fix(sanitization): added more input sanitization to tool routes (#2475)

* fix(sanitization): added more input sanitization to tool routes

* ack PR comments

Author: waleedlatif1

apps/sim/app/api/tools/drive/files/route.ts

@@ -1,6 +1,7 @@
 import { type NextRequest, NextResponse } from 'next/server'
 import { getSession } from '@/lib/auth'
 import { authorizeCredentialUse } from '@/lib/auth/credential-access'
+import { validateAlphanumericId } from '@/lib/core/security/input-validation'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { createLogger } from '@/lib/logs/console/logger'
 import { refreshAccessTokenIfNeeded } from '@/app/api/auth/oauth/utils'
@@ -108,6 +109,14 @@ export async function GET(request: NextRequest) {
       return NextResponse.json({ error: 'Failed to obtain valid access token' }, { status: 401 })
     }
 
+    if (folderId) {
+      const folderIdValidation = validateAlphanumericId(folderId, 'folderId', 50)
+      if (!folderIdValidation.isValid) {
+        logger.warn(`[${requestId}] Invalid folderId`, { error: folderIdValidation.error })
+        return NextResponse.json({ error: folderIdValidation.error }, { status: 400 })
+      }
+    }
+
     const qParts: string[] = ['trashed = false']
     if (folderId) {
       qParts.push(`'${escapeForDriveQuery(folderId)}' in parents`)

apps/sim/app/api/tools/gmail/add-label/route.ts

@@ -1,6 +1,7 @@
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { validateAlphanumericId } from '@/lib/core/security/input-validation'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { createLogger } from '@/lib/logs/console/logger'
 
@@ -50,6 +51,29 @@ export async function POST(request: NextRequest) {
       .map((id) => id.trim())
       .filter((id) => id.length > 0)
 
+    for (const labelId of labelIds) {
+      const labelIdValidation = validateAlphanumericId(labelId, 'labelId', 255)
+      if (!labelIdValidation.isValid) {
+        logger.warn(`[${requestId}] Invalid label ID: ${labelIdValidation.error}`)
+        return NextResponse.json(
+          {
+            success: false,
+            error: labelIdValidation.error,
+          },
+          { status: 400 }
+        )
+      }
+    }
+
+    const messageIdValidation = validateAlphanumericId(validatedData.messageId, 'messageId', 255)
+    if (!messageIdValidation.isValid) {
+      logger.warn(`[${requestId}] Invalid message ID: ${messageIdValidation.error}`)
+      return NextResponse.json(
+        { success: false, error: messageIdValidation.error },
+        { status: 400 }
+      )
+    }
+
     const gmailResponse = await fetch(
       `${GMAIL_API_BASE}/messages/${validatedData.messageId}/modify`,
       {

apps/sim/app/api/tools/gmail/labels/route.ts

@@ -3,6 +3,7 @@ import { account } from '@sim/db/schema'
 import { and, eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { getSession } from '@/lib/auth'
+import { validateAlphanumericId } from '@/lib/core/security/input-validation'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { createLogger } from '@/lib/logs/console/logger'
 import { refreshAccessTokenIfNeeded } from '@/app/api/auth/oauth/utils'
@@ -38,6 +39,12 @@ export async function GET(request: NextRequest) {
       return NextResponse.json({ error: 'Credential ID is required' }, { status: 400 })
     }
 
+    const credentialIdValidation = validateAlphanumericId(credentialId, 'credentialId', 255)
+    if (!credentialIdValidation.isValid) {
+      logger.warn(`[${requestId}] Invalid credential ID: ${credentialIdValidation.error}`)
+      return NextResponse.json({ error: credentialIdValidation.error }, { status: 400 })
+    }
+
     let credentials = await db
       .select()
       .from(account)

apps/sim/app/api/tools/gmail/remove-label/route.ts

@@ -1,6 +1,7 @@
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkHybridAuth } from '@/lib/auth/hybrid'
+import { validateAlphanumericId } from '@/lib/core/security/input-validation'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { createLogger } from '@/lib/logs/console/logger'
 
@@ -53,6 +54,29 @@ export async function POST(request: NextRequest) {
       .map((id) => id.trim())
       .filter((id) => id.length > 0)
 
+    for (const labelId of labelIds) {
+      const labelIdValidation = validateAlphanumericId(labelId, 'labelId', 255)
+      if (!labelIdValidation.isValid) {
+        logger.warn(`[${requestId}] Invalid label ID: ${labelIdValidation.error}`)
+        return NextResponse.json(
+          {
+            success: false,
+            error: labelIdValidation.error,
+          },
+          { status: 400 }
+        )
+      }
+    }
+
+    const messageIdValidation = validateAlphanumericId(validatedData.messageId, 'messageId', 255)
+    if (!messageIdValidation.isValid) {
+      logger.warn(`[${requestId}] Invalid message ID: ${messageIdValidation.error}`)
+      return NextResponse.json(
+        { success: false, error: messageIdValidation.error },
+        { status: 400 }
+      )
+    }
+
     const gmailResponse = await fetch(
       `${GMAIL_API_BASE}/messages/${validatedData.messageId}/modify`,
       {

apps/sim/app/api/tools/google_calendar/calendars/route.ts

@@ -1,5 +1,6 @@
 import { type NextRequest, NextResponse } from 'next/server'
 import { authorizeCredentialUse } from '@/lib/auth/credential-access'
+import { validateUUID } from '@/lib/core/security/input-validation'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { createLogger } from '@/lib/logs/console/logger'
 import { refreshAccessTokenIfNeeded } from '@/app/api/auth/oauth/utils'
@@ -25,7 +26,6 @@ export async function GET(request: NextRequest) {
   logger.info(`[${requestId}] Google Calendar calendars request received`)
 
   try {
-    // Get the credential ID from the query params
     const { searchParams } = new URL(request.url)
     const credentialId = searchParams.get('credentialId')
     const workflowId = searchParams.get('workflowId') || undefined
@@ -34,12 +34,25 @@ export async function GET(request: NextRequest) {
       logger.warn(`[${requestId}] Missing credentialId parameter`)
       return NextResponse.json({ error: 'Credential ID is required' }, { status: 400 })
     }
+
+    const credentialValidation = validateUUID(credentialId, 'credentialId')
+    if (!credentialValidation.isValid) {
+      logger.warn(`[${requestId}] Invalid credentialId format`, { credentialId })
+      return NextResponse.json({ error: credentialValidation.error }, { status: 400 })
+    }
+
+    if (workflowId) {
+      const workflowValidation = validateUUID(workflowId, 'workflowId')
+      if (!workflowValidation.isValid) {
+        logger.warn(`[${requestId}] Invalid workflowId format`, { workflowId })
+        return NextResponse.json({ error: workflowValidation.error }, { status: 400 })
+      }
+    }
     const authz = await authorizeCredentialUse(request, { credentialId, workflowId })
     if (!authz.ok || !authz.credentialOwnerUserId) {
       return NextResponse.json({ error: authz.error || 'Unauthorized' }, { status: 403 })
     }
 
-    // Refresh access token if needed using the utility function
     const accessToken = await refreshAccessTokenIfNeeded(
       credentialId,
       authz.credentialOwnerUserId,
@@ -50,7 +63,6 @@ export async function GET(request: NextRequest) {
       return NextResponse.json({ error: 'Failed to obtain valid access token' }, { status: 401 })
     }
 
-    // Fetch calendars from Google Calendar API
     logger.info(`[${requestId}] Fetching calendars from Google Calendar API`)
     const calendarResponse = await fetch(
       'https://www.googleapis.com/calendar/v3/users/me/calendarList',
@@ -81,7 +93,6 @@ export async function GET(request: NextRequest) {
     const data = await calendarResponse.json()
     const calendars: CalendarListItem[] = data.items || []
 
