
Commit d1fd2cb

committed
Fix Promise.allSettled error handling and path traversal vulnerability
- Add explicit check for rejected chatResult status in mothership chat API to prevent silent error swallowing and operations on invalid chats - Add endpoint parameter validation in admin mothership proxy to prevent path traversal attacks (restrict to alphanumeric, underscore, hyphen)
1 parent 949601c commit d1fd2cb


2 files changed

+16
-0
lines changed


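--- a/apps/sim/app/api/admin/mothership/route.ts
+++ b/apps/sim/app/api/admin/mothership/route.ts
@@ -41,6 +41,10 @@ export async function POST(req: NextRequest) {
 return NextResponse.json({ error: 'endpoint query param required' }, { status: 400 })
 }
 
+if (!/^[a-zA-Z0-9_-]+$/.test(endpoint)) {
+return NextResponse.json({ error: 'Invalid endpoint parameter' }, { status: 400 })
+}
+
 const baseUrl = getMothershipUrl(environment)
 if (!baseUrl) {
 return NextResponse.json(
@@ -93,6 +97,10 @@ export async function GET(req: NextRequest) {
 return NextResponse.json({ error: 'endpoint query param required' }, { status: 400 })
 }
 
+if (!/^[a-zA-Z0-9_-]+$/.test(endpoint)) {
+return NextResponse.json({ error: 'Invalid endpoint parameter' }, { status: 400 })
+}
+
 const baseUrl = getMothershipUrl(environment)
 if (!baseUrl) {
 return NextResponse.json(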
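Review bot: The validation regex on new lines 44 and 100 is written out twice, once in POST and once in GET, so the two handlers can drift apart the next time the accepted shape changes; hoisting it to one module-level constant such as `const ENDPOINT_PATTERN = /^[a-zA-Z0-9_-]+$/` and testing against that in both places keeps them in step. The character class excludes `/`, `.`, `%` and the query and fragment characters, so traversal and query injection into the proxied URL are closed as far as this hunk shows, but the line that joins `endpoint` to `baseUrl` is outside the hunk and should be confirmed to use the validated value only. The pattern puts no bound on length, so a quantifier like `{1,64}` would also stop oversized values reaching the upstream request, and if the set of proxied endpoints is small a fixed allowlist of names would be stricter than a character class. Both POST and GET begin and end outside the hunk.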

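--- a/apps/sim/app/api/mothership/chat/route.ts
+++ b/apps/sim/app/api/mothership/chat/route.ts
@@ -142,6 +142,14 @@ export async function POST(req: NextRequest) {
 return NextResponse.json({ error: 'Workspace not found or access denied' }, { status: 403 })
 }
 
+if (chatResult.status === 'rejected') {
+logger.error(`[${tracker.requestId}] Failed to resolve chat`, {
+chatId,
+error: chatResult.reason instanceof Error ? chatResult.reason.message : 'Unknown error',
+})
+return NextResponse.json({ error: 'Failed to resolve chat' }, { status: 500 })
+}
+
 let currentChat: any = null
 let conversationHistory: any[] = []
 let actualChatId = chatId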
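Review bot: The log entry on new line 148 discards the rejection value whenever it is not an `Error` instance, replacing it with the fixed string `'Unknown error'`, which makes a non-Error rejection (a thrown string, or an object from a library) impossible to diagnose from the log; `error: chatResult.reason instanceof Error ? chatResult.reason.message : String(chatResult.reason)` keeps the actual value while still avoiding a stack dump in the response. The guard itself is placed correctly after the workspace access check and narrows `chatResult` to the fulfilled branch for the code that follows, so the later reads of its value are safe. The commit message says `chatResult` comes from `Promise.allSettled`; that call and any sibling results it produces are outside the hunk, so whether the other settled results get the same rejected-status check cannot be seen here. The enclosing POST handler begins and ends outside the hunk.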
