fix(sanitization): added more input sanitization to tool routes #2475

waleedlatif1 · 2025-12-19T09:16:47Z

Summary

added more input sanitization to tool routes

Type of Change

Security

Testing

Tested manually

Checklist

Code follows project style guidelines
Self-reviewed my changes
Tests added/updated and passing
No new warnings introduced
I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

vercel · 2025-12-19T09:16:51Z

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment

Project	Deployment	Review	Updated (UTC)
docs	Skipped		Dec 19, 2025 9:26am

greptile-apps · 2025-12-19T09:24:38Z

Greptile Summary

This PR adds input sanitization to 16 tool API routes and introduces a comprehensive validation utility library (input-validation.ts). The changes prevent path traversal attacks and injection vulnerabilities by validating IDs before they're used in API calls.

Key improvements:

Added validateAlphanumericId() for credential IDs across Gmail, Outlook, SharePoint, Wealthbox, and Webflow routes
Added validateUUID() for workflow and credential IDs in Google Calendar route
Added validateMicrosoftGraphId() for Microsoft Teams, OneDrive, and Outlook routes to handle complex Graph API ID formats
Created validation utility with protection against path traversal (../), null bytes, control characters, and URL encoding bypasses

Critical issues found:

Gmail add-label and remove-label routes validate label IDs but miss validating messageId before URL interpolation (lines gmail/add-label/route.ts:69, gmail/remove-label/route.ts:72)
Google Drive files route validates folderId but doesn't validate query and mimeType parameters used in API queries
SharePoint sites route doesn't validate the query parameter

Validation coverage:

✅ 13 of 16 routes have complete input validation
⚠️ 3 routes have partial validation with missing parameters

Confidence Score: 3/5

This PR significantly improves security but leaves critical gaps in Gmail routes where messageId validation is missing
Score reflects strong security improvements across most routes (13/16 fully validated) but critical missing validation for messageId in Gmail add-label and remove-label routes creates path traversal risk. The validation library is well-designed with comprehensive protection patterns. Missing validations should be addressed before merge.
Pay close attention to apps/sim/app/api/tools/gmail/add-label/route.ts and apps/sim/app/api/tools/gmail/remove-label/route.ts where messageId lacks validation

Important Files Changed

Filename	Overview
apps/sim/lib/core/security/input-validation.ts	New comprehensive validation utility library with functions for UUIDs, alphanumeric IDs, Microsoft Graph IDs, and path traversal prevention
apps/sim/app/api/tools/drive/files/route.ts	Added validation for `folderId` parameter, but `query` and `mimeType` parameters remain unvalidated before use in API queries
apps/sim/app/api/tools/gmail/add-label/route.ts	Added validation for `labelIds`, but `messageId` is not validated before being interpolated into the API URL path
apps/sim/app/api/tools/gmail/remove-label/route.ts	Added validation for `labelIds`, but `messageId` is not validated before being interpolated into the API URL path
apps/sim/app/api/tools/sharepoint/sites/route.ts	Added validation for `credentialId`, but `query` parameter is not validated before being interpolated into the Microsoft Graph API URL

Sequence Diagram

sequenceDiagram
    participant Client
    participant Route as API Route
    participant Val as Validation
    participant Auth
    participant API as External Service
    
    Client->>Route: Send request
    Route->>Val: Validate input IDs
    
    alt Input invalid
        Val-->>Route: Return error
        Route-->>Client: 400 response
    else Input valid
        Val-->>Route: Continue
        Route->>Auth: Check permissions
        Auth-->>Route: Approved
        Route->>API: Make request
        API-->>Route: Data
        Route-->>Client: 200 response
    end

greptile-apps

Additional Comments (1)

apps/sim/app/api/tools/drive/files/route.ts, line 124-130 (link)

style: mimeType and query parameters are used in escapeForDriveQuery() but are never validated before use. While escapeForDriveQuery escapes quotes and backslashes, it doesn't prevent other injection vectors or validate that these are legitimate values.

Consider validating these parameters before using them in the query.

_{17 files reviewed, 4 comments}

_{Edit Code Review Agent Settings | Greptile}

greptile-apps · 2025-12-19T09:24:30Z

apps/sim/app/api/tools/gmail/add-label/route.ts

+    }
+
    const gmailResponse = await fetch(
      `${GMAIL_API_BASE}/messages/${validatedData.messageId}/modify`,


logic: messageId is directly interpolated into the URL path without validation. This could allow path traversal or injection if the ID contains special characters like ../ or encoded sequences.

