* feat(security): enhance file path validation and implement non-root Docker user
- Validate resolved full file paths including workspace boundaries in SecureFileStore
- Resolve paths before validation in readFile and writeFile operations
- Run Docker container as non-root flowise user (uid/gid 1001)
- Apply proper file ownership and permissions for application files
Prevents path traversal attacks and follows container security best practices
* Add sensitive system directory validation and Flowise internal file protection
* Update Dockerfile to use default node user
* update validation patterns to include additional system binary directories (/usr/bin, /usr/sbin, /usr/local/bin)
* added isSafeBrowserExecutable function to validate browser executable paths for Playwright and Puppeteer loaders
---------
Co-authored-by: taraka-vishnumolakala <taraka.vishnumolakala@workday.com>
Co-authored-by: Henry Heng <henryheng@flowiseai.com>
Co-authored-by: Henry <hzj94@hotmail.com>
* add separate by JSON object
* add file check for Unstructured
* Enhance JSON DocumentLoader: Update label and description for 'Separate by JSON Object' option, and add type check for JSON objects in array processing.
Integrate AzureChatOpenAI into the Supervisor node to handle user requests alongside ChatOpenAI. This enhancement allows for improved multi-agent conversation management.
* implement parseWithTypeConversion - parse a value against a Zod schema with automatic type conversion for common type mismatches
* Enhance parseWithTypeConversion to include maxDepth parameter for recursion control, preventing infinite loops during parsing.
* add tools warning
* Enhance file handling tools with security features
- Introduced new input parameters: workspacePath, enforceWorkspaceBoundaries, maxFileSize, and allowedExtensions for better control over file operations.
- Added validation for file paths and sizes to prevent unsafe operations.
- Implemented workspace boundary checks to restrict file access based on user-defined settings.
feat: enhance OpenAPI Toolkit with input type options and server selection
- Updated OpenAPI Toolkit to support multiple input types: file upload or link.
- Added async options for selecting servers and endpoints from the OpenAPI specification.
- Improved error handling for loading OpenAPI specs and fetching server data.
- Updated version to 2.1.
Co-authored-by: Mehdi Chebbah <MChebbah@aas.com.sa>
* Feature: Update Loop Agentflow to include fallback message and version increment to 1.1
- Added a new input parameter 'fallbackMessage' to the Loop Agentflow for displaying a message when the loop count is exceeded.
- Incremented the version of Loop Agentflow from 1.0 to 1.1.
- Updated the processing logic to handle the fallback message appropriately when the maximum loop count is reached.
* - Introduced a new input parameter 'loopUpdateState' to allow updating the runtime state during workflow execution.
- Added a method to list runtime state keys for dynamic state management.
- Implemented logic to retrieve and utilize the current loop count in variable resolution.
- Updated the Loop Agentflow output to reflect the new state and final output content.
feat: enhance security validation for MCP configurations
- Added environment variable checks for CUSTOM_MCP_SECURITY_CHECK, CUSTOM_MCP_PROTOCOL, and HTTP_DENY_LIST across various Docker and application files.
- Implemented validation functions in MCP core to prevent command injection and ensure safe environment variable usage
* fix gsuite tool params
* custom assistant only check for mandatory fields for visible params
* azure chat openai fix for gpt5
* return raw from executeJavaScriptCode
* add json5 for parsing
* azure chatopenai use maxCompletionTokens
Henry Heng
Henry
Taraka Vishnumolakala
Lê Nam Khánh
Håvard Homb
Marko
Shashank Shekhar
Bharath
Rostyslav Borovyk
Mehdi
Kushal Bhana
vilashjagani
Jakub Drobník
toi500
anatolii burtsev