From 6fd72ba1062a4eaf4a9a41e1e20d1c1359e4912a Mon Sep 17 00:00:00 2001
From: Vikhyath Mondreti <vikhyath@simstudio.ai>
Date: Wed, 21 Jan 2026 01:27:46 -0800
Subject: [PATCH 1/3] fix(http): options not parsed accurately

---
 .../sim/lib/core/security/input-validation.ts | 28 +++++++++++++------
 1 file changed, 20 insertions(+), 8 deletions(-)

diff --git a/apps/sim/lib/core/security/input-validation.ts b/apps/sim/lib/core/security/input-validation.ts
index 5632761a54..b83a364338 100644
--- a/apps/sim/lib/core/security/input-validation.ts
+++ b/apps/sim/lib/core/security/input-validation.ts
@@ -1,3 +1,4 @@
+import type { LookupAddress, LookupOptions } from 'dns'
 import dns from 'dns/promises'
 import http from 'http'
 import https from 'https'
@@ -907,26 +908,37 @@ export async function secureFetchWithPinnedIP(
     const isIPv6 = resolvedIP.includes(':')
     const family = isIPv6 ? 6 : 4
 
-    const agentOptions = {
+    const agentOptions: http.AgentOptions = {
       lookup: (
         _hostname: string,
-        _options: unknown,
-        callback: (err: NodeJS.ErrnoException | null, address: string, family: number) => void
+        options: LookupOptions,
+        callback: (
+          err: NodeJS.ErrnoException | null,
+          address: string | LookupAddress[],
+          family?: number
+        ) => void
       ) => {
-        callback(null, resolvedIP, family)
+        if (options.all) {
+          callback(null, [{ address: resolvedIP, family }])
+        } else {
+          callback(null, resolvedIP, family)
+        }
       },
     }
 
-    const agent = isHttps
-      ? new https.Agent(agentOptions as https.AgentOptions)
-      : new http.Agent(agentOptions as http.AgentOptions)
+    const agent = isHttps ? new https.Agent(agentOptions) : new http.Agent(agentOptions)
+
+    // Remove accept-encoding since Node.js http/https doesn't auto-decompress
+    // Headers are lowercase due to Web Headers API normalization in executeToolRequest
+    const sanitizedHeaders = { ...options.headers }
+    sanitizedHeaders['accept-encoding'] = undefined
 
     const requestOptions: http.RequestOptions = {
       hostname: parsed.hostname,
       port,
       path: parsed.pathname + parsed.search,
       method: options.method || 'GET',
-      headers: options.headers || {},
+      headers: sanitizedHeaders,
       agent,
       timeout: options.timeout || 30000,
     }

From 3eb46c5a5b6496bfd9277b9f4e88434381053d4d Mon Sep 17 00:00:00 2001
From: Vikhyath Mondreti <vikhyath@simstudio.ai>
Date: Wed, 21 Jan 2026 01:30:12 -0800
Subject: [PATCH 2/3] fix lint

---
 apps/sim/lib/core/security/input-validation.ts | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/apps/sim/lib/core/security/input-validation.ts b/apps/sim/lib/core/security/input-validation.ts
index b83a364338..c59e49710b 100644
--- a/apps/sim/lib/core/security/input-validation.ts
+++ b/apps/sim/lib/core/security/input-validation.ts
@@ -930,8 +930,7 @@ export async function secureFetchWithPinnedIP(
 
     // Remove accept-encoding since Node.js http/https doesn't auto-decompress
     // Headers are lowercase due to Web Headers API normalization in executeToolRequest
-    const sanitizedHeaders = { ...options.headers }
-    sanitizedHeaders['accept-encoding'] = undefined
+    const { 'accept-encoding': _, ...sanitizedHeaders } = options.headers ?? {}
 
     const requestOptions: http.RequestOptions = {
       hostname: parsed.hostname,

From 2a3f8208e96dd7e1c02a2c5366b0468f821ec777 Mon Sep 17 00:00:00 2001
From: Vikhyath Mondreti <vikhyath@simstudio.ai>
Date: Wed, 21 Jan 2026 01:34:57 -0800
Subject: [PATCH 3/3] remove boilerplate code'

---
 .../sim/lib/core/security/input-validation.ts | 26 +++++++------------
 1 file changed, 9 insertions(+), 17 deletions(-)

diff --git a/apps/sim/lib/core/security/input-validation.ts b/apps/sim/lib/core/security/input-validation.ts
index c59e49710b..abeb8f6bda 100644
--- a/apps/sim/lib/core/security/input-validation.ts
+++ b/apps/sim/lib/core/security/input-validation.ts
@@ -1,7 +1,7 @@
-import type { LookupAddress, LookupOptions } from 'dns'
 import dns from 'dns/promises'
 import http from 'http'
 import https from 'https'
+import type { LookupFunction } from 'net'
 import { createLogger } from '@sim/logger'
 import * as ipaddr from 'ipaddr.js'
 
@@ -908,24 +908,16 @@ export async function secureFetchWithPinnedIP(
     const isIPv6 = resolvedIP.includes(':')
     const family = isIPv6 ? 6 : 4
 
-    const agentOptions: http.AgentOptions = {
-      lookup: (
-        _hostname: string,
-        options: LookupOptions,
-        callback: (
-          err: NodeJS.ErrnoException | null,
-          address: string | LookupAddress[],
-          family?: number
-        ) => void
-      ) => {
-        if (options.all) {
-          callback(null, [{ address: resolvedIP, family }])
-        } else {
-          callback(null, resolvedIP, family)
-        }
-      },
+    const lookup: LookupFunction = (_hostname, options, callback) => {
+      if (options.all) {
+        callback(null, [{ address: resolvedIP, family }])
+      } else {
+        callback(null, resolvedIP, family)
+      }
     }
 
+    const agentOptions: http.AgentOptions = { lookup }
+
     const agent = isHttps ? new https.Agent(agentOptions) : new http.Agent(agentOptions)
 
     // Remove accept-encoding since Node.js http/https doesn't auto-decompress