From d081221a977947306b41132c4877fe5d03ddcf45 Mon Sep 17 00:00:00 2001
From: Henry Heng
Date: Wed, 23 Jul 2025 14:33:06 +0100
Subject: [PATCH] Chore/Add Deny List URLs (#4933)
Refactor URL filtering logic in App class
- Introduced a denylist for URLs using the DENYLIST_URLS environment variable.
- Updated the whitelist logic to filter out denylisted URLs, ensuring improved request validation.
---
 packages/server/src/index.ts | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/packages/server/src/index.ts b/packages/server/src/index.ts
index 26d06c8f3..7968f8bf1 100644
--- a/packages/server/src/index.ts
+++ b/packages/server/src/index.ts
@@ -197,7 +197,8 @@ export class App {
 if (next) next()
 })
- const whitelistURLs = WHITELIST_URLS
+ const denylistURLs = process.env.DENYLIST_URLS ? process.env.DENYLIST_URLS.split(',') : []
+ const whitelistURLs = WHITELIST_URLS.filter((url) => !denylistURLs.includes(url))
 const URL_CASE_INSENSITIVE_REGEX: RegExp = /\/api\/v1\//i
 const URL_CASE_SENSITIVE_REGEX: RegExp = /\/api\/v1\//
@@ -209,7 +210,7 @@ export class App {
 // Step 2: Check if the req path is casesensitive
 if (URL_CASE_SENSITIVE_REGEX.test(req.path)) {
 // Step 3: Check if the req path is in the whitelist
- const isWhitelisted = whitelistURLs.some((url) => req.path.startsWith(url))
+ const isWhitelisted = whitelistURLs.includes(req.path)
 if (isWhitelisted) {
 next()
 } else if (req.headers['x-request-from'] === 'internal') {
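Review bot: The new `denylistURLs` line splits `DENYLIST_URLS` on `,` without trimming, and the following `filter` removes entries only by exact string equality, so a value like `/api/v1/a, /api/v1/b` (space after the comma) leaves the second route on the whitelist with no error. Since the whitelist branch in the next hunk calls `next()` directly, a stray space or typo in this variable appears to fail open silently. Normalise the entries, e.g. `const denylistURLs = (process.env.DENYLIST_URLS ?? '').split(',').map((u) => u.trim()).filter(Boolean)`. It would also help to log at startup any denylist entry that matches nothing in `WHITELIST_URLS`, so a misconfiguration is visible to the operator. The enclosing method starts and ends outside the hunk.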
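Review bot: Switching to `whitelistURLs.includes(req.path)` turns the whitelist from prefix matching into exact matching, a behaviour change the commit description does not mention. `WHITELIST_URLS` is not visible here; if any entry is meant as a prefix (a route with a path parameter, or a request carrying a trailing slash), those requests now fall through to the `x-request-from` branch, whose body is outside the hunk. That header is client-supplied, so it is worth confirming the branch does not grant access on its own now that more traffic reaches it. If prefix entries are required, match on a segment boundary instead of a raw prefix, e.g. `whitelistURLs.some((url) => req.path === url || req.path.startsWith(url.endsWith('/') ? url : url + '/'))`. Either way, a comment above the line should state which matching rule is intended.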