Validate workflow URLs better

Author: jverce

packages/sdk/src/server/__tests__/server.test.ts

@@ -507,6 +507,13 @@ describe("BackendClient", () => {
   });
 
   describe("invokeWorkflow", () => {
+    beforeEach(() => {
+      client = new BackendClient({
+        ...clientParams,
+        workflowDomain: "example.com",
+      });
+    });
+
     it("should invoke a workflow with provided URL and body, with no auth type", async () => {
       fetchMock.mockResponseOnce(
         JSON.stringify({
@@ -675,15 +682,10 @@ describe("BackendClient", () => {
     let client: BackendClient;
 
     beforeEach(() => {
-      client = new BackendClient(
-        {
-          credentials: {
-            clientId: "test-client-id",
-            clientSecret: "test-client-secret",
-          },
-          projectId,
-        },
-      );
+      client = new BackendClient({
+        ...clientParams,
+        workflowDomain: "example.com",
+      });
     });
 
     it("should include externalUserId and environment headers", async () => {
@@ -729,6 +731,22 @@ describe("BackendClient", () => {
   });
 
   describe("BackendClient - buildWorkflowUrl", () => {
+    describe("Validations", () => {
+      it("should throw an error when the input is blank", () => {
+        expect(() => client["buildWorkflowUrl"]("   ")).toThrow("URL or endpoint ID is required");
+      });
+
+      it("should throw an error when the URL doesn't match the workflow domain", () => {
+        const url = "https://example.com";
+        expect(() => client["buildWorkflowUrl"](url)).toThrow("Invalid workflow domain");
+      });
+
+      it("should throw an error when the endpoint ID doesn't match the expected format", () => {
+        const input = "foo123";
+        expect(() => client["buildWorkflowUrl"](input)).toThrow("Invalid endpoint ID format");
+      });
+    });
+
     describe("Default domain (m.pipedream.net)", () => {
       it("should return full URL if input is a full URL with protocol", () => {
         const input = "https://en123.m.pipedream.net";

packages/sdk/src/server/index.ts

@@ -693,23 +693,42 @@ export class BackendClient {
    * ```
    */
   private buildWorkflowUrl(input: string): string {
+    if (!input?.trim()) {
+      throw new Error("URL or endpoint ID is required");
+    }
+
+    input = input.trim().toLowerCase();
     let url: string;
 
     const isUrl = input.includes(".") || input.startsWith("http");
 
     if (isUrl) {
-    // Try to parse the input as a URL
+      // Try to parse the input as a URL
+      let parsedUrl: URL;
       try {
         const urlString = input.startsWith("http")
           ? input
           : `https://${input}`;
-        const parsedUrl = new URL(urlString);
-        url = parsedUrl.href;
+        parsedUrl = new URL(urlString);
       } catch (error) {
         throw new Error(`The provided URL is malformed: "${input}". Please provide a valid URL.`);
       }
+
+      // Validate the hostname to prevent potential DNS rebinding attacks
+      if (!parsedUrl.hostname.endsWith(this.workflowDomain)) {
+        throw new Error(`Invalid workflow domain. URL must end with ${this.workflowDomain}`);
+      }
+
+      url = parsedUrl.href;
     } else {
     // If the input is an ID, construct the full URL using the base domain
+      if (!/^e(n|o)[a-z0-9-]+$/i.test(input)) {
+        throw new Error(`
+          Invalid endpoint ID format.
+          Must contain only letters, numbers, and hyphens, and start with either "en" or "eo".
+        `);
+      }
+
       url = `https://${input}.${this.workflowDomain}`;
     }