fix(security): harden SSO domain registration, webhook path isolation, and CSV export

apps/sim/app/api/auth/sso/register/route.test.ts

@@ -0,0 +1,196 @@
+/**
+ * @vitest-environment node
+ */
+import { createEnvMock, createMockRequest } from '@sim/testing'
+import { beforeEach, describe, expect, it, vi } from 'vitest'
+
+const {
+  mockGetSession,
+  mockRegisterSSOProvider,
+  mockHasSSOAccess,
+  mockValidateUrlWithDNS,
+  dbState,
+  memberTable,
+  ssoProviderTable,
+} = vi.hoisted(() => ({
+  mockGetSession: vi.fn(),
+  mockRegisterSSOProvider: vi.fn(),
+  mockHasSSOAccess: vi.fn(),
+  mockValidateUrlWithDNS: vi.fn(),
+  dbState: { members: [] as any[], providers: [] as any[] },
+  memberTable: {
+    userId: 'member.userId',
+    organizationId: 'member.organizationId',
+    role: 'member.role',
+  },
+  ssoProviderTable: {
+    id: 'sso.id',
+    providerId: 'sso.providerId',
+    domain: 'sso.domain',
+    issuer: 'sso.issuer',
+    userId: 'sso.userId',
+    organizationId: 'sso.organizationId',
+    oidcConfig: 'sso.oidcConfig',
+    samlConfig: 'sso.samlConfig',
+  },
+}))
+
+function makeBuilder(rows: any[]): any {
+  const thenable: any = Promise.resolve(rows)
+  thenable.where = (condition: any) => {
+    const values = condition?.values
+    if (Array.isArray(values) && values.length > 0) {
+      const target = String(values[values.length - 1]).toLowerCase()
+      return makeBuilder(rows.filter((r) => String(r.domain ?? '').toLowerCase() === target))
+    }
+    return makeBuilder(rows)
+  }
+  thenable.limit = () => Promise.resolve(rows)
+  thenable.orderBy = () => Promise.resolve(rows)
+  return thenable
+}
+
+vi.mock('@sim/db', () => ({
+  db: {
+    select: () => ({
+      from: (table: unknown) =>
+        makeBuilder(table === memberTable ? dbState.members : dbState.providers),
+    }),
+  },
+  member: memberTable,
+  ssoProvider: ssoProviderTable,
+}))
+
+vi.mock('@/lib/auth', () => ({
+  getSession: mockGetSession,
+  auth: { api: { registerSSOProvider: mockRegisterSSOProvider } },
+}))
+
+vi.mock('@/lib/billing', () => ({
+  hasSSOAccess: mockHasSSOAccess,
+}))
+
+vi.mock('@/lib/auth/sso/domain', () => ({
+  normalizeSSODomain: (input: unknown): string | null => {
+    if (typeof input !== 'string') return null
+    const value = input.trim().toLowerCase()
+    return /^[a-z0-9-]+(\.[a-z0-9-]+)+$/.test(value) ? value : null
+  },
+}))
+
+vi.mock('@/lib/core/security/input-validation.server', () => ({
+  validateUrlWithDNS: mockValidateUrlWithDNS,
+  secureFetchWithPinnedIP: vi.fn(),
+}))
+
+vi.mock('@/lib/core/config/env', () => createEnvMock({ SSO_ENABLED: 'true' }))
+
+import { POST } from '@/app/api/auth/sso/register/route'
+
+const OIDC_BODY = {
+  providerType: 'oidc' as const,
+  providerId: 'acme-oidc',
+  issuer: 'https://idp.acme.com',
+  domain: 'acme.com',
+  clientId: 'client-id',
+  clientSecret: 'client-secret',
+  authorizationEndpoint: 'https://idp.acme.com/authorize',
+  tokenEndpoint: 'https://idp.acme.com/token',
+  userInfoEndpoint: 'https://idp.acme.com/userinfo',
+  jwksEndpoint: 'https://idp.acme.com/jwks',
+}
+
+function request(body: Record<string, unknown>) {
+  return createMockRequest('POST', body)
+}
+
+describe('POST /api/auth/sso/register', () => {
+  beforeEach(() => {
+    vi.clearAllMocks()
+    dbState.members = []
+    dbState.providers = []
+    mockGetSession.mockResolvedValue({ user: { id: 'u1' } })
+    mockHasSSOAccess.mockResolvedValue(true)
+    mockValidateUrlWithDNS.mockResolvedValue({ isValid: true, resolvedIP: '1.2.3.4' })
+    mockRegisterSSOProvider.mockResolvedValue({ providerId: 'acme-oidc' })
+  })
+
+  it('rejects callers without an Enterprise plan', async () => {
+    mockHasSSOAccess.mockResolvedValue(false)
