use helper for internal route check

Author: icecrasher321

apps/sim/app/api/tools/mistral/parse/route.ts

@@ -5,7 +5,11 @@ import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { getBaseUrl } from '@/lib/core/utils/urls'
 import { StorageService } from '@/lib/uploads'
-import { extractStorageKey, inferContextFromKey } from '@/lib/uploads/utils/file-utils'
+import {
+  extractStorageKey,
+  inferContextFromKey,
+  isInternalFileUrl,
+} from '@/lib/uploads/utils/file-utils'
 import { verifyFileAccess } from '@/app/api/files/authorization'
 
 export const dynamic = 'force-dynamic'
@@ -47,13 +51,13 @@ export async function POST(request: NextRequest) {
 
     logger.info(`[${requestId}] Mistral parse request`, {
       filePath: validatedData.filePath,
-      isWorkspaceFile: validatedData.filePath.includes('/api/files/serve/'),
+      isWorkspaceFile: isInternalFileUrl(validatedData.filePath),
       userId,
     })
 
     let fileUrl = validatedData.filePath
 
-    if (validatedData.filePath?.includes('/api/files/serve/')) {
+    if (isInternalFileUrl(validatedData.filePath)) {
       try {
         const storageKey = extractStorageKey(validatedData.filePath)
 

apps/sim/app/api/tools/pulse/parse/route.ts

@@ -5,7 +5,11 @@ import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { getBaseUrl } from '@/lib/core/utils/urls'
 import { StorageService } from '@/lib/uploads'
-import { extractStorageKey, inferContextFromKey } from '@/lib/uploads/utils/file-utils'
+import {
+  extractStorageKey,
+  inferContextFromKey,
+  isInternalFileUrl,
+} from '@/lib/uploads/utils/file-utils'
 import { verifyFileAccess } from '@/app/api/files/authorization'
 
 export const dynamic = 'force-dynamic'
@@ -48,13 +52,13 @@ export async function POST(request: NextRequest) {
 
     logger.info(`[${requestId}] Pulse parse request`, {
       filePath: validatedData.filePath,
-      isWorkspaceFile: validatedData.filePath.includes('/api/files/serve/'),
+      isWorkspaceFile: isInternalFileUrl(validatedData.filePath),
       userId,
     })
 
     let fileUrl = validatedData.filePath
 
-    if (validatedData.filePath?.includes('/api/files/serve/')) {
+    if (isInternalFileUrl(validatedData.filePath)) {
       try {
         const storageKey = extractStorageKey(validatedData.filePath)
         const context = inferContextFromKey(storageKey)

apps/sim/app/api/tools/reducto/parse/route.ts

@@ -5,7 +5,11 @@ import { checkHybridAuth } from '@/lib/auth/hybrid'
 import { generateRequestId } from '@/lib/core/utils/request'
 import { getBaseUrl } from '@/lib/core/utils/urls'
 import { StorageService } from '@/lib/uploads'
-import { extractStorageKey, inferContextFromKey } from '@/lib/uploads/utils/file-utils'
+import {
+  extractStorageKey,
+  inferContextFromKey,
+  isInternalFileUrl,
+} from '@/lib/uploads/utils/file-utils'
 import { verifyFileAccess } from '@/app/api/files/authorization'
 
 export const dynamic = 'force-dynamic'
@@ -44,13 +48,13 @@ export async function POST(request: NextRequest) {
 
     logger.info(`[${requestId}] Reducto parse request`, {
       filePath: validatedData.filePath,
-      isWorkspaceFile: validatedData.filePath.includes('/api/files/serve/'),
+      isWorkspaceFile: isInternalFileUrl(validatedData.filePath),
       userId,
     })
 
     let fileUrl = validatedData.filePath
 
-    if (validatedData.filePath?.includes('/api/files/serve/')) {
+    if (isInternalFileUrl(validatedData.filePath)) {
       try {
         const storageKey = extractStorageKey(validatedData.filePath)
         const context = inferContextFromKey(storageKey)

apps/sim/app/api/tools/textract/parse/route.ts

@@ -9,9 +9,12 @@ import {
   validateS3BucketName,
 } from '@/lib/core/security/input-validation'
 import { generateRequestId } from '@/lib/core/utils/request'
-import { getBaseUrl } from '@/lib/core/utils/urls'
 import { StorageService } from '@/lib/uploads'
-import { extractStorageKey, inferContextFromKey } from '@/lib/uploads/utils/file-utils'
+import {
+  extractStorageKey,
+  inferContextFromKey,
+  isInternalFileUrl,
+} from '@/lib/uploads/utils/file-utils'
 import { verifyFileAccess } from '@/app/api/files/authorization'
 
 export const dynamic = 'force-dynamic'
@@ -423,10 +426,7 @@ export async function POST(request: NextRequest) {
 
     let fileUrl = validatedData.filePath
 
-    const isInternalFilePath =
-      validatedData.filePath?.startsWith('/api/files/serve/') ||
-      (validatedData.filePath?.startsWith('/') &&
-        validatedData.filePath?.includes('/api/files/serve/'))
+    const isInternalFilePath = validatedData.filePath && isInternalFileUrl(validatedData.filePath)
 
     if (isInternalFilePath) {
       try {
@@ -463,21 +463,18 @@ export async function POST(request: NextRequest) {
         )
       }
     } else if (validatedData.filePath?.startsWith('/')) {
-      if (!validatedData.filePath.startsWith('/api/files/serve/')) {
-        logger.warn(`[${requestId}] Invalid internal path`, {
-          userId,
-          path: validatedData.filePath.substring(0, 50),
-        })
-        return NextResponse.json(
-          {
-            success: false,
-            error: 'Invalid file path. Only uploaded files are supported for internal paths.',
-          },
-          { status: 400 }
-        )
-      }
-      const baseUrl = getBaseUrl()
-      fileUrl = `${baseUrl}${validatedData.filePath}`
+      // Reject arbitrary absolute paths that don't contain /api/files/serve/
+      logger.warn(`[${requestId}] Invalid internal path`, {
+        userId,
+        path: validatedData.filePath.substring(0, 50),
+      })
+      return NextResponse.json(
+        {
+          success: false,
+          error: 'Invalid file path. Only uploaded files are supported for internal paths.',
+        },
+        { status: 400 }
+      )
     } else {
       const urlValidation = validateExternalUrl(fileUrl, 'Document URL')
       if (!urlValidation.isValid) {

apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/file-upload/file-upload.tsx

@@ -90,8 +90,9 @@ export function FileUpload({
    * Checks if a file's MIME type matches the accepted types
    * Supports exact matches, wildcard patterns (e.g., 'image/*'), and '*' for all types
    */
-  const isFileTypeAccepted = (fileType: string, accepted: string): boolean => {
+  const isFileTypeAccepted = (fileType: string | undefined, accepted: string): boolean => {
     if (accepted === '*') return true
+    if (!fileType) return false
 
     const acceptedList = accepted.split(',').map((t) => t.trim().toLowerCase())
     const normalizedFileType = fileType.toLowerCase()

apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/editor.tsx

@@ -129,9 +129,7 @@ export function Editor() {
     blockSubBlockValues,
     canonicalIndex
   )
-  const displayAdvancedOptions = userPermissions.canEdit
-    ? advancedMode
-    : advancedMode || advancedValuesPresent
+  const displayAdvancedOptions = advancedMode || advancedValuesPresent
 
   const hasAdvancedOnlyFields = useMemo(() => {
     for (const subBlock of subBlocksForCanonical) {