fix(security): address PR review comments and harden deepsec fixes

- fix(env): replace jsonb operators with transaction+FOR UPDATE read-modify-write
  - PUT: uses db.transaction + SELECT FOR UPDATE + JS merge to avoid lost-update race
  - DELETE: same pattern; fixes variable scope bug where current was referenced outside tx
  - removes broken || and - jsonb operators that fail on json-typed column

- fix(ssh): trim truncated output consistently with non-truncated path

- fix(gmail): remove redundant resolveOAuthAccountId call
  - adds credentialType field to CredentialAccessResult
  - authorizeCredentialUse now returns credentialType in all success paths
  - gmail/labels route uses authz.credentialType and authz.resolvedCredentialId directly

- fix(supabase): centralize table identifier validation
  - adds validateDatabaseIdentifier() to input-validation.ts
  - all 8 supabase tools use the shared util instead of inline regex

Author: waleedlatif1

apps/sim/app/api/tools/gmail/labels/route.ts

@@ -10,7 +10,6 @@ import { getScopesForService } from '@/lib/oauth/utils'
 import {
   getServiceAccountToken,
   refreshAccessTokenIfNeeded,
-  resolveOAuthAccountId,
   ServiceAccountTokenError,
 } from '@/app/api/auth/oauth/utils'
 export const dynamic = 'force-dynamic'
@@ -44,20 +43,15 @@ export const GET = withRouteHandler(async (request: NextRequest) => {
       credentialId,
       requireWorkflowIdForInternal: false,
     })
-    if (!authz.ok || !authz.credentialOwnerUserId) {
+    if (!authz.ok || !authz.credentialOwnerUserId || !authz.resolvedCredentialId) {
       return NextResponse.json({ error: authz.error || 'Unauthorized' }, { status: 403 })
     }
 
-    const resolved = await resolveOAuthAccountId(credentialId)
-    if (!resolved) {
-      return NextResponse.json({ error: 'Credential not found' }, { status: 404 })
-    }
-
     let accessToken: string | null = null
 
-    if (resolved.credentialType === 'service_account' && resolved.credentialId) {
+    if (authz.credentialType === 'service_account') {
       accessToken = await getServiceAccountToken(
-        resolved.credentialId,
+        authz.resolvedCredentialId,
         getScopesForService('gmail'),
         impersonateEmail
       )

apps/sim/app/api/tools/ssh/utils.ts

@@ -197,10 +197,10 @@ export function executeSSHCommand(client: Client, command: string): Promise<SSHC
       stream.on('close', (code: number) => {
         resolve({
           stdout: stdoutTruncated
-            ? `${stdout}\n[output truncated: exceeded 16MB limit]`
+            ? `${stdout.trim()}\n[output truncated: exceeded 16MB limit]`
             : stdout.trim(),
           stderr: stderrTruncated
-            ? `${stderr}\n[stderr truncated: exceeded 16MB limit]`
+            ? `${stderr.trim()}\n[stderr truncated: exceeded 16MB limit]`
             : stderr.trim(),
           exitCode: code ?? -1,
         })

apps/sim/app/api/workspaces/[id]/environment/route.ts

@@ -96,41 +96,47 @@ export const PUT = withRouteHandler(
       if (!parsed.success) return parsed.response
       const { variables } = parsed.data.body
 
-      // Read existing encrypted ws vars
-      const existingRows = await db
-        .select()
-        .from(workspaceEnvironment)
-        .where(eq(workspaceEnvironment.workspaceId, workspaceId))
-        .limit(1)
-
-      const existingEncrypted: Record<string, string> = (existingRows[0]?.variables as any) || {}
-
-      // Encrypt incoming
       const encryptedIncoming = await Promise.all(
         Object.entries(variables).map(async ([key, value]) => {
           const { encrypted } = await encryptSecret(value)
           return [key, encrypted] as const
         })
       ).then((entries) => Object.fromEntries(entries))
 
