fix(security): resolve credentialId guard on OneDrive, use assertToolFileAccess in WordPress, memoize body buffer to prevent silent empty reads, fix ArrayBuffer type cast

Author: waleedlatif1

apps/sim/app/api/tools/onedrive/folders/route.ts

@@ -47,7 +47,7 @@ export const GET = withRouteHandler(async (request: NextRequest) => {
       credentialId,
       requireWorkflowIdForInternal: false,
     })
-    if (!authz.ok || !authz.credentialOwnerUserId) {
+    if (!authz.ok || !authz.credentialOwnerUserId || !authz.resolvedCredentialId) {
       return NextResponse.json({ error: authz.error || 'Unauthorized' }, { status: 403 })
     }
 

apps/sim/app/api/tools/wordpress/upload/route.ts

@@ -11,7 +11,7 @@ import {
   processSingleFileToUserFile,
 } from '@/lib/uploads/utils/file-utils'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
-import { verifyFileAccess } from '@/app/api/files/authorization'
+import { assertToolFileAccess } from '@/app/api/files/authorization'
 
 export const dynamic = 'force-dynamic'
 
@@ -78,22 +78,8 @@ export const POST = withRouteHandler(async (request: NextRequest) => {
       )
     }
 
-    if (typeof userFile.key !== 'string' || userFile.key.length === 0) {
-      logger.warn(`[${requestId}] File access check rejected: missing key`)
-      return NextResponse.json({ success: false, error: 'File not found' }, { status: 404 })
-    }
-    if (!authResult.userId) {
-      logger.warn(`[${requestId}] File access check requires userId but none available`)
-      return NextResponse.json({ success: false, error: 'File not found' }, { status: 404 })
-    }
-    const hasAccess = await verifyFileAccess(userFile.key, authResult.userId)
-    if (!hasAccess) {
-      logger.warn(`[${requestId}] File access denied for user`, {
-        userId: authResult.userId,
-        key: userFile.key,
-      })
-      return NextResponse.json({ success: false, error: 'File not found' }, { status: 404 })
-    }
+    const denied = await assertToolFileAccess(userFile.key, authResult.userId, requestId, logger)
+    if (denied) return denied
 
     logger.info(`[${requestId}] Downloading file from storage`, {
       fileName: userFile.name,

apps/sim/lib/core/security/input-validation.server.ts

@@ -409,15 +409,21 @@ export async function secureFetchWithPinnedIP(
         },
       })
 
-      async function readBodyAsBuffer(): Promise<Buffer> {
-        const reader = body.getReader()
-        const buffers: Uint8Array[] = []
-        while (true) {
-          const { done, value } = await reader.read()
-          if (done) break
-          if (value) buffers.push(value)
+      let bodyBufferPromise: Promise<Buffer> | null = null
+      function readBodyAsBuffer(): Promise<Buffer> {
+        if (!bodyBufferPromise) {
+          bodyBufferPromise = (async () => {
+            const reader = body.getReader()
+            const buffers: Uint8Array[] = []
+            while (true) {
+              const { done, value } = await reader.read()
+              if (done) break
+              if (value) buffers.push(value)
+            }
+            return Buffer.concat(buffers.map((b) => Buffer.from(b)))
+          })()
         }
-        return Buffer.concat(buffers.map((b) => Buffer.from(b)))
+        return bodyBufferPromise
       }
 
       settledResolve({
@@ -430,7 +436,7 @@ export async function secureFetchWithPinnedIP(
         json: async () => JSON.parse((await readBodyAsBuffer()).toString('utf-8')),
         arrayBuffer: async () => {
           const buf = await readBodyAsBuffer()
-          return buf.buffer.slice(buf.byteOffset, buf.byteOffset + buf.byteLength)
+          return buf.buffer.slice(buf.byteOffset, buf.byteOffset + buf.byteLength) as ArrayBuffer
         },
       })
     })