feat: enhance security validation for MCP configurations
- Added environment variable checks for CUSTOM_MCP_SECURITY_CHECK, CUSTOM_MCP_PROTOCOL, and HTTP_DENY_LIST across various Docker and application files.
- Implemented validation functions in MCP core to prevent command injection and ensure safe environment variable usage
- Added `secureFetch` and `checkDenyList` functions from `httpSecurity` to enhance security in web crawling and link fetching processes.
- Updated relevant functions to utilize these new security measures, ensuring safer data handling.
* fix gsuite tool params
* custom assistant only check for mandatory fields for visible params
* azure chat openai fix for gpt5
* return raw from executeJavaScriptCode
* add json5 for parsing
* azure chatopenai use maxCompletionTokens
* feat: add CometAPI integration with ChatCometAPI node and credential support
* feat: remove timeout and stop sequence parameters from ChatCometAPI node
* fix upser api for file loader
* - Introduced loaderName property in IDocumentStoreUpsertData interface.
- Updated upsertDocStore function to utilize loaderName if provided.
- Enhanced DocStoreAPIDialog to allow loaderName customization in API requests.
- Modified DocumentStoreDetail to display file names when available, improving source formatting logic.
* feat: add JSONPathExtractor tool with lodash-based path extraction
- Implement JSONPathExtractor tool for extracting values from JSON using path notation
- Use lodash.get for robust path extraction supporting edge cases (numeric string keys, array indexing)
- Add configurable error handling with returnNullOnError parameter
- Include comprehensive test suite with 34 tests covering all scenarios
- Support JSON strings, objects, and arrays as input
* fix lint
* Update pnpm-lock.yaml
* fix: exclude test files from TypeScript compilation
Prevents test files from being included in the dist folder which was causing
"jest is not defined" errors during server startup.
---------
Co-authored-by: Henry Heng <henryheng@flowiseai.com>
* feature/bugfix: added otpional css selector to puppeteer web scraper, fixed error when puppeteerLoader does not work.
* feature: added button to add empty link in web scraper tools
* feature: added custom executable file path as an input to puppeteer to fix issues when puppeteer can not find/launch the browser.
* feature: added new puppeteer features to playwright aswell.
* fixed review comments
* Fixes the lossy-replace when a new state assignment contains the {{ output }} variable
* Replaces replace with replaceAll
---------
Co-authored-by: Corentin <corentin.hoareau@sogeti.com>
* - Added support for built-in OpenAI tools including web search, code interpreter, and image generation.
- Enhanced file handling by extracting artifacts and file annotations from response metadata.
- Implemented download functionality for file annotations in the UI.
- Updated chat history management to include additional kwargs for artifacts, file annotations, and used tools.
- Improved UI components to display used tools and file annotations effectively.
* remove redundant currentContainerId
* update comment
- Updated `validateMCPServerSecurity` to only allow whitelisted commands, removing the extensive list of dangerous commands.
- Introduced `validateArgsForLocalFileAccess` to check for potential local file access patterns and null byte injections.
- Updated `Supergateway_MCP` to utilize the new argument validation function.
- Added a warning in `CustomMCP` regarding upcoming changes to Remote MCP support.
* - Implemented a validation function to check for banned commands and dangerous patterns.
- Added checks for potential shell injection attempts in command and arguments.
- Security validation is conditionally enabled based on environment variable CUSTOM_MCP_SECURITY_CHECK.
* Enhance security by implementing command and argument validation in SupergatewayMCP. Added checks for banned commands, dangerous patterns, and potential shell injection attempts. Security validation is conditionally enabled based on the CUSTOM_MCP_SECURