
Conversation

@waleedlatif1 (Collaborator)

Summary

  • add validation for ids in tool routes

Type of Change

  • Bug fix

Testing

Tested manually

Checklist

  • Code follows project style guidelines
  • Self-reviewed my changes
  • Tests added/updated and passing
  • No new warnings introduced
  • I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

@vercel
vercel bot commented Dec 14, 2025

The latest updates on your projects.

1 Skipped Deployment

| Project | Deployment | Review | Updated (UTC) |
| --- | --- | --- | --- |
| docs | Skipped | Skipped | Dec 14, 2025 3:40am |

@waleedlatif1 waleedlatif1 merged commit 431f206 into staging Dec 14, 2025
6 checks passed
@waleedlatif1 waleedlatif1 deleted the fix/scans branch December 14, 2025 03:40
@greptile-apps (Contributor)
greptile-apps bot commented Dec 14, 2025

Greptile Overview

Greptile Summary

This PR adds input validation for user-provided IDs in several API routes to prevent path traversal and injection attacks. The changes use the existing validateAlphanumericId and validateNumericId functions from the security library.

  • Added voiceId validation in TTS unified proxy for ElevenLabs provider (used in URL path)
  • Added channelId validation in Discord send-message route (Discord channel IDs are numeric)
  • Replaced basic presence checks with validateAlphanumericId for siteId in Webflow collections route
  • Replaced basic presence checks with validateAlphanumericId for collectionId in Webflow items route

These security hardening changes are straightforward and follow existing patterns in the codebase.

Confidence Score: 5/5

  • This PR is safe to merge - it adds security validation without changing existing functionality.
  • The changes are straightforward security improvements that add input validation to prevent path traversal attacks. The validation functions are already well-tested in the codebase, and the implementation follows established patterns.
  • No files require special attention.

Important Files Changed

File Analysis

| Filename | Score | Overview |
| --- | --- | --- |
| apps/sim/app/api/proxy/tts/unified/route.ts | 5/5 | Added validation for voiceId in ElevenLabs TTS provider using validateAlphanumericId to prevent path traversal attacks in the API URL. |
| apps/sim/app/api/tools/discord/send-message/route.ts | 5/5 | Added validation for channelId using validateNumericId to ensure it's a valid numeric Discord channel ID before using it in the API URL. |
| apps/sim/app/api/tools/webflow/collections/route.ts | 5/5 | Replaced simple presence check with validateAlphanumericId for siteId validation, providing both existence and format validation. |
| apps/sim/app/api/tools/webflow/items/route.ts | 5/5 | Replaced simple presence check with validateAlphanumericId for collectionId validation, providing both existence and format validation. |

Sequence Diagram

```mermaid
sequenceDiagram
    participant Client
    participant API Routes
    participant Input Validation
    participant External APIs

    Client->>API Routes: Request with ID (voiceId/channelId/siteId/collectionId)
    API Routes->>Input Validation: validateAlphanumericId() / validateNumericId()

    alt Validation Fails
        Input Validation-->>API Routes: { isValid: false, error }
        API Routes-->>Client: 400 Bad Request
    else Validation Passes
        Input Validation-->>API Routes: { isValid: true }
        API Routes->>External APIs: Request with validated ID
        External APIs-->>API Routes: Response
        API Routes-->>Client: Success Response
    end
```
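The validate-then-build flow the review describes, as an added example that is not the project's own code: hypothetical validateAlphanumericId and validateNumericId implementations returning the { isValid, error } shape shown in the diagram, plus a route-style helper that only assembles the upstream URL once the ID has passed. The ElevenLabs base path is an assumption for illustration.

```typescript
// Added example, not the project's code. Result shape follows the review's
// description: { isValid: false, error } on rejection, { isValid: true } otherwise.
interface ValidationResult {
  isValid: boolean;
  error?: string;
}

// Accepts only [A-Za-z0-9_-], so the value can never contain '/', '.', '?', '#'
// or whitespace, i.e. nothing that can alter the path or query of an upstream URL.
function validateAlphanumericId(value: unknown, name: string, maxLen = 128): ValidationResult {
  if (typeof value !== 'string' || value.length === 0) {
    return { isValid: false, error: `${name} is required` };
  }
  if (value.length > maxLen) {
    return { isValid: false, error: `${name} exceeds ${maxLen} characters` };
  }
  if (!/^[A-Za-z0-9_-]+$/.test(value)) {
    return { isValid: false, error: `${name} contains invalid characters` };
  }
  return { isValid: true };
}

// Discord channel IDs are snowflakes: decimal digits only. A numeric string is
// preferred over a JSON number, since snowflakes exceed Number's safe integer range.
function validateNumericId(value: unknown, name: string): ValidationResult {
  const s = typeof value === 'number' ? String(value) : value;
  if (typeof s !== 'string' || s.length === 0) {
    return { isValid: false, error: `${name} is required` };
  }
  if (!/^\d{1,20}$/.test(s)) {
    return { isValid: false, error: `${name} must be numeric` };
  }
  return { isValid: true };
}

// Minimal stand-in for a route handler: 400 on bad input, otherwise the URL it would call.
// The base path is assumed for this example.
function buildElevenLabsTtsUrl(voiceId: unknown): { status: number; url?: string; error?: string } {
  const check = validateAlphanumericId(voiceId, 'voiceId');
  if (!check.isValid) return { status: 400, error: check.error };
  // encodeURIComponent is kept as defence in depth even though the character class
  // above already guarantees the value is a single, literal path segment.
  const url = `https://api.elevenlabs.io/v1/text-to-speech/${encodeURIComponent(voiceId as string)}`;
  return { status: 200, url };
}
```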

greptile-apps bot left a comment: 4 files reviewed, no comments
