fix(security): allow HTTP for localhost and loopback addresses #3304

Merged
waleedlatif1 merged 4 commits into staging from fix/url-localhost-http on Feb 22, 2026
Conversation

@waleedlatif1
Collaborator

Summary

  • Fix failing SSRF test in route.test.ts: http://127.0.0.1 is now intentionally allowed per PR #3286 (fix(security): allow HTTP for localhost and loopback addresses; loopback exemption for local dev), update assertion to match
  • Remove extraneous inline comments from input-validation.ts and input-validation.server.ts per project style (no non-TSDoc comments); retain useful annotations like blocked port labels and the Airtable/AWS pattern comments

Type of Change

  • Bug fix

Testing

Tests pass — 271 tests across both affected test files

Checklist

  • Code follows project style guidelines
  • Self-reviewed my changes
  • Tests added/updated and passing
  • No new warnings introduced
  • I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

@vercel

vercel bot commented Feb 22, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment
Project: docs | Deployment: Skipped | Actions: Skipped | Updated (UTC): Feb 22, 2026 10:45pm


@waleedlatif1 waleedlatif1 changed the title fix(security): remove extraneous comments and fix failing SSRF test fix(security): allow HTTP for localhost and loopback addresses Feb 22, 2026
@greptile-apps
Contributor

greptile-apps bot commented Feb 22, 2026

Greptile Summary

Fixes failing SSRF test and removes extraneous comments per project style guidelines.

Changes

  • Updated SSRF test in route.test.ts to expect http://127.0.0.1:8080/admin to pass validation, aligning with the localhost exemption added in PR #3286 (fix(security): allow HTTP for localhost and loopback addresses)
  • Removed non-TSDoc inline comments from input-validation.ts and input-validation.server.ts per project style (global.mdc specifies "Use TSDoc for documentation. No non-TSDoc comments")
  • Retained useful inline labels like blocked port annotations and specific pattern comments for Airtable/AWS validation
  • All security logic remains intact - no weakening of SSRF protections

Test Coverage

Added comprehensive test cases for localhost exemption covering HTTP/HTTPS and IPv4/IPv6 loopback addresses (271 tests pass).

Confidence Score: 5/5

  • Safe to merge - clean style conformance with no security regressions
  • All changes are either test updates to match implemented behavior or comment removal for style consistency. No functional security logic was modified beyond what was already implemented in PR #3286 (fix(security): allow HTTP for localhost and loopback addresses). Test suite passes with 271 tests.
  • No files require special attention

Important Files Changed

Filename: Overview
apps/sim/app/api/function/execute/route.test.ts: Updated SSRF test assertion to reflect localhost exemption; test now expects http://127.0.0.1:8080/admin to be allowed per PR #3286
apps/sim/lib/core/security/input-validation.server.ts: Implements localhost detection logic with IPv6 bracket handling, removes extraneous comments per project style (TSDoc only)
apps/sim/lib/core/security/input-validation.test.ts: Added comprehensive test coverage for localhost/loopback exemption (HTTP + HTTPS, IPv4 + IPv6), updated existing tests to accept localhost
apps/sim/lib/core/security/input-validation.ts: Implements localhost exemption logic in validateExternalUrl, removes non-TSDoc comments per project style, preserves useful inline labels

Last reviewed commit: e298899
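The PR description and the Greptile summary above describe the behaviour but the page carries no code, so here is an added TypeScript example of the validation shape being discussed: HTTPS required for external hosts, HTTP tolerated only for localhost and loopback addresses, with the IPv6 bracket handling the summary mentions. This is illustrative code written for this page, not the project's validateExternalUrl from apps/sim/lib/core/security/input-validation.ts; the names isLoopbackHost, isBlockedIpv4 and validateExternalUrlExample are hypothetical, and the private-range blocklist is an assumption about what such an SSRF filter would still refuse, since the page does not list the project's rules.

```typescript
// Added example, not the project's code. Names are hypothetical; the blocklist
// in isBlockedIpv4 is an assumed set of ranges, not the project's list.

interface UrlValidationResult {
  isValid: boolean
  error?: string
}

const IPV4_RE = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/

/**
 * True when the hostname refers to the local machine: "localhost" (and
 * *.localhost), 127.0.0.0/8, ::1, and IPv4-mapped ::ffff:127.x.x.x forms.
 * URL.hostname keeps the square brackets around IPv6 literals ("[::1]"),
 * so they are stripped before comparison.
 */
function isLoopbackHost(hostname: string): boolean {
  const host =
    hostname.startsWith('[') && hostname.endsWith(']')
      ? hostname.slice(1, -1).toLowerCase()
      : hostname.toLowerCase()
  if (host === 'localhost' || host.endsWith('.localhost')) return true
  const v4 = IPV4_RE.exec(host)
  if (v4) return Number(v4[1]) === 127
  if (host === '::1') return true
  // Dotted IPv4-mapped form as a caller might pass it directly...
  const mappedDotted = /^::ffff:(\d{1,3})\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.exec(host)
  if (mappedDotted) return Number(mappedDotted[1]) === 127
  // ...and the hex form the WHATWG URL parser serialises it to (::ffff:7f00:1)
  return /^::ffff:7f[0-9a-f]{2}:[0-9a-f]{1,4}$/.test(host)
}

/**
 * Assumed SSRF blocklist: "this network", RFC 1918 private ranges and
 * link-local 169.254.0.0/16 (where cloud metadata endpoints live).
 */
function isBlockedIpv4(host: string): boolean {
  const m = IPV4_RE.exec(host)
  if (!m) return false
  const a = Number(m[1])
  const b = Number(m[2])
  return (
    a === 0 ||
    a === 10 ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) ||
    (a === 169 && b === 254)
  )
}

/**
 * Minimal external-URL check: HTTPS for any non-blocked host, HTTP only for
 * loopback. With allowLoopback=false (the pre-PR expectation the page
 * describes) loopback is treated as an SSRF target and refused outright.
 */
function validateExternalUrlExample(rawUrl: string, allowLoopback = true): UrlValidationResult {
  let parsed: URL
  try {
    parsed = new URL(rawUrl)
  } catch {
    return { isValid: false, error: 'Invalid URL' }
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') {
    return { isValid: false, error: `Unsupported protocol: ${parsed.protocol}` }
  }
  // The URL parser already normalises shorthand such as 127.1 to 127.0.0.1,
  // so the checks below run on the canonical host.
  const host = parsed.hostname
  if (isLoopbackHost(host)) {
    return allowLoopback
      ? { isValid: true }
      : { isValid: false, error: 'Loopback addresses are not allowed' }
  }
  if (isBlockedIpv4(host)) {
    return { isValid: false, error: 'Private or link-local addresses are not allowed' }
  }
  if (parsed.protocol !== 'https:') {
    return { isValid: false, error: 'Only HTTPS URLs are allowed for external hosts' }
  }
  return { isValid: true }
}

// Constructed sample inputs for a stand-alone run
const SAMPLE_URLS = [
  'http://127.0.0.1:8080/admin',
  'http://[::1]:3000/',
  'http://example.com/',
  'https://example.com/',
  'https://169.254.169.254/',
]
for (const url of SAMPLE_URLS) {
  console.log(url, validateExternalUrlExample(url))
}
```

The allowLoopback parameter is a design choice of this example: the PR description calls the exemption a local-development convenience, so the caller decides when it applies rather than the validator assuming it. Note also that the IPv6 checks run on the parser's canonical hostname; testing a raw string before parsing would miss the bracketed and hex-serialised forms.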

Contributor

@greptile-apps greptile-apps bot left a comment


4 files reviewed, no comments


@waleedlatif1
Collaborator Author

@cursor review

@waleedlatif1
Collaborator Author

@cursor review


@cursor cursor bot left a comment


✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR

@waleedlatif1 waleedlatif1 merged commit 996dc96 into staging Feb 22, 2026
12 checks passed
@waleedlatif1 waleedlatif1 deleted the fix/url-localhost-http branch February 22, 2026 22:58