fix(aws): add validateAwsRegion to all AWS route schemas to prevent SSRF

Author: waleedlatif1

apps/sim/app/api/tools/cloudwatch/describe-alarms/route.ts

@@ -9,12 +9,19 @@ import { toError } from '@sim/utils/errors'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { validateAwsRegion } from '@/lib/core/security/input-validation'
 import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
 
 const logger = createLogger('CloudWatchDescribeAlarms')
 
 const DescribeAlarmsSchema = z.object({
-  region: z.string().min(1, 'AWS region is required'),
+  region: z
+    .string()
+    .min(1, 'AWS region is required')
+    .refine(
+      (v) => validateAwsRegion(v).isValid,
+      (v) => validateAwsRegion(v).error ?? 'Invalid AWS region'
+    ),
   accessKeyId: z.string().min(1, 'AWS access key ID is required'),
   secretAccessKey: z.string().min(1, 'AWS secret access key is required'),
   alarmNamePrefix: z.string().optional(),

apps/sim/app/api/tools/cloudwatch/describe-log-groups/route.ts

@@ -4,13 +4,20 @@ import { toError } from '@sim/utils/errors'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
+import { validateAwsRegion } from '@/lib/core/security/input-validation'
 import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
 import { createCloudWatchLogsClient } from '@/app/api/tools/cloudwatch/utils'
 
 const logger = createLogger('CloudWatchDescribeLogGroups')
 
 const DescribeLogGroupsSchema = z.object({
-  region: z.string().min(1, 'AWS region is required'),
+  region: z
+    .string()
+    .min(1, 'AWS region is required')
+    .refine(
+      (v) => validateAwsRegion(v).isValid,
+      (v) => validateAwsRegion(v).error ?? 'Invalid AWS region'
+    ),
   accessKeyId: z.string().min(1, 'AWS access key ID is required'),
   secretAccessKey: z.string().min(1, 'AWS secret access key is required'),
   prefix: z.string().optional(),

apps/sim/app/api/tools/cloudwatch/describe-log-streams/route.ts

@@ -3,13 +3,20 @@ import { toError } from '@sim/utils/errors'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkSessionOrInternalAuth } from '@/lib/auth/hybrid'
+import { validateAwsRegion } from '@/lib/core/security/input-validation'
 import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
 import { createCloudWatchLogsClient, describeLogStreams } from '@/app/api/tools/cloudwatch/utils'
 
 const logger = createLogger('CloudWatchDescribeLogStreams')
 
 const DescribeLogStreamsSchema = z.object({
-  region: z.string().min(1, 'AWS region is required'),
+  region: z
+    .string()
+    .min(1, 'AWS region is required')
+    .refine(
+      (v) => validateAwsRegion(v).isValid,
+      (v) => validateAwsRegion(v).error ?? 'Invalid AWS region'
+    ),
   accessKeyId: z.string().min(1, 'AWS access key ID is required'),
   secretAccessKey: z.string().min(1, 'AWS secret access key is required'),
   logGroupName: z.string().min(1, 'Log group name is required'),

apps/sim/app/api/tools/cloudwatch/get-log-events/route.ts

@@ -3,13 +3,20 @@ import { toError } from '@sim/utils/errors'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { validateAwsRegion } from '@/lib/core/security/input-validation'
 import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
 import { createCloudWatchLogsClient, getLogEvents } from '@/app/api/tools/cloudwatch/utils'
 
 const logger = createLogger('CloudWatchGetLogEvents')
 
 const GetLogEventsSchema = z.object({
-  region: z.string().min(1, 'AWS region is required'),
+  region: z
+    .string()
+    .min(1, 'AWS region is required')
+    .refine(
+      (v) => validateAwsRegion(v).isValid,
+      (v) => validateAwsRegion(v).error ?? 'Invalid AWS region'
+    ),
   accessKeyId: z.string().min(1, 'AWS access key ID is required'),
   secretAccessKey: z.string().min(1, 'AWS secret access key is required'),
   logGroupName: z.string().min(1, 'Log group name is required'),

apps/sim/app/api/tools/cloudwatch/get-metric-statistics/route.ts

@@ -4,12 +4,19 @@ import { toError } from '@sim/utils/errors'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { validateAwsRegion } from '@/lib/core/security/input-validation'
 import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
 
 const logger = createLogger('CloudWatchGetMetricStatistics')
 
 const GetMetricStatisticsSchema = z.object({
-  region: z.string().min(1, 'AWS region is required'),
+  region: z
+    .string()
+    .min(1, 'AWS region is required')
+    .refine(
+      (v) => validateAwsRegion(v).isValid,
+      (v) => validateAwsRegion(v).error ?? 'Invalid AWS region'
+    ),
   accessKeyId: z.string().min(1, 'AWS access key ID is required'),
   secretAccessKey: z.string().min(1, 'AWS secret access key is required'),
   namespace: z.string().min(1, 'Namespace is required'),

