From 7ec8f8ea2841db6ad7d9738ddc81f7c133dedf62 Mon Sep 17 00:00:00 2001 From: Henry Date: Sun, 16 Jul 2023 14:32:47 +0100 Subject: [PATCH] address vm2 security --- README.md | 24 +++++++------ docker/.env.example | 2 ++ docker/docker-compose.yml | 2 ++ .../components/nodes/tools/CustomTool/core.ts | 36 ++++++++++++------- packages/server/.env.example | 2 ++ packages/server/README.md | 24 +++++++------ packages/server/src/commands/start.ts | 6 +++- 7 files changed, 61 insertions(+), 35 deletions(-) diff --git a/README.md b/README.md index 5023a1b77..b4d4b860e 100644 --- a/README.md +++ b/README.md @@ -130,17 +130,19 @@ FLOWISE_PASSWORD=1234 Flowise support different environment variables to configure your instance. You can specify the following variables in the `.env` file inside `packages/server` folder. -| Variable | Description | Type | Default | -| ---------------- | ---------------------------------------------------------------- | ------------------------------------------------ | ----------------------------------- | -| PORT | The HTTP port Flowise runs on | Number | 3000 | -| FLOWISE_USERNAME | Username to login | String | -| FLOWISE_PASSWORD | Password to login | String | -| DEBUG | Print logs from components | Boolean | -| LOG_PATH | Location where log files are stored | String | `your-path/Flowise/logs` | -| LOG_LEVEL | Different levels of logs | Enum String: `error`, `info`, `verbose`, `debug` | `info` | -| DATABASE_PATH | Location where database is saved | String | `your-home-dir/.flowise` | -| APIKEY_PATH | Location where api keys are saved | String | `your-path/Flowise/packages/server` | -| EXECUTION_MODE | Whether predictions run in their own process or the main process | Enum String: `child`, `main` | `main` | +| Variable | Description | Type | Default | +| -------------------------- | ---------------------------------------------------------------- | ------------------------------------------------ | ----------------------------------- | +| PORT | The HTTP port Flowise runs on | Number | 3000 | +| FLOWISE_USERNAME | Username to login | String | +| FLOWISE_PASSWORD | Password to login | String | +| DEBUG | Print logs from components | Boolean | +| LOG_PATH | Location where log files are stored | String | `your-path/Flowise/logs` | +| LOG_LEVEL | Different levels of logs | Enum String: `error`, `info`, `verbose`, `debug` | `info` | +| DATABASE_PATH | Location where database is saved | String | `your-home-dir/.flowise` | +| APIKEY_PATH | Location where api keys are saved | String | `your-path/Flowise/packages/server` | +| EXECUTION_MODE | Whether predictions run in their own process or the main process | Enum String: `child`, `main` | `main` | +| TOOL_FUNCTION_BUILTIN_DEP | NodeJS built-in modules to be used for Tool Function | String | | +| TOOL_FUNCTION_EXTERNAL_DEP | External modules to be used for Tool Function | String | | You can also specify the env variables when using `npx`. For example: diff --git a/docker/.env.example b/docker/.env.example index 262e08a63..a0b1fb26f 100644 --- a/docker/.env.example +++ b/docker/.env.example @@ -6,3 +6,5 @@ PORT=3000 # APIKEY_PATH=/your_api_key_path/.flowise # LOG_PATH=/your_log_path/logs # EXECUTION_MODE=child or main +# TOOL_FUNCTION_BUILTIN_DEP=crypto,fs +# TOOL_FUNCTION_EXTERNAL_DEP=moment,lodash \ No newline at end of file diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml index 3077c43d3..4a8c4dbb8 100644 --- a/docker/docker-compose.yml +++ b/docker/docker-compose.yml @@ -13,6 +13,8 @@ services: - LOG_PATH=${LOG_PATH} - EXECUTION_MODE=${EXECUTION_MODE} - DEBUG=${DEBUG} + - TOOL_FUNCTION_BUILTIN_DEP=${TOOL_FUNCTION_BUILTIN_DEP} + - TOOL_FUNCTION_EXTERNAL_DEP=${TOOL_FUNCTION_EXTERNAL_DEP} ports: - '${PORT}:${PORT}' volumes: diff --git a/packages/components/nodes/tools/CustomTool/core.ts b/packages/components/nodes/tools/CustomTool/core.ts index 0d3d7bcd9..2aa06b547 100644 --- a/packages/components/nodes/tools/CustomTool/core.ts +++ b/packages/components/nodes/tools/CustomTool/core.ts @@ -51,25 +51,37 @@ export class DynamicStructuredTool< } } + const defaultAllowBuiltInDep = [ + 'assert', + 'buffer', + 'crypto', + 'events', + 'http', + 'https', + 'net', + 'path', + 'querystring', + 'timers', + 'tls', + 'url', + 'zlib' + ] + + const builtinDeps = process.env.TOOL_FUNCTION_BUILTIN_DEP + ? defaultAllowBuiltInDep.concat(process.env.TOOL_FUNCTION_BUILTIN_DEP.split(',')) + : defaultAllowBuiltInDep + const externalDeps = process.env.TOOL_FUNCTION_EXTERNAL_DEP ? process.env.TOOL_FUNCTION_EXTERNAL_DEP.split(',') : [] + const