fix(security): address audit findings from security fix review

waleedlatif1 · waleedlatif1 · commit 7b6e43d205f1 · 2026-05-12T14:50:18.000-07:00
- SMTP send: restructure attachment loop from Promise.all to sequential
  for...of so verifyFileAccess denial returns 404 instead of propagating
  as a generic 500 via the SMTP error classifier

- Supabase tools: extend table-name validation and encodeURIComponent to
  the five previously missed tools — insert, upsert, count, query,
  text_search — completing coverage across all nine Supabase tools

- Credential routes: remove unnecessary `request as any` casts in Gmail,
  OneDrive, and Wealthbox routes; authorizeCredentialUse already accepts
  NextRequest directly

- Form soft delete: also set isActive=false alongside archivedAt so that
  any future code paths querying by isActive see a consistent state

- SSH utils: fix exit code fallback from 0 to -1 so an abnormally closed
  connection that supplies no exit code is not reported as success

- Workspace env: capitalize EXCLUDED.variables in the onConflictDoUpdate
  set clause to make the pseudo-table reference unambiguous
diff --git a/apps/sim/app/api/auth/oauth/wealthbox/items/route.ts b/apps/sim/app/api/auth/oauth/wealthbox/items/route.ts
@@ -32,7 +32,7 @@ export const GET = withRouteHandler(async (request: NextRequest) => {
     const { credentialId, type } = parsed.data.query
     const query = parsed.data.query.query ?? ''
 
-    const authz = await authorizeCredentialUse(request as any, {
+    const authz = await authorizeCredentialUse(request, {
       credentialId,
       requireWorkflowIdForInternal: false,
     })
diff --git a/apps/sim/app/api/form/manage/[id]/route.ts b/apps/sim/app/api/form/manage/[id]/route.ts
@@ -199,7 +199,7 @@ export const DELETE = withRouteHandler(
 
       await db
         .update(form)
-        .set({ archivedAt: new Date(), updatedAt: new Date() })
+        .set({ archivedAt: new Date(), isActive: false, updatedAt: new Date() })
         .where(eq(form.id, id))
 
       logger.info(`Form ${id} soft deleted`)
diff --git a/apps/sim/app/api/tools/gmail/labels/route.ts b/apps/sim/app/api/tools/gmail/labels/route.ts
@@ -40,7 +40,7 @@ export const GET = withRouteHandler(async (request: NextRequest) => {
       return NextResponse.json({ error: credentialIdValidation.error }, { status: 400 })
     }
 
-    const authz = await authorizeCredentialUse(request as any, {
+    const authz = await authorizeCredentialUse(request, {
       credentialId,
       requireWorkflowIdForInternal: false,
     })
diff --git a/apps/sim/app/api/tools/onedrive/folders/route.ts b/apps/sim/app/api/tools/onedrive/folders/route.ts
@@ -43,7 +43,7 @@ export const GET = withRouteHandler(async (request: NextRequest) => {
       return NextResponse.json({ error: credentialIdValidation.error }, { status: 400 })
     }
 
-    const authz = await authorizeCredentialUse(request as any, {
+    const authz = await authorizeCredentialUse(request, {
       credentialId,
       requireWorkflowIdForInternal: false,
     })
diff --git a/apps/sim/app/api/tools/smtp/send/route.ts b/apps/sim/app/api/tools/smtp/send/route.ts
@@ -120,44 +120,39 @@ export const POST = withRouteHandler(async (request: NextRequest) => {
           )
         }
 
