - Simplified blog title from Introducing Sim Studio v0.5 to Introducing Sim v0.5 - Removed language label header and copy button from code blocks for cleaner appearance Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * ack PR comments * small styling improvements * created system to create post-specific components * updated componnet * cache invalidation --------- Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com> * feat(admin): add credits endpoint to issue credits to users (#2954) * feat(admin): add credits endpoint to issue credits to users * fix(admin): use existing credit functions and handle enterprise seats * fix(admin): reject NaN and Infinity in amount validation * styling * fix(admin): validate userId and email are strings * improvement(copilot): fast mode, subagent tool responses and allow preferences (#2955) * Improvements * Fix actions mapping * Remove console logs * fix(billing): handle missing userStats and prevent crashes (#2956) * fix(billing): handle missing userStats and prevent crashes * fix(billing): correct import path for getFilledPillColor * fix(billing): add Number.isFinite check to lastPeriodCost * fix(logs): refresh logic to refresh logs details (#2958) * fix(security): add authentication and input validation to API routes (#2959) * fix(security): add authentication and input validation to API routes * moved utils * remove extraneous commetns * removed unused dep * improvement(helm): add internal ingress support and same-host path consolidation (#2960) * improvement(helm): add internal ingress support and same-host path consolidation * improvement(helm): clean up ingress template comments Simplify verbose inline Helm comments and section dividers to match the minimal style used in services.yaml. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * fix(helm): add missing copilot path consolidation for realtime host When copilot.host equals realtime.host but differs from app.host, copilot paths were not being routed. Added logic to consolidate copilot paths into the realtime rule for this scenario. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * improvement(helm): follow ingress best practices - Remove orphan comments that appeared when services were disabled - Add documentation about path ordering requirements - Paths rendered in order: realtime, copilot, app (specific before catch-all) - Clean template output matching industry Helm chart standards --------- Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com> * feat(blog): enterprise post (#2961) * feat(blog): enterprise post * added more images, styling * more content * updated v0-5 post * remove unused transition --------- Co-authored-by: Vikhyath Mondreti <vikhyath@simstudio.ai> * fix(envvars): resolution standardized (#2957) * fix(envvars): resolution standardized * remove comments * address bugbot * fix highlighting for env vars * remove comments * address greptile * address bugbot * fix(copilot): mask credentials fix (#2963) * Fix copilot masking * Clean up * Lint * improvement(webhooks): remove dead code (#2965) * fix(webhooks): subscription recreation path * improvement(webhooks): remove dead code * fix tests * address bugbot comments * fix restoration edge case * fix more edge cases * address bugbot comments * fix gmail polling * add warnings for UI indication for credential sets * fix(preview): subblock values (#2969) * fix(child-workflow): nested spans handoff (#2966) * fix(child-workflow): nested spans handoff * remove overly defensive programming * update type check * type more code * remove more dead code * address bugbot comments * fix(security): restrict API key access on internal-only routes (#2964) * fix(security): restrict API key access on internal-only routes * test(security): update function execute tests for checkInternalAuth * updated agent handler * move session check higher in checkSessionOrInternalAuth * extracted duplicate code into helper for resolving user from jwt * fix(copilot): update copilot chat title (#2968) * fix(hitl): fix condition blocks after hitl (#2967) * fix(notes): ghost edges (#2970) * fix(notes): ghost edges * fix deployed state fallback * fallback * remove UI level checks * annotation missing from autoconnect source check * improvement(docs): loop and parallel var reference syntax (#2975) * fix(blog): slash actions description (#2976) * improvement(docs): loop and parallel var reference syntax * fix(blog): slash actions description * fix(auth): copilot routes (#2977) * Fix copilot auth * Fix * Fix * Fix * fix(copilot): fix edit summary for loops/parallels (#2978) * fix(integrations): hide from tool bar (#2544) * fix(landing): ui (#2979) * fix(edge-validation): race condition on collaborative add (#2980) * fix(variables): boolean type support and input improvements (#2981) * fix(variables): boolean type support and input improvements * fix formatting --------- Co-authored-by: Vikhyath Mondreti <vikhyathvikku@gmail.com> Co-authored-by: Emir Karabeg <78010029+emir-karabeg@users.noreply.github.com> Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com> Co-authored-by: Siddharth Ganesan <33737564+Sg312@users.noreply.github.com> Co-authored-by: Vikhyath Mondreti <vikhyath@simstudio.ai>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
checkHybridAuth()to all unauthenticated API routes (function execute, providers, MySQL, PostgreSQL, SSH)checkWorkspaceAccess()to A2A agent routes to prevent IDORvalidateExternalUrl()and DNS pinning for push notifications and vLLMsafeAssign()utility to prevent prototype pollution attacksType of Change
Testing
Tested manually, type-check passes
Checklist