Skip to content

fix(confluence): add input validation for SSRF-flagged parameters#3351

Merged
waleedlatif1 merged 1 commit intostagingfrom
waleedlatif1/tool-input-validation
Feb 26, 2026
Merged

fix(confluence): add input validation for SSRF-flagged parameters#3351
waleedlatif1 merged 1 commit intostagingfrom
waleedlatif1/tool-input-validation

Conversation

@waleedlatif1
Copy link
Collaborator

@waleedlatif1 waleedlatif1 commented Feb 26, 2026

Summary

  • Add validatePaginationCursor utility to input-validation for opaque cursor tokens
  • Validate cursor param in page-descendants, page-versions, space-permissions, space-properties, and tasks routes
  • Validate versionNumber with validateNumericId in page-versions route
  • Validate pageId, spaceId, assignedTo query params in tasks list endpoint
  • Use encodeURIComponent for propertyId in space-properties delete path
  • Fix accountId pattern to match official Atlassian format (^[a-zA-Z0-9_|:-]{1,128}$) in user and tasks routes

Type of Change

  • Bug fix

Testing

Tested manually

Checklist

  • Code follows project style guidelines
  • Self-reviewed my changes
  • Tests added/updated and passing
  • No new warnings introduced
  • I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

@vercel
Copy link

vercel bot commented Feb 26, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment
Project Deployment Actions Updated (UTC)
docs Skipped Skipped Feb 26, 2026 7:24am

Request Review

@greptile-apps
Copy link
Contributor

greptile-apps bot commented Feb 26, 2026

Greptile Summary

This PR adds comprehensive input validation to prevent SSRF (Server-Side Request Forgery) vulnerabilities in Confluence API endpoints. The changes introduce a new validatePaginationCursor utility and apply validation to previously unvalidated parameters.

Key Security Improvements:

  • Validates pagination cursor tokens to prevent URL manipulation attacks
  • Validates numeric version IDs with range constraints
  • Validates Atlassian account IDs with updated pattern matching (now supports _ and | characters per official spec)
  • Adds proper URL encoding for path segments (e.g., propertyId in delete operations)
  • Validates query parameters (pageId, spaceId, assignedTo) in task listing endpoint

Implementation Quality:

  • Consistent error handling with 400 status codes for validation failures
  • Proper use of existing validation utilities (validateAlphanumericId, validateNumericId, validatePathSegment)
  • Defensive programming with encodeURIComponent for user-controlled path segments
  • URLSearchParams automatically handles query parameter encoding

Note: Tests were not added/updated per the PR checklist, which would be beneficial for security-critical validation logic to prevent regressions.

Confidence Score: 5/5

  • This PR is safe to merge with minimal risk - it adds important security protections without changing existing functionality
  • Score reflects well-implemented input validation following established patterns, proper error handling, and defensive security practices. The changes are focused on preventing SSRF attacks through strict parameter validation. All validation patterns are appropriate for their use cases and align with Atlassian API specifications. The only minor concern is missing test coverage, but the implementation quality is high.
  • No files require special attention - all changes follow consistent security patterns

Important Files Changed

Filename Overview
apps/sim/lib/core/security/input-validation.ts Added validatePaginationCursor utility for validating opaque cursor tokens with proper pattern matching and length constraints
apps/sim/app/api/tools/confluence/page-descendants/route.ts Added cursor validation before appending to query parameters to prevent SSRF attacks
apps/sim/app/api/tools/confluence/page-versions/route.ts Added cursor and versionNumber validation with proper sanitization before URL construction
apps/sim/app/api/tools/confluence/space-permissions/route.ts Added cursor validation before appending to query parameters
apps/sim/app/api/tools/confluence/space-properties/route.ts Added cursor validation and encodeURIComponent for propertyId in delete path to prevent URL injection
apps/sim/app/api/tools/confluence/tasks/route.ts Added comprehensive validation for cursor, pageId, spaceId, and assignedTo query parameters
apps/sim/app/api/tools/confluence/user/route.ts Updated accountId pattern to include underscore and pipe characters, reduced maxLength from 255 to 128 per Atlassian spec

Last reviewed commit: eb8acdb

greptile-apps[bot]
greptile-apps bot reviewed Feb 26, 2026
View reviewed changes
Copy link
Contributor

@greptile-apps greptile-apps bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

7 files reviewed, no comments

Edit Code Review Agent Settings | Greptile

@waleedlatif1 waleedlatif1 mentioned this pull request Feb 26, 2026
Draft
@waleedlatif1 waleedlatif1 merged commit fbafe20 into staging Feb 26, 2026
12 checks passed
@waleedlatif1 waleedlatif1 deleted the waleedlatif1/tool-input-validation branch February 26, 2026 07:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@greptile-apps greptile-apps[bot] greptile-apps[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@waleedlatif1