-        const attachmentBuffers = await Promise.all(
-          attachments.map(async (file) => {
-            try {
-              if (typeof file.key !== 'string' || file.key.length === 0) {
-                logger.warn(`[${requestId}] File access check rejected: missing key`)
-                throw new Error('File not found')
-              }
-              if (!authResult.userId) {
-                logger.warn(`[${requestId}] File access check requires userId but none available`)
-                throw new Error('File not found')
-              }
-              const hasAccess = await verifyFileAccess(file.key, authResult.userId)
-              if (!hasAccess) {
-                logger.warn(`[${requestId}] File access denied for user`, {
-                  userId: authResult.userId,
-                  key: file.key,
-                })
-                throw new Error('File not found')
-              }
-              logger.info(
-                `[${requestId}] Downloading attachment: ${file.name} (${file.size} bytes)`
-              )
-
-              const buffer = await downloadFileFromStorage(file, requestId, logger)
-
-              return {
-                filename: file.name,
-                content: buffer,
-                contentType: file.type || 'application/octet-stream',
-              }
-            } catch (error) {
-              logger.error(`[${requestId}] Failed to download attachment ${file.name}:`, error)
-              throw new Error(
-                `Failed to download attachment "${file.name}": ${error instanceof Error ? error.message : 'Unknown error'}`
-              )
-            }
-          })
-        )
+        const attachmentBuffers: { filename: string; content: Buffer; contentType: string }[] = []
+        for (const file of attachments) {
+          if (typeof file.key !== 'string' || file.key.length === 0) {
+            logger.warn(`[${requestId}] File access check rejected: missing key`)
+            return NextResponse.json({ success: false, error: 'File not found' }, { status: 404 })
+          }
+          if (!authResult.userId) {
+            logger.warn(`[${requestId}] File access check requires userId but none available`)
+            return NextResponse.json({ success: false, error: 'File not found' }, { status: 404 })
+          }
+          const hasAccess = await verifyFileAccess(file.key, authResult.userId)
+          if (!hasAccess) {
+            logger.warn(`[${requestId}] File access denied for user`, {
+              userId: authResult.userId,
+              key: file.key,
+            })
+            return NextResponse.json({ success: false, error: 'File not found' }, { status: 404 })
+          }
+          try {
+            logger.info(`[${requestId}] Downloading attachment: ${file.name} (${file.size} bytes)`)
+            const buffer = await downloadFileFromStorage(file, requestId, logger)
+            attachmentBuffers.push({
+              filename: file.name,
+              content: buffer,
+              contentType: file.type || 'application/octet-stream',
+            })
+          } catch (error) {
+            logger.error(`[${requestId}] Failed to download attachment ${file.name}:`, error)
+            throw new Error(
+              `Failed to download attachment "${file.name}": ${error instanceof Error ? error.message : 'Unknown error'}`
+            )
+          }
+        }
 
         logger.info(`[${requestId}] Processed ${attachmentBuffers.length} attachment(s)`)
         mailOptions.attachments = attachmentBuffers
diff --git a/apps/sim/app/api/tools/ssh/utils.ts b/apps/sim/app/api/tools/ssh/utils.ts
@@ -202,7 +202,7 @@ export function executeSSHCommand(client: Client, command: string): Promise<SSHC
           stderr: stderrTruncated
             ? `${stderr}\n[stderr truncated: exceeded 16MB limit]`
             : stderr.trim(),
-          exitCode: code ?? 0,
+          exitCode: code ?? -1,
         })
       })
 
diff --git a/apps/sim/app/api/tools/wealthbox/items/route.ts b/apps/sim/app/api/tools/wealthbox/items/route.ts
@@ -45,7 +45,7 @@ export const GET = withRouteHandler(async (request: NextRequest) => {
       return NextResponse.json({ error: credentialIdValidation.error }, { status: 400 })
     }
 
-    const authz = await authorizeCredentialUse(request as any, {
+    const authz = await authorizeCredentialUse(request, {
       credentialId,
       requireWorkflowIdForInternal: false,
     })
diff --git a/apps/sim/app/api/workspaces/[id]/environment/route.ts b/apps/sim/app/api/workspaces/[id]/environment/route.ts
@@ -125,7 +125,7 @@ export const PUT = withRouteHandler(
         .onConflictDoUpdate({
           target: [workspaceEnvironment.workspaceId],
           set: {
-            variables: sql`${workspaceEnvironment.variables} || excluded.variables`,
+            variables: sql`${workspaceEnvironment.variables} || EXCLUDED.variables`,
             updatedAt: new Date(),
           },
         })
diff --git a/apps/sim/tools/supabase/count.ts b/apps/sim/tools/supabase/count.ts
@@ -50,9 +50,11 @@ export const countTool: ToolConfig<SupabaseCountParams, SupabaseCountResponse> =
 
   request: {
     url: (params) => {
-      let url = `${supabaseBaseUrl(params.projectId)}/rest/v1/${params.table}?select=*`
+      if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(params.table)) {
+        throw new Error('Invalid table name: must contain only letters, digits, and underscores')
+      }
+      let url = `${supabaseBaseUrl(params.projectId)}/rest/v1/${encodeURIComponent(params.table)}?select=*`
 