+    const res = await POST(request({ ...OIDC_BODY, orgId: 'org1' }))
+    expect(res.status).toBe(403)
+    expect(mockRegisterSSOProvider).not.toHaveBeenCalled()
+  })
+
+  it('rejects callers who are not an admin/owner of the target org', async () => {
+    dbState.members = [{ organizationId: 'org1', role: 'member' }]
+    const res = await POST(request({ ...OIDC_BODY, orgId: 'org1' }))
+    expect(res.status).toBe(403)
+    expect(mockRegisterSSOProvider).not.toHaveBeenCalled()
+  })
+
+  it('rejects an invalid domain', async () => {
+    dbState.members = [{ organizationId: 'org1', role: 'owner' }]
+    const res = await POST(request({ ...OIDC_BODY, domain: 'not-a-domain', orgId: 'org1' }))
+    expect(res.status).toBe(400)
+    expect(mockRegisterSSOProvider).not.toHaveBeenCalled()
+  })
+
+  it('rejects a domain already registered by another organization', async () => {
+    dbState.members = [{ organizationId: 'org-attacker', role: 'owner' }]
+    dbState.providers = [{ domain: 'acme.com', userId: 'u-victim', organizationId: 'org-victim' }]
+    const res = await POST(request({ ...OIDC_BODY, orgId: 'org-attacker' }))
+    const json = await res.json()
+    expect(res.status).toBe(409)
+    expect(json.code).toBe('SSO_DOMAIN_ALREADY_REGISTERED')
+    expect(mockRegisterSSOProvider).not.toHaveBeenCalled()
+  })
+
+  it('matches conflicts across casing variants', async () => {
+    dbState.members = [{ organizationId: 'org-attacker', role: 'owner' }]
+    dbState.providers = [{ domain: 'ACME.com', userId: 'u-victim', organizationId: 'org-victim' }]
+    const res = await POST(request({ ...OIDC_BODY, orgId: 'org-attacker' }))
+    expect(res.status).toBe(409)
+    expect(mockRegisterSSOProvider).not.toHaveBeenCalled()
+  })
+
+  it('registers when the domain is unclaimed', async () => {
+    dbState.members = [{ organizationId: 'org1', role: 'owner' }]
+    const res = await POST(request({ ...OIDC_BODY, orgId: 'org1' }))
+    expect(res.status).toBe(200)
+    expect(mockRegisterSSOProvider).toHaveBeenCalledTimes(1)
+  })
+
+  it('allows the owning tenant to update its own provider for the same domain', async () => {
+    dbState.members = [{ organizationId: 'org1', role: 'owner' }]
+    dbState.providers = [{ domain: 'acme.com', userId: 'u1', organizationId: 'org1' }]
+    const res = await POST(request({ ...OIDC_BODY, orgId: 'org1' }))
+    expect(res.status).toBe(200)
+    expect(mockRegisterSSOProvider).toHaveBeenCalledTimes(1)
+  })
+
+  it('lets an org admin adopt their own user-scoped provider for the same domain', async () => {
+    dbState.members = [{ organizationId: 'org1', role: 'owner' }]
+    dbState.providers = [{ domain: 'acme.com', userId: 'u1', organizationId: null }]
+    const res = await POST(request({ ...OIDC_BODY, orgId: 'org1' }))
+    expect(res.status).toBe(200)
+    expect(mockRegisterSSOProvider).toHaveBeenCalledTimes(1)
+  })
+
+  it("still blocks an org admin from claiming another user's user-scoped domain", async () => {
+    dbState.members = [{ organizationId: 'org1', role: 'owner' }]
+    dbState.providers = [{ domain: 'acme.com', userId: 'someone-else', organizationId: null }]
+    const res = await POST(request({ ...OIDC_BODY, orgId: 'org1' }))
+    expect(res.status).toBe(409)
+    expect(mockRegisterSSOProvider).not.toHaveBeenCalled()
+  })
+
+  it('normalizes the domain before persisting it', async () => {
+    dbState.members = [{ organizationId: 'org1', role: 'owner' }]
+    const res = await POST(request({ ...OIDC_BODY, domain: 'ACME.com', orgId: 'org1' }))
+    expect(res.status).toBe(200)
+    expect(mockRegisterSSOProvider).toHaveBeenCalledTimes(1)
+    const config = mockRegisterSSOProvider.mock.calls[0][0].body
+    expect(config.domain).toBe('acme.com')
+  })
+})

