fix(uploads): match internal file marker in URL path only

waleedlatif1 · waleedlatif1 · commit 9f47c1487cd3 · 2026-06-15T12:02:04.000-07:00
isInternalFileUrl matched the /api/files/serve/ substring anywhere in the
string, so a crafted URL could carry it in a query string or fragment and
skip DNS/SSRF validation. Match it in the path component only.

The raw path is checked without URL normalization on purpose: the files
parse route relies on traversal sequences surviving this check (an absolute
https://host/api/files/serve/../.. URL must classify as internal so the '..'
check rejects it, rather than being normalized to /etc/... and waved through
as external). Host is intentionally not gated — cross-tenant reads are
prevented at the storage sink by verifyFileAccess, and host-allowlisting
would break self-hosted/multi-domain deployments. Adds unit tests.
diff --git a/apps/sim/lib/uploads/utils/file-utils.test.ts b/apps/sim/lib/uploads/utils/file-utils.test.ts
@@ -2,7 +2,42 @@
  * @vitest-environment node
  */
 import { describe, expect, it } from 'vitest'
-import { isAbortError, isNetworkError } from '@/lib/uploads/utils/file-utils'
+import { isAbortError, isInternalFileUrl, isNetworkError } from '@/lib/uploads/utils/file-utils'
+
+describe('isInternalFileUrl', () => {
+  it('classifies relative serve paths as internal', () => {
+    expect(isInternalFileUrl('/api/files/serve/kb/123-file.pdf')).toBe(true)
+    expect(isInternalFileUrl('/api/files/serve/workspace/ws-1/file.txt?context=workspace')).toBe(
+      true
+    )
+  })
+
+  it('classifies absolute serve URLs as internal regardless of host', () => {
+    expect(isInternalFileUrl('https://www.sim.ai/api/files/serve/kb/x.pdf')).toBe(true)
+    expect(isInternalFileUrl('http://localhost:3000/api/files/serve/blob/kb/x')).toBe(true)
+    // Host is not used to gate (self-hosted/multi-domain); the storage sink authorizes.
+    expect(isInternalFileUrl('https://other-host/api/files/serve/workspace/v/x')).toBe(true)
+  })
+
+  it('does not match the marker outside the path (query/fragment)', () => {
+    expect(isInternalFileUrl('https://evil.com/x?next=/api/files/serve/secret')).toBe(false)
+    expect(isInternalFileUrl('https://evil.com/page#/api/files/serve/secret')).toBe(false)
+    expect(isInternalFileUrl('https://evil.com/redirect?u=/api/files/serve/kb/x')).toBe(false)
+  })
+
+  it('preserves traversal sequences so they survive downstream rejection', () => {
+    // Must stay internal (not normalized away) so the parse route applies its `..` check.
+    expect(isInternalFileUrl('https://attacker.com/api/files/serve/../../../etc/passwd')).toBe(true)
+    expect(isInternalFileUrl('/api/files/serve/../../app.js')).toBe(true)
+  })
+
+  it('returns false for non-internal and non-string inputs', () => {
+    expect(isInternalFileUrl('https://example.com/file.pdf')).toBe(false)
+    expect(isInternalFileUrl('data:text/plain;base64,abc')).toBe(false)
+    // @ts-expect-error verifying runtime guard
+    expect(isInternalFileUrl(undefined)).toBe(false)
+  })
+})
 
 describe('isAbortError', () => {
   it('returns true for AbortError-named errors', () => {
diff --git a/apps/sim/lib/uploads/utils/file-utils.ts b/apps/sim/lib/uploads/utils/file-utils.ts
@@ -534,10 +534,33 @@ export function extractStorageKey(filePath: string): string {
 }
 
 /**
- * Check if a URL is an internal file serve URL
+ * Whether a URL targets the internal file-serve endpoint (`/api/files/serve/`).
+ *
+ * The marker is matched only in the URL's path component, so it cannot be
+ * smuggled through a query string or fragment (e.g.
+ * `https://evil.com/x?next=/api/files/serve/...`) to skip DNS/SSRF validation.
+ *
+ * The raw path is inspected without URL normalization on purpose: callers such
+ * as the files parse route rely on traversal sequences (`..`) surviving this
+ * check so they are rejected downstream rather than collapsed away. A path-only
+ * marker still classifies any host as internal (e.g.
+ * `https://other-host/api/files/serve/<key>`); cross-tenant reads are prevented
+ * at the storage sink by {@link verifyFileAccess}, not by host matching, which
+ * would break self-hosted and multi-domain deployments.
  */
 export function isInternalFileUrl(fileUrl: string): boolean {
-  return fileUrl.includes('/api/files/serve/')
+  if (typeof fileUrl !== 'string') {
+    return false
+  }
+
+  let path = fileUrl
+  const scheme = /^[a-z][a-z0-9+.-]*:\/\/[^/?#]*/i.exec(path)
+  if (scheme) {
+    path = path.slice(scheme[0].length)
+  }
+  path = path.split(/[?#]/, 1)[0]
+
+  return path.startsWith('/api/files/serve/')
 }
 
 /**
