fix(obsidian): use isomorphic SSRF validation to unblock client build

The Obsidian connector is reachable from client bundles via `connectors/registry.ts` (the knowledge UI reads metadata like `.icon`/`.name`). Importing `validateUrlWithDNS` / `secureFetchWithPinnedIP` from `input-validation.server` pulled `dns/promises`, `http`, `https`, `net` into client chunks, breaking the Turbopack build:

  Module not found: Can't resolve 'dns/promises'
  ./apps/sim/lib/core/security/input-validation.server.ts [Client Component Browser]
  ./apps/sim/connectors/obsidian/obsidian.ts [Client Component Browser]
  ./apps/sim/connectors/registry.ts [Client Component Browser]

Once that file polluted a browser context, Turbopack also failed to resolve the Node builtins in its legitimate server-route imports, cascading the error across App Routes and Server Components.

Fix: switch the Obsidian connector to the isomorphic `validateExternalUrl` + `fetchWithRetry` helpers, matching the pattern used by every other connector in the registry. This keeps the core SSRF protections:
  - hosted Sim: blocks localhost, private IPs, HTTP (HTTPS enforced)
  - self-hosted Sim: allows localhost + HTTP, still blocks non-loopback private IPs and dangerous ports (22, 25, 3306, 5432, 6379, 27017, 9200)

Drops the DNS-rebinding defense specifically (the IP-pinned fetch chain). The trade-off is acceptable because the vault URL is entered by the workspace admin — not arbitrary untrusted input — and hosted deployments already force the plugin to be exposed through a public URL (tunnel/port-forward), making rebinding a narrow threat.

Also reverts the `secureFetchWithPinnedIPAndRetry` wrapper in `lib/knowledge/documents/utils.ts` (no longer needed, and its `.server` import was the original source of the client-bundle pollution).

Author: waleedlatif1

apps/sim/connectors/obsidian/obsidian.ts

@@ -1,11 +1,8 @@
 import { createLogger } from '@sim/logger'
 import { toError } from '@sim/utils/errors'
 import { ObsidianIcon } from '@/components/icons'
-import { validateUrlWithDNS } from '@/lib/core/security/input-validation.server'
-import {
-  secureFetchWithPinnedIPAndRetry,
-  VALIDATE_RETRY_OPTIONS,
-} from '@/lib/knowledge/documents/utils'
+import { validateExternalUrl } from '@/lib/core/security/input-validation'
+import { fetchWithRetry, VALIDATE_RETRY_OPTIONS } from '@/lib/knowledge/documents/utils'
 import type { ConnectorConfig, ExternalDocument, ExternalDocumentList } from '@/connectors/types'
 import { joinTagArray, parseTagDate } from '@/connectors/utils'
 
@@ -27,31 +24,28 @@ interface NoteJson {
 }
 
 /**
- * Normalizes the vault URL and resolves its hostname to a concrete IP that
- * will be pinned for the lifetime of this request sequence.
+ * Normalizes the vault URL and validates it against SSRF protections.
  *
- * The Obsidian Local REST API plugin runs on the user's own machine — there
- * is no Obsidian SaaS domain we can allowlist. For hosted Sim deployments the
- * user must expose the plugin through a public URL (tunnel, port-forward).
- * Because the hostname is fully user-controlled, we resolve DNS once through
- * validateUrlWithDNS (which blocks private IPs/localhost in hosted mode,
- * allows localhost in self-hosted mode, and rejects dangerous ports) and
- * then reuse that IP on every outgoing fetch via secureFetchWithPinnedIP —
- * this prevents DNS rebinding attacks where a malicious nameserver would
- * otherwise swap in a private IP between validation and the actual request.
+ * The Obsidian Local REST API plugin runs on the user's own machine, so there
+ * is no SaaS domain to allowlist — the vault URL is fully user-controlled. We
+ * defer to the shared `validateExternalUrl` policy:
+ *   - hosted Sim: blocks localhost, private IPs, HTTP (forces HTTPS)
+ *   - self-hosted Sim: allows localhost + HTTP, still blocks non-loopback
+ *     private IPs and dangerous ports (22, 25, 3306, 5432, 6379, 27017, 9200)
+ *
+ * This does not defend against DNS rebinding; for hosted deployments the user
+ * must expose the plugin through a public URL (tunnel, port-forward).
  */
-async function resolveVaultEndpoint(
-  rawUrl: string | undefined
-): Promise<{ baseUrl: string; resolvedIP: string }> {
+function resolveVaultEndpoint(rawUrl: string | undefined): string {
   let url = (rawUrl || DEFAULT_VAULT_URL).trim().replace(/\/+$/, '')
   if (url && !url.startsWith('https://') && !url.startsWith('http://')) {
     url = `https://${url}`
   }
-  const validation = await validateUrlWithDNS(url, 'vaultUrl', { allowHttp: true })
-  if (!validation.isValid || !validation.resolvedIP) {
+  const validation = validateExternalUrl(url, 'vaultUrl', { allowHttp: true })
+  if (!validation.isValid) {
     throw new Error(validation.error || 'Invalid vault URL')
   }
-  return { baseUrl: url, resolvedIP: validation.resolvedIP }
+  return url
 }
 
