fix(jsm): validate Assets workspaceId and honor last pagination flag

waleedlatif1 · waleedlatif1 · commit 5539c1beca18 · 2026-06-15T16:07:49.000-07:00
Address review findings on the Assets tools:
- Add validateAssetsWorkspaceId and guard the workspaceId in every Assets
  route before it is interpolated into the API path (mirrors the existing
  cloudId guard) — prevents a crafted workspaceId from escaping the
  workspace-scoped path
- Object schema list now falls back to the `last` flag when `isLast` is
  absent, so pagination doesn't stop early
diff --git a/apps/sim/app/api/tools/jsm/assets/attributes/route.ts b/apps/sim/app/api/tools/jsm/assets/attributes/route.ts
@@ -4,7 +4,10 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { jsmObjectTypeAttributesContract } from '@/lib/api/contracts/selectors/jsm'
 import { parseRequest } from '@/lib/api/server'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
-import { validateJiraCloudId } from '@/lib/core/security/input-validation'
+import {
+  validateAssetsWorkspaceId,
+  validateJiraCloudId,
+} from '@/lib/core/security/input-validation'
 import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
 import { parseAtlassianErrorMessage } from '@/tools/jira/utils'
 import { getAssetsApiBaseUrl, getJsmHeaders, resolveAssetsContext } from '@/tools/jsm/utils'
@@ -45,6 +48,11 @@ export const POST = withRouteHandler(async (request: NextRequest) => {
       return NextResponse.json({ error: cloudIdValidation.error }, { status: 400 })
     }
 
+    const workspaceIdValidation = validateAssetsWorkspaceId(workspaceId, 'workspaceId')
+    if (!workspaceIdValidation.isValid) {
+      return NextResponse.json({ error: workspaceIdValidation.error }, { status: 400 })
+    }
+
     const query = new URLSearchParams()
     if (onlyValueEditable !== undefined) {
       query.append('onlyValueEditable', String(onlyValueEditable))
diff --git a/apps/sim/app/api/tools/jsm/assets/object-types/route.ts b/apps/sim/app/api/tools/jsm/assets/object-types/route.ts
@@ -4,7 +4,10 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { jsmListObjectTypesContract } from '@/lib/api/contracts/selectors/jsm'
 import { parseRequest } from '@/lib/api/server'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
-import { validateJiraCloudId } from '@/lib/core/security/input-validation'
+import {
+  validateAssetsWorkspaceId,
+  validateJiraCloudId,
+} from '@/lib/core/security/input-validation'
 import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
 import { parseAtlassianErrorMessage } from '@/tools/jira/utils'
 import { getAssetsApiBaseUrl, getJsmHeaders, resolveAssetsContext } from '@/tools/jsm/utils'
@@ -44,6 +47,11 @@ export const POST = withRouteHandler(async (request: NextRequest) => {
       return NextResponse.json({ error: cloudIdValidation.error }, { status: 400 })
     }
 
+    const workspaceIdValidation = validateAssetsWorkspaceId(workspaceId, 'workspaceId')
+    if (!workspaceIdValidation.isValid) {
+      return NextResponse.json({ error: workspaceIdValidation.error }, { status: 400 })
+    }
+
     const query = new URLSearchParams()
     if (excludeAbstract !== undefined) query.append('excludeAbstract', String(excludeAbstract))
 
diff --git a/apps/sim/app/api/tools/jsm/assets/object/create/route.ts b/apps/sim/app/api/tools/jsm/assets/object/create/route.ts
@@ -4,7 +4,10 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { jsmCreateObjectContract } from '@/lib/api/contracts/selectors/jsm'
 import { parseRequest } from '@/lib/api/server'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
-import { validateJiraCloudId } from '@/lib/core/security/input-validation'
+import {
+  validateAssetsWorkspaceId,
+  validateJiraCloudId,
+} from '@/lib/core/security/input-validation'
 import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
 import { parseAtlassianErrorMessage } from '@/tools/jira/utils'
 import {
@@ -49,6 +52,11 @@ export const POST = withRouteHandler(async (request: NextRequest) => {
       return NextResponse.json({ error: cloudIdValidation.error }, { status: 400 })
     }
 
