fix(sap_s4hana): reject percent-encoded path traversal; widen Set-Cookie split

waleedlatif1 · claude · waleedlatif1 · commit cd2fdf71a004 · 2026-04-27T12:30:58.000-07:00
- ServicePath now also rejects %2e/%2E, %2f/%2F, %5c/%5C, %3f/%3F, %23
  so a caller cannot smuggle ".." / "." / "/" / "\" / "?" / "#" past the
  validator and have SAP's ABAP/ICM gateway decode them server-side.
- joinSetCookies fallback regex now allows the ", " separator that's
  used when multiple Set-Cookie values are folded onto one header line
  (older runtimes without Headers.getSetCookie). Prevents CSRF cookies
  from being concatenated into a single value during write operations.

Co-Authored-By: Claude Opus 4.7 &lt;noreply@anthropic.com&gt;
diff --git a/apps/sim/app/api/tools/sap_s4hana/proxy/route.ts b/apps/sim/app/api/tools/sap_s4hana/proxy/route.ts
@@ -30,9 +30,11 @@ const ServicePath = z
     (p) =>
       !p.split(/[/\\]/).some((seg) => seg === '..' || seg === '.') &&
       !p.includes('?') &&
-      !p.includes('#'),
+      !p.includes('#') &&
+      !/%(?:2[eEfF]|5[cC]|3[fF]|23)/.test(p),
     {
-      message: 'path must not contain ".." or "." segments, "?", or "#"',
+      message:
+        'path must not contain ".." or "." segments, "?", "#", or percent-encoded path/query/fragment characters',
     }
   )
 
@@ -353,7 +355,7 @@ function joinSetCookies(headers: Headers): string {
   const cookies =
     typeof (headers as { getSetCookie?: () => string[] }).getSetCookie === 'function'
       ? (headers as { getSetCookie: () => string[] }).getSetCookie()
-      : (headers.get('set-cookie') ?? '').split(/,(?=[^ ;]+=)/)
+      : (headers.get('set-cookie') ?? '').split(/,\s*(?=[^=,;\s]+=)/)
   return cookies
     .map((c) => c.split(';')[0]?.trim())
     .filter(Boolean)