-      await db
-        .insert(workspaceEnvironment)
-        .values({
-          id: generateId(),
-          workspaceId,
-          variables: encryptedIncoming,
-          createdAt: new Date(),
-          updatedAt: new Date(),
-        })
-        .onConflictDoUpdate({
-          target: [workspaceEnvironment.workspaceId],
-          set: {
-            variables: sql`${workspaceEnvironment.variables} || EXCLUDED.variables`,
+      const { existingEncrypted, merged } = await db.transaction(async (tx) => {
+        await tx.execute(
+          sql`SELECT id FROM workspace_environment WHERE workspace_id = ${workspaceId} FOR UPDATE`
+        )
+
+        const [existingRow] = await tx
+          .select()
+          .from(workspaceEnvironment)
+          .where(eq(workspaceEnvironment.workspaceId, workspaceId))
+          .limit(1)
+
+        const existing = ((existingRow?.variables as Record<string, string>) ?? {}) as Record<
+          string,
+          string
+        >
+        const mergedVars = { ...existing, ...encryptedIncoming }
+
+        await tx
+          .insert(workspaceEnvironment)
+          .values({
+            id: generateId(),
+            workspaceId,
+            variables: mergedVars,
+            createdAt: new Date(),
             updatedAt: new Date(),
-          },
-        })
+          })
+          .onConflictDoUpdate({
+            target: [workspaceEnvironment.workspaceId],
+            set: { variables: mergedVars, updatedAt: new Date() },
+          })
+
+        return { existingEncrypted: existing, merged: mergedVars }
+      })
 
-      const merged = { ...existingEncrypted, ...encryptedIncoming }
       const newKeys = Object.keys(variables).filter((k) => !(k in existingEncrypted))
       await createWorkspaceEnvCredentials({ workspaceId, newKeys, actingUserId: userId })
 
@@ -184,36 +190,43 @@ export const DELETE = withRouteHandler(
       if (!parsed.success) return parsed.response
       const { keys } = parsed.data.body
 
-      const wsRows = await db
-        .select()
-        .from(workspaceEnvironment)
-        .where(eq(workspaceEnvironment.workspaceId, workspaceId))
-        .limit(1)
-
-      const current: Record<string, string> = (wsRows[0]?.variables as any) || {}
-      let changed = false
-      for (const k of keys) {
-        if (k in current) {
-          delete current[k]
-          changed = true
+      const result = await db.transaction(async (tx) => {
+        await tx.execute(
+          sql`SELECT id FROM workspace_environment WHERE workspace_id = ${workspaceId} FOR UPDATE`
+        )
+
+        const [existingRow] = await tx
+          .select()
+          .from(workspaceEnvironment)
+          .where(eq(workspaceEnvironment.workspaceId, workspaceId))
+          .limit(1)
+
+        if (!existingRow) return null
+
+        const current: Record<string, string> =
+          (existingRow.variables as Record<string, string>) ?? {}
+        let modified = false
+        for (const k of keys) {
+          if (k in current) {
+            delete current[k]
+            modified = true
+          }
         }
-      }
 
-      if (!changed) {
+        if (!modified) return null
+
+        await tx
+          .update(workspaceEnvironment)
+          .set({ variables: current, updatedAt: new Date() })
+          .where(eq(workspaceEnvironment.workspaceId, workspaceId))
+
+        return { remainingKeysCount: Object.keys(current).length }
+      })
+
+      if (!result) {
         return NextResponse.json({ success: true })
       }
 
-      await db
-        .update(workspaceEnvironment)
-        .set({
-          variables: sql`${workspaceEnvironment.variables} - ARRAY[${sql.join(
-            keys.map((k) => sql`${k}`),
-            sql`, `
-          )}]::text[]`,
-          updatedAt: new Date(),
-        })
-        .where(eq(workspaceEnvironment.workspaceId, workspaceId))
-
       await deleteWorkspaceEnvCredentials({ workspaceId, removedKeys: keys })
 
       recordAudit({
@@ -227,7 +240,7 @@ export const DELETE = withRouteHandler(
         description: `Removed ${keys.length} workspace environment variable(s)`,
         metadata: {
           removedKeys: keys,
-          remainingKeysCount: Object.keys(current).length,
+          remainingKeysCount: result.remainingKeysCount,
         },
         request,
       })

apps/sim/lib/auth/credential-access.ts

@@ -13,6 +13,7 @@ export interface CredentialAccessResult {
   credentialOwnerUserId?: string
   workspaceId?: string
   resolvedCredentialId?: string
+  credentialType?: string
 }
 
 /**
@@ -114,6 +115,7 @@ export async function authorizeCredentialUse(
         credentialOwnerUserId: actingUserId,
         workspaceId: platformCredential.workspaceId,
         resolvedCredentialId: platformCredential.id,
+        credentialType: 'service_account',
       }
     }
 
@@ -182,6 +184,7 @@ export async function authorizeCredentialUse(
       credentialOwnerUserId: accountRow.userId,
       workspaceId: platformCredential.workspaceId,
       resolvedCredentialId: platformCredential.accountId,
+      credentialType: 'oauth',
     }
   }
 
@@ -252,6 +255,7 @@ export async function authorizeCredentialUse(
       credentialOwnerUserId: accountRow.userId,
       workspaceId: workflowContext.workspaceId,
       resolvedCredentialId: workspaceCredential.accountId,
+      credentialType: 'oauth',
     }
   }
 
@@ -279,5 +283,6 @@ export async function authorizeCredentialUse(
     requesterUserId: auth.userId,
     credentialOwnerUserId: legacyAccount.userId,
     resolvedCredentialId: credentialId,
+    credentialType: 'oauth',
   }
 }

apps/sim/lib/core/security/input-validation.ts

@@ -1593,3 +1593,30 @@ export function validateWorkdayTenantUrl(
 
   return { isValid: true, sanitized: url as string }
 }
+
+/**
+ * Validates a database identifier (table or column name) to prevent SQL injection.
+ *
+ * Accepts only identifiers that start with a letter or underscore and contain
+ * only letters, digits, and underscores — the safe subset of SQL identifiers.
+ *
+ * @param value - The identifier to validate
+ * @param paramName - Name of the parameter for error messages (e.g. 'table', 'column')
+ * @returns ValidationResult with isValid flag and optional error message
+ */
+export function validateDatabaseIdentifier(
+  value: unknown,
+  paramName = 'identifier'
+): ValidationResult {
+  if (typeof value !== 'string' || value.length === 0) {
+    return { isValid: false, error: `${paramName} is required` }
+  }
+  if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(value)) {
+    logger.warn('Invalid database identifier', { paramName, value: value.substring(0, 100) })
+    return {
+      isValid: false,
+      error: `Invalid ${paramName}: must start with a letter or underscore and contain only letters, digits, and underscores`,
+    }
+  }
+  return { isValid: true, sanitized: value }
+}

apps/sim/tools/supabase/count.ts

@@ -1,3 +1,4 @@
+import { validateDatabaseIdentifier } from '@/lib/core/security/input-validation'
 import type { SupabaseCountParams, SupabaseCountResponse } from '@/tools/supabase/types'
 import { supabaseBaseUrl } from '@/tools/supabase/utils'
 import type { ToolConfig } from '@/tools/types'
@@ -50,9 +51,8 @@ export const countTool: ToolConfig<SupabaseCountParams, SupabaseCountResponse> =
 
   request: {
     url: (params) => {
-      if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(params.table)) {
-        throw new Error('Invalid table name: must contain only letters, digits, and underscores')
-      }
+      const tableValidation = validateDatabaseIdentifier(params.table, 'table')
+      if (!tableValidation.isValid) throw new Error(tableValidation.error)
       let url = `${supabaseBaseUrl(params.projectId)}/rest/v1/${encodeURIComponent(params.table)}?select=*`
 
       if (params.filter?.trim()) {

apps/sim/tools/supabase/delete.ts

@@ -1,3 +1,4 @@
+import { validateDatabaseIdentifier } from '@/lib/core/security/input-validation'
 import type { SupabaseDeleteParams, SupabaseDeleteResponse } from '@/tools/supabase/types'
 import { supabaseBaseUrl } from '@/tools/supabase/utils'
 import type { ToolConfig } from '@/tools/types'
@@ -44,9 +45,8 @@ export const deleteTool: ToolConfig<SupabaseDeleteParams, SupabaseDeleteResponse
 
   request: {
     url: (params) => {
-      if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(params.table)) {
-        throw new Error('Invalid table name: must contain only letters, digits, and underscores')
-      }
+      const tableValidation = validateDatabaseIdentifier(params.table, 'table')
+      if (!tableValidation.isValid) throw new Error(tableValidation.error)
 
       let url = `${supabaseBaseUrl(params.projectId)}/rest/v1/${encodeURIComponent(params.table)}?select=*`
 

apps/sim/tools/supabase/get_row.ts

@@ -1,3 +1,4 @@
+import { validateDatabaseIdentifier } from '@/lib/core/security/input-validation'
 import type { SupabaseGetRowParams, SupabaseGetRowResponse } from '@/tools/supabase/types'
 import { supabaseBaseUrl } from '@/tools/supabase/utils'
 import type { ToolConfig } from '@/tools/types'
@@ -50,9 +51,8 @@ export const getRowTool: ToolConfig<SupabaseGetRowParams, SupabaseGetRowResponse
 
   request: {
     url: (params) => {
-      if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(params.table)) {
-        throw new Error('Invalid table name: must contain only letters, digits, and underscores')
-      }
+      const tableValidation = validateDatabaseIdentifier(params.table, 'table')
+      if (!tableValidation.isValid) throw new Error(tableValidation.error)
 
       const selectColumns = params.select?.trim() || '*'
       let url = `${supabaseBaseUrl(params.projectId)}/rest/v1/${encodeURIComponent(params.table)}?select=${encodeURIComponent(selectColumns)}`

apps/sim/tools/supabase/insert.ts

@@ -1,3 +1,4 @@
+import { validateDatabaseIdentifier } from '@/lib/core/security/input-validation'
 import type { SupabaseInsertParams, SupabaseInsertResponse } from '@/tools/supabase/types'
 import { supabaseBaseUrl } from '@/tools/supabase/utils'
 import type { ToolConfig } from '@/tools/types'
@@ -44,9 +45,8 @@ export const insertTool: ToolConfig<SupabaseInsertParams, SupabaseInsertResponse
 
   request: {
     url: (params) => {
-      if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(params.table)) {
-        throw new Error('Invalid table name: must contain only letters, digits, and underscores')
-      }
+      const tableValidation = validateDatabaseIdentifier(params.table, 'table')
+      if (!tableValidation.isValid) throw new Error(tableValidation.error)
       return `${supabaseBaseUrl(params.projectId)}/rest/v1/${encodeURIComponent(params.table)}?select=*`
     },
     method: 'POST',

apps/sim/tools/supabase/query.ts

@@ -1,3 +1,4 @@
+import { validateDatabaseIdentifier } from '@/lib/core/security/input-validation'
 import type { SupabaseQueryParams, SupabaseQueryResponse } from '@/tools/supabase/types'
 import { supabaseBaseUrl } from '@/tools/supabase/utils'
 import type { ToolConfig } from '@/tools/types'
@@ -68,9 +69,8 @@ export const queryTool: ToolConfig<SupabaseQueryParams, SupabaseQueryResponse> =
 
   request: {
     url: (params) => {
-      if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(params.table)) {
-        throw new Error('Invalid table name: must contain only letters, digits, and underscores')
-      }
+      const tableValidation = validateDatabaseIdentifier(params.table, 'table')
+      if (!tableValidation.isValid) throw new Error(tableValidation.error)
       const selectColumns = params.select?.trim() || '*'
       let url = `${supabaseBaseUrl(params.projectId)}/rest/v1/${encodeURIComponent(params.table)}?select=${encodeURIComponent(selectColumns)}`