apps/sim/app/api/auth/sso/register/route.ts

@@ -1,11 +1,12 @@
 import { db, member, ssoProvider } from '@sim/db'
 import { createLogger } from '@sim/logger'
 import { getErrorMessage } from '@sim/utils/errors'
-import { and, eq } from 'drizzle-orm'
+import { and, eq, sql } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { ssoRegistrationContract } from '@/lib/api/contracts/auth'
 import { getValidationErrorMessage, parseRequest } from '@/lib/api/server'
 import { auth, getSession } from '@/lib/auth'
+import { normalizeSSODomain } from '@/lib/auth/sso/domain'
 import { hasSSOAccess } from '@/lib/billing'
 import { env } from '@/lib/core/config/env'
 import {
@@ -51,7 +52,7 @@ export const POST = withRouteHandler(async (request: NextRequest) => {
     if (!parsed.success) return parsed.response
 
     const body = parsed.data.body
-    const { providerId, issuer, domain, providerType, mapping, orgId } = body
+    const { providerId, issuer, providerType, mapping, orgId } = body
 
     if (orgId) {
       const [membership] = await db
@@ -67,6 +68,43 @@ export const POST = withRouteHandler(async (request: NextRequest) => {
       }
     }
 
+    const domain = normalizeSSODomain(body.domain)
+    if (!domain) {
+      return NextResponse.json({ error: 'Enter a valid domain like company.com' }, { status: 400 })
+    }
+
+    const isOwnedByCaller = (provider: {
+      userId: string | null
+      organizationId: string | null
+    }): boolean => {
+      if (provider.userId === session.user.id && !provider.organizationId) return true
+      return orgId ? provider.organizationId === orgId : false
+    }
+
+    const existingProviders = await db
+      .select({
+        userId: ssoProvider.userId,
+        organizationId: ssoProvider.organizationId,
+      })
+      .from(ssoProvider)
+      .where(sql`lower(${ssoProvider.domain}) = ${domain}`)
+    const conflictingProvider = existingProviders.find((provider) => !isOwnedByCaller(provider))
+
+    if (conflictingProvider) {
+      logger.warn('Rejected SSO registration for domain owned by another tenant', {
+        domain,
+        orgId,
+        userId: session.user.id,
+      })
+      return NextResponse.json(
+        {
+          error: 'This domain is already registered for SSO by another organization.',
+          code: 'SSO_DOMAIN_ALREADY_REGISTERED',
+        },
+        { status: 409 }
+      )
+    }
+
     const headers: Record<string, string> = {}
     request.headers.forEach((value, key) => {
       headers[key] = value

