
@waleedlatif1 (Collaborator)

Summary

  • Added input validation for Airtable, Lemlist, and more tools to protect against SSRF

Type of Change

  • Security

Testing

Added unit tests

Checklist

  • Code follows project style guidelines
  • Self-reviewed my changes
  • Tests added/updated and passing
  • No new warnings introduced
  • I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

vercel bot commented Jan 16, 2026

The latest updates on your projects.

1 Skipped Deployment

| Project | Deployment | Review | Updated (UTC) |
|---|---|---|---|
| docs | Skipped | Skipped | Jan 16, 2026 3:28am |


greptile-apps bot commented Jan 16, 2026

Greptile Summary

This PR strengthens SSRF protection by adding input validation for Airtable, Lemlist, and Webflow IDs before they are used in API calls.

Key changes:

  • Added validateAirtableId() function that validates Airtable IDs with strict format checking (prefix + 14 alphanumeric chars)
  • Applied validation in provider-subscriptions.ts before constructing API URLs for webhook deletion/creation
  • Used existing validateAlphanumericId() for Lemlist and Webflow ID validation
  • Comprehensive unit tests cover valid/invalid formats and attack scenarios (path traversal, special chars)
  • Removed unrelated Google Drive hostname checks from Pulse/Reducto parsers and cleaned up comments

The validation prevents attackers from injecting malicious IDs that could manipulate API URLs to target internal services.

Confidence Score: 5/5

  • This PR is safe to merge with minimal risk
  • The validation logic is well-implemented with strict regex patterns, comprehensive test coverage includes security attack scenarios, and the changes are narrowly scoped to prevent SSRF vulnerabilities without affecting other functionality
  • No files require special attention

Important Files Changed

| Filename | Overview |
|---|---|
| apps/sim/lib/core/security/input-validation.ts | Added validateAirtableId function with proper ID format validation for base/table/webhook IDs |
| apps/sim/lib/core/security/input-validation.test.ts | Comprehensive test coverage for validateAirtableId including edge cases and security scenarios |
| apps/sim/lib/webhooks/provider-subscriptions.ts | Applied validation for Airtable, Lemlist, and Webflow IDs before API calls to prevent SSRF |

Sequence Diagram

```mermaid
sequenceDiagram
    participant User
    participant API as Webhook API
    participant Validator as Input Validator
    participant External as External API (Airtable/Lemlist/Webflow)

    User->>API: Request webhook operation (create/delete)
    API->>API: Extract ID from request (baseId, tableId, webhookId, etc)

    alt Airtable ID Validation
        API->>Validator: validateAirtableId(id, prefix, paramName)
        Validator->>Validator: Check null/undefined/empty
        Validator->>Validator: Regex test: ^{prefix}[a-zA-Z0-9]{14}$
        alt Invalid format
            Validator-->>API: {isValid: false, error: "..."}
            API->>API: Log warning & skip operation
            API-->>User: Operation skipped (or error thrown)
        else Valid format
            Validator-->>API: {isValid: true, sanitized: id}
        end
    end

    alt Lemlist/Webflow ID Validation
        API->>Validator: validateAlphanumericId(id, paramName, maxLength)
        Validator->>Validator: Check format (alphanumeric + hyphens/underscores)
        alt Invalid format
            Validator-->>API: {isValid: false, error: "..."}
            API->>API: Log warning & skip operation
            API-->>User: Operation skipped (or error thrown)
        else Valid format
            Validator-->>API: {isValid: true, sanitized: id}
        end
    end

    API->>API: Construct API URL with validated ID
    API->>External: HTTP request to external API
    External-->>API: Response
    API-->>User: Success/failure result
```
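The pattern the review describes, strict allow-list validation of a third-party ID before it is interpolated into an outbound URL, as an added TypeScript example; this is not the project's own `input-validation.ts` or `provider-subscriptions.ts` code. The function names, parameter order and `{isValid, error}` / `{isValid, sanitized}` result shape are taken from the sequence diagram above; the Airtable prefixes `app`/`ach`, the `maxLength` default, the Airtable URL template and the sample IDs are assumptions made for illustration.

```typescript
// Added example (not the project's code): allow-list validation of external
// IDs before they reach a URL, following the PR's described checks.

interface ValidationResult {
  isValid: boolean
  sanitized?: string
  error?: string
}

// Escape regex metacharacters so a prefix is always matched literally,
// even if a caller ever passes something like "app." by mistake.
function escapeRegex(s: string): string {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&')
}

// Airtable IDs: fixed prefix + exactly 14 alphanumeric characters
// (regex from the review: ^{prefix}[a-zA-Z0-9]{14}$). Slashes, dots,
// percent signs, whitespace and wrong lengths are all rejected, so a
// value can never change the path of the URL it is inserted into.
function validateAirtableId(
  id: string | null | undefined,
  prefix: string,
  paramName: string
): ValidationResult {
  if (id === null || id === undefined || id === '') {
    return { isValid: false, error: `${paramName} is required` }
  }
  const pattern = new RegExp(`^${escapeRegex(prefix)}[a-zA-Z0-9]{14}$`)
  if (!pattern.test(id)) {
    return { isValid: false, error: `${paramName} has an invalid format` }
  }
  return { isValid: true, sanitized: id }
}

// Lemlist / Webflow IDs: alphanumeric plus '-' and '_', bounded in length
// (the 64-character default is an assumption, not the project's value).
function validateAlphanumericId(
  id: string | null | undefined,
  paramName: string,
  maxLength: number = 64
): ValidationResult {
  if (id === null || id === undefined || id === '') {
    return { isValid: false, error: `${paramName} is required` }
  }
  if (id.length > maxLength) {
    return { isValid: false, error: `${paramName} exceeds ${maxLength} characters` }
  }
  if (!/^[a-zA-Z0-9_-]+$/.test(id)) {
    return { isValid: false, error: `${paramName} has an invalid format` }
  }
  return { isValid: true, sanitized: id }
}

// Only the sanitized value is ever interpolated; on any failure no URL is
// built at all (mirrors "log warning & skip operation" in the diagram).
// Prefixes "app"/"ach" and the URL template are assumptions for this example.
function buildAirtableWebhookUrl(baseId: string, webhookId: string): string | null {
  const base = validateAirtableId(baseId, 'app', 'baseId')
  const hook = validateAirtableId(webhookId, 'ach', 'webhookId')
  if (!base.isValid || !hook.isValid) {
    console.warn(base.error ?? hook.error)
    return null
  }
  return `https://api.airtable.com/v0/bases/${base.sanitized}/webhooks/${hook.sanitized}`
}

// Constructed sample inputs: one well-formed pair and one with a path
// segment smuggled into the base ID, to show the second never becomes a URL.
const SAMPLE_VALID_BASE = 'appABCDEFGHIJKLMN'
const SAMPLE_VALID_HOOK = 'achABCDEFGHIJKLMN'
const SAMPLE_BAD_BASE = 'app../../internal'

console.log(buildAirtableWebhookUrl(SAMPLE_VALID_BASE, SAMPLE_VALID_HOOK))
console.log(buildAirtableWebhookUrl(SAMPLE_BAD_BASE, SAMPLE_VALID_HOOK))
```

The key design choice is that callers cannot reach the URL template without going through the validator: `buildAirtableWebhookUrl` returns `null` rather than a partially built string, so a logging-and-skip path is the only outcome for malformed input, exactly as the sequence diagram describes.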

@waleedlatif1 waleedlatif1 merged commit 55700b9 into staging Jan 16, 2026
11 checks passed
@waleedlatif1 waleedlatif1 deleted the improvement/security branch January 16, 2026 03:46