fix(data-drains): DNS-resolve S3 endpoint for SSRF defense

The schema-level validateExternalUrl only catches private/metadata IP
literals — a hostname like evil.example.com that resolves to 169.254.169.254
or a VPC IP would slip past, and the AWS SDK then resolves the host itself
(bypassing the guard). Run validateUrlWithDNS at test() time and once per
session at the start of each run, matching the webhook destination's
DNS-aware check.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Author: waleedlatif1

apps/sim/lib/data-drains/destinations/s3.ts

@@ -8,6 +8,7 @@ import { createLogger } from '@sim/logger'
 import { generateShortId } from '@sim/utils/id'
 import { z } from 'zod'
 import { validateExternalUrl } from '@/lib/core/security/input-validation'
+import { validateUrlWithDNS } from '@/lib/core/security/input-validation.server'
 import type { DrainDestination } from '@/lib/data-drains/types'
 
 const logger = createLogger('DataDrainS3Destination')
@@ -101,6 +102,22 @@ function isS3ServiceException(error: unknown): error is S3ServiceException {
  * (`AccessDenied`, `NoSuchBucket`, `InvalidAccessKeyId`,
  * `SignatureDoesNotMatch`, ...) instead of opaque "UnknownError".
  */
+/**
+ * Resolves the optional custom endpoint and confirms it does not point at a
+ * private, loopback, or cloud-metadata address. The schema-level
+ * `validateExternalUrl` only catches IP literals, so a hostname like
+ * `evil.example.com` resolving to `169.254.169.254` would slip past it; the
+ * AWS SDK then resolves the host itself, bypassing the SSRF guard. This is
+ * the same DNS-aware check used by the webhook destination.
+ */
+async function assertEndpointIsPublic(endpoint: string | undefined): Promise<void> {
+  if (!endpoint) return
+  const result = await validateUrlWithDNS(endpoint, 'endpoint')
+  if (!result.isValid) {
+    throw new Error(result.error ?? 'S3 endpoint failed SSRF validation')
+  }
+}
+
 async function withS3ErrorContext<T>(action: string, fn: () => Promise<T>): Promise<T> {
   try {
     return await fn()
@@ -128,6 +145,7 @@ export const s3Destination: DrainDestination<S3DestinationConfig, S3DestinationC
   credentialsSchema: s3CredentialsSchema,
 
   async test({ config, credentials, signal }) {
+    await assertEndpointIsPublic(config.endpoint)
     const client = buildClient(config, credentials)
     // Probe with an actual write — HeadBucket only checks read/list and
     // produces both false positives (read-only creds pass, deliver later
@@ -166,8 +184,14 @@ export const s3Destination: DrainDestination<S3DestinationConfig, S3DestinationC
 
   openSession({ config, credentials }) {
     const client = buildClient(config, credentials)
+    // Cache the DNS-aware endpoint check across all chunks in a run so we
+    // pay the lookup once. The SDK creates its own connections, so we can't
+    // pin the IP — but doing the check before any S3 call still rejects
+    // hostnames that resolve to internal targets at the start of the run.
+    const endpointCheck = assertEndpointIsPublic(config.endpoint)
     return {
       async deliver({ body, contentType, metadata, signal }) {
+        await endpointCheck
         const key = buildKey(config, metadata)
         await withS3ErrorContext('put-object', () =>
           client.send(