Sultan
/
Flowise
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Bugfix/path traversal check on chatId (#5428) 

* path traversal check on chatId

* Update packages/server/src/utils/createAttachment.ts

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

---------

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
This commit is contained in:
Henry Heng 2025-11-06 22:19:27 +00:00 committed by GitHub
parent ec1762b10f
commit 03c1750d73
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 3 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
packages/server/src/utils/createAttachment.ts
View File

@ -27,15 +27,15 @@ export const createFileAttachment = async (req: Request) => {
const appServer = getRunningExpressApp() const appServer = getRunningExpressApp()
const chatflowid = req.params.chatflowId const chatflowid = req.params.chatflowId
const chatId = req.params.chatId
if (!chatflowid || !isValidUUID(chatflowid)) { if (!chatflowid || !isValidUUID(chatflowid)) {
throw new InternalFlowiseError(StatusCodes.BAD_REQUEST, 'Invalid chatflowId format - must be a valid UUID') throw new InternalFlowiseError(StatusCodes.BAD_REQUEST, 'Invalid chatflowId format - must be a valid UUID')
} }
if (isPathTraversal(chatflowid)) { if (isPathTraversal(chatflowid) || (chatId && isPathTraversal(chatId))) {
throw new InternalFlowiseError(StatusCodes.BAD_REQUEST, 'Invalid path characters detected') throw new InternalFlowiseError(StatusCodes.BAD_REQUEST, 'Invalid path characters detected')
} }
const chatId = req.params.chatId
// Validate chatflow exists and check API key // Validate chatflow exists and check API key
const chatflow = await appServer.AppDataSource.getRepository(ChatFlow).findOneBy({ const chatflow = await appServer.AppDataSource.getRepository(ChatFlow).findOneBy({
id: chatflowid id: chatflowid