Conversation

@icecrasher321
Collaborator

feat(tools): added rds, dynamodb, background color gradient (#2150)
fix(selector): remove subblock state prop for subblock component (#2151)

waleedlatif1 and others added 2 commits December 1, 2025 13:42
* feat(tools): added rds tools/block

* feat(tools): added rds, dynamodb, background color gradient

* changed conditions for WHERE condition to be json conditions instead of raw string
@vercel

vercel bot commented Dec 1, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment
Project Deployment Preview Comments Updated (UTC)
docs Skipped Skipped Dec 1, 2025 9:48pm

@greptile-apps
Contributor

greptile-apps bot commented Dec 1, 2025

Greptile Overview

Greptile Summary

This PR adds RDS and DynamoDB tool integrations, updates gradient backgrounds for AWS blocks, and reverts a subblock prop change. The implementations include comprehensive CRUD operations with proper AWS SDK integration and parameterized queries.

Major Changes:

  • Added RDS Data API integration with query, insert, update, delete, and execute operations using parameterized queries
  • Added DynamoDB integration with get, put, query, scan, update, and delete operations
  • Reverted subblock component to only pass previewContextValues when in preview mode, preventing format mismatches
  • Updated S3, RDS, and DynamoDB blocks to use gradient backgrounds instead of solid colors
  • Changed template card to use background CSS property instead of backgroundColor to support gradients

Critical Issue Found:

  • The RDS execute endpoint (apps/sim/app/api/tools/rds/execute/route.ts) is missing query validation that exists in the query endpoint, allowing unrestricted SQL execution including dangerous DDL operations

Positive Notes:

  • AWS credentials correctly use user-only visibility as per custom rules
  • Parameterized queries prevent SQL injection in insert/update/delete operations
  • Proper error handling and logging throughout
  • Comprehensive tool definitions with appropriate input/output schemas

Confidence Score: 2/5

  • This PR contains a critical security vulnerability in the RDS execute endpoint that must be fixed before merging
  • Score of 2/5 reflects one critical security issue: the RDS execute endpoint bypasses query validation, allowing unrestricted SQL operations including DROP DATABASE, CREATE USER, and GRANT statements. While the rest of the implementation is solid with proper parameterized queries, correct credential visibility, and good error handling, this single vulnerability poses a significant security risk and must be addressed
  • apps/sim/app/api/tools/rds/execute/route.ts requires immediate attention to add query validation

Important Files Changed

File Analysis

| Filename | Score | Overview |
| --- | --- | --- |
| apps/sim/app/api/tools/rds/execute/route.ts | 1/5 | New RDS execute endpoint - CRITICAL: missing query validation, allows unrestricted SQL execution including DDL statements |
| apps/sim/app/api/tools/rds/query/route.ts | 4/5 | New RDS query endpoint with proper validation using validateQuery function |
| apps/sim/app/api/tools/rds/utils.ts | 4/5 | RDS utility functions with parameterized queries and validateQuery function for security |
| apps/sim/blocks/blocks/rds.ts | 5/5 | New RDS block configuration with proper user-only visibility for credentials |
| apps/sim/blocks/blocks/dynamodb.ts | 5/5 | New DynamoDB block configuration with proper user-only visibility for credentials |
| apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/sub-block.tsx | 5/5 | Reverted subblock prop change - only passes previewContextValues when in preview mode |

Sequence Diagram

```mermaid
sequenceDiagram
    participant User
    participant BlockUI as Block UI
    participant ToolInput as Tool Input Component
    participant API as API Route
    participant Utils as Utils Layer
    participant AWS as AWS SDK

    User->>BlockUI: Select operation (e.g., RDS Query)
    BlockUI->>ToolInput: Configure params (credentials, query)
    ToolInput->>API: POST /api/tools/rds/query
    API->>API: Validate schema with Zod
    API->>API: validateQuery() check
    API->>Utils: createRdsClient(config)
    Utils->>AWS: new RDSDataClient()
    API->>Utils: executeStatement(client, params)
    Utils->>AWS: ExecuteStatementCommand
    AWS-->>Utils: Response with records
    Utils->>Utils: parseRdsResponse()
    Utils-->>API: { rows, rowCount }
    API-->>ToolInput: JSON response
    ToolInput-->>BlockUI: Display results
    BlockUI-->>User: Show output

    Note over API,Utils: DynamoDB follows similar pattern
    Note over API: Execute endpoint bypasses validateQuery()!
```

@greptile-apps greptile-apps bot left a comment

52 files reviewed, 1 comment

Comment on lines +26 to +44
logger.info(`[${requestId}] Executing raw SQL on RDS database ${params.database}`)

const client = createRdsClient({
region: params.region,
accessKeyId: params.accessKeyId,
secretAccessKey: params.secretAccessKey,
resourceArn: params.resourceArn,
secretArn: params.secretArn,
database: params.database,
})

try {
const result = await executeStatement(
client,
params.resourceArn,
params.secretArn,
params.database,
params.query
)

logic: Missing query validation allows unrestricted SQL execution. The execute endpoint doesn't call validateQuery() unlike the query endpoint (apps/sim/app/api/tools/rds/query/route.ts:29), allowing dangerous operations like DROP DATABASE, CREATE USER, GRANT, etc.

Suggested change

```diff
-    logger.info(`[${requestId}] Executing raw SQL on RDS database ${params.database}`)
-
-    const client = createRdsClient({
-      region: params.region,
-      accessKeyId: params.accessKeyId,
-      secretAccessKey: params.secretAccessKey,
-      resourceArn: params.resourceArn,
-      secretArn: params.secretArn,
-      database: params.database,
-    })
-
-    try {
-      const result = await executeStatement(
-        client,
-        params.resourceArn,
-        params.secretArn,
-        params.database,
-        params.query
-      )
+    logger.info(`[${requestId}] Executing raw SQL on RDS database ${params.database}`)
+
+    // Validate the query
+    const validation = validateQuery(params.query)
+    if (!validation.isValid) {
+      logger.warn(`[${requestId}] Query validation failed: ${validation.error}`)
+      return NextResponse.json({ error: validation.error }, { status: 400 })
+    }
+
+    const client = createRdsClient({
```
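Review bot: applied verbatim, this suggestion replaces all of lines 26-44 with a block that stops at `const client = createRdsClient({`, so the client configuration fields, the closing `})`, the `try {` and the `executeStatement(...)` call would be dropped and the route would no longer parse; the intended change is only the validation block, from `const validation = validateQuery(params.query)` through its closing `}`, inserted between the `logger.info` call and `createRdsClient`, with `validateQuery` imported into execute/route.ts from the RDS utils module named in the file analysis, which the excerpt starting at line 26 does not show. The thread also shows the PR merged into main after this comment with no reply or follow-up commit, so the fix should be confirmed on main rather than assumed.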
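A statement-class allowlist in the spirit of the fix discussed above, added here as an example; it is not the project's `validateQuery()` (whose implementation is not shown in this thread) and only assumes the `{ isValid, error }` result shape the route consumes. It defaults to deny, so `DROP DATABASE`, `CREATE USER` and `GRANT` are refused without maintaining a keyword denylist, and it handles comment markers and stacked statements, which a naive first-word check gets wrong:

```typescript
// Added example (not the project's validateQuery()): allowlist the statement
// class instead of denylisting keywords. Only the { isValid, error } result
// shape is taken from the route shown in this thread; the rest is assumed.
interface QueryValidation { isValid: boolean; error?: string }

const ALLOWED_STATEMENTS = new Set(['SELECT', 'INSERT', 'UPDATE', 'DELETE', 'WITH'])

// Drop -- and /* */ comments while copying '...' literals verbatim (including
// doubled '' escapes), so a comment marker inside a string is not misread and
// a keyword hidden in a leading comment cannot pose as the statement type.
function stripSqlComments(sql: string): string {
  let out = ''
  let i = 0
  while (i < sql.length) {
    if (sql[i] === "'") {
      let j = i + 1
      while (j < sql.length && !(sql[j] === "'" && sql[j + 1] !== "'")) {
        j += sql[j] === "'" ? 2 : 1
      }
      out += sql.slice(i, j + 1)
      i = j + 1
    } else if (sql.startsWith('--', i)) {
      while (i < sql.length && sql[i] !== '\n') i++
    } else if (sql.startsWith('/*', i)) {
      const end = sql.indexOf('*/', i + 2)
      i = end === -1 ? sql.length : end + 2
      out += ' '
    } else {
      out += sql.charAt(i)
      i++
    }
  }
  return out
}

function validateSqlStatement(query: string): QueryValidation {
  const cleaned = stripSqlComments(query).trim().replace(/;\s*$/, '')
  if (cleaned === '') return { isValid: false, error: 'Empty query' }
  // A semicolon outside a string literal means a stacked second statement.
  if (cleaned.replace(/'(?:[^']|'')*'/g, '').includes(';')) {
    return { isValid: false, error: 'Multiple statements are not allowed' }
  }
  const keyword = (cleaned.match(/^[A-Za-z]+/)?.[0] ?? '').toUpperCase()
  if (!ALLOWED_STATEMENTS.has(keyword)) {
    return { isValid: false, error: `Statement type "${keyword || '?'}" is not allowed` }
  }
  return { isValid: true }
}
```

A check like this only bounds the statement class; the Data API credentials behind `resourceArn`/`secretArn` should still be scoped so that even an allowed statement cannot reach tables the tool has no business touching.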

@icecrasher321 icecrasher321 merged commit 774e5d5 into main Dec 1, 2025
14 checks passed