Chore/allow axios node fetch (#5264)

* disable available dependencies by default, only allow when ALLOW_BUILTIN_DEP is set to true

* update contributing.md

* update pnpm lock

* Enhance security by adding secure wrappers for Axios and Node Fetch in utils.ts, and update dependency handling to include default external dependencies.

* Fix formatting in pnpm-lock.yaml
Henry Heng 2025-09-28 13:51:17 +01:00 committed by GitHub
parent 84a0a45ff7
commit 31434e52ce
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 36 additions and 7 deletions


@ -18,7 +18,7 @@ import { TextSplitter } from 'langchain/text_splitter'
import { DocumentLoader } from 'langchain/document_loaders/base'
import { NodeVM } from '@flowiseai/nodevm'
import { Sandbox } from '@e2b/code-interpreter'
import { secureFetch, checkDenyList } from './httpSecurity'
import { secureFetch, checkDenyList, secureAxiosRequest } from './httpSecurity'
import JSON5 from 'json5'
export const numberOrExpressionRegex = '^(\\d+\\.?\\d*|{{.*}})$' //return true if string consists only numbers OR expression {{}}
@ -85,7 +85,6 @@ export const availableDependencies = [
'@upstash/redis',
'@zilliz/milvus2-sdk-node',
'apify-client',
'axios',
'cheerio',
'chromadb',
'cohere-ai',
@ -103,10 +102,8 @@ export const availableDependencies = [
'linkifyjs',
'lunary',
'mammoth',
'moment',
'mongodb',
'mysql2',
'node-fetch',
'node-html-markdown',
'notion-to-md',
'openai',
@ -122,6 +119,8 @@ export const availableDependencies = [
'weaviate-ts-client'
]
const defaultAllowExternalDependencies = ['axios', 'moment', 'node-fetch']
export const defaultAllowBuiltInDep = [
'assert',
'buffer',
@ -1547,14 +1546,44 @@ export const executeJavaScriptCode = async (
? defaultAllowBuiltInDep.concat(process.env.TOOL_FUNCTION_BUILTIN_DEP.split(','))
: defaultAllowBuiltInDep
const externalDeps = process.env.TOOL_FUNCTION_EXTERNAL_DEP ? process.env.TOOL_FUNCTION_EXTERNAL_DEP.split(',') : []
const deps = process.env.ALLOW_BUILTIN_DEP === 'true' ? availableDependencies.concat(externalDeps) : externalDeps
let deps = process.env.ALLOW_BUILTIN_DEP === 'true' ? availableDependencies.concat(externalDeps) : externalDeps
deps.push(...defaultAllowExternalDependencies)
deps = [...new Set(deps)]
// Create secure wrappers for HTTP libraries
const secureWrappers: ICommonObject = {}
// Axios
const secureAxiosWrapper = async (config: any) => {
return await secureAxiosRequest(config)
}
secureAxiosWrapper.get = async (url: string, config: any = {}) => secureAxiosWrapper({ ...config, method: 'GET', url })
secureAxiosWrapper.post = async (url: string, data: any, config: any = {}) =>
secureAxiosWrapper({ ...config, method: 'POST', url, data })
secureAxiosWrapper.put = async (url: string, data: any, config: any = {}) =>
secureAxiosWrapper({ ...config, method: 'PUT', url, data })
secureAxiosWrapper.delete = async (url: string, config: any = {}) => secureAxiosWrapper({ ...config, method: 'DELETE', url })
secureAxiosWrapper.patch = async (url: string, data: any, config: any = {}) =>
secureAxiosWrapper({ ...config, method: 'PATCH', url, data })
secureWrappers['axios'] = secureAxiosWrapper
// Node Fetch
const secureNodeFetch = async (url: string, options: any = {}) => {
return await secureFetch(url, options)
}
secureWrappers['node-fetch'] = secureNodeFetch
const defaultNodeVMOptions: any = {
console: 'inherit',
sandbox,
require: {
external: { modules: deps },
builtin: builtinDeps
external: {
modules: deps,
transitive: false // Prevent transitive dependencies
},
builtin: builtinDeps,
mock: secureWrappers // Replace HTTP libraries with secure wrappers
},
eval: false,
wasm: false,
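Review bot: The deny-list enforcement added in the last hunk is keyed to exactly two module names in `secureWrappers`, so any other module that reaches `deps` or `builtinDeps` is loaded unwrapped. With `ALLOW_BUILTIN_DEP === 'true'` the whole `availableDependencies` list (which includes network clients such as `apify-client`, `mongodb` and `openai`) is allowed, and `TOOL_FUNCTION_EXTERNAL_DEP` / `TOOL_FUNCTION_BUILTIN_DEP` can add further entries, so sandboxed code can still make requests that never pass through `secureFetch` or `secureAxiosRequest`. I would state that limit next to the mock, e.g. `// Only 'axios' and 'node-fetch' are routed through httpSecurity; other allowed modules make unchecked requests`, and consider rejecting or wrapping network-capable entries as well. The axios mock also forwards the caller's `config` unchanged and exposes only get/post/put/delete/patch, so it is worth confirming that `secureAxiosRequest` (not shown here) validates the effective destination, including `baseURL` and redirects. `executeJavaScriptCode` starts and ends outside this hunk.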