moved utils

Author: waleedlatif1

apps/sim/background/webhook-execution.ts

@@ -17,7 +17,7 @@ import { getWorkflowById } from '@/lib/workflows/utils'
 import { ExecutionSnapshot } from '@/executor/execution/snapshot'
 import type { ExecutionMetadata } from '@/executor/execution/types'
 import type { ExecutionResult } from '@/executor/types'
-import { safeAssign } from '@/tools/utils'
+import { safeAssign } from '@/tools/safe-assign'
 import { getTrigger, isTriggerValid } from '@/triggers'
 
 const logger = createLogger('TriggerWebhookExecution')

apps/sim/executor/utils/start-block.ts

@@ -8,7 +8,7 @@ import {
 import type { InputFormatField } from '@/lib/workflows/types'
 import type { NormalizedBlockOutput, UserFile } from '@/executor/types'
 import type { SerializedBlock } from '@/serializer/types'
-import { safeAssign } from '@/tools/utils'
+import { safeAssign } from '@/tools/safe-assign'
 
 type ExecutionKind = 'chat' | 'manual' | 'api'
 

apps/sim/tools/firecrawl/scrape.ts

@@ -1,6 +1,6 @@
 import type { ScrapeParams, ScrapeResponse } from '@/tools/firecrawl/types'
+import { safeAssign } from '@/tools/safe-assign'
 import type { ToolConfig } from '@/tools/types'
-import { safeAssign } from '@/tools/utils'
 
 export const scrapeTool: ToolConfig<ScrapeParams, ScrapeResponse> = {
   id: 'firecrawl_scrape',

apps/sim/tools/params.ts

@@ -5,9 +5,10 @@ import {
   type SubBlockCondition,
 } from '@/lib/workflows/subblocks/visibility'
 import type { SubBlockConfig as BlockSubBlockConfig } from '@/blocks/types'
+import { safeAssign } from '@/tools/safe-assign'
 import { isEmptyTagValue } from '@/tools/shared/tags'
 import type { ParameterVisibility, ToolConfig } from '@/tools/types'
-import { getTool, safeAssign } from '@/tools/utils'
+import { getTool } from '@/tools/utils'
 
 const logger = createLogger('ToolsParams')
 type ToolParamDefinition = ToolConfig['params'][string]