apps/sim/app/api/tools/cloudwatch/list-metrics/route.ts

@@ -4,12 +4,19 @@ import { toError } from '@sim/utils/errors'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { validateAwsRegion } from '@/lib/core/security/input-validation'
 import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
 
 const logger = createLogger('CloudWatchListMetrics')
 
 const ListMetricsSchema = z.object({
-  region: z.string().min(1, 'AWS region is required'),
+  region: z
+    .string()
+    .min(1, 'AWS region is required')
+    .refine(
+      (v) => validateAwsRegion(v).isValid,
+      (v) => validateAwsRegion(v).error ?? 'Invalid AWS region'
+    ),
   accessKeyId: z.string().min(1, 'AWS access key ID is required'),
   secretAccessKey: z.string().min(1, 'AWS secret access key is required'),
   namespace: z.string().optional(),

apps/sim/app/api/tools/cloudwatch/put-metric-data/route.ts

@@ -8,6 +8,7 @@ import { toError } from '@sim/utils/errors'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { validateAwsRegion } from '@/lib/core/security/input-validation'
 import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
 
 const logger = createLogger('CloudWatchPutMetricData')
@@ -43,7 +44,13 @@ const VALID_UNITS = [
 ] as const
 
 const PutMetricDataSchema = z.object({
-  region: z.string().min(1, 'AWS region is required'),
+  region: z
+    .string()
+    .min(1, 'AWS region is required')
+    .refine(
+      (v) => validateAwsRegion(v).isValid,
+      (v) => validateAwsRegion(v).error ?? 'Invalid AWS region'
+    ),
   accessKeyId: z.string().min(1, 'AWS access key ID is required'),
   secretAccessKey: z.string().min(1, 'AWS secret access key is required'),
   namespace: z.string().min(1, 'Namespace is required'),

apps/sim/app/api/tools/cloudwatch/query-logs/route.ts

@@ -4,13 +4,20 @@ import { toError } from '@sim/utils/errors'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { validateAwsRegion } from '@/lib/core/security/input-validation'
 import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
 import { createCloudWatchLogsClient, pollQueryResults } from '@/app/api/tools/cloudwatch/utils'
 
 const logger = createLogger('CloudWatchQueryLogs')
 
 const QueryLogsSchema = z.object({
-  region: z.string().min(1, 'AWS region is required'),
+  region: z
+    .string()
+    .min(1, 'AWS region is required')
+    .refine(
+      (v) => validateAwsRegion(v).isValid,
+      (v) => validateAwsRegion(v).error ?? 'Invalid AWS region'
+    ),
   accessKeyId: z.string().min(1, 'AWS access key ID is required'),
   secretAccessKey: z.string().min(1, 'AWS secret access key is required'),
   logGroupNames: z.array(z.string().min(1)).min(1, 'At least one log group name is required'),

apps/sim/app/api/tools/dynamodb/delete/route.ts

@@ -3,13 +3,20 @@ import { toError } from '@sim/utils/errors'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { validateAwsRegion } from '@/lib/core/security/input-validation'
 import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
 import { createDynamoDBClient, deleteItem } from '@/app/api/tools/dynamodb/utils'
 
 const logger = createLogger('DynamoDBDeleteAPI')
 
 const DeleteSchema = z.object({
-  region: z.string().min(1, 'AWS region is required'),
+  region: z
+    .string()
+    .min(1, 'AWS region is required')
+    .refine(
+      (v) => validateAwsRegion(v).isValid,
+      (v) => validateAwsRegion(v).error ?? 'Invalid AWS region'
+    ),
   accessKeyId: z.string().min(1, 'AWS access key ID is required'),
   secretAccessKey: z.string().min(1, 'AWS secret access key is required'),
   tableName: z.string().min(1, 'Table name is required'),

apps/sim/app/api/tools/dynamodb/get/route.ts

@@ -3,13 +3,20 @@ import { toError } from '@sim/utils/errors'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { checkInternalAuth } from '@/lib/auth/hybrid'
+import { validateAwsRegion } from '@/lib/core/security/input-validation'
 import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
 import { createDynamoDBClient, getItem } from '@/app/api/tools/dynamodb/utils'
 
 const logger = createLogger('DynamoDBGetAPI')
 
 const GetSchema = z.object({
-  region: z.string().min(1, 'AWS region is required'),
+  region: z
+    .string()
+    .min(1, 'AWS region is required')
+    .refine(
+      (v) => validateAwsRegion(v).isValid,
+      (v) => validateAwsRegion(v).error ?? 'Invalid AWS region'
+    ),
   accessKeyId: z.string().min(1, 'AWS access key ID is required'),
   secretAccessKey: z.string().min(1, 'AWS secret access key is required'),
   tableName: z.string().min(1, 'Table name is required'),