apps/sim/app/api/table/[tableId]/export/route.ts

@@ -53,7 +53,9 @@ export const GET = withRouteHandler(async (request: NextRequest, { params }: Rou
       const encoder = new TextEncoder()
       try {
         if (format === 'csv') {
-          controller.enqueue(encoder.encode(`${toCsvRow(columns.map((c) => c.name))}\n`))
+          controller.enqueue(
+            encoder.encode(`${toCsvRow(columns.map((c) => neutralizeCsvFormula(c.name)))}\n`)
+          )
         } else {
           controller.enqueue(encoder.encode('['))
         }
@@ -111,10 +113,23 @@ function sanitizeFilename(name: string): string {
   return cleaned || 'table'
 }
 
+/**
+ * Prefixes a single quote to values starting with a spreadsheet formula trigger
+ * (`=`, `+`, `-`, `@`, tab, CR), neutralizing CSV injection in Excel/Sheets.
+ */
+function neutralizeCsvFormula(value: string): string {
+  return /^[=+\-@\t\r]/.test(value) ? `'${value}` : value
+}
+
+/**
+ * Serializes a cell for CSV. Only string cells are formula-neutralized; numbers,
+ * booleans, dates, and JSON objects can never form a trigger and pass through verbatim.
+ */
 function formatCsvValue(value: unknown): string {
   if (value === null || value === undefined) return ''
   if (value instanceof Date) return value.toISOString()
   if (typeof value === 'object') return JSON.stringify(value)
+  if (typeof value === 'string') return neutralizeCsvFormula(value)
   return String(value)
 }
 

apps/sim/app/api/webhooks/route.ts

@@ -27,7 +27,10 @@ import {
 } from '@/lib/webhooks/provider-subscriptions'
 import { getProviderHandler } from '@/lib/webhooks/providers'
 import { mergeNonUserFields } from '@/lib/webhooks/utils'
-import { syncWebhooksForCredentialSet } from '@/lib/webhooks/utils.server'
+import {
+  findConflictingWebhookPathOwner,
+  syncWebhooksForCredentialSet,
+} from '@/lib/webhooks/utils.server'
 import { extractCredentialSetId, isCredentialSetValue } from '@/executor/constants'
 
 const logger = createLogger('WebhooksAPI')
@@ -330,21 +333,31 @@ export const POST = withRouteHandler(async (request: NextRequest) => {
       }
     }
     if (!targetWebhookId) {
-      const existingByPath = await db
-        .select({ id: webhook.id, workflowId: webhook.workflowId })
+      const conflictingOwner = await findConflictingWebhookPathOwner({
+        path: finalPath,
+        workflowId,
+      })
+      if (conflictingOwner) {
+        logger.warn(`[${requestId}] Webhook path conflict: ${finalPath}`)
+        return NextResponse.json(
+          { error: 'Webhook path already exists.', code: 'PATH_EXISTS' },
+          { status: 409 }
+        )
+      }
+
+      const ownExisting = await db
+        .select({ id: webhook.id })
         .from(webhook)
-        .where(and(eq(webhook.path, finalPath), isNull(webhook.archivedAt)))
-        .limit(1)
-      if (existingByPath.length > 0) {
-        // If a webhook with the same path exists but belongs to a different workflow, return an error
-        if (existingByPath[0].workflowId !== workflowId) {
-          logger.warn(`[${requestId}] Webhook path conflict: ${finalPath}`)
-          return NextResponse.json(
-            { error: 'Webhook path already exists.', code: 'PATH_EXISTS' },
-            { status: 409 }
+        .where(
+          and(
+            eq(webhook.path, finalPath),
+            eq(webhook.workflowId, workflowId),
+            isNull(webhook.archivedAt)
           )
-        }
-        targetWebhookId = existingByPath[0].id
+        )
+        .limit(1)
+      if (ownExisting.length > 0) {
+        targetWebhookId = ownExisting[0].id
       }
     }