Bugfix/add path traversal check to chatId (#5208)

* add path traversal check to chatId

* update axios

package.json

@@ -66,7 +66,7 @@
             "sqlite3"
         ],
         "overrides": {
-            "axios": "1.10.0",
+            "axios": "1.12.0",
             "body-parser": "2.0.2",
             "braces": "3.0.3",
             "cross-spawn": "7.0.6",

packages/components/package.json

@@ -83,7 +83,7 @@
         "@zilliz/milvus2-sdk-node": "^2.2.24",
         "apify-client": "^2.7.1",
         "assemblyai": "^4.2.2",
-        "axios": "1.7.9",
+        "axios": "1.12.0",
         "cheerio": "^1.0.0-rc.12",
         "chromadb": "^1.10.0",
         "cohere-ai": "^7.7.5",

packages/components/src/storageUtils.ts

@@ -753,8 +753,8 @@ export const streamStorageFile = async (
     }
 
     // Check for path traversal attempts
-    if (isPathTraversal(chatflowId)) {
-        throw new Error('Invalid path characters detected in chatflowId')
+    if (isPathTraversal(chatflowId) || isPathTraversal(chatId)) {
+        throw new Error('Invalid path characters detected in chatflowId or chatId')
     }
 
     const storageType = getStorageType()

packages/server/package.json

@@ -87,7 +87,7 @@
         "@types/passport-local": "^1.0.38",
         "@types/uuid": "^9.0.7",
         "async-mutex": "^0.4.0",
-        "axios": "1.7.9",
+        "axios": "1.12.0",
         "bcryptjs": "^2.4.3",
         "bullmq": "5.45.2",
         "cache-manager": "^6.3.2",

packages/ui/package.json

@@ -34,7 +34,7 @@
         "@uiw/codemirror-theme-sublime": "^4.21.21",
         "@uiw/codemirror-theme-vscode": "^4.21.21",
         "@uiw/react-codemirror": "^4.21.21",
-        "axios": "1.7.9",
+        "axios": "1.12.0",
         "clsx": "^1.1.1",
         "dompurify": "^3.2.6",
         "dotenv": "^16.0.0",