* implement parseWithTypeConversion - parse a value against a Zod schema with automatic type conversion for common type mismatches
* Enhance parseWithTypeConversion to include maxDepth parameter for recursion control, preventing infinite loops during parsing.
* add tools warning
* Enhance file handling tools with security features
- Introduced new input parameters: workspacePath, enforceWorkspaceBoundaries, maxFileSize, and allowedExtensions for better control over file operations.
- Added validation for file paths and sizes to prevent unsafe operations.
- Implemented workspace boundary checks to restrict file access based on user-defined settings.
feat: enhance OpenAPI Toolkit with input type options and server selection
- Updated OpenAPI Toolkit to support multiple input types: file upload or link.
- Added async options for selecting servers and endpoints from the OpenAPI specification.
- Improved error handling for loading OpenAPI specs and fetching server data.
- Updated version to 2.1.
Co-authored-by: Mehdi Chebbah <MChebbah@aas.com.sa>
feat: enhance security validation for MCP configurations
- Added environment variable checks for CUSTOM_MCP_SECURITY_CHECK, CUSTOM_MCP_PROTOCOL, and HTTP_DENY_LIST across various Docker and application files.
- Implemented validation functions in MCP core to prevent command injection and ensure safe environment variable usage.
* fix gsuite tool params
* custom assistant only check for mandatory fields for visible params
* azure chat openai fix for gpt5
* return raw from executeJavaScriptCode
* add json5 for parsing
* azure chatopenai use maxCompletionTokens
* feat: add JSONPathExtractor tool with lodash-based path extraction
- Implement JSONPathExtractor tool for extracting values from JSON using path notation
- Use lodash.get for robust path extraction supporting edge cases (numeric string keys, array indexing)
- Add configurable error handling with returnNullOnError parameter
- Include comprehensive test suite with 34 tests covering all scenarios
- Support JSON strings, objects, and arrays as input
* fix lint
* Update pnpm-lock.yaml
* fix: exclude test files from TypeScript compilation
Prevents test files from being included in the dist folder which was causing
"jest is not defined" errors during server startup.
---------
Co-authored-by: Henry Heng <henryheng@flowiseai.com>
- Updated `validateMCPServerSecurity` to only allow whitelisted commands, removing the extensive list of dangerous commands.
- Introduced `validateArgsForLocalFileAccess` to check for potential local file access patterns and null byte injections.
- Updated `Supergateway_MCP` to utilize the new argument validation function.
- Added a warning in `CustomMCP` regarding upcoming changes to Remote MCP support.
* - Implemented a validation function to check for banned commands and dangerous patterns.
- Added checks for potential shell injection attempts in command and arguments.
- Security validation is conditionally enabled based on environment variable CUSTOM_MCP_SECURITY_CHECK.
* Enhance security by implementing command and argument validation in SupergatewayMCP. Added checks for banned commands, dangerous patterns, and potential shell injection attempts. Security validation is conditionally enabled based on the CUSTOM_MCP_SECURITY_CHECK environment variable.
* add validateMCPServerSecurity
refactor: Update code execution sandbox implementation across components
- Replaced NodeVM usage with a new createCodeExecutionSandbox function for improved sandbox management.
- Enhanced JavaScript code execution with executeJavaScriptCode function, allowing for better handling of libraries and output streaming.
- Updated multiple components to utilize the new sandboxing approach, ensuring consistent execution environment.
- Added validation for UUIDs and URLs in various tools to enhance input safety.
- Refactored input handling in CustomFunction and IfElseFunction to streamline variable management.
* refactor: Implement SecureZodSchemaParser for safe Zod schema handling and add FilterParser for Supabase filters
* Replaced direct Zod schema evaluation with SecureZodSchemaParser in StructuredOutputParserAdvanced and CustomTool.
* Introduced FilterParser to safely handle Supabase filter strings, preventing arbitrary code execution.
* Added new filterParser.ts file to encapsulate filter parsing logic.
* Updated Supabase vector store to utilize the new FilterParser for RPC filters.
* Created secureZodParser.ts for secure parsing of Zod schemas.
* remove console log
feat: Implement caching for MCP toolkit in CachePool
- Added methods to CachePool for managing MCP toolkit cache.
- Integrated caching logic in CustomMCP to store and retrieve toolkit data based on workspaceId and configuration.
- Updated node service to pass cachePool to CustomMCP for enhanced performance.
* Enhancement: Update issue templates and add new tools
- Updated bug report template to include a default label of 'bug'.
- Updated feature request template to include a default label of 'enhancement'.
- Added new credential class for Agentflow API.
- Enhanced Agent and HTTP nodes to improve tool management and error handling.
- Added deprecation badges to several agent and chain classes.
- Introduced new tools for handling requests (GET, POST, DELETE, PUT) with improved error handling.
- Added new chatflows and agentflows for various use cases, including document QnA and translation.
- Updated UI components for better handling of agent flows and marketplace interactions.
- Refactored utility functions for improved functionality and clarity.
* Refactor: Remove beta badge and streamline template title assignment
- Removed the 'BETA' badge from the ExtractMetadataRetriever class.
- Simplified the title assignment in the agentflowv2 generator by using a variable instead of inline string manipulation.
* add teams, gmail, outlook tools
* update docs link
* update credentials for oauth2
* add jira tool
* add google drive, google calendar, google sheets tools, powerpoint, excel, word doc loader
* update jira logo
* Refactor Gmail and Outlook tools to remove maxOutputLength parameter and enhance request handling. Update response formatting to include parameters in the output. Adjust Google Drive tools to simplify success messages by removing unnecessary parameter details.
* Update pnpm-lock.yaml
* add google docs
* Allows 'x-strict' attribute in OpenAPI spec tool and other JSON spec objects; this allows the OpenAI Assistant to have function calls with 'strict' mode. Also allows the OpenAI assistant to call several tools in the same run, and adds a checkbox 'remove Nulls' for the OpenAPI toolkit so that parameters with null values are not passed to the backend API.
* fix lint errors
---------
Co-authored-by: Olivier Schiavo <olivier.schiavo@wengo.com>
The previous code incorrectly assigned `toolInput` to an empty string when `customInput` was non-empty. Corrected the logic to ensure that `toolInput` is assigned `customInput` when `useQuestionFromChat` is false and `customInput` is non-empty.