feat/platform-v3

[emir-karabeg]

Summary

Brief description of what this PR does and why.

Fixes #(issue)

Type of Change

• Bug fix
• New feature
• Breaking change
• Documentation
• Other: ___________

Testing

How has this been tested? What should reviewers focus on?

Checklist

• Code follows project style guidelines
• Self-reviewed my changes
• Tests added/updated and passing
• No new warnings introduced
• I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

Screenshots/Videos

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment

Project	Deployment	Preview	Comments	Updated (UTC)
docs	Skipped			Nov 3, 2025 9:36am

To fix the problem, replace the use of Math.random() when generating a random string component for storage keys with a cryptographically secure alternative. In Node.js, the best method is to use crypto.randomBytes to generate random bytes and encode them in base36 or hex for inclusion in file keys.

Specifically, update the generateWorkspaceFileKey function in apps/sim/lib/uploads/contexts/workspace/workspace-file-manager.ts so that, instead of:

const random = Math.random().toString(36).substring(2, 9)

you use:

const random = require('crypto').randomBytes(6).toString('base64url')

or, if you prefer to avoid requiring non-standard encodings:

const random = require('crypto').randomBytes(5).toString('hex')

This will make the random string cryptographically secure and suitable for security-sensitive identifiers.

You will need to import the crypto module (import * as crypto from 'crypto') at the top of the file, or use require('crypto') if the style is consistent. Only the region around generateWorkspaceFileKey needs to change.

---

To ensure predictable keys are not generated, replace Math.random() with a cryptographically secure alternative. For Node.js, the best choice is crypto.randomBytes. We'll generate enough randomness to preserve or improve the entropy previously present. Since Math.random().toString(36).substring(2, 9) generates a 7-character base36 string, we can generate a similar-length base36 string from random bytes.

Steps:

• In apps/sim/lib/uploads/contexts/workspace/workspace-file-manager.ts:
  • Import Node's crypto module (from "crypto").
  • In generateWorkspaceFileKey, replace the assignment to random with one that uses crypto.randomBytes(n) (for sufficient entropy) and encodes using base36, slicing as needed to maintain the 7-character output.
• No functional changes otherwise.
• No changes are needed elsewhere for this error.

---

To fix this issue, we should replace the insecure ID generation using Math.random and Date.now() with the generation of a cryptographically secure unique identifier. The most standard and widely-adopted practice is to use a UUID v4, which is specifically designed for this use-case and is not susceptible to the prediction weaknesses of Math.random. This should be implemented where the IDs are generated—in this case, in apps/sim/lib/uploads/contexts/workspace/workspace-file-manager.ts, specifically on line 74 (the definition of fileId). Instead of constructing the ID with Math.random, import a secure UUID generator (such as the uuid library's v4 function) and use it to generate a unique ID, optionally preserving the wf_ prefix if desired for namespacing.

What is needed:

• Add an import for the uuid library's v4 method in apps/sim/lib/uploads/contexts/workspace/workspace-file-manager.ts.
• Change the assignment to fileId at line 74 so that it uses this secure ID (e.g., fileId = 'wf_' + v4();).
• Remove the use of Math.random in the construction of fileId.
• No changes are required in apps/sim/lib/uploads/server/metadata.ts because the handling of id there is already secure, but the taint comes from the fileId being generated insecurely upstream.

---

To fix the problem, enforce an upper bound for the timeoutMs parameter to downloadFileFromUrl.

• Add an upper limit (e.g., 3 minutes or a reasonable application-specific maximum, say 300,000ms = 5 minutes) to timeoutMs.
• If the provided value exceeds this maximum (or is not a number or is negative), set it to the default or clamp it within the legitimate range.
• This can be accomplished by inserting logic at the start of the function to coerce or clamp timeoutMs to the accepted range (e.g., using Math.min, Math.max).
• These changes should be placed at the top of the downloadFileFromUrl function, before the value is used in setTimeout.
• No new dependencies are needed.

---

To mitigate SSRF, we must validate that the fileUrl either matches an explicit allow-list of trusted domains or at least restricts protocols and hostname patterns before it can be fetched. The ideal fix will:

• Parse fileUrl and ensure it is an external URL (i.e., not internal: loopback, private, or link-local IPs, and not dangerous protocols).
• Reject or throw an error if the URL fails validation.
• Optionally implement an allow-list of domains if business logic permits.
• Should not alter the behavior for valid, allowed, external URLs.

The proper place for the fix is just before using fetch(fileUrl, ...), specifically after internal URLs are handled and before any fetch for external URLs. We need to:

• Add a parsing and verification block between lines 43 and 44 to ensure fileUrl is strictly an http(s) URL and not a local or private address.
• Import (if permitted) a well-known package such as is-ip or net, but since we can only add standard Node.js imports, use the built-in url and net libraries for IP verification.
• If host is an IP, verify it is not a loopback or private address (using net.isIP, net.isIPv4, and a helper to check RFC1918).
• If host is a name, optionally use a simple allow-list, or at minimum ensure it's not "localhost" or similar.

All code changes must be in apps/sim/lib/uploads/utils/file-utils.server.ts.

---