From 81699a1e569e4ddd467bd7271df2feab177915c3 Mon Sep 17 00:00:00 2001
From: Henry Heng
Date: Wed, 25 Jun 2025 14:26:16 +0100
Subject: [PATCH] Bugfix/validate chatflow uuid (#4730)

* validate chatflow uuid

* validate chatflow uuid
---
 packages/components/src/storageUtils.ts | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/packages/components/src/storageUtils.ts b/packages/components/src/storageUtils.ts
index ab79f7b02..54c6b5822 100644
--- a/packages/components/src/storageUtils.ts
+++ b/packages/components/src/storageUtils.ts
@@ -12,6 +12,7 @@ import {
 import { Storage } from '@google-cloud/storage'
 import { Readable } from 'node:stream'
 import { getUserHome } from './utils'
+import { isValidUUID, isPathTraversal } from './validator'
 import sanitize from 'sanitize-filename'
 
 const dirSize = async (directoryPath: string) => {
@@ -40,6 +41,16 @@ export const addBase64FilesToStorage = async (
     fileNames: string[],
     orgId: string
 ): Promise<{ path: string; totalSize: number }> => {
+    // Validate chatflowid
+    if (!chatflowid || !isValidUUID(chatflowid)) {
+        throw new Error('Invalid chatflowId format - must be a valid UUID')
+    }
+
+    // Check for path traversal attempts
+    if (isPathTraversal(chatflowid)) {
+        throw new Error('Invalid path characters detected in chatflowId')
+    }
+
     const storageType = getStorageType()
     if (storageType === 's3') {
         const { s3Client, Bucket } = getS3Config()
@@ -730,6 +741,16 @@ export const streamStorageFile = async (
     fileName: string,
     orgId: string
 ): Promise => {
+    // Validate chatflowId
+    if (!chatflowId || !isValidUUID(chatflowId)) {
+        throw new Error('Invalid chatflowId format - must be a valid UUID')
+    }
+
+    // Check for path traversal attempts
+    if (isPathTraversal(chatflowId)) {
+        throw new Error('Invalid path characters detected in chatflowId')
+    }
+
     const storageType = getStorageType()
     const sanitizedFilename = sanitize(fileName)
     if (storageType === 's3') {
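Review bot: The new guard in addBase64FilesToStorage validates `chatflowid` but leaves `orgId`, the other caller-supplied identifier that both it and streamStorageFile receive, unchecked; if orgId is also used as a path or object-key segment (its use is outside these hunks) it needs the same treatment, e.g. `if (!orgId || isPathTraversal(orgId)) { throw new Error('Invalid path characters detected in orgId') }`. The isPathTraversal check is presumably redundant once isValidUUID has passed, since a string matching a UUID format cannot contain separators or dot segments, but it is harmless defense in depth if isValidUUID (defined in ./validator, not shown) is looser than its name suggests. The same ten-line block is pasted into both functions; a single helper such as `const assertValidChatflowId = (id: string): void => { ... }` holding both checks and both error messages would keep them from drifting apart, and the streamStorageFile hunk has the identical issue. Both function bodies continue past their hunks, and the `): Promise => {` context line in the streamStorageFile hunk appears to have lost its type argument in extraction rather than in the commit.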