apps/sim/tools/safe-assign.test.ts

@@ -0,0 +1,94 @@
+import { describe, expect, it } from 'vitest'
+import { isSafeKey, safeAssign } from '@/tools/safe-assign'
+
+describe('isSafeKey', () => {
+  it.concurrent('should return false for __proto__', () => {
+    expect(isSafeKey('__proto__')).toBe(false)
+  })
+
+  it.concurrent('should return false for constructor', () => {
+    expect(isSafeKey('constructor')).toBe(false)
+  })
+
+  it.concurrent('should return false for prototype', () => {
+    expect(isSafeKey('prototype')).toBe(false)
+  })
+
+  it.concurrent('should return true for normal keys', () => {
+    expect(isSafeKey('name')).toBe(true)
+    expect(isSafeKey('email')).toBe(true)
+    expect(isSafeKey('customField')).toBe(true)
+    expect(isSafeKey('data')).toBe(true)
+    expect(isSafeKey('__internal')).toBe(true)
+  })
+})
+
+describe('safeAssign', () => {
+  it.concurrent('should assign safe properties', () => {
+    const target = { a: 1 }
+    const source = { b: 2, c: 3 }
+    const result = safeAssign(target, source)
+
+    expect(result).toEqual({ a: 1, b: 2, c: 3 })
+    expect(result).toBe(target)
+  })
+
+  it.concurrent('should filter out __proto__ key', () => {
+    const target = { a: 1 }
+    const source = { b: 2, __proto__: { polluted: true } } as Record<string, unknown>
+    const result = safeAssign(target, source)
+
+    expect(result).toEqual({ a: 1, b: 2 })
+    expect((result as any).__proto__).toBe(Object.prototype)
+    expect((Object.prototype as any).polluted).toBeUndefined()
+  })
+
+  it.concurrent('should filter out constructor key', () => {
+    const target = { a: 1 }
+    const source = { b: 2, constructor: { prototype: { polluted: true } } }
+    const result = safeAssign(target, source)
+
+    expect(result).toEqual({ a: 1, b: 2 })
+    expect((Object.prototype as any).polluted).toBeUndefined()
+  })
+
+  it.concurrent('should filter out prototype key', () => {
+    const target = { a: 1 }
+    const source = { b: 2, prototype: { polluted: true } }
+    const result = safeAssign(target, source)
+
+    expect(result).toEqual({ a: 1, b: 2 })
+    expect((Object.prototype as any).polluted).toBeUndefined()
+  })
+
+  it.concurrent('should handle null source', () => {
+    const target = { a: 1 }
+    const result = safeAssign(target, null as any)
+
+    expect(result).toEqual({ a: 1 })
+  })
+
+  it.concurrent('should handle undefined source', () => {
+    const target = { a: 1 }
+    const result = safeAssign(target, undefined as any)
+
+    expect(result).toEqual({ a: 1 })
+  })
+
+  it.concurrent('should handle non-object source', () => {
+    const target = { a: 1 }
+    const result = safeAssign(target, 'string' as any)
+
+    expect(result).toEqual({ a: 1 })
+  })
+
+  it.concurrent('should prevent prototype pollution attack', () => {
+    const maliciousPayload = JSON.parse('{"__proto__": {"isAdmin": true}, "normal": "value"}')
+    const target = {}
+    safeAssign(target, maliciousPayload)
+
+    const newObj = {}
+    expect((newObj as any).isAdmin).toBeUndefined()
+    expect((target as any).normal).toBe('value')
+  })
+})

apps/sim/tools/safe-assign.ts

@@ -0,0 +1,25 @@
+const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype'])
+
+/**
+ * Checks if a key is safe to use in object assignment (not a prototype pollution vector)
+ */
+export function isSafeKey(key: string): boolean {
+  return !DANGEROUS_KEYS.has(key)
+}
+
+/**
+ * Safely assigns properties from source to target, filtering out prototype pollution keys.
+ * Use this instead of Object.assign() when the source may contain user-controlled data.
+ */
+export function safeAssign<T extends object>(target: T, source: Record<string, unknown>): T {
+  if (!source || typeof source !== 'object') {
+    return target
+  }
+
+  for (const key of Object.keys(source)) {
+    if (isSafeKey(key)) {
+      ;(target as Record<string, unknown>)[key] = source[key]
+    }
+  }
+  return target
+}

apps/sim/tools/sendgrid/add_contact.ts

@@ -1,11 +1,11 @@
+import { safeAssign } from '@/tools/safe-assign'
 import type {
   AddContactParams,
   ContactResult,
   SendGridContactObject,
   SendGridContactRequest,
 } from '@/tools/sendgrid/types'
 import type { ToolConfig } from '@/tools/types'
-import { safeAssign } from '@/tools/utils'
 
 export const sendGridAddContactTool: ToolConfig<AddContactParams, ContactResult> = {
   id: 'sendgrid_add_contact',

apps/sim/tools/utils.test.ts

@@ -8,8 +8,6 @@ import {
   executeRequest,
   formatRequestParams,
   getClientEnvVars,
-  isSafeKey,
-  safeAssign,
   validateRequiredParametersAfterMerge,
 } from '@/tools/utils'
 
@@ -41,98 +39,6 @@ afterEach(() => {
   vi.clearAllMocks()
 })
 
