fix(security): validate mothership proxy endpoint to block path traversal

waleedlatif1 · waleedlatif1 · commit 07feab534503 · 2026-04-27T14:25:58.000-07:00
diff --git a/apps/sim/app/api/admin/mothership/route.ts b/apps/sim/app/api/admin/mothership/route.ts
@@ -16,6 +16,14 @@ function getMothershipUrl(environment: string): string | null {
   return ENV_URLS[environment] ?? null
 }
 
+const ENDPOINT_PATTERN = /^[a-zA-Z0-9_-]+(?:\/[a-zA-Z0-9_-]+)*$/
+
+function isValidEndpoint(endpoint: string): boolean {
+  if (!endpoint) return false
+  if (endpoint.includes('..')) return false
+  return ENDPOINT_PATTERN.test(endpoint)
+}
+
 async function isAdminRequestAuthorized() {
   const session = await getSession()
   if (!session?.user?.id) return false
@@ -57,6 +65,10 @@ export const POST = withRouteHandler(async (req: NextRequest) => {
     return NextResponse.json({ error: 'endpoint query param required' }, { status: 400 })
   }
 
+  if (!isValidEndpoint(endpoint)) {
+    return NextResponse.json({ error: 'invalid endpoint' }, { status: 400 })
+  }
+
   const baseUrl = getMothershipUrl(environment)
   if (!baseUrl) {
     return NextResponse.json(
@@ -108,6 +120,10 @@ export const GET = withRouteHandler(async (req: NextRequest) => {
     return NextResponse.json({ error: 'endpoint query param required' }, { status: 400 })
   }
 
+  if (!isValidEndpoint(endpoint)) {
+    return NextResponse.json({ error: 'invalid endpoint' }, { status: 400 })
+  }
+
   const baseUrl = getMothershipUrl(environment)
   if (!baseUrl) {
     return NextResponse.json(