+    const workspaceIdValidation = validateAssetsWorkspaceId(workspaceId, 'workspaceId')
+    if (!workspaceIdValidation.isValid) {
+      return NextResponse.json({ error: workspaceIdValidation.error }, { status: 400 })
+    }
+
     const url = `${getAssetsApiBaseUrl(cloudId, workspaceId)}/object/create`
 
     const response = await fetch(url, {
diff --git a/apps/sim/app/api/tools/jsm/assets/object/delete/route.ts b/apps/sim/app/api/tools/jsm/assets/object/delete/route.ts
@@ -4,7 +4,10 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { jsmDeleteObjectContract } from '@/lib/api/contracts/selectors/jsm'
 import { parseRequest } from '@/lib/api/server'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
-import { validateJiraCloudId } from '@/lib/core/security/input-validation'
+import {
+  validateAssetsWorkspaceId,
+  validateJiraCloudId,
+} from '@/lib/core/security/input-validation'
 import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
 import { parseAtlassianErrorMessage } from '@/tools/jira/utils'
 import { getAssetsApiBaseUrl, getJsmHeaders, resolveAssetsContext } from '@/tools/jsm/utils'
@@ -43,6 +46,11 @@ export const POST = withRouteHandler(async (request: NextRequest) => {
       return NextResponse.json({ error: cloudIdValidation.error }, { status: 400 })
     }
 
+    const workspaceIdValidation = validateAssetsWorkspaceId(workspaceId, 'workspaceId')
+    if (!workspaceIdValidation.isValid) {
+      return NextResponse.json({ error: workspaceIdValidation.error }, { status: 400 })
+    }
+
     const url = `${getAssetsApiBaseUrl(cloudId, workspaceId)}/object/${encodeURIComponent(objectId)}`
 
     const response = await fetch(url, { method: 'DELETE', headers: getJsmHeaders(accessToken) })
diff --git a/apps/sim/app/api/tools/jsm/assets/object/get/route.ts b/apps/sim/app/api/tools/jsm/assets/object/get/route.ts
@@ -4,7 +4,10 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { jsmGetObjectContract } from '@/lib/api/contracts/selectors/jsm'
 import { parseRequest } from '@/lib/api/server'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
-import { validateJiraCloudId } from '@/lib/core/security/input-validation'
+import {
+  validateAssetsWorkspaceId,
+  validateJiraCloudId,
+} from '@/lib/core/security/input-validation'
 import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
 import { parseAtlassianErrorMessage } from '@/tools/jira/utils'
 import {
@@ -48,6 +51,11 @@ export const POST = withRouteHandler(async (request: NextRequest) => {
       return NextResponse.json({ error: cloudIdValidation.error }, { status: 400 })
     }
 
+    const workspaceIdValidation = validateAssetsWorkspaceId(workspaceId, 'workspaceId')
+    if (!workspaceIdValidation.isValid) {
+      return NextResponse.json({ error: workspaceIdValidation.error }, { status: 400 })
+    }
+
     const url = `${getAssetsApiBaseUrl(cloudId, workspaceId)}/object/${encodeURIComponent(objectId)}`
 
     const response = await fetch(url, { method: 'GET', headers: getJsmHeaders(accessToken) })
diff --git a/apps/sim/app/api/tools/jsm/assets/object/update/route.ts b/apps/sim/app/api/tools/jsm/assets/object/update/route.ts
@@ -4,7 +4,10 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { jsmUpdateObjectContract } from '@/lib/api/contracts/selectors/jsm'
 import { parseRequest } from '@/lib/api/server'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
-import { validateJiraCloudId } from '@/lib/core/security/input-validation'
+import {
+  validateAssetsWorkspaceId,
+  validateJiraCloudId,
+} from '@/lib/core/security/input-validation'
 import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
 import { parseAtlassianErrorMessage } from '@/tools/jira/utils'
 import {
@@ -50,6 +53,11 @@ export const POST = withRouteHandler(async (request: NextRequest) => {
       return NextResponse.json({ error: cloudIdValidation.error }, { status: 400 })
     }
 
+    const workspaceIdValidation = validateAssetsWorkspaceId(workspaceId, 'workspaceId')
+    if (!workspaceIdValidation.isValid) {
+      return NextResponse.json({ error: workspaceIdValidation.error }, { status: 400 })
+    }
+
     const url = `${getAssetsApiBaseUrl(cloudId, workspaceId)}/object/${encodeURIComponent(objectId)}`
 
     const body: Record<string, unknown> = { attributes }
diff --git a/apps/sim/app/api/tools/jsm/assets/schema/route.ts b/apps/sim/app/api/tools/jsm/assets/schema/route.ts
@@ -4,7 +4,10 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { jsmGetObjectSchemaContract } from '@/lib/api/contracts/selectors/jsm'
 import { parseRequest } from '@/lib/api/server'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
-import { validateJiraCloudId } from '@/lib/core/security/input-validation'
+import {
+  validateAssetsWorkspaceId,
+  validateJiraCloudId,
+} from '@/lib/core/security/input-validation'
 import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
 import { parseAtlassianErrorMessage } from '@/tools/jira/utils'
 import { getAssetsApiBaseUrl, getJsmHeaders, resolveAssetsContext } from '@/tools/jsm/utils'
@@ -43,6 +46,11 @@ export const POST = withRouteHandler(async (request: NextRequest) => {
       return NextResponse.json({ error: cloudIdValidation.error }, { status: 400 })
     }
 