-describe('isSafeKey', () => {
-  it.concurrent('should return false for __proto__', () => {
-    expect(isSafeKey('__proto__')).toBe(false)
-  })
-
-  it.concurrent('should return false for constructor', () => {
-    expect(isSafeKey('constructor')).toBe(false)
-  })
-
-  it.concurrent('should return false for prototype', () => {
-    expect(isSafeKey('prototype')).toBe(false)
-  })
-
-  it.concurrent('should return true for normal keys', () => {
-    expect(isSafeKey('name')).toBe(true)
-    expect(isSafeKey('email')).toBe(true)
-    expect(isSafeKey('customField')).toBe(true)
-    expect(isSafeKey('data')).toBe(true)
-    expect(isSafeKey('__internal')).toBe(true)
-  })
-})
-
-describe('safeAssign', () => {
-  it.concurrent('should assign safe properties', () => {
-    const target = { a: 1 }
-    const source = { b: 2, c: 3 }
-    const result = safeAssign(target, source)
-
-    expect(result).toEqual({ a: 1, b: 2, c: 3 })
-    expect(result).toBe(target)
-  })
-
-  it.concurrent('should filter out __proto__ key', () => {
-    const target = { a: 1 }
-    const source = { b: 2, __proto__: { polluted: true } } as Record<string, unknown>
-    const result = safeAssign(target, source)
-
-    expect(result).toEqual({ a: 1, b: 2 })
-    expect((result as any).__proto__).toBe(Object.prototype)
-    expect((Object.prototype as any).polluted).toBeUndefined()
-  })
-
-  it.concurrent('should filter out constructor key', () => {
-    const target = { a: 1 }
-    const source = { b: 2, constructor: { prototype: { polluted: true } } }
-    const result = safeAssign(target, source)
-
-    expect(result).toEqual({ a: 1, b: 2 })
-    expect((Object.prototype as any).polluted).toBeUndefined()
-  })
-
-  it.concurrent('should filter out prototype key', () => {
-    const target = { a: 1 }
-    const source = { b: 2, prototype: { polluted: true } }
-    const result = safeAssign(target, source)
-
-    expect(result).toEqual({ a: 1, b: 2 })
-    expect((Object.prototype as any).polluted).toBeUndefined()
-  })
-
-  it.concurrent('should handle null source', () => {
-    const target = { a: 1 }
-    const result = safeAssign(target, null as any)
-
-    expect(result).toEqual({ a: 1 })
-  })
-
-  it.concurrent('should handle undefined source', () => {
-    const target = { a: 1 }
-    const result = safeAssign(target, undefined as any)
-
-    expect(result).toEqual({ a: 1 })
-  })
-
-  it.concurrent('should handle non-object source', () => {
-    const target = { a: 1 }
-    const result = safeAssign(target, 'string' as any)
-
-    expect(result).toEqual({ a: 1 })
-  })
-
-  it.concurrent('should prevent prototype pollution attack', () => {
-    const maliciousPayload = JSON.parse('{"__proto__": {"isAdmin": true}, "normal": "value"}')
-    const target = {}
-    safeAssign(target, maliciousPayload)
-
-    const newObj = {}
-    expect((newObj as any).isAdmin).toBeUndefined()
-    expect((target as any).normal).toBe('value')
-  })
-})
-
 describe('transformTable', () => {
   it.concurrent('should return empty object for null input', () => {
     const result = transformTable(null)

apps/sim/tools/utils.ts

@@ -9,32 +9,6 @@ import type { ToolConfig, ToolResponse } from '@/tools/types'
 
 const logger = createLogger('ToolsUtils')
 
-const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype'])
-
-/**
- * Checks if a key is safe to use in object assignment (not a prototype pollution vector)
- */
-export function isSafeKey(key: string): boolean {
-  return !DANGEROUS_KEYS.has(key)
-}
-
-/**
- * Safely assigns properties from source to target, filtering out prototype pollution keys.
- * Use this instead of Object.assign() when the source may contain user-controlled data.
- */
-export function safeAssign<T extends object>(target: T, source: Record<string, unknown>): T {
-  if (!source || typeof source !== 'object') {
-    return target
-  }
-
-  for (const key of Object.keys(source)) {
-    if (isSafeKey(key)) {
-      ;(target as Record<string, unknown>)[key] = source[key]
-    }
-  }
-  return target
-}
-
 /**
  * Strips version suffix (_v2, _v3, etc.) from a tool ID or name
  * @example stripVersionSuffix('notion_search_v2') => 'notion_search'