-    // Sort calendars with primary first, then alphabetically
     calendars.sort((a, b) => {
       if (a.primary && !b.primary) return -1
       if (!a.primary && b.primary) return 1

apps/sim/app/api/tools/microsoft-teams/channels/route.ts

@@ -1,5 +1,6 @@
 import { NextResponse } from 'next/server'
 import { authorizeCredentialUse } from '@/lib/auth/credential-access'
+import { validateMicrosoftGraphId } from '@/lib/core/security/input-validation'
 import { createLogger } from '@/lib/logs/console/logger'
 import { refreshAccessTokenIfNeeded } from '@/app/api/auth/oauth/utils'
 
@@ -23,6 +24,12 @@ export async function POST(request: Request) {
       return NextResponse.json({ error: 'Team ID is required' }, { status: 400 })
     }
 
+    const teamIdValidation = validateMicrosoftGraphId(teamId, 'Team ID')
+    if (!teamIdValidation.isValid) {
+      logger.warn('Invalid team ID provided', { teamId, error: teamIdValidation.error })
+      return NextResponse.json({ error: teamIdValidation.error }, { status: 400 })
+    }
+
     try {
       const authz = await authorizeCredentialUse(request as any, {
         credentialId: credential,
@@ -70,7 +77,6 @@ export async function POST(request: Request) {
           endpoint: `https://graph.microsoft.com/v1.0/teams/${teamId}/channels`,
         })
 
-        // Check for auth errors specifically
         if (response.status === 401) {
           return NextResponse.json(
             {
@@ -93,7 +99,6 @@ export async function POST(request: Request) {
     } catch (innerError) {
       logger.error('Error during API requests:', innerError)
 
-      // Check if it's an authentication error
       const errorMessage = innerError instanceof Error ? innerError.message : String(innerError)
       if (
         errorMessage.includes('auth') ||

apps/sim/app/api/tools/microsoft-teams/chats/route.ts

@@ -1,27 +1,42 @@
 import { NextResponse } from 'next/server'
 import { authorizeCredentialUse } from '@/lib/auth/credential-access'
+import { validateMicrosoftGraphId } from '@/lib/core/security/input-validation'
 import { createLogger } from '@/lib/logs/console/logger'
 import { refreshAccessTokenIfNeeded } from '@/app/api/auth/oauth/utils'
 
 export const dynamic = 'force-dynamic'
 
 const logger = createLogger('TeamsChatsAPI')
 
-// Helper function to get chat members and create a meaningful name
+/**
+ * Helper function to get chat members and create a meaningful name
+ *
+ * @param chatId - Microsoft Teams chat ID to get display name for
+ * @param accessToken - Access token for Microsoft Graph API
+ * @param chatTopic - Optional existing chat topic
+ * @returns A meaningful display name for the chat
+ */
 const getChatDisplayName = async (
   chatId: string,
   accessToken: string,
   chatTopic?: string
 ): Promise<string> => {
   try {
-    // If the chat already has a topic, use it
+    const chatIdValidation = validateMicrosoftGraphId(chatId, 'chatId')
+    if (!chatIdValidation.isValid) {
+      logger.warn('Invalid chat ID in getChatDisplayName', {
+        error: chatIdValidation.error,
+        chatId: chatId.substring(0, 50),
+      })
+      return `Chat ${chatId.substring(0, 8)}...`
+    }
+
     if (chatTopic?.trim() && chatTopic !== 'null') {
       return chatTopic
     }
 
-    // Fetch chat members to create a meaningful name
     const membersResponse = await fetch(
-      `https://graph.microsoft.com/v1.0/chats/${chatId}/members`,
+      `https://graph.microsoft.com/v1.0/chats/${encodeURIComponent(chatId)}/members`,
       {
         method: 'GET',
         headers: {
@@ -35,27 +50,25 @@ const getChatDisplayName = async (
       const membersData = await membersResponse.json()
       const members = membersData.value || []
 
-      // Filter out the current user and get display names
       const memberNames = members
         .filter((member: any) => member.displayName && member.displayName !== 'Unknown')
         .map((member: any) => member.displayName)
-        .slice(0, 3) // Limit to first 3 names to avoid very long names
+        .slice(0, 3)
 
       if (memberNames.length > 0) {
         if (memberNames.length === 1) {
-          return memberNames[0] // 1:1 chat
+          return memberNames[0]
         }
         if (memberNames.length === 2) {
-          return memberNames.join(' & ') // 2-person group
+          return memberNames.join(' & ')
         }
-        return `${memberNames.slice(0, 2).join(', ')} & ${memberNames.length - 2} more` // Larger group
+        return `${memberNames.slice(0, 2).join(', ')} & ${memberNames.length - 2} more`
       }
     }
 
-    // Fallback: try to get a better name from recent messages
     try {
       const messagesResponse = await fetch(
-        `https://graph.microsoft.com/v1.0/chats/${chatId}/messages?$top=10&$orderby=createdDateTime desc`,
+        `https://graph.microsoft.com/v1.0/chats/${encodeURIComponent(chatId)}/messages?$top=10&$orderby=createdDateTime desc`,
         {
           method: 'GET',
           headers: {
@@ -69,14 +82,12 @@ const getChatDisplayName = async (
         const messagesData = await messagesResponse.json()
         const messages = messagesData.value || []
 
-        // Look for chat rename events
         for (const message of messages) {
           if (message.eventDetail?.chatDisplayName) {
             return message.eventDetail.chatDisplayName
           }
         }
 
-        // Get unique sender names from recent messages as last resort
         const senderNames = [
           ...new Set(
             messages
@@ -103,7 +114,6 @@ const getChatDisplayName = async (
       )
     }
 
-    // Final fallback
     return `Chat ${chatId.split(':')[0] || chatId.substring(0, 8)}...`
   } catch (error) {
     logger.warn(
@@ -146,7 +156,6 @@ export async function POST(request: Request) {
         return NextResponse.json({ error: 'Could not retrieve access token' }, { status: 401 })
       }
 
-      // Now try to fetch the chats
       const response = await fetch('https://graph.microsoft.com/v1.0/me/chats', {
         method: 'GET',
         headers: {
@@ -163,7 +172,6 @@ export async function POST(request: Request) {
           endpoint: 'https://graph.microsoft.com/v1.0/me/chats',
         })
 
-        // Check for auth errors specifically
         if (response.status === 401) {
           return NextResponse.json(
             {
@@ -179,7 +187,6 @@ export async function POST(request: Request) {
 
       const data = await response.json()
 
-      // Process chats with enhanced display names
       const chats = await Promise.all(
         data.value.map(async (chat: any) => ({
           id: chat.id,
@@ -193,7 +200,6 @@ export async function POST(request: Request) {
     } catch (innerError) {
       logger.error('Error during API requests:', innerError)
 
-      // Check if it's an authentication error
       const errorMessage = innerError instanceof Error ? innerError.message : String(innerError)
       if (
         errorMessage.includes('auth') ||

apps/sim/app/api/tools/onedrive/files/route.ts

@@ -4,6 +4,7 @@ import { account } from '@sim/db/schema'
 import { eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { getSession } from '@/lib/auth'
+import { validateMicrosoftGraphId } from '@/lib/core/security/input-validation'
 import { createLogger } from '@/lib/logs/console/logger'
 import { refreshAccessTokenIfNeeded } from '@/app/api/auth/oauth/utils'
 
@@ -36,6 +37,12 @@ export async function GET(request: NextRequest) {
       return NextResponse.json({ error: 'Credential ID is required' }, { status: 400 })
     }
 
+    const credentialIdValidation = validateMicrosoftGraphId(credentialId, 'credentialId')
+    if (!credentialIdValidation.isValid) {
+      logger.warn(`[${requestId}] Invalid credential ID`, { error: credentialIdValidation.error })
+      return NextResponse.json({ error: credentialIdValidation.error }, { status: 400 })
+    }
+
     logger.info(`[${requestId}] Fetching credential`, { credentialId })
 
     const credentials = await db.select().from(account).where(eq(account.id, credentialId)).limit(1)