fix(security): pin IMAP connections to validated resolved IP

waleedlatif1 · claude · waleedlatif1 · commit c9f2a06a12c2 · 2026-03-27T17:18:11.000-07:00
Pass the resolved IP from validateDatabaseHost to ImapFlow as host,
with the original hostname as servername for TLS SNI verification.
Closes the DNS TOCTOU rebinding window.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/apps/sim/app/api/tools/imap/mailboxes/route.ts b/apps/sim/app/api/tools/imap/mailboxes/route.ts
@@ -37,7 +37,8 @@ export async function POST(request: NextRequest) {
     }
 
     const client = new ImapFlow({
-      host,
+      host: hostValidation.resolvedIP!,
+      servername: host,
       port: port || 993,
       secure: secure ?? true,
       auth: {
diff --git a/apps/sim/lib/webhooks/imap-polling-service.ts b/apps/sim/lib/webhooks/imap-polling-service.ts
@@ -182,7 +182,11 @@ export async function pollImapWebhooks() {
           return
         }
 
-        const fetchResult = await fetchNewEmails(config, requestId)
+        const fetchResult = await fetchNewEmails(
+          config,
+          requestId,
+          hostValidation.resolvedIP!
+        )
         const { emails, latestUidByMailbox } = fetchResult
         const pollTimestamp = new Date().toISOString()
 
@@ -200,7 +204,8 @@ export async function pollImapWebhooks() {
           emails,
           webhookData,
           config,
-          requestId
+          requestId,
+          hostValidation.resolvedIP!
         )
 
         await updateWebhookLastProcessedUids(webhookId, latestUidByMailbox, pollTimestamp)
@@ -267,9 +272,14 @@ export async function pollImapWebhooks() {
   }
 }
 
-async function fetchNewEmails(config: ImapWebhookConfig, requestId: string) {
+async function fetchNewEmails(
+  config: ImapWebhookConfig,
+  requestId: string,
+  resolvedIP: string
+) {
   const client = new ImapFlow({
-    host: config.host,
+    host: resolvedIP,
+    servername: config.host,
     port: config.port || 993,
     secure: config.secure ?? true,
     auth: {
@@ -563,13 +573,15 @@ async function processEmails(
   }>,
   webhookData: WebhookRecord,
   config: ImapWebhookConfig,
-  requestId: string
+  requestId: string,
+  resolvedIP: string
 ) {
   let processedCount = 0
   let failedCount = 0
 
   const client = new ImapFlow({
-    host: config.host,
+    host: resolvedIP,
+    servername: config.host,
     port: config.port || 993,
     secure: config.secure ?? true,
     auth: {

Original file line number	Diff line number	Diff line change
`@@ -37,7 +37,8 @@ export async function POST(request: NextRequest) {`
`37`	`37`	`}`
`38`	`38`
`39`	`39`	`const client = new ImapFlow({`
`40`		`- host,`
	`40`	`+ host: hostValidation.resolvedIP!,`
	`41`	`+ servername: host,`
`41`	`42`	`port: port \|\| 993,`
`42`	`43`	`secure: secure ?? true,`
`43`	`44`	`auth: {`