deps = availableDependencies.concat(externalDeps) + const options = { console: 'inherit', sandbox, require: { - external: false as boolean | { modules: string[] }, - builtin: ['*'] + external: { modules: deps }, + builtin: builtinDeps } } as any - const external = JSON.stringify(availableDependencies) - if (external) { - const deps = JSON.parse(external) - if (deps && deps.length) { - options.require.external = { - modules: deps - } - } - } - const vm = new NodeVM(options) const response = await vm.run(`module.exports = async function() {${this.code}}()`, __dirname) diff --git a/packages/server/.env.example b/packages/server/.env.example index d9b2da762..81bac2dcc 100644 --- a/packages/server/.env.example +++ b/packages/server/.env.example @@ -7,3 +7,5 @@ PORT=3000 # LOG_PATH=/your_log_path/logs # LOG_LEVEL=debug (error | warn | info | verbose | debug) # EXECUTION_MODE=main (child | main) +# TOOL_FUNCTION_BUILTIN_DEP=crypto,fs +# TOOL_FUNCTION_EXTERNAL_DEP=moment,lodash diff --git a/packages/server/README.md b/packages/server/README.md index fb3a0c123..e7aacf32e 100644 --- a/packages/server/README.md +++ b/packages/server/README.md @@ -33,17 +33,19 @@ FLOWISE_PASSWORD=1234 Flowise support different environment variables to configure your instance. You can specify the following variables in the `.env` file inside `packages/server` folder. -| Variable | Description | Type | Default | -| ---------------- | ---------------------------------------------------------------- | ------------------------------------------------ | ----------------------------------- | -| PORT | The HTTP port Flowise runs on | Number | 3000 | -| FLOWISE_USERNAME | Username to login | String | -| FLOWISE_PASSWORD | Password to login | String | -| DEBUG | Print logs from components | Boolean | -| LOG_PATH | Location where log files are stored | String | `your-path/Flowise/logs` | -| LOG_LEVEL | Different levels of logs | Enum String: `error`, `info`, `verbose`, `debug` | `info` | -| DATABASE_PATH | Location where database is saved | String | `your-home-dir/.flowise` | -| APIKEY_PATH | Location where api keys are saved | String | `your-path/Flowise/packages/server` | -| EXECUTION_MODE | Whether predictions run in their own process or the main process | Enum String: `child`, `main` | `main` | +| Variable | Description | Type | Default | +| -------------------------- | ---------------------------------------------------------------- | ------------------------------------------------ | ----------------------------------- | +| PORT | The HTTP port Flowise runs on | Number | 3000 | +| FLOWISE_USERNAME | Username to login | String | +| FLOWISE_PASSWORD | Password to login | String | +| DEBUG | Print logs from components | Boolean | +| LOG_PATH | Location where log files are stored | String | `your-path/Flowise/logs` | +| LOG_LEVEL | Different levels of logs | Enum String: `error`, `info`, `verbose`, `debug` | `info` | +| DATABASE_PATH | Location where database is saved | String | `your-home-dir/.flowise` | +| APIKEY_PATH | Location where api keys are saved | String | `your-path/Flowise/packages/server` | +| EXECUTION_MODE | Whether predictions run in their own process or the main process | Enum String: `child`, `main` | `main` | +| TOOL_FUNCTION_BUILTIN_DEP | NodeJS built-in modules to be used for Tool Function | String | | +| TOOL_FUNCTION_EXTERNAL_DEP | External modules to be used for Tool Function | String | | You can also specify the env variables when using `npx`. For example: diff --git a/packages/server/src/commands/start.ts b/packages/server/src/commands/start.ts index 276a3036e..ffb6e4496 100644 --- a/packages/server/src/commands/start.ts +++ b/packages/server/src/commands/start.ts @@ -24,7 +24,9 @@ export default class Start extends Command { APIKEY_PATH: Flags.string(), LOG_PATH: Flags.string(), LOG_LEVEL: Flags.string(), - EXECUTION_MODE: Flags.string() + EXECUTION_MODE: Flags.string(), + TOOL_FUNCTION_BUILTIN_DEP: Flags.string(), + TOOL_FUNCTION_EXTERNAL_DEP: Flags.string() } async stopProcess() { @@ -65,6 +67,8 @@ export default class Start extends Command { if (flags.LOG_LEVEL) process.env.LOG_LEVEL = flags.LOG_LEVEL if (flags.EXECUTION_MODE) process.env.EXECUTION_MODE = flags.EXECUTION_MODE if (flags.DEBUG) process.env.DEBUG = flags.DEBUG + if (flags.TOOL_FUNCTION_BUILTIN_DEP) process.env.TOOL_FUNCTION_BUILTIN_DEP = flags.TOOL_FUNCTION_BUILTIN_DEP + if (flags.TOOL_FUNCTION_EXTERNAL_DEP) process.env.TOOL_FUNCTION_EXTERNAL_DEP = flags.TOOL_FUNCTION_EXTERNAL_DEP await (async () => { try {