The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment

Project	Deployment	Actions	Updated (UTC)
docs	Skipped		Mar 26, 2026 11:30pm

PR Summary

High Risk
High risk because it changes authentication token format/validation and file-serving authorization paths, and adds new SSRF defenses that could block previously-accepted URLs or break integrations if misconfigured.

Overview
Hardens multiple security-sensitive paths across the API.

Prevents file-serve auth bypass by removing trust in user-supplied ?context and treating only profile-pictures/ + og-images/ key prefixes as public, while adding og-images support to context inference and authorization.

Adds OTP brute-force protection for chat email auth by storing OTPs as code:attempts, atomically incrementing attempts (Redis Lua / DB optimistic update), and returning 429 + invalidating the code after 5 failures.

Strengthens deployed chat/form auth cookies by switching to HMAC-signed tokens (BETTER_AUTH_SECRET + timingSafeEqual), and hardens CORS by no longer setting Access-Control-Allow-Credentials.

Expands SSRF protections: OIDC discovery fetch now does DNS validation and IP-pinned fetch; MCP server create/update/test and service env-var resolution now perform DNS-based SSRF checks with explicit error mapping.

Mitigates command injection in SSH tool routes by escaping workingDirectory and randomizing heredoc delimiters, and tightens internal executor authentication by only trusting userId embedded in internal JWTs and propagating that userId when generating internal tokens.

^{Written by Cursor Bugbot for commit 4790853. Configure here.}

@greptile

@cursor review

Greptile Summary

This PR applies a broad set of hardening fixes across authentication, SSRF, SSH injection, CORS, and OTP brute-force protection. The changes are well-scoped and address real attack vectors:

• Auth bypass fixed: File-serve route no longer trusts the user-controlled ?context query param; now performs a key-prefix check, closing a simple bypass that let any user skip auth with ?context=profile-pictures.
• HMAC tokens: Chat/form auth cookies are now HMAC-SHA256-signed with BETTER_AUTH_SECRET and validated with timingSafeEqual, replacing unsigned base64 tokens.
• OTP brute-force: Attempt counter is now embedded in the stored value (code:attempts) and incremented atomically (Redis Lua script or DB optimistic-lock), returning 429 after 5 failures.
• SSRF on MCP servers: DNS-based validation (validateMcpServerSsrf) is applied before and after env-var resolution in all three MCP routes and in the service layer as defense-in-depth.
• SSH injection: workingDirectory is now properly escaped with escapeShellArg, and heredoc delimiters are randomized with a UUID to prevent delimiter injection.
• OIDC SSRF: Discovery URL and all discovered OIDC endpoints are validated via validateUrlWithDNS + secureFetchWithPinnedIP.
• CORS: Access-Control-Allow-Credentials: true removed from chat/form CORS headers (cookies are SameSite=Lax and were never sent cross-site anyway).
• Internal JWT hardening: resolveUserFromJwt now trusts only the JWT payload, removing user-controlled userId extraction from query params and POST bodies.

Previous review comments (TOCTOU, Redis KEEPTTL compat, legacy OTP format, DNS vs SSRF error distinction, unreachable fetch fallback) have all been addressed.

Confidence Score: 5/5

Safe to merge — all raised security concerns from previous review rounds are resolved, and no new regressions or vulnerabilities were found.

All eight stated attack vectors are correctly addressed. Previously flagged issues (TOCTOU race, Redis KEEPTTL compatibility, legacy OTP format backward-compat, DNS vs SSRF error distinction, unreachable fetch fallback) are all resolved. The single remaining note is a minor P2 style suggestion to parallelise four sequential DNS lookups during SSO registration — it does not affect correctness or security.

No files require special attention. apps/sim/app/api/auth/sso/register/route.ts has a minor sequential DNS lookup pattern worth optimising but it is not blocking.

Important Files Changed

Sequence Diagram

sequenceDiagram
    participant Client
    participant MCPRoute as MCP Route (POST/PATCH)
    participant DomainCheck as validateMcpDomain
    participant SsrfCheck as validateMcpServerSsrf
    participant DNS as DNS Resolver
    participant Service as McpService.resolveConfigEnvVars
    participant DB as Database

    Client->>MCPRoute: POST /api/mcp/servers {url}
    MCPRoute->>DomainCheck: validateMcpDomain(url)
    alt Domain not allowed
        DomainCheck-->>MCPRoute: throw McpDomainNotAllowedError
        MCPRoute-->>Client: 403 Domain not allowed
    end
    MCPRoute->>SsrfCheck: validateMcpServerSsrf(url) [pre-resolution]
    SsrfCheck->>DNS: dns.lookup(hostname)
    alt DNS failure
        DNS-->>SsrfCheck: error
        SsrfCheck-->>MCPRoute: throw McpDnsResolutionError
        MCPRoute-->>Client: 502 DNS resolution failed
    else Resolves to private IP
        SsrfCheck-->>MCPRoute: throw McpSsrfError
        MCPRoute-->>Client: 403 SSRF blocked
    end
    MCPRoute->>DB: INSERT server
    MCPRoute-->>Client: 201 Created

    Note over Service,DNS: At tool-execution time (defense-in-depth)
    Service->>DNS: dns.lookup(resolvedUrl)
    alt DNS rebinding detected
        DNS-->>Service: private IP
        Service-->>Service: throw McpSsrfError (fail-closed)
    end

_{Reviews (7): Last reviewed commit: "fix: format long lines in chat/form test..." | Re-trigger Greptile}

@greptile

@cursor review

@greptile

@cursor review

@greptile

@cursor review

@cursor review

@greptile

@greptile

@cursor review