fix(data-drains): address PR review (signal in deliver, S3 endpoint SSRF, unused hook)

waleedlatif1 · claude · waleedlatif1 · commit 0fd2c7f9ce4e · 2026-05-04T19:00:15.000-07:00
- webhook deliver: pass signal to secureFetchWithPinnedIP so aborts cancel the in-flight socket instead of waiting for the 30s timeout
- S3 config: SSRF-validate the optional endpoint via validateExternalUrl so an enterprise admin cannot point the AWS SDK at internal/metadata addresses
- hooks: remove unused useDataDrain (single-drain detail hook had no consumer)

Co-Authored-By: Claude Opus 4.7 &lt;noreply@anthropic.com&gt;
diff --git a/apps/sim/ee/data-drains/hooks/data-drains.ts b/apps/sim/ee/data-drains/hooks/data-drains.ts
@@ -7,7 +7,6 @@ import {
   type DataDrain,
   type DataDrainRun,
   deleteDataDrainContract,
-  getDataDrainContract,
   listDataDrainRunsContract,
   listDataDrainsContract,
   runDataDrainContract,
@@ -36,18 +35,6 @@ async function fetchDataDrains(organizationId: string, signal?: AbortSignal): Pr
   return drains
 }
 
-async function fetchDataDrain(
-  organizationId: string,
-  drainId: string,
-  signal?: AbortSignal
-): Promise<DataDrain> {
-  const { drain } = await requestJson(getDataDrainContract, {
-    params: { id: organizationId, drainId },
-    signal,
-  })
-  return drain
-}
-
 async function fetchDataDrainRuns(
   organizationId: string,
   drainId: string,
@@ -72,15 +59,6 @@ export function useDataDrains(organizationId?: string) {
   })
 }
 
-export function useDataDrain(organizationId?: string, drainId?: string) {
-  return useQuery<DataDrain>({
-    queryKey: dataDrainKeys.detail(drainId),
-    queryFn: ({ signal }) => fetchDataDrain(organizationId as string, drainId as string, signal),
-    enabled: Boolean(organizationId && drainId),
-    staleTime: 60 * 1000,
-  })
-}
-
 export function useDataDrainRuns(organizationId?: string, drainId?: string, limit = 10) {
   return useQuery<DataDrainRun[]>({
     queryKey: [...dataDrainKeys.runs(drainId), limit] as const,
diff --git a/apps/sim/lib/data-drains/destinations/s3.ts b/apps/sim/lib/data-drains/destinations/s3.ts
@@ -7,6 +7,7 @@ import {
 import { createLogger } from '@sim/logger'
 import { generateShortId } from '@sim/utils/id'
 import { z } from 'zod'
+import { validateExternalUrl } from '@/lib/core/security/input-validation'
 import type { DrainDestination } from '@/lib/data-drains/types'
 
 const logger = createLogger('DataDrainS3Destination')
@@ -16,8 +17,19 @@ const s3ConfigSchema = z.object({
   region: z.string().min(1, 'region is required').max(64),
   /** Optional prefix; trailing slash is added automatically when assembling keys. */
   prefix: z.string().max(512).optional(),
-  /** Optional override for non-AWS S3-compatible providers (MinIO, R2, GCS interop, etc.). */
-  endpoint: z.string().url().optional(),
+  /**
+   * Optional override for non-AWS S3-compatible providers (MinIO, R2, GCS interop, etc.).
+   * SSRF-validated: HTTPS-only, must not resolve syntactically to a private,
+   * loopback, or cloud-metadata address. The AWS SDK will issue requests to
+   * this host, so we reject internal targets at the schema boundary.
+   */
+  endpoint: z
+    .string()
+    .url()
+    .refine((value) => validateExternalUrl(value, 'endpoint').isValid, {
+      message: 'endpoint must be HTTPS and not point at a private, loopback, or metadata address',
+    })
+    .optional(),
   /**
    * Force path-style addressing. MinIO and Ceph RGW need `true`; AWS S3 and
    * Cloudflare R2 need `false`. No auto-default — explicit choice avoids
diff --git a/apps/sim/lib/data-drains/destinations/webhook.ts b/apps/sim/lib/data-drains/destinations/webhook.ts
@@ -211,6 +211,7 @@ export const webhookDestination: DrainDestination<
               method: 'POST',
               body: new Uint8Array(body),
               headers,
+              signal,
               timeout: PER_ATTEMPT_TIMEOUT_MS,
             })
           } catch (error) {
