Commit Graph

1906 Commits

Author SHA1 Message Date
Baptiste Arnaud
08cb6ea10f
🐛 Fix missing result columns in CSV export (#2513)
- Append missing result headers to saved column orders so newly added
response blocks stay visible.
- Reuse the normalized column order for selected-results CSV export
instead of a local missing-header fallback.
- Add regression coverage for default, saved, and legacy column orders.
2026-05-25 11:33:23 +02:00
Baptiste Arnaud
f56c3c3f77
🐛 Block IPv6 unspecified SSRF targets (#2511)
- Block IPv6 unspecified addresses in the shared SSRF IP validator.
- Add validator regressions for compressed and expanded IPv6 unspecified
literals.
- Add a safeKy regression that verifies [::] requests are rejected
before reaching a local IPv6 wildcard listener.
2026-05-24 15:46:09 +02:00
Baptiste Arnaud
9d6708bbee
🐛 Fix upload proxy public URL (#2508)
- Prevent signed upload proxy URLs from using internal request origins
in self-hosted reverse-proxy setups.
- Resolve runtime upload proxy URLs from `NEXT_PUBLIC_VIEWER_URL` and
builder upload proxy URLs from `NEXTAUTH_URL`.
- Add regression coverage for internal container origins like
`https://2e862faf612f:3000`.
2026-05-22 15:56:26 +02:00
Baptiste Arnaud
a64e82b612
🐛 Fix unsafe upload URL generation (#2502)
- Replace direct browser presigned PUT uploads with signed Typebot
upload proxy URLs.
- Generate or validate upload object keys server-side while preserving
legacy v1/v2/v3 file-input upload contracts.
- Keep builder slot uploads stable for replaceable assets and use
generated names for runtime file uploads.
- Store active file-input MIME types as safe attachment downloads while
keeping safe image uploads inline.
- Update upload clients and docs to support both raw PUT proxy uploads
and form-data uploads.
2026-05-21 18:37:04 +02:00
Baptiste Arnaud
36a6186101
🐛 Fix WhatsApp preview webhook authorization (#2499)
- Validate that WhatsApp preview webhook test sessions belong to the
authorized typebot before resuming them.
- Require the preview session to still be waiting on the requested
webhook block.
- Share WhatsApp preview phone normalization between preview creation
and test webhook execution.
2026-05-21 17:01:12 +02:00
Baptiste Arnaud
e296c870bc
🐛 Fix WhatsApp webhook verification (#2498)
- Verify Meta WhatsApp webhooks with optional app secrets while
preserving soft compatibility for existing credentials.
- Add optional 360Dialog webhook secret validation and update flows for
existing WhatsApp credentials.
- Validate Meta WABA and phone number access, then auto-subscribe the
Meta app to the WABA during setup.
- Clear and disable WhatsApp integration when the active credentials are
removed, including published bot state.
- Preserve raw webhook request bodies, document preview app secret
configuration, and add focused webhook verification tests.
- Update related tooling, Biome ignore rules, opensrc guidance, and
small formatting/type-safety cleanup.
2026-05-21 16:45:32 +02:00
Baptiste Arnaud
30cbc616e0
🐛 Fix WhatsApp status forwarding SSRF protection (#2497)
- Use the SSRF-protected safeKy client for workspace-configured WhatsApp
status forwarding URLs.
2026-05-21 15:24:37 +02:00
Baptiste Arnaud
5861031f72
🔧 Add WhatsApp status forward URL update script (#2496)
- Add a production script to update the WhatsApp status webhook forward
URL on draft and published typebot settings.
- Register the script in `@typebot.io/scripts` and add the settings
project reference needed for typechecking.
- Ignore local `typebot-prod-db` skill folders for agent tooling.
2026-05-21 11:29:55 +02:00
ghisson
fa7cc8c3f2
👌 (openai) Add Ask Model file search controls (#2483)
Add chunk count and score threshold options to Ask Model, pass them to
the OpenAI file_search tool, and constrain Score threshold to the 0-1
range in the builder.

---------

Co-authored-by: ghisson <ghisson@LAPTOP-DQ8OKN2P>
Co-authored-by: ghisson <ghisson@LAPTOP-DQ8OKN2P.localdomain>
2026-05-21 08:02:44 +02:00
Baptiste Arnaud
89682dd4ad
🐛 Sanitize CSV exports against formula injection (#2493)
- Added `sanitizeCsvCell` helper that escapes values starting with `=`,
`+`, `-`, `@`, `\t`, or `\r` with a leading apostrophe to prevent
CSV/formula injection (CWE-1236) in spreadsheet apps.
- Applied sanitization to both server-side CSV streams
(`streamAllResultsToCsv`, `streamAllResultsToCsvV2`) for cells and
headers.
- Applied sanitization to client-side exports (`SelectionToolbar`,
`ExportAllResultsDialog`) for cells and header keys.
2026-05-19 18:46:54 +02:00
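The escaping rule from the CSV sanitization commit above, as an added sketch (not Typebot's `sanitizeCsvCell`). The function names and sample rows are constructed for illustration. It applies the rule to headers as well as cells and does the CSV quoting after the apostrophe is added.

```javascript
// Added illustration of the rule in the commit message; not the project's code.
// Function names and the sample rows are constructed for this example.

// Leading characters that spreadsheet apps may treat as the start of a formula.
const FORMULA_TRIGGERS = new Set(["=", "+", "-", "@", "\t", "\r"]);

// Prefix an apostrophe so the spreadsheet treats the value as text.
// Side effect of the rule: negative numbers such as -5 are escaped too.
function neutralizeFormula(value) {
  const text = value === null || value === undefined ? "" : String(value);
  return FORMULA_TRIGGERS.has(text.charAt(0)) ? `'${text}` : text;
}

// RFC 4180 quoting, applied after neutralization so the apostrophe ends up
// inside the quotes rather than in front of them.
function toCsvField(value) {
  const text = neutralizeFormula(value);
  return /[",\r\n]/.test(text) ? `"${text.replace(/"/g, '""')}"` : text;
}

// Headers come from block and variable names, so they get the same
// treatment as cells.
function toCsv(headers, rows) {
  const lines = [headers, ...rows].map((row) => row.map(toCsvField).join(","));
  return lines.join("\r\n");
}

// Constructed sample: values a visitor could type into a text input.
const sampleHeaders = ["Name", "=Score", "Comment"];
const sampleRows = [
  ["Alice", 42, "all good"],
  ["Bob", -5, "=SUM(1,2)"],
  ["Carol", "+33 6 00 00 00 00", "\tindented"],
];

console.log(toCsv(sampleHeaders, sampleRows));
```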
Baptiste Arnaud
6f915c3096
🐛 Prevent cross-typebot webhook resume IDOR (#2494)
- Scope `result` lookup in `handleExecuteWebhook` to the authorized
`typebotId`, closing a cross-tenant IDOR where a caller with read access
to one typebot could resume another typebot's waiting webhook session by
supplying a foreign `resultId`.
2026-05-19 18:45:19 +02:00
Baptiste Arnaud
fdcc1784c9
🔧 Hash API tokens (#2492)
- Store newly created API tokens as SHA-256 hashes while returning the
raw token once.
- Authenticate bearer tokens against both hashed and legacy plaintext
records, then lazily hash legacy records on successful use.
- Seed Playwright API tokens as hashes.
- Add Conductor setup and run scripts for local workspaces.
2026-05-19 18:17:11 +02:00
Baptiste Arnaud
6f289f647f
🔒️ Upgrade vulnerable deps (ai v5, nodemailer v8, otel sdk-node 0.217) (#2491)
## Summary

Fixes 18 open Dependabot alerts and migrates affected code to the new
major versions:

- `@opentelemetry/sdk-node` → `^0.217.0` (Prometheus exporter DoS,
GHSA-q7rr-3cgh-j5r3)
- `nodemailer` → `^8.0.5` across all manifests + root override
(GHSA-vvjj-xcjg-gr5g, GHSA-c7w3-x93f-qmm8)
- `ai` → `^5.0.52` (GHSA-rwvc-j5jr-mgvh); legacy 3.x dep removed from
`packages/deprecated/legacy` and replaced with a small in-tree
`OpenAIStream` + `StreamingTextResponse` shim
- Provider SDKs aligned to v5 peer: `@ai-sdk/openai`, `anthropic`,
`groq`, `mistral`, `perplexity`, `deepseek`, `togetherai`, `openRouter`,
`dify-ai-provider`

### AI SDK v4 → v5 migration

- `parseTools`: `parameters` renamed to `inputSchema`
- `runChatCompletion` / `runChatCompletionStream`: `maxSteps` replaced
by `stopWhen(stepCountIs(maxSteps))`;
`usage.{prompt,completion,total}Tokens` replaced by
`totalUsage.{input,output,total}Tokens`
- New `toLegacyDataStream` helper that re-emits the v4 data-stream
protocol (`0:text`, `3:error`, `9:tool_call`, …) so existing consumers
in `embeds/js` and the OpenAI `askAssistant` / `askModel` handlers keep
working
- `compatibility: "strict"` removed from `createOpenAI` (option dropped
in v5)
- `formatDataStreamPart` / `processDataStream` imports moved to
`@ai-sdk/ui-utils` (legacy package pinned at 1.2.11)

### E2E test follow-up

Second commit fixes Playwright tests that broke once the env-resolved
URLs / new SDK surface kicked in:
- `fileUpload`: assert exported URL contains `parseS3PublicBaseUrl()`
(not `S3_ENDPOINT`) so it works with `S3_PUBLIC_CUSTOM_DOMAIN`; verify
post-deletion via cache-busted `request.get` instead of a CDN-cached new
tab.
- `ssrf`: assert on the actual "Security validation failed" log emitted
by the pre-flight check; fixture now maps `response.statusCode` into a
`Status` variable so `Status: …` assertions resolve.
- Root `dev` script includes `@typebot.io/partykit` so the webhook
listener e2e test can hit PartyKit on `:1999`.

Also fixes a pre-existing broken anchor link in `whatsapp-ai-agent.mdx`
that blocked the landing-page link checker.

## Test plan

- [ ] `bunx nx test` passes
- [ ] `bunx nx typecheck` passes
- [ ] `bunx nx affected -t
format-and-lint,lint-repo,check-broken-links,test --parallel=4` passes
(pre-commit)
- [ ] `bun run dev` boots builder, viewer, workflows **and** PartyKit
- [ ] Viewer Playwright suite: `fileUpload.spec.ts`, `ssrf.spec.ts`,
`webhookListener.spec.ts` all green
- [ ] Manual smoke: OpenAI `askAssistant` block streams correctly in the
embed (v4 data-stream protocol preserved)
- [ ] Manual smoke: Anthropic / Mistral / Groq blocks still execute
end-to-end
- [ ] Manual smoke: send a test email through a workspace SMTP block
(nodemailer v8)

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-19 16:30:36 +02:00
Kleber Rocha
5b5f82d6c0
🔒️ Add SSRF_ALLOWED_HOSTS env for self-hosted internal APIs (#2474)
## Summary

Self-hosted deployments often have legitimate internal corporate APIs on
RFC1918 ranges (10/8, 172.16/12, 192.168/16) — e.g., a backend chat API
exposed only on the internal cluster network. Since v3.14, the SSRF
mitigation introduced for [CVE-2025-64709 /
GHSA-8gq9-rw7v-3jpr](https://github.com/baptisteArno/typebot.io/security/advisories/GHSA-8gq9-rw7v-3jpr)
blocks every private range unconditionally, which prevents HTTP Request
blocks (and Function blocks via fetch) from reaching those APIs without
exposing them to the public internet.

The advisory itself listed hostname allowlisting as one of the
recommended mitigations (item #5: "Implement an SSRF-safe proxy or apply
hostname allowlists for outgoing requests"), and this PR implements it
as an opt-in env var.

## What changes

- New env var `SSRF_ALLOWED_HOSTS` (comma-separated hostnames) parsed in
`packages/env`
- `validateHttpReqUrl` now accepts an `allowedHosts` parameter
(symmetric with the existing `lookupHost` injection point); the env var
is the default
- When the URL's hostname matches an entry, `validateIPAddress` is
called with `{ allowPrivateRanges: true }`, which **only** skips the
RFC1918 range checks (10/8, 172.16/12, 192.168/16)

## What the allowlist does NOT relax

Every other protection remains active even for allowlisted hosts:

- Link-local 169.254.0.0/16 — **the actual CVE vector** (AWS/GCP/Azure
metadata)
- Loopback 127.0.0.0/8 and IPv6 ::1
- 0.0.0.0/8
- IPv6 link-local fe80::/10 and unique local fc00::/7
- Cloud metadata hostnames (`metadata.google.internal`,
`metadata.goog`, `metadata`)
- `localhost` in production
- Decimal/hex/octal IP encoding bypasses
- IMDS bypass headers (`X-aws-ec2-metadata-token*`,
`Metadata-Flavor`)

This is the deliberate design: **even if an attacker controls DNS for an
allowlisted hostname and points it to 169.254.169.254, the link-local
check still fires.** The allowlist intentionally narrows what's relaxed
— corp LAN access, not metadata-service access.

## Test plan

- [x] All existing 53 SSRF tests still pass unchanged (default behavior
preserved when env unset)
- [x] New `describe` block covering 14 cases:
  - RFC1918 hostnames pass when listed (10/8, 172.16/12, 192.168/16,
    direct IP literal)
  - Link-local **still blocks** for allowlisted host (DNS hijack defense)
  - Loopback **still blocks** for allowlisted host
  - Direct `169.254.169.254` IP literal **still blocks** even when
    listed
  - `metadata.google.internal` **still blocks** even when listed
  - Decimal-encoded metadata IP **still blocks** even when listed
  - Default behavior preserved when `allowedHosts` is undefined or empty
  - Hostname not in allowlist still blocks
  - Case-insensitive matching (URL parser normalizes hostname)
  - No subdomain wildcarding (exact match only)
- [x] `bun test` green: 63/63 in `validateHttpReqUrl.test.ts`
- [x] `tsc --noEmit` green for `packages/lib` and `packages/env`
- [x] Full `nx affected` test suite green (whatsapp, feature-flags,
spaces, rich-text, root, emails, bot-engine, results, builder, lib — all
passed)

## Use case

Currently, self-hosters facing this hit dead-ends: their internal corp
DNS resolves to 10.x, the validator rejects it, and the only escape
valves are (a) expose the API publicly (security regression — adds
attack surface), (b) downgrade to ≤ v3.13.x (re-introduces the
vulnerable code path), or (c) maintain a fork with the validator patched
(fragile, breaks on every upgrade). An opt-in env var resolves this
without weakening the core mitigation.

I'm opening a companion issue (#2475) explaining the use case in more
detail and to gather feedback if a different design is preferred — happy
to iterate.
2026-05-15 11:30:29 +02:00
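The allowlist behaviour described in the `SSRF_ALLOWED_HOSTS` commit above, as an added sketch (not Typebot's `validateHttpReqUrl` or `validateIPAddress`). The function names, the synchronous `lookupHost` stub and the sample DNS table are constructed. The IPv4-mapped IPv6 case goes beyond the list in the commit message, and `localhost` is blocked unconditionally here.

```javascript
// Added illustration; not the project's code. Names, hostnames and the DNS
// table below are constructed for this example.
const METADATA_HOSTNAMES = new Set(["metadata.google.internal", "metadata.goog", "metadata"]);

// SSRF_ALLOWED_HOSTS is described as a comma-separated list of hostnames.
function parseAllowedHosts(envValue) {
  return (envValue || "").split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
}

function parseIPv4(text) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(text);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every((o) => o <= 255) ? octets : null;
}

// Expand compressed or full IPv6 text into eight 16-bit groups.
function parseIPv6(text) {
  const halves = text.split("::");
  if (!text.includes(":") || halves.length > 2) return null;
  const head = halves[0] ? halves[0].split(":") : [];
  const tail = halves[1] ? halves[1].split(":") : [];
  const missing = 8 - head.length - tail.length;
  if (halves.length === 1 ? missing !== 0 : missing < 1) return null;
  const groups = [...head, ...Array(missing).fill("0"), ...tail];
  if (!groups.every((g) => /^[0-9a-f]{1,4}$/i.test(g))) return null;
  return groups.map((g) => parseInt(g, 16));
}

function classifyIPv4([a, b]) {
  if (a === 0) return "unspecified"; // 0.0.0.0/8
  if (a === 127) return "loopback"; // 127.0.0.0/8
  if (a === 169 && b === 254) return "link-local"; // 169.254.0.0/16
  if (a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168)) return "rfc1918";
  return "public";
}

function classifyIPv6(g) {
  const zeros = (n) => g.slice(0, n).every((x) => x === 0);
  if (zeros(8)) return "unspecified"; // ::
  if (zeros(7) && g[7] === 1) return "loopback"; // ::1
  // IPv4-mapped (::ffff:a.b.c.d): judge the embedded IPv4 address.
  if (zeros(5) && g[5] === 0xffff) return classifyIPv4([g[6] >> 8, g[6] & 0xff]);
  if ((g[0] & 0xffc0) === 0xfe80) return "link-local"; // fe80::/10
  if ((g[0] & 0xfe00) === 0xfc00) return "unique-local"; // fc00::/7
  return "public";
}

function classifyAddress(text) {
  const v4 = parseIPv4(text);
  if (v4) return classifyIPv4(v4);
  const v6 = parseIPv6(text);
  return v6 ? classifyIPv6(v6) : "unparseable"; // fail closed
}

function validateOutboundUrl(rawUrl, { allowedHosts = [], lookupHost = () => "" } = {}) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return { ok: false, reason: "invalid-url" };
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return { ok: false, reason: "protocol" };
  // The URL parser lowercases the host and rewrites decimal/hex/octal IPv4
  // forms to dotted quads, so encoded literals are classified like plain ones.
  const host = url.hostname.replace(/^\[|\]$/g, "");
  if (host === "localhost" || METADATA_HOSTNAMES.has(host)) return { ok: false, reason: "blocked-hostname" };
  // Exact match only: no wildcard or subdomain matching.
  const allowPrivateRanges = allowedHosts.some((entry) => entry === host);
  const isLiteral = parseIPv4(host) !== null || parseIPv6(host) !== null;
  const kind = classifyAddress(isLiteral ? host : String(lookupHost(host) ?? ""));
  // The allowlist relaxes the RFC1918 verdict and nothing else.
  if (kind === "public" || (kind === "rfc1918" && allowPrivateRanges)) return { ok: true, reason: kind };
  return { ok: false, reason: kind };
}

// Constructed DNS answers; the second entry models an allowlisted name whose
// record has been repointed at the metadata address.
const SAMPLE_DNS = {
  "chat-api.corp.example": "10.20.0.5",
  "hijacked.corp.example": "169.254.169.254",
  "sub.chat-api.corp.example": "10.20.0.6",
};
const sampleLookup = (host) => SAMPLE_DNS[host];
const sampleOptions = {
  allowedHosts: parseAllowedHosts(
    "chat-api.corp.example, hijacked.corp.example,169.254.169.254,metadata.google.internal,192.168.1.10"
  ),
  lookupHost: sampleLookup,
};

for (const u of ["http://chat-api.corp.example/v1", "http://hijacked.corp.example/", "http://2852039166/"]) {
  console.log(u, validateOutboundUrl(u, sampleOptions));
}
```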
Baptiste Arnaud
67c7c86b1a
Revert Google Sheets picker fixes (#2486, #2487) (#2488)
- Revert #2487 (trigger_onepick OAuth param) and #2486 (setAppId +
NEXT_PUBLIC_GOOGLE_SHEETS_APP_ID env var) which broke the Google Sheets
picker in production.

🤖 Generated with [Claude Code](https://claude.com/claude-code)
2026-05-12 17:12:31 +02:00
Baptiste Arnaud
8e67415766
🐛 Fix Google Sheets picker 401 by setting Cloud Project AppId (#2486)
- Call `PickerBuilder.setAppId()` with the Cloud Project number when
building the Google Sheets picker (required by Google when the OAuth
flow uses the `drive.file` scope, otherwise the picker iframe returns
401).
- Add new optional client env var `NEXT_PUBLIC_GOOGLE_SHEETS_APP_ID` in
`packages/env`.
- Document the new variable and setup step in
`apps/docs/self-hosting/configuration.mdx`.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-12 16:30:43 +02:00
Baptiste Arnaud
85eb843c42
🐛 Fix monthly cron tx timeout when deleting archived typebots (#2481)
- Delete archived results in batches of 500 before
`prisma.typebot.deleteMany` to avoid Prisma cascade wrapping the entire
delete in a single Vitess transaction that exceeds the max duration
- Use `prisma.$primary().result.findMany` for the batch lookup so read
replica lag does not exit the loop while results still exist on primary

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-01 10:26:12 +00:00
Baptiste Arnaud
30682a258a
📝 Document status page and analytics completion criteria (#2480)
- Added a new "Is there a status page?" entry to the FAQ pointing to
status.typebot.io.
- Added a "Definitions" section to the analytics doc explaining Views,
Starts, Completions (no input remaining + at least one answer + no
pending client-side action expecting a dedicated reply) and the
per-block drop-off rate.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-01 11:10:10 +02:00
マーティンズJR
53e90c497d
fix the button position close in modal (#2476)
When clicking on an image in the chat preview/runtime, the X button to
close the modal appeared misplaced outside the correct area. This
happened because the button was positioned with `position: fixed`,
remaining stuck to the entire page viewport instead of being inside the
modal/chat container.

before:
<img width="490" height="542" alt="image"
src="https://github.com/user-attachments/assets/ed17cf29-6397-46c7-9779-01aec89c3c5b"
/>

after:
<img width="502" height="523" alt="image"
src="https://github.com/user-attachments/assets/8ac64782-6af4-4417-bad1-971450e0f66c"
/>

---------

Co-authored-by: Baptiste Arnaud <baptiste@typebot.io>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-29 08:58:46 +00:00
Baptiste Arnaud
050f9061d3
🐛 Fix transcript compute crash on choice items with session-var display condition (#2468)
- Add `skipDisplayConditionCheck` option to
`injectVariableValuesInButtonsInputBlock` and
`injectVariableValuesInPictureChoiceBlock` to skip runtime
display-condition filtering
- Propagate the flag from `validateAndParseInputMessage` when
`skipValidation` is true, so transcript compute no longer filters out
the item the user actually chose
- Show an error state in `ResultDialog` when the transcript query fails
instead of rendering an empty container
- Add a unit test reproducing the bug (choice item with
`displayCondition` on an unset session variable)
- Add `bunfig.toml` + `test-preload.ts` for `bot-engine` to mock
`isolated-vm` and set `SKIP_ENV_CHECK` at test time

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-20 17:32:18 +02:00
Baptiste Arnaud
892870ff86
🐛 Fix SSRF safe dispatcher DNS lookup handling (#2462)
- Fix `validatingLookup` to handle `{ all: true }` DNS lookup mode that
undici passes, which returns an array of addresses instead of a single
string
- Add localhost bypass in development mode to match existing
`validateHttpReqUrl` behavior
- Without this fix, `fetch()` in Set Variable code blocks silently
failed for external URLs

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-15 12:05:54 +02:00
Baptiste Arnaud
b25c41b02b
🐛 Fix SSRF bypass via DNS rebinding in HTTP request and script fetch flows (#2461)
- Add `createSafeDispatcher` with a `validatingLookup` that checks
resolved IPs at TCP connection time, preventing DNS rebinding TOCTOU
attacks (GHSA-hgqq-whf5-mrrf)
- Pass the safe undici dispatcher in `safeFetchWithoutChunkedEncoding`
(`ky.ts`) and in the isolated VM fetch wrapper (`executeFunction.ts`)
- Export `parseIPAddress`, `validateIPAddress` and `ParsedIP` from
`validateHttpReqUrl.ts` for reuse in the dispatcher
- Add unit tests for `validatingLookup` and E2E test bot/spec for SSRF
scenarios
- Add `@types/bun` to `packages/lib` tsconfig

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-15 09:28:06 +00:00
Baptiste Arnaud
7ae4c007d0
🐛 Fix credential access control and remove vulnerable S3 upload endpoint (#2459)
- Bind credential updates to workspace ownership in
`handleUpdateOAuthCredentials` to prevent cross-workspace OAuth
credential takeover (GHSA-3788-7276-x4j4)
- Require write access in `handleGetAccessToken` to prevent guest
members from obtaining Google Sheets OAuth tokens (GHSA-qjpp-9cqc-jhh8)
- Require write access in `handleListModels` to prevent guest members
from exfiltrating OpenAI API keys (GHSA-gc3v-9whw-6wjh)
- Remove deprecated unauthenticated upload endpoint that allowed
arbitrary S3 object writes (GHSA-m7f5-3wcm-x2c4)

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-15 10:39:54 +02:00
Baptiste Arnaud
20d11a5678
Add Ask Model action using OpenAI Responses API (#2455)
## Summary

- **New "Ask Model" action** in the OpenAI block using the Responses API
(`openai.responses.stream()`), supporting multi-turn conversations via
`previous_response_id`, built-in tools (file search with vector store
IDs, web search, code interpreter), custom function calling, and
streaming.
- **Deprecated "Ask Assistant"** action: hidden from the action dropdown
(still functional for existing typebots), with Sentry tracking for
production usage monitoring.
- **Updated template** (`openai-assistant-chat.json`) to use the new Ask
Model action with `gpt-5.4`.
- **Merged `chatModels` + `reasoningModels`** into a single `models`
list in constants.
- **Updated docs** replacing Ask Assistant documentation with Ask Model.

## Test plan
- [ ] Create a typebot with OpenAI → "Ask Model", configure model +
message + instructions, verify streaming works
- [ ] Test multi-turn: verify Response ID variable persists across
exchanges
- [ ] Test built-in tools: web search toggle, vector store IDs tag
input, code interpreter toggle
- [ ] Test custom function calling loop
- [ ] Verify "Ask Assistant" still works for existing typebots but is
hidden from the dropdown for new ones
- [ ] Verify the template loads correctly in the builder

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-13 14:02:35 +00:00
Baptiste Arnaud
e1530b6f90
🐛 Add missing date-fns dependencies to @typebot.io/results
The package imports date-fns and date-fns-tz but didn't declare them,
causing Docker builds with --filter to fail on resolution.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-13 15:10:11 +02:00
Baptiste Arnaud
90bc7a94ef
👌 Add time filter to results export and fix CSV download on R2 (#2449)
## Summary
- Move time filter logic from builder analytics to a shared
`@typebot.io/results` package so both analytics and results export can
use it
- Add time filter support to the results export workflow, allowing users
to export only filtered results
- Fix CSV files opening in the browser instead of downloading on R2 by
adding `Content-Type` and `Content-Disposition` metadata to S3 uploads
- Add `metadata` parameter to `S3UploadClient.uploadObject()` for
passing object metadata to R2/S3

## Test plan
- [ ] Export results with a time filter applied and verify only filtered
results are exported
- [ ] Verify the exported CSV file downloads directly instead of opening
in the browser
- [ ] Check that analytics time filter still works correctly after the
shared module refactor

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-13 15:04:27 +02:00
Baptiste Arnaud
55b290043b
🐛 Fix PostHog tracking by updating cookie domain to typebot.com (#2447)
## Summary
- Update `DEFAULT_COOKIE_DOMAIN` from `typebot.io` to `typebot.com` in
telemetry constants
- Fixes "Failed to execute 'set' on 'CookieStore': Cookie domain must
domain-match current host" error that was preventing all PostHog
pageview tracking since the domain migration

## Test plan
- [ ] Verify PostHog pageviews are being recorded on typebot.com
- [ ] Confirm no cookie domain mismatch errors in browser console

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-13 12:08:18 +00:00
Baptiste Arnaud
d3c15f32c8
🐛 Handle GA script load failure to prevent bot from hanging (#2446)
## Summary
- Add `script.onerror` handler in `initGoogleAnalytics` so the promise
resolves even when the GA script fails to load (ad blockers, network
errors), preventing the bot from hanging indefinitely.
- Bump `@typebot.io/js` and `@typebot.io/react` versions to `0.10.2`.

## Test plan
- [ ] Enable a Google Analytics integration block in a bot
- [ ] Block `googletagmanager.com` (e.g. via ad blocker) and verify the
bot still loads
- [ ] Check that `"Failed to load Google Analytics script"` appears in
the console

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-13 12:18:57 +02:00
Baptiste Arnaud
cf80f81f2c
🐛 Update WordPress embed default lib version from 0.3 to 0.x (#2438)
## Summary
- Update the default embed library version from `0.3` to `0.x` across
the WordPress plugin and builder instructions, so it auto-resolves to
the latest `0.x.x` via jsdelivr
- Update the lib_version validation regex to accept version ranges like
`0.x`

## Test plan
- [ ] Verify
`https://cdn.jsdelivr.net/npm/@typebot.io/js@0.x/dist/web.js` resolves
correctly
- [ ] Check WordPress admin panel shows `0.x` as default
- [ ] Verify builder Popup/Bubble instructions show `0.x` for cloud
users

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-08 10:24:39 +02:00
Baptiste Arnaud
2c3fc7267a
🐛 Fix stored XSS via javascript: URI in bubble links (GHSA-hqmv-v56g-4m47) (#2435)
## Summary
- Fix stored XSS vulnerability where `javascript:` URIs in text bubble
links, image click links, and toast popup links could execute arbitrary
JS in visitors' browsers
- Add `sanitizeUrl` utility that allowlists only `http:`, `https:`,
`mailto:`, and `tel:` protocols
- Add explicit `typecheck` Nx targets for `builder` and `viewer`
(Next.js projects don't get one inferred by `@nx/js/typescript`)
- Bump `@typebot.io/js` and `@typebot.io/react` to `0.10.1`

## Test plan
- [ ] Create a bot with a text bubble link set to `javascript:alert(1)`
and verify it renders as `#`
- [ ] Same test with an image click link
- [ ] Verify normal `https://` links still work
- [ ] Run `bunx nx typecheck builder` and `bunx nx typecheck viewer`

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-07 17:46:09 +02:00
Baptiste Arnaud
23818bb0e5
🐛 Fix SSRF redirect bypass in HTTP Request and Code blocks (#2432)
## Summary

- **Fix SSRF via open redirect bypass** (GHSA-jxv3-m939-w95c): HTTP
Request block now uses `safeKy` instead of `ky`, and Code block's
sandboxed `fetch` now follows redirects manually with `redirect:
"manual"` + re-validation of each `Location` hop via
`validateHttpReqUrl`.
- **Improved safeKy tests**: redirect bypass tests now run end-to-end
through `safeKy` (not just indirect Location header checks), including
chained redirect scenarios.
- **Skip Vercel preview builds**: `nx-ignore` now exits early with code
0 when `VERCEL_ENV=preview`.

## Test plan

- [x] `bunx nx test @typebot.io/lib` — 76 tests pass (0 fail, 6 skip)
- [x] `NODE_ENV=development bun test packages/lib/src/safeKy.test.ts` —
8 tests pass (redirect bypass verified end-to-end)
- [x] `bunx nx typecheck @typebot.io/bot-engine` — passes
- [x] `bunx nx typecheck @typebot.io/variables` — passes

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-07 16:41:25 +02:00
Baptiste Arnaud
d6bcc26f27
🐛 Fix cross-workspace credential theft via preview endpoint (#2430)
## Summary
- **Fixes
[GHSA-cq66-9cwr-x8jr](https://github.com/baptisteArno/typebot.io/security/advisories/GHSA-cq66-9cwr-x8jr)**
— the previous fix for GHSA-4xc5-wfwc-jw47 was incomplete: the
bot-engine runtime still allowed any authenticated user to exfiltrate
credentials from any workspace via the preview endpoint by passing
`workspaceId: ""`
- Invert the falsy check in `getCredentials()` so that missing or empty
`workspaceId` **denies** access instead of skipping validation
- Add `z.string().min(1)` on the typebot schema's `workspaceId` to
reject empty strings at the Zod validation layer
- Tighten `getGoogleSpreadsheet` param type from `string | undefined` to
`string`

## Test plan
- [x] Typecheck passes on `credentials`, `bot-engine`, `whatsapp`
- [x] All tests pass (lint, bot-engine, whatsapp, results, lib,
rich-text, emails, builder)
- [ ] Verify that preview mode still works correctly with valid
workspaceId
- [ ] Verify that forged blocks, Google Sheets, and streaming endpoints
still load credentials for legitimate users

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-07 16:21:17 +02:00
Baptiste Arnaud
73162634e6
🐛 Fix cross-typebot result data access (GHSA-f475-7m4x-m6mx) (#2431)
## Summary
- Adds a `typebotId` filter to the `findResult` Prisma query, preventing
a user from loading result data (answers, variables) belonging to a
different typebot via a foreign `resultId` in the `startChat` endpoint.
- Addresses security advisory GHSA-f475-7m4x-m6mx.

## Test plan
- [x] Typecheck passes (`bunx nx typecheck bot-engine`)
- [x] All affected tests pass (bot-engine, results, builder, etc.)
- [ ] Verify that `startChat` with a `resultId` from another typebot no
longer returns that result's data

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-07 16:11:02 +02:00
Baptiste Arnaud
cc9839f2e7
🔧 Migrate S3 uploads from presigned POST to presigned PUT (#2429)
## Changes

- **Presigned POST → PUT**: Replace `generatePresignedPostPolicy` with
`generatePresignedPutUrl` across all upload endpoints (builder + viewer
v1/v2/v3). This makes uploads compatible with Cloudflare R2 which
doesn't support the S3 POST Object API. Frontend consumers now use `PUT`
with raw file body + `Content-Type`/`Cache-Control` headers instead of
`POST` with FormData.
- **XSS mitigation**: Block dangerous content types (SVG, HTML, XML, JS)
in the builder `generateUploadUrl` endpoint. Restrict frontend `accept`
attributes from `image/*` to an explicit list of safe raster types
(`png, jpeg, gif, webp, avif, bmp, tiff`). Addresses
GHSA-jj87-c343-26vp.
- **Fix file upload URL validation**: `isURL` with `require_tld: true`
rejected `localhost` and `NEXTAUTH_URL` proxy URLs for private files.
Now uses a trusted host allowlist (`localhost`, `NEXTAUTH_URL`,
`S3_PUBLIC_CUSTOM_DOMAIN`) to skip TLD requirement.
- **Docs**: Update S3 CORS policy from `POST` to `PUT`, add Cloudflare
R2 to supported providers list.
- **Bump**: `@typebot.io/js` and `@typebot.io/react` → `0.10.0`

## Verification

- Tested avatar upload on builder with R2 bucket (PUT succeeds, image
displays)
- Verified CORS preflight passes after R2 bucket config
- Confirmed `generateUploadUrl` rejects `image/svg+xml` with 400
- All unit tests pass (`nx affected -t test`)
- Typecheck passes on all affected packages

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-07 15:34:35 +02:00
Baptiste Arnaud
a33051755f
🐛 Fix SSRF vulnerabilities in forge block handlers (#2428)
## Summary

Introduces `safeKy` — a `ky` instance with built-in SSRF validation
(`validateHttpReqUrl`) — and applies it to all server-side fetch calls
where the URL originates from user input.

## Changes

- **`packages/lib/src/ky.ts`**: Added `safeKy` export — a `ky` instance
that validates URLs against private IPs, loopback, cloud metadata
endpoints, and other SSRF vectors before making the request. The
existing `ky` instance is unchanged for trusted internal API calls.
-
**`packages/forge/blocks/openai/src/handlers/createTranscriptionHandler.ts`**:
Replaced raw `fetch(options.url)` with `safeKy.get(options.url)` — this
was the vulnerability reported in GHSA-h3v3-c6cq-q763.
- **`packages/forge/blocks/gmail/src/helpers/buildEmail.ts`**: `ky.get`
→ `safeKy.get` for attachment URL downloads.
-
**`packages/forge/blocks/openai/src/helpers/splitUserTextMessageIntoOpenAIBlocks.ts`**:
`ky.get` → `safeKy.get` for image URL detection.
-
**`packages/forge/blocks/blink/src/handlers/sendFeedEventHandler.ts`**:
`ky.head` → `safeKy.head` for attachment metadata fetching (keeps `ky`
for the Blink API call).
- **`packages/ai/src/splitUserTextMessageIntoBlocks.ts`**: `ky.get` →
`safeKy.get` for image URL detection.
- **`packages/whatsapp/src/getOrUploadMedia.ts`**: `ky.get` →
`safeKy.get` for media downloads (keeps `ky` for WhatsApp API uploads).
- **`packages/lib/src/safeKy.test.ts`**: Tests verifying `safeKy` blocks
loopback, private IPs, cloud metadata, and non-HTTP protocols.

## Verification

- `bunx nx typecheck` passes on all affected packages
(`@typebot.io/openai-block`, `@typebot.io/gmail-block`,
`@typebot.io/blink-block`, `@typebot.io/ai`, `@typebot.io/whatsapp`)
- `bunx nx test @typebot.io/lib` — 70 tests pass (66 existing + 4 new
`safeKy` tests)
- All pre-commit hook tests pass
- Manual QA: test with public URLs to confirm functionality is
preserved, then test with `http://127.0.0.1` or `http://169.254.169.254`
to confirm SSRF is blocked

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-07 12:37:34 +02:00
Baptiste Arnaud
aa3b619979
🐛 Fix file upload in builder preview mode (#2427)
## Summary

- Add `generateUploadUrlProcedure` to the `fileUploadBuilderRouter` so
the builder's API exposes the `/v3/generate-upload-url` endpoint
- Since `apiHost` now points to the builder origin, file upload requests
from the bot preview were hitting a missing endpoint (previously routed
to the viewer)

## Verification

- Test a bot in the builder preview that has a file upload block
- Confirm the upload request to `/api/v3/generate-upload-url` succeeds
and file uploads work

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-07 09:52:34 +00:00
Baptiste Arnaud
30e071da71
🔧 Fix cleanArchivedData script performance
2026-04-02 10:06:00 +02:00
Baptiste Arnaud
b8021f978a
🐛 Fix editables overflow
2026-03-27 12:31:47 +01:00
Baptiste Arnaud
cb2430ba84
🔧 Move to typebot.com
2026-03-26 17:10:02 +01:00
Baptiste Arnaud
7d432813a9
🐛 Fix space icon picking and optimistic updates
2026-03-26 16:33:46 +01:00
Baptiste Arnaud
4eff08df9c
🐛 Fix IconPicker loading state
2026-03-26 16:33:22 +01:00
Baptiste Arnaud
a0be7a4a39
💅 Improve IconPicker loading
2026-03-26 16:27:00 +01:00
Baptiste Arnaud
1541877836
👌 Introduce Spaces
2026-03-25 18:17:05 +01:00
Baptiste Arnaud
1191f666db
🔧 Improve misc components and Folder editable
2026-03-25 17:58:41 +01:00
Baptiste Arnaud
d6b010eb84
♻️ Add UploadButton component
2026-03-25 16:48:20 +01:00
Baptiste Arnaud
acd2f2971b
🔧 Remove "baseUrl": "." from tsconfigs
2026-03-25 16:40:12 +01:00
Baptiste Arnaud
991a2b7dc8
♻️ Move DebouncedTextInput to packages UI
2026-03-25 16:26:15 +01:00
Baptiste Arnaud
2e34c7c1e7
💅 Fix dots icons, bolder
2026-03-25 11:26:32 +01:00
Baptiste Arnaud
7c73b663c8
♻️ Refacto Editables in a common component
2026-03-25 10:57:36 +01:00
Baptiste Arnaud
d04605c8ea
♻️ Remove shared-primitives package
2026-03-25 10:43:35 +01:00