Suggested change

`${GMAIL_API_BASE}/messages/${validatedData.messageId}/modify`,

const messageIdValidation = validateAlphanumericId(validatedData.messageId, 'messageId', 255)

if (!messageIdValidation.isValid) {

logger.warn(`[${requestId}] Invalid message ID: ${messageIdValidation.error}`)

return NextResponse.json(

{

success: false,

error: messageIdValidation.error,

},

{ status: 400 }

)

}

const gmailResponse = await fetch(

`${GMAIL_API_BASE}/messages/${validatedData.messageId}/modify`,

Prompt To Fix With AI

This is a comment left during a code review. Path: apps/sim/app/api/tools/gmail/add-label/route.ts Line: 69:69 Comment: **logic:** `messageId` is directly interpolated into the URL path without validation. This could allow path traversal or injection if the ID contains special characters like `../` or encoded sequences. ```suggestion const messageIdValidation = validateAlphanumericId(validatedData.messageId, 'messageId', 255) if (!messageIdValidation.isValid) { logger.warn(`[${requestId}] Invalid message ID: ${messageIdValidation.error}`) return NextResponse.json( { success: false, error: messageIdValidation.error, }, { status: 400 } ) } const gmailResponse = await fetch( `${GMAIL_API_BASE}/messages/${validatedData.messageId}/modify`, ``` How can I resolve this? If you propose a fix, please make it concise.

greptile-apps · 2025-12-19T09:24:31Z

apps/sim/app/api/tools/gmail/remove-label/route.ts

+    }
+
    const gmailResponse = await fetch(
      `${GMAIL_API_BASE}/messages/${validatedData.messageId}/modify`,


logic: messageId is directly interpolated into the URL path without validation. This could allow path traversal or injection if the ID contains special characters like ../ or encoded sequences.

Suggested change

`${GMAIL_API_BASE}/messages/${validatedData.messageId}/modify`,

const messageIdValidation = validateAlphanumericId(validatedData.messageId, 'messageId', 255)

if (!messageIdValidation.isValid) {

logger.warn(`[${requestId}] Invalid message ID: ${messageIdValidation.error}`)

return NextResponse.json(

{

success: false,

error: messageIdValidation.error,

},

{ status: 400 }

)

}

const gmailResponse = await fetch(

`${GMAIL_API_BASE}/messages/${validatedData.messageId}/modify`,

Prompt To Fix With AI

This is a comment left during a code review. Path: apps/sim/app/api/tools/gmail/remove-label/route.ts Line: 72:72 Comment: **logic:** `messageId` is directly interpolated into the URL path without validation. This could allow path traversal or injection if the ID contains special characters like `../` or encoded sequences. ```suggestion const messageIdValidation = validateAlphanumericId(validatedData.messageId, 'messageId', 255) if (!messageIdValidation.isValid) { logger.warn(`[${requestId}] Invalid message ID: ${messageIdValidation.error}`) return NextResponse.json( { success: false, error: messageIdValidation.error, }, { status: 400 } ) } const gmailResponse = await fetch( `${GMAIL_API_BASE}/messages/${validatedData.messageId}/modify`, ``` How can I resolve this? If you propose a fix, please make it concise.

greptile-apps · 2025-12-19T09:24:38Z

apps/sim/app/api/tools/sharepoint/sites/route.ts

    const searchQuery = query || '*'
    const url = `https://graph.microsoft.com/v1.0/sites?search=${encodeURIComponent(searchQuery)}&$select=id,name,displayName,webUrl,createdDateTime,lastModifiedDateTime&$top=50`


style: query parameter is used directly in URL without validation. While it's URL-encoded, consider adding input validation to prevent potential abuse or malformed queries.

Suggested change

const searchQuery = query || '*'

const url = `https://graph.microsoft.com/v1.0/sites?search=${encodeURIComponent(searchQuery)}&$select=id,name,displayName,webUrl,createdDateTime,lastModifiedDateTime&$top=50`

let searchQuery = query || '*'

if (query && query.length > 500) {

logger.warn(`[${requestId}] Search query too long`, { length: query.length })

return NextResponse.json({ error: 'Search query exceeds maximum length' }, { status: 400 })

}

const url = `https://graph.microsoft.com/v1.0/sites?search=${encodeURIComponent(searchQuery)}&$select=id,name,displayName,webUrl,createdDateTime,lastModifiedDateTime&$top=50`

_{Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!}

Prompt To Fix With AI

This is a comment left during a code review. Path: apps/sim/app/api/tools/sharepoint/sites/route.ts Line: 57:58 Comment: **style:** `query` parameter is used directly in URL without validation. While it's URL-encoded, consider adding input validation to prevent potential abuse or malformed queries. ```suggestion let searchQuery = query || '*' if (query && query.length > 500) { logger.warn(`[${requestId}] Search query too long`, { length: query.length }) return NextResponse.json({ error: 'Search query exceeds maximum length' }, { status: 400 }) } const url = `https://graph.microsoft.com/v1.0/sites?search=${encodeURIComponent(searchQuery)}&$select=id,name,displayName,webUrl,createdDateTime,lastModifiedDateTime&$top=50` ``` <sub>Note: If this suggestion doesn't match your team's coding style, reply to this and let me know. I'll remember it for next time!</sub> How can I resolve this? If you propose a fix, please make it concise.

fix(sanitization): added more input sanitization to tool routes

38958e4

greptile-apps bot reviewed Dec 19, 2025

View reviewed changes

ack PR comments

1beecc3

vercel bot temporarily deployed to Preview December 19, 2025 09:26 Inactive

waleedlatif1 merged commit 656a6b8 into staging Dec 19, 2025
6 checks passed

waleedlatif1 deleted the fix/jira branch December 19, 2025 09:27

waleedlatif1 mentioned this pull request Dec 19, 2025

v0.5.36: hitl improvements, opengraph, slack fixes, one-click unsubscribe, auth checks, new db indexes #2474

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

fix(sanitization): added more input sanitization to tool routes #2475

fix(sanitization): added more input sanitization to tool routes #2475

Uh oh!

waleedlatif1 commented Dec 19, 2025

Uh oh!

vercel bot commented Dec 19, 2025 •

edited

Loading

Uh oh!

greptile-apps bot commented Dec 19, 2025

Uh oh!

greptile-apps bot left a comment •

edited

Loading

Uh oh!

greptile-apps bot Dec 19, 2025

Uh oh!

greptile-apps bot Dec 19, 2025

Uh oh!

greptile-apps bot Dec 19, 2025

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

-      `${GMAIL_API_BASE}/messages/${validatedData.messageId}/modify`,
+    const messageIdValidation = validateAlphanumericId(validatedData.messageId, 'messageId', 255)
+    if (!messageIdValidation.isValid) {
+      logger.warn(`[${requestId}] Invalid message ID: ${messageIdValidation.error}`)
+      return NextResponse.json(
+        {
+          success: false,
+          error: messageIdValidation.error,
+        },
+        { status: 400 }
+      )
+    }
+    const gmailResponse = await fetch(
+      `${GMAIL_API_BASE}/messages/${validatedData.messageId}/modify`,

		const searchQuery = query \|\| '*'
		const url = `https://graph.microsoft.com/v1.0/sites?search=${encodeURIComponent(searchQuery)}&$select=id,name,displayName,webUrl,createdDateTime,lastModifiedDateTime&$top=50`

-    const searchQuery = query || '*'
-    const url = `https://graph.microsoft.com/v1.0/sites?search=${encodeURIComponent(searchQuery)}&$select=id,name,displayName,webUrl,createdDateTime,lastModifiedDateTime&$top=50`
+    let searchQuery = query || '*'
+    if (query && query.length > 500) {
+      logger.warn(`[${requestId}] Search query too long`, { length: query.length })
+      return NextResponse.json({ error: 'Search query exceeds maximum length' }, { status: 400 })
+    }
+    const url = `https://graph.microsoft.com/v1.0/sites?search=${encodeURIComponent(searchQuery)}&$select=id,name,displayName,webUrl,createdDateTime,lastModifiedDateTime&$top=50`

fix(sanitization): added more input sanitization to tool routes #2475

fix(sanitization): added more input sanitization to tool routes #2475

Uh oh!

Conversation

waleedlatif1 commented Dec 19, 2025

Summary

Type of Change

Testing

Checklist

Uh oh!

vercel bot commented Dec 19, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

greptile-apps bot commented Dec 19, 2025

Greptile Summary

Confidence Score: 3/5

Important Files Changed

Sequence Diagram

Uh oh!

greptile-apps bot left a comment • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Additional Comments (1)

Uh oh!

greptile-apps bot Dec 19, 2025

Choose a reason for hiding this comment

Uh oh!

greptile-apps bot Dec 19, 2025

Choose a reason for hiding this comment

Uh oh!

greptile-apps bot Dec 19, 2025

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

vercel bot commented Dec 19, 2025 •

edited

Loading

greptile-apps bot left a comment •

edited

Loading