fix(security): allow HTTP for localhost and loopback addresses

[waleedlatif1]

Summary

• Fix failing SSRF test in route.test.ts — http://127.0.0.1 is now intentionally allowed per PR fix(security): allow HTTP for localhost and loopback addresses #3286 (loopback exemption for local dev), update assertion to match
• Remove extraneous inline comments from input-validation.ts and input-validation.server.ts per project style (no non-TSDoc comments); retain useful annotations like blocked port labels and the Airtable/AWS pattern comments

Type of Change

• Bug fix

Testing

Tests pass — 271 tests across both affected test files

Checklist

• Code follows project style guidelines
• Self-reviewed my changes
• Tests added/updated and passing
• No new warnings introduced
• I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment

Project	Deployment	Actions	Updated (UTC)
docs	Skipped		Feb 22, 2026 10:45pm

[greptile-apps]

Greptile Summary

Fixes failing SSRF test and removes extraneous comments per project style guidelines.

Changes

• Updated SSRF test in route.test.ts to expect http://127.0.0.1:8080/admin to pass validation, aligning with the localhost exemption added in PR fix(security): allow HTTP for localhost and loopback addresses #3286
• Removed non-TSDoc inline comments from input-validation.ts and input-validation.server.ts per project style (global.mdc specifies "Use TSDoc for documentation. No non-TSDoc comments")
• Retained useful inline labels like blocked port annotations and specific pattern comments for Airtable/AWS validation
• All security logic remains intact - no weakening of SSRF protections

Test Coverage

Added comprehensive test cases for localhost exemption covering HTTP/HTTPS and IPv4/IPv6 loopback addresses (271 tests pass).

Confidence Score: 5/5

• Safe to merge - clean style conformance with no security regressions
• All changes are either test updates to match implemented behavior or comment removal for style consistency. No functional security logic was modified beyond what was already implemented in PR fix(security): allow HTTP for localhost and loopback addresses #3286. Test suite passes with 271 tests.
• No files require special attention

Important Files Changed

Filename	Overview
apps/sim/app/api/function/execute/route.test.ts	Updated SSRF test assertion to reflect localhost exemption - test now expects http://127.0.0.1:8080/admin to be allowed per PR #3286
apps/sim/lib/core/security/input-validation.server.ts	Implements localhost detection logic with IPv6 bracket handling, removes extraneous comments per project style (TSDoc only)
apps/sim/lib/core/security/input-validation.test.ts	Added comprehensive test coverage for localhost/loopback exemption (HTTP + HTTPS, IPv4 + IPv6), updated existing tests to accept localhost
apps/sim/lib/core/security/input-validation.ts	Implements localhost exemption logic in validateExternalUrl, removes non-TSDoc comments per project style, preserves useful inline labels

_{Last reviewed commit: e298899}

[greptile-apps]

_{4 files reviewed, no comments}

_{Edit Code Review Agent Settings | Greptile}

[waleedlatif1]

@cursor review

[waleedlatif1]

@cursor review

[cursor]

✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR