fix(integrations): use write-only scope for vanta document submit and stream-cap document downloads

Author: waleedlatif1

apps/sim/app/api/tools/vanta/download/route.ts

@@ -28,6 +28,33 @@ function downloadSizeError(bytes: number): NextResponse {
   )
 }
 
+/**
+ * Reads a response body incrementally, aborting as soon as the accumulated
+ * size exceeds the limit so oversized files are never fully buffered.
+ * Returns null when the limit is exceeded.
+ */
+async function readBodyWithLimit(response: Response, maxBytes: number): Promise<Buffer | null> {
+  const reader = response.body?.getReader()
+  if (!reader) {
+    const buffer = Buffer.from(await response.arrayBuffer())
+    return buffer.length > maxBytes ? null : buffer
+  }
+
+  const chunks: Uint8Array[] = []
+  let total = 0
+  while (true) {
+    const { done, value } = await reader.read()
+    if (done) break
+    total += value.byteLength
+    if (total > maxBytes) {
+      await reader.cancel()
+      return null
+    }
+    chunks.push(value)
+  }
+  return Buffer.concat(chunks)
+}
+
 /**
  * Extracts the filename from a Content-Disposition header, if present.
  */
@@ -99,9 +126,12 @@ export const POST = withRouteHandler(async (request: NextRequest) => {
       return downloadSizeError(contentLength)
     }
 
-    const buffer = Buffer.from(await response.arrayBuffer())
-    if (buffer.length > MAX_DOWNLOAD_SIZE_BYTES) {
-      return downloadSizeError(buffer.length)
+    const buffer = await readBodyWithLimit(response, MAX_DOWNLOAD_SIZE_BYTES)
+    if (buffer === null) {
+      return NextResponse.json(
+        { success: false, error: 'File exceeds download limit of 100MB' },
+        { status: 400 }
+      )
     }
 
     const mimeType = response.headers.get('content-type') || 'application/octet-stream'

apps/sim/app/api/tools/vanta/query/route.ts

@@ -32,8 +32,8 @@ import {
   normalizeVantaVulnerabilityRemediation,
   normalizeVantaVulnerableAsset,
   splitVantaCommaList,
-  VANTA_DOCUMENT_UPLOAD_SCOPE,
   VANTA_READ_SCOPE,
+  VANTA_WRITE_SCOPE,
 } from '@/tools/vanta/utils'
 
 export const dynamic = 'force-dynamic'
@@ -382,7 +382,7 @@ export const POST = withRouteHandler(async (request: NextRequest) => {
 
     const baseUrl = getVantaBaseUrl(params.region)
     const scope =
-      params.operation === 'vanta_submit_document' ? VANTA_DOCUMENT_UPLOAD_SCOPE : VANTA_READ_SCOPE
+      params.operation === 'vanta_submit_document' ? VANTA_WRITE_SCOPE : VANTA_READ_SCOPE
     const accessToken = await getVantaAccessToken({
       clientId: params.clientId,
       clientSecret: params.clientSecret,

apps/sim/tools/vanta/utils.ts

@@ -35,6 +35,9 @@ export const VANTA_API_BASE_URLS: Record<VantaRegion, string> = {
 /** Read-only scope used by every query and download operation. */
 export const VANTA_READ_SCOPE = 'vanta-api.all:read'
 
+/** Read-write scope used by write operations that do not upload files. */
+export const VANTA_WRITE_SCOPE = 'vanta-api.all:read vanta-api.all:write'
+
 /**
  * Scope string for document evidence uploads, taken verbatim from Vanta's
  * "Upload a document" guide (the upload scope cannot be requested alone).