fix(security): supabase rpc path validation, ssh stream byte cap, storage quota coverage

Author: waleedlatif1

apps/sim/app/api/files/multipart/route.ts

@@ -22,7 +22,7 @@ import {
   type UploadTokenPayload,
   verifyUploadToken,
 } from '@/lib/uploads/core/upload-token'
-import type { StorageConfig } from '@/lib/uploads/shared/types'
+import { QUOTA_EXEMPT_STORAGE_CONTEXTS, type StorageConfig } from '@/lib/uploads/shared/types'
 import { getUserEntityPermissions } from '@/lib/workspaces/permissions/utils'
 
 const logger = createLogger('MultipartUploadAPI')
@@ -135,6 +135,22 @@ export const POST = withRouteHandler(async (request: NextRequest) => {
 
         const config = getStorageConfig(storageContext)
 
+        // Apply storage quota to all user-driven upload contexts (not system/metadata contexts)
+        if (
+          !QUOTA_EXEMPT_STORAGE_CONTEXTS.has(context as StorageContext) &&
+          typeof fileSize === 'number' &&
+          fileSize > 0
+        ) {
+          const { checkStorageQuota } = await import('@/lib/billing/storage')
+          const quotaCheck = await checkStorageQuota(userId, fileSize)
+          if (!quotaCheck.allowed) {
+            return NextResponse.json(
+              { error: quotaCheck.error || 'Storage limit exceeded' },
+              { status: 413 }
+            )
+          }
+        }
+
         let customKey: string | undefined
         if (context === 'workspace' || context === 'mothership') {
           const { MAX_WORKSPACE_FILE_SIZE } = await import('@/lib/uploads/shared/types')
@@ -149,15 +165,6 @@ export const POST = withRouteHandler(async (request: NextRequest) => {
             '@/lib/uploads/contexts/workspace/workspace-file-manager'
           )
           customKey = generateWorkspaceFileKey(workspaceId, fileName)
-
-          const { checkStorageQuota } = await import('@/lib/billing/storage')
-          const quotaCheck = await checkStorageQuota(userId, fileSize)
-          if (!quotaCheck.allowed) {
-            return NextResponse.json(
-              { error: quotaCheck.error || 'Storage limit exceeded' },
-              { status: 413 }
-            )
-          }
         } else if (context === 'execution') {
           const workflowId = (data as { workflowId?: unknown }).workflowId
           const executionId = (data as { executionId?: unknown }).executionId

apps/sim/app/api/tools/ssh/read-file-content/route.ts

@@ -73,9 +73,16 @@ export const POST = withRouteHandler(async (request: NextRequest) => {
 
       const content = await new Promise<string>((resolve, reject) => {
         const chunks: Buffer[] = []
+        let totalBytes = 0
         const readStream = sftp.createReadStream(filePath)
 
         readStream.on('data', (chunk: Buffer) => {
+          totalBytes += chunk.length
+          if (totalBytes > maxBytes) {
+            readStream.destroy()
+            reject(new Error(`File exceeds maximum allowed size of ${params.maxSize}MB`))
+            return
+          }
           chunks.push(chunk)
         })
 

apps/sim/lib/uploads/shared/types.ts

@@ -23,6 +23,17 @@ export type StorageContext =
   | 'logs'
   | 'workspace-logos'
 
+/**
+ * Contexts exempt from storage quota checks — small metadata assets not managed
+ * by the user (profile pictures, logos, OG images). All other contexts represent
+ * user-driven uploads and must pass quota validation before upload is initiated.
+ */
+export const QUOTA_EXEMPT_STORAGE_CONTEXTS = new Set<StorageContext>([
+  'profile-pictures',
+  'workspace-logos',
+  'og-images',
+])
+
 export interface FileInfo {
   path: string
   key: string

apps/sim/tools/supabase/vector_search.ts

@@ -1,3 +1,4 @@
+import { validateDatabaseIdentifier } from '@/lib/core/security/input-validation'
 import type {
   SupabaseVectorSearchParams,
   SupabaseVectorSearchResponse,
@@ -56,8 +57,9 @@ export const vectorSearchTool: ToolConfig<
 
   request: {
     url: (params) => {
-      // Use RPC endpoint for calling PostgreSQL functions
-      return `${supabaseBaseUrl(params.projectId)}/rest/v1/rpc/${params.functionName}`
+      const fnValidation = validateDatabaseIdentifier(params.functionName, 'functionName')
+      if (!fnValidation.isValid) throw new Error(fnValidation.error)
+      return `${supabaseBaseUrl(params.projectId)}/rest/v1/rpc/${encodeURIComponent(params.functionName)}`
     },
     method: 'POST',
     headers: (params) => ({

biome.json

@@ -6,7 +6,7 @@
     "includes": [
       "**",
       "!**/.next",
-      "!**/.next/**",
+      "!**/.next",
       "!**/next-env.d.ts",
       "!**/out",
       "!**/dist",
@@ -69,8 +69,7 @@
     "rules": {
       "recommended": true,
       "nursery": {
-        "useSortedClasses": "warn",
-        "noNestedComponentDefinitions": "off"
+        "useSortedClasses": "warn"
       },
       "a11y": {
         "noSvgWithoutTitle": "off",