-      // Add filters if provided
       if (params.filter?.trim()) {
         url += `&${params.filter.trim()}`
       }
diff --git a/apps/sim/tools/supabase/insert.ts b/apps/sim/tools/supabase/insert.ts
@@ -43,7 +43,12 @@ export const insertTool: ToolConfig<SupabaseInsertParams, SupabaseInsertResponse
   },
 
   request: {
-    url: (params) => `${supabaseBaseUrl(params.projectId)}/rest/v1/${params.table}?select=*`,
+    url: (params) => {
+      if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(params.table)) {
+        throw new Error('Invalid table name: must contain only letters, digits, and underscores')
+      }
+      return `${supabaseBaseUrl(params.projectId)}/rest/v1/${encodeURIComponent(params.table)}?select=*`
+    },
     method: 'POST',
     headers: (params) => {
       const headers: Record<string, string> = {
diff --git a/apps/sim/tools/supabase/query.ts b/apps/sim/tools/supabase/query.ts
@@ -68,9 +68,11 @@ export const queryTool: ToolConfig<SupabaseQueryParams, SupabaseQueryResponse> =
 
   request: {
     url: (params) => {
-      // Construct the URL for the Supabase REST API
+      if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(params.table)) {
+        throw new Error('Invalid table name: must contain only letters, digits, and underscores')
+      }
       const selectColumns = params.select?.trim() || '*'
-      let url = `${supabaseBaseUrl(params.projectId)}/rest/v1/${params.table}?select=${encodeURIComponent(selectColumns)}`
+      let url = `${supabaseBaseUrl(params.projectId)}/rest/v1/${encodeURIComponent(params.table)}?select=${encodeURIComponent(selectColumns)}`
 
       // Add filters if provided - using PostgREST syntax
       if (params.filter?.trim()) {
diff --git a/apps/sim/tools/supabase/text_search.ts b/apps/sim/tools/supabase/text_search.ts
@@ -74,11 +74,13 @@ export const textSearchTool: ToolConfig<SupabaseTextSearchParams, SupabaseTextSe
 
   request: {
     url: (params) => {
+      if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(params.table)) {
+        throw new Error('Invalid table name: must contain only letters, digits, and underscores')
+      }
       const searchType = params.searchType || 'websearch'
       const language = params.language || 'english'
 
-      // Build the text search filter
-      let url = `${supabaseBaseUrl(params.projectId)}/rest/v1/${params.table}?select=*`
+      let url = `${supabaseBaseUrl(params.projectId)}/rest/v1/${encodeURIComponent(params.table)}?select=*`
 
       // Map search types to PostgREST operators
       // plfts = plainto_tsquery (natural language), phfts = phraseto_tsquery, wfts = websearch_to_tsquery
diff --git a/apps/sim/tools/supabase/upsert.ts b/apps/sim/tools/supabase/upsert.ts
@@ -43,7 +43,12 @@ export const upsertTool: ToolConfig<SupabaseUpsertParams, SupabaseUpsertResponse
   },
 
   request: {
-    url: (params) => `${supabaseBaseUrl(params.projectId)}/rest/v1/${params.table}?select=*`,
+    url: (params) => {
+      if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(params.table)) {
+        throw new Error('Invalid table name: must contain only letters, digits, and underscores')
+      }
+      return `${supabaseBaseUrl(params.projectId)}/rest/v1/${encodeURIComponent(params.table)}?select=*`
+    },
     method: 'POST',
     headers: (params) => {
       const headers: Record<string, string> = {

Original file line number	Diff line number	Diff line change
`@@ -40,7 +40,7 @@ export const GET = withRouteHandler(async (request: NextRequest) => {`
`40`	`40`	`return NextResponse.json({ error: credentialIdValidation.error }, { status: 400 })`
`41`	`41`	`}`
`42`	`42`
`43`		`- const authz = await authorizeCredentialUse(request as any, {`
	`43`	`+ const authz = await authorizeCredentialUse(request, {`
`44`	`44`	`credentialId,`
`45`	`45`	`requireWorkflowIdForInternal: false,`
`46`	`46`	`})`
Original file line number	Diff line number	Diff line change
`@@ -43,7 +43,7 @@ export const GET = withRouteHandler(async (request: NextRequest) => {`
`43`	`43`	`return NextResponse.json({ error: credentialIdValidation.error }, { status: 400 })`
`44`	`44`	`}`
`45`	`45`
`46`		`- const authz = await authorizeCredentialUse(request as any, {`
	`46`	`+ const authz = await authorizeCredentialUse(request, {`
`47`	`47`	`credentialId,`
`48`	`48`	`requireWorkflowIdForInternal: false,`
`49`	`49`	`})`
Original file line number	Diff line number	Diff line change
`@@ -45,7 +45,7 @@ export const GET = withRouteHandler(async (request: NextRequest) => {`
`45`	`45`	`return NextResponse.json({ error: credentialIdValidation.error }, { status: 400 })`
`46`	`46`	`}`
`47`	`47`
`48`		`- const authz = await authorizeCredentialUse(request as any, {`
	`48`	`+ const authz = await authorizeCredentialUse(request, {`
`49`	`49`	`credentialId,`
`50`	`50`	`requireWorkflowIdForInternal: false,`
`51`	`51`	`})`