 /**
@@ -60,24 +54,21 @@ async function resolveVaultEndpoint(
  */
 async function listDirectory(
   baseUrl: string,
-  resolvedIP: string,
   accessToken: string,
   dirPath: string,
-  retryOptions?: Parameters<typeof secureFetchWithPinnedIPAndRetry>[3]
+  retryOptions?: Parameters<typeof fetchWithRetry>[2]
 ): Promise<string[]> {
   const encodedDir = dirPath ? dirPath.split('/').map(encodeURIComponent).join('/') : ''
   const endpoint = encodedDir ? `${baseUrl}/vault/${encodedDir}/` : `${baseUrl}/vault/`
 
-  const response = await secureFetchWithPinnedIPAndRetry(
+  const response = await fetchWithRetry(
     endpoint,
-    resolvedIP,
     {
       method: 'GET',
       headers: {
         Authorization: `Bearer ${accessToken}`,
         Accept: 'application/json',
       },
-      allowHttp: true,
     },
     retryOptions
   )
@@ -90,17 +81,13 @@ async function listDirectory(
   return data.files ?? []
 }
 
-/**
- * Recursively lists all markdown files in the vault or a specific folder.
- */
 const MAX_RECURSION_DEPTH = 20
 
 async function listVaultFiles(
   baseUrl: string,
-  resolvedIP: string,
   accessToken: string,
   folderPath?: string,
-  retryOptions?: Parameters<typeof secureFetchWithPinnedIPAndRetry>[3],
+  retryOptions?: Parameters<typeof fetchWithRetry>[2],
   depth = 0
 ): Promise<string[]> {
   if (depth > MAX_RECURSION_DEPTH) {
@@ -109,7 +96,7 @@ async function listVaultFiles(
   }
 
   const rootPath = folderPath || ''
-  const entries = await listDirectory(baseUrl, resolvedIP, accessToken, rootPath, retryOptions)
+  const entries = await listDirectory(baseUrl, accessToken, rootPath, retryOptions)
 
   const mdFiles: string[] = []
   const subDirs: string[] = []
@@ -126,14 +113,7 @@ async function listVaultFiles(
 
   for (const dir of subDirs) {
     try {
-      const nested = await listVaultFiles(
-        baseUrl,
-        resolvedIP,
-        accessToken,
-        dir,
-        retryOptions,
-        depth + 1
-      )
+      const nested = await listVaultFiles(baseUrl, accessToken, dir, retryOptions, depth + 1)
       mdFiles.push(...nested)
     } catch (error) {
       logger.warn('Failed to list subdirectory', {
@@ -151,21 +131,18 @@ async function listVaultFiles(
  */
 async function fetchNote(
   baseUrl: string,
-  resolvedIP: string,
   accessToken: string,
   filePath: string,
-  retryOptions?: Parameters<typeof secureFetchWithPinnedIPAndRetry>[3]
+  retryOptions?: Parameters<typeof fetchWithRetry>[2]
 ): Promise<NoteJson> {
-  const response = await secureFetchWithPinnedIPAndRetry(
+  const response = await fetchWithRetry(
     `${baseUrl}/vault/${filePath.split('/').map(encodeURIComponent).join('/')}`,
-    resolvedIP,
     {
       method: 'GET',
       headers: {
         Authorization: `Bearer ${accessToken}`,
         Accept: 'application/vnd.olrapi.note+json',
       },
-      allowHttp: true,
     },
     retryOptions
   )
@@ -223,13 +200,13 @@ export const obsidianConnector: ConnectorConfig = {
     cursor?: string,
     syncContext?: Record<string, unknown>
   ): Promise<ExternalDocumentList> => {
-    const { baseUrl, resolvedIP } = await resolveVaultEndpoint(sourceConfig.vaultUrl as string)
+    const baseUrl = resolveVaultEndpoint(sourceConfig.vaultUrl as string)
     const folderPath = (sourceConfig.folderPath as string) || ''
 
     let allFiles = syncContext?.allFiles as string[] | undefined
     if (!allFiles) {
       logger.info('Listing all vault files', { baseUrl, folderPath })
-      allFiles = await listVaultFiles(baseUrl, resolvedIP, accessToken, folderPath || undefined)
+      allFiles = await listVaultFiles(baseUrl, accessToken, folderPath || undefined)
       if (syncContext) {
         syncContext.allFiles = allFiles
       }
@@ -268,10 +245,10 @@ export const obsidianConnector: ConnectorConfig = {
     externalId: string,
     _syncContext?: Record<string, unknown>
   ): Promise<ExternalDocument | null> => {
-    const { baseUrl, resolvedIP } = await resolveVaultEndpoint(sourceConfig.vaultUrl as string)
+    const baseUrl = resolveVaultEndpoint(sourceConfig.vaultUrl as string)
 
     try {
-      const note = await fetchNote(baseUrl, resolvedIP, accessToken, externalId)
+      const note = await fetchNote(baseUrl, accessToken, externalId)
       const content = note.content || ''
 
       return {
@@ -312,23 +289,18 @@ export const obsidianConnector: ConnectorConfig = {
     }
 
     let baseUrl: string
-    let resolvedIP: string
     try {
-      const endpoint = await resolveVaultEndpoint(rawUrl)
-      baseUrl = endpoint.baseUrl
-      resolvedIP = endpoint.resolvedIP
+      baseUrl = resolveVaultEndpoint(rawUrl)
     } catch (error) {
       return { valid: false, error: toError(error).message }
     }
 
     try {
-      const response = await secureFetchWithPinnedIPAndRetry(
+      const response = await fetchWithRetry(
         `${baseUrl}/`,
-        resolvedIP,
         {
           method: 'GET',
           headers: { Authorization: `Bearer ${accessToken}` },
-          allowHttp: true,
         },
         VALIDATE_RETRY_OPTIONS
       )
@@ -348,7 +320,6 @@ export const obsidianConnector: ConnectorConfig = {
       if (folderPath.trim()) {
         const entries = await listDirectory(
           baseUrl,
-          resolvedIP,
           accessToken,
           folderPath.trim(),
           VALIDATE_RETRY_OPTIONS

apps/sim/lib/knowledge/documents/utils.ts

@@ -1,11 +1,6 @@
 import { createLogger } from '@sim/logger'
 import { toError } from '@sim/utils/errors'
 import { sleep } from '@sim/utils/helpers'
-import {
-  type SecureFetchOptions,
-  type SecureFetchResponse,
-  secureFetchWithPinnedIP,
-} from '@/lib/core/security/input-validation.server'
 
 const logger = createLogger('RetryUtils')
 
@@ -213,45 +208,3 @@ export async function fetchWithRetry(
     return response
   }, retryOptions)
 }
-
-/**
- * Wrapper for secure fetch requests with retry logic and DNS pinning.
- * Use when connecting to user-controlled hostnames that cannot be restricted
- * to a domain allowlist (e.g. self-hosted plugin endpoints). The DNS lookup
- * happens once during validation; this helper reuses that resolved IP so a
- * malicious nameserver cannot rebind to a private IP between validation and
- * the actual request.
- */
-export async function secureFetchWithPinnedIPAndRetry(
-  url: string,
-  resolvedIP: string,
-  options: SecureFetchOptions & { allowHttp?: boolean } = {},
-  retryOptions: RetryOptions = {}
-): Promise<SecureFetchResponse> {
-  return retryWithExponentialBackoff(async () => {
-    const response = await secureFetchWithPinnedIP(url, resolvedIP, options)
-
-    if (!response.ok && isRetryableError({ status: response.status })) {
-      const errorText = await response.text()
-      const error: HTTPError = new Error(
-        `HTTP ${response.status}: ${response.statusText} - ${errorText}`
-      )
-      error.status = response.status
-      error.statusText = response.statusText
-
-      const retryAfter = response.headers.get('Retry-After')
-      if (retryAfter) {
-        const waitMs = Number.isNaN(Number(retryAfter))
-          ? Math.max(0, new Date(retryAfter).getTime() - Date.now())
-          : Number(retryAfter) * 1000
-        if (waitMs > 0) {
-          error.retryAfterMs = waitMs
-        }
-      }
-
-      throw error
-    }
-
-    return response
-  }, retryOptions)
-}