+    const workspaceIdValidation = validateAssetsWorkspaceId(workspaceId, 'workspaceId')
+    if (!workspaceIdValidation.isValid) {
+      return NextResponse.json({ error: workspaceIdValidation.error }, { status: 400 })
+    }
+
     const url = `${getAssetsApiBaseUrl(cloudId, workspaceId)}/objectschema/${encodeURIComponent(schemaId)}`
 
     const response = await fetch(url, { method: 'GET', headers: getJsmHeaders(accessToken) })
diff --git a/apps/sim/app/api/tools/jsm/assets/schemas/route.ts b/apps/sim/app/api/tools/jsm/assets/schemas/route.ts
@@ -4,7 +4,10 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { jsmListObjectSchemasContract } from '@/lib/api/contracts/selectors/jsm'
 import { parseRequest } from '@/lib/api/server'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
-import { validateJiraCloudId } from '@/lib/core/security/input-validation'
+import {
+  validateAssetsWorkspaceId,
+  validateJiraCloudId,
+} from '@/lib/core/security/input-validation'
 import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
 import { parseAtlassianErrorMessage } from '@/tools/jira/utils'
 import { getAssetsApiBaseUrl, getJsmHeaders, resolveAssetsContext } from '@/tools/jsm/utils'
@@ -45,6 +48,11 @@ export const POST = withRouteHandler(async (request: NextRequest) => {
       return NextResponse.json({ error: cloudIdValidation.error }, { status: 400 })
     }
 
+    const workspaceIdValidation = validateAssetsWorkspaceId(workspaceId, 'workspaceId')
+    if (!workspaceIdValidation.isValid) {
+      return NextResponse.json({ error: workspaceIdValidation.error }, { status: 400 })
+    }
+
     const query = new URLSearchParams()
     if (startAt !== undefined) query.append('startAt', String(startAt))
     if (maxResults !== undefined) query.append('maxResults', String(maxResults))
@@ -76,7 +84,7 @@ export const POST = withRouteHandler(async (request: NextRequest) => {
         ts: new Date().toISOString(),
         schemas: data.values ?? [],
         total: data.total ?? (data.values?.length || 0),
-        isLast: data.isLast ?? true,
+        isLast: data.isLast ?? data.last ?? true,
       },
     })
   } catch (error) {
diff --git a/apps/sim/app/api/tools/jsm/assets/search/route.ts b/apps/sim/app/api/tools/jsm/assets/search/route.ts
@@ -4,7 +4,10 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { jsmSearchObjectsAqlContract } from '@/lib/api/contracts/selectors/jsm'
 import { parseRequest } from '@/lib/api/server'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
-import { validateJiraCloudId } from '@/lib/core/security/input-validation'
+import {
+  validateAssetsWorkspaceId,
+  validateJiraCloudId,
+} from '@/lib/core/security/input-validation'
 import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
 import { parseAtlassianErrorMessage } from '@/tools/jira/utils'
 import {
@@ -60,6 +63,11 @@ export const POST = withRouteHandler(async (request: NextRequest) => {
       return NextResponse.json({ error: cloudIdValidation.error }, { status: 400 })
     }
 
+    const workspaceIdValidation = validateAssetsWorkspaceId(workspaceId, 'workspaceId')
+    if (!workspaceIdValidation.isValid) {
+      return NextResponse.json({ error: workspaceIdValidation.error }, { status: 400 })
+    }
+
     const includeAttrs =
       includeAttributes === undefined ? true : String(includeAttributes) === 'true'
 
diff --git a/apps/sim/lib/core/security/input-validation.ts b/apps/sim/lib/core/security/input-validation.ts
@@ -627,6 +627,27 @@ export function validateJiraCloudId(
   })
 }
 
+/**
+ * Validates an Atlassian Assets workspace ID (a UUID-shaped, hyphenated
+ * alphanumeric identifier) before it is interpolated into an API path.
+ *
+ * @param value - The Assets workspace ID to validate
+ * @param paramName - Name of the parameter for error messages
+ * @returns ValidationResult
+ */
+export function validateAssetsWorkspaceId(
+  value: string | null | undefined,
+  paramName = 'workspaceId'
+): ValidationResult {
+  return validatePathSegment(value, {
+    paramName,
+    allowHyphens: true,
+    allowUnderscores: false,
+    allowDots: false,
+    maxLength: 100,
+  })
+}
+
 /**
  * Validates Jira issue keys (format: PROJECT-123 or PROJECT-KEY-123)
  *
