fix(security): advisory lock for env first-insert race; handle all BodyInit types in pinnedFetch

waleedlatif1 · waleedlatif1 · commit 1fdb0df7ae6a · 2026-05-12T16:08:02.000-07:00
diff --git a/apps/sim/app/api/workspaces/[id]/environment/route.ts b/apps/sim/app/api/workspaces/[id]/environment/route.ts
@@ -104,9 +104,9 @@ export const PUT = withRouteHandler(
       ).then((entries) => Object.fromEntries(entries))
 
       const { existingEncrypted, merged } = await db.transaction(async (tx) => {
-        await tx.execute(
-          sql`SELECT id FROM workspace_environment WHERE workspace_id = ${workspaceId} FOR UPDATE`
-        )
+        // Advisory lock serialises all writes for this workspaceId, including concurrent
+        // first-inserts where no row exists yet and FOR UPDATE would acquire nothing.
+        await tx.execute(sql`SELECT pg_advisory_xact_lock(hashtext(${workspaceId}))`)
 
         const [existingRow] = await tx
           .select()
@@ -191,9 +191,7 @@ export const DELETE = withRouteHandler(
       const { keys } = parsed.data.body
 
       const result = await db.transaction(async (tx) => {
-        await tx.execute(
-          sql`SELECT id FROM workspace_environment WHERE workspace_id = ${workspaceId} FOR UPDATE`
-        )
+        await tx.execute(sql`SELECT pg_advisory_xact_lock(hashtext(${workspaceId}))`)
 
         const [existingRow] = await tx
           .select()
diff --git a/apps/sim/lib/a2a/utils.ts b/apps/sim/lib/a2a/utils.ts
@@ -83,12 +83,17 @@ export async function createA2AClient(agentUrl: string, apiKey?: string): Promis
 
     let body: string | Buffer | Uint8Array | undefined
     if (init?.body !== undefined && init.body !== null) {
-      body =
-        typeof init.body === 'string' || Buffer.isBuffer(init.body)
-          ? (init.body as string | Buffer)
-          : init.body instanceof Uint8Array
-            ? (init.body as Uint8Array)
-            : undefined
+      if (typeof init.body === 'string' || Buffer.isBuffer(init.body)) {
+        body = init.body as string | Buffer
+      } else if (init.body instanceof Uint8Array) {
+        body = init.body
+      } else if (init.body instanceof ArrayBuffer) {
+        body = new Uint8Array(init.body)
+      } else {
+        // URLSearchParams, Blob, ReadableStream, FormData — read as text via Response
+        const text = await new Response(init.body as BodyInit).text()
+        if (text) body = text
+      }
     } else if (input instanceof Request && !input.bodyUsed) {
       const text = await input.text()
       if (text) body = text
