feat: add NetScaler PKI sync #5898

Merged
carlosmonastyrski merged 4 commits into main from feat/netscaler-pki-sync on Apr 7, 2026

Conversation

@carlosmonastyrski (Contributor)

Context

This PR contains a new PKI sync dedicated to NetScaler, allowing users to sync their certificates to this platform under the SSL inventory and also bind them to a virtual server.

Screenshots

Steps to verify the change

Type

  • Fix
  • Feature
  • Improvement
  • Breaking
  • Docs
  • Chore

Checklist

  • Title follows the conventional commit format: type(scope): short description (scope is optional, e.g., fix: prevent crash on sync or fix(api): handle null response).
  • Tested locally
  • Updated docs (if needed)
  • Updated CLAUDE.md files (if needed)
  • Read the contributing guide

@mintlify

mintlify bot commented Apr 1, 2026

Preview deployment for your docs. Learn more about Mintlify Previews.

Project: infisical | Status: 🟢 Ready | Updated (UTC): Apr 1, 2026, 4:42 AM

@maidul98 (Collaborator)

maidul98 commented Apr 1, 2026

Snyk checks have passed. No issues have been found so far.

Scan engine: Open Source Security. Critical 0, High 0, Medium 0, Low 0, Total 0 issues.

@greptile-apps (Contributor)

greptile-apps bot commented Apr 1, 2026

Greptile Summary

This PR adds a new NetScaler PKI sync integration, allowing Infisical to push certificates to Citrix/NetScaler appliances and optionally bind them to an SSL virtual server. It follows the existing App Connection + PKI Sync patterns with proper gateway v2 support, RE2 regex in most server-side code, and thorough documentation.

Key issues found:

  • SSRF — missing IP block on direct path (netscaler-connection-fns.ts): blockLocalAndPrivateIpAddresses is called only inside the if (gatewayId && gatewayV2Service) branch. On the direct connection path no IP validation occurs, enabling requests to internal/private addresses (e.g., 169.254.169.254, RFC-1918 ranges). Affects both requestWithNetScalerGateway and executeNetScalerOperationWithGateway.
  • Potential login response mis-parse (netscaler-pki-sync-fns.ts, netscaler-connection-fns.ts): The NITRO v1 API wraps its payload under the resource name ({ "login": { "sessionid": "..." } }). The code reads loginData?.sessionid at the top level, which would always be undefined. If confirmed, this would cause every sync and connection-validation attempt to fail immediately.
  • Native JS regex in server-side code (netscaler-pki-sync-fns.ts line 412): .replace(/-/g, "") uses a native regex literal; should use RE2 per project policy.
  • Native RegExp in frontend validation schema (netscaler-pki-sync-destination-schema.ts): new RegExp(...) and regex literals used; should be RE2.
  • No hostname format validation (netscaler-connection-schemas.ts): The hostname field allows arbitrary strings up to 512 chars with no pattern check, leaving room for URL-injection payloads like user@host or host/path.

Confidence Score: 3/5

Not safe to merge until the SSRF (missing IP validation on the direct path) and the potential login session-ID mis-parse are resolved.

Two P1 issues block merge: (1) a real SSRF attack surface where any org member with connection-creation privileges can point the backend at internal IPs/metadata endpoints without a gateway, and (2) the NITRO API session-ID response key appears to be parsed at the wrong level, which would cause all sync and validation calls to fail in production. The remaining findings are P2 style/policy items that do not block merge on their own.

backend/src/services/app-connection/netscaler/netscaler-connection-fns.ts (SSRF), backend/src/services/pki-sync/netscaler/netscaler-pki-sync-fns.ts (session ID parsing + native regex)

Important Files Changed

Filename Overview
backend/src/services/app-connection/netscaler/netscaler-connection-fns.ts Core connection logic; missing blockLocalAndPrivateIpAddresses call on the direct (non-gateway) path in both request helpers, creating an SSRF vector.
backend/src/services/pki-sync/netscaler/netscaler-pki-sync-fns.ts Main sync logic; uses native JS regex in server-side code and the login session ID is parsed from the wrong key in the NITRO API response.
backend/src/services/app-connection/netscaler/netscaler-connection-schemas.ts Credential validation schemas; hostname field accepts any string without format/pattern validation beyond length constraints.
frontend/src/components/pki-syncs/forms/schemas/netscaler-pki-sync-destination-schema.ts Frontend validation schema; uses native JS RegExp which violates the project's RE2 policy.
backend/src/services/pki-sync/pki-sync-fns.ts Integrates NetScaler into the PKI sync dispatch; uses native JS regex in one place.
backend/src/server/routes/v1/app-connection-routers/netscaler-connection-router.ts Router registration for NetScaler app connection endpoints; straightforward and follows existing patterns.
backend/src/server/routes/v1/pki-sync-routers/netscaler-pki-sync-router.ts Router registration for NetScaler PKI sync endpoints; follows existing patterns.
backend/src/services/pki-sync/netscaler/netscaler-pki-sync-constants.ts Naming constants and list option; uses RE2 correctly for the pattern.
frontend/src/pages/organization/AppConnections/AppConnectionsPage/components/AppConnectionForm/NetScalerConnectionForm.tsx Frontend connection form; well-structured with gateway support, SSL config tabs, and proper validation.

Reviews (1): Last reviewed commit: "Add NetScaler PKI sync"
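The two input-validation findings above (no private-IP block on the direct path, no hostname format check) both come down to validating the target before the backend opens a connection. The following is an added illustration of such a check, not Infisical's own code: the review names the project's real helper as blockLocalAndPrivateIpAddresses, while the function names here (isPrivateOrLocalAddress, isValidNetScalerHostname, buildSafeNitroBase) and the sample addresses are hypothetical. It assumes the caller has already resolved the hostname (for example with dns.lookup with all records) and passes every resolved address in, and it uses no regex so it sidesteps the RE2 policy question entirely.

```typescript
// Added example (not Infisical's code). Function names are hypothetical;
// the project's real helper, per the review, is blockLocalAndPrivateIpAddresses.

// Parse a dotted-quad IPv4 literal into an unsigned 32-bit number, or null.
function parseIPv4(s: string): number | null {
  const parts = s.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (p.length === 0 || p.length > 3) return null;
    for (const ch of p) if (ch < "0" || ch > "9") return null;
    const v = Number(p);
    if (v > 255) return null;
    n = n * 256 + v;
  }
  return n;
}

// Loose IPv6 literal check: hex digits, colons and dots (for v4-mapped forms).
// Deliberately permissive; the resolved-address check below is the real gate.
function looksLikeIPv6(s: string): boolean {
  if (!s.includes(":")) return false;
  for (const ch of s.toLowerCase()) {
    if (!"0123456789abcdef:.".includes(ch)) return false;
  }
  return true;
}

// Ranges a backend must never reach on a direct (non-gateway) request:
// "this host", RFC 1918, CGNAT, loopback, link-local (covers the
// 169.254.169.254 metadata endpoint) and the multicast/reserved tail.
const BLOCKED_V4: Array<[string, number]> = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16], ["224.0.0.0", 3],
];

function inCidr(addr: number, base: string, bits: number): boolean {
  const mask = bits === 0 ? 0 : (~0 << (32 - bits)) >>> 0;
  return ((addr & mask) >>> 0) === ((parseIPv4(base)! & mask) >>> 0);
}

// True for any address the backend should refuse to connect to.
// Non-IP input is also refused: only resolved literals belong here.
export function isPrivateOrLocalAddress(ip: string): boolean {
  const v4 = parseIPv4(ip);
  if (v4 !== null) return BLOCKED_V4.some(([base, bits]) => inCidr(v4, base, bits));
  if (!looksLikeIPv6(ip)) return true;
  const s = ip.toLowerCase();
  if (s.startsWith("::ffff:")) return isPrivateOrLocalAddress(s.slice(7)); // v4-mapped
  if (s === "::" || s === "::1") return true;                               // unspecified, loopback
  const first = s.split(":")[0];
  if (first.length === 4) {
    if (first.startsWith("fc") || first.startsWith("fd")) return true;      // fc00::/7 ULA
    if (first >= "fe80" && first <= "febf") return true;                    // fe80::/10 link-local
  }
  return false;
}

// Hostname must be a bare IP literal or dot-separated DNS labels. Anything
// else (user@host, host/path, host:port, whitespace) is rejected before a
// URL is ever assembled, which closes the URL-injection finding.
export function isValidNetScalerHostname(host: string): boolean {
  if (host.length === 0 || host.length > 253) return false;
  if (parseIPv4(host) !== null || looksLikeIPv6(host)) return true;
  for (const label of host.split(".")) {
    if (label.length === 0 || label.length > 63) return false;
    if (label.startsWith("-") || label.endsWith("-")) return false;
    for (const ch of label) {
      const ok = (ch >= "a" && ch <= "z") || (ch >= "A" && ch <= "Z") ||
                 (ch >= "0" && ch <= "9") || ch === "-";
      if (!ok) return false;
    }
  }
  return true;
}

// Assemble the NITRO base URL only after the hostname and every address it
// resolved to have passed. `resolved` is the caller's full DNS answer; the
// connection should then be pinned to one of those addresses, otherwise a
// second, rebinding DNS answer could still steer the request inward.
export function buildSafeNitroBase(host: string, port: number, resolved: string[]): string {
  if (!isValidNetScalerHostname(host)) throw new Error(`invalid NetScaler hostname: ${host}`);
  if (!Number.isInteger(port) || port < 1 || port > 65535) throw new Error(`invalid port: ${port}`);
  if (resolved.length === 0) throw new Error(`hostname did not resolve: ${host}`);
  for (const addr of resolved) {
    if (isPrivateOrLocalAddress(addr)) {
      throw new Error(`refusing local/private address ${addr} for ${host}`);
    }
  }
  const h = looksLikeIPv6(host) ? `[${host}]` : host;
  return `https://${h}:${port}/nitro/v1/config/`;
}

// Constructed sample run: a public-looking name that also resolves to an
// RFC 1918 address is refused, which is the direct-path case the review flags.
export function sampleRun(): string {
  try {
    buildSafeNitroBase("ns.corp.example", 443, ["203.0.113.10", "10.0.0.5"]);
    return "allowed";
  } catch (e) {
    return (e as Error).message;
  }
}
```

The check has to run on both request helpers the review names, and on the direct path as well as the gateway path; a gateway that performs its own egress filtering does not help when the gateway is simply not configured.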

@saifsmailbox98 (Contributor) self-requested a review April 2, 2026 09:11

@saifsmailbox98 left a comment

Looks good, just a couple of suggestions:

  1. The NetScaler logo looks a bit squished. Let's see what works best here: whether we should make all logos always have the correct width, or whether we should find a different NetScaler logo with different dimensions. Feel free to ignore this comment as well if the effort is not worth it.
  2. The delete call to sslcertkey takes the following params according to their docs: deletefromdevice and deletecertkeyfilesonremoval. Could these come in handy?

@carlosmonastyrski carlosmonastyrski merged commit 0138f95 into main Apr 7, 2026
13 checks passed