fix(security): add credentialId validation to wealthbox oauth route; fix null body override in pinnedFetch

Author: waleedlatif1

apps/sim/app/api/auth/oauth/wealthbox/items/route.ts

@@ -3,6 +3,7 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { wealthboxOAuthItemsContract } from '@/lib/api/contracts/selectors/wealthbox'
 import { parseRequest } from '@/lib/api/server'
 import { authorizeCredentialUse } from '@/lib/auth/credential-access'
+import { validatePathSegment } from '@/lib/core/security/input-validation'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
 import { refreshAccessTokenIfNeeded } from '@/app/api/auth/oauth/utils'
@@ -32,6 +33,18 @@ export const GET = withRouteHandler(async (request: NextRequest) => {
     const { credentialId, type } = parsed.data.query
     const query = parsed.data.query.query ?? ''
 
+    const credentialIdValidation = validatePathSegment(credentialId, {
+      paramName: 'credentialId',
+      maxLength: 100,
+      allowHyphens: true,
+      allowUnderscores: true,
+      allowDots: false,
+    })
+    if (!credentialIdValidation.isValid) {
+      logger.warn(`[${requestId}] Invalid credentialId format: ${credentialId}`)
+      return NextResponse.json({ error: credentialIdValidation.error }, { status: 400 })
+    }
+
     const authz = await authorizeCredentialUse(request, {
       credentialId,
       requireWorkflowIdForInternal: false,

apps/sim/lib/a2a/utils.ts

@@ -93,7 +93,7 @@ export async function createA2AClient(agentUrl: string, apiKey?: string): Promis
         const text = await new Response(init.body as BodyInit).text()
         if (text) body = text
       }
-    } else if (input instanceof Request && !input.bodyUsed) {
+    } else if (init?.body === undefined && input instanceof Request && !input.bodyUsed) {
       const text = await input.text()
       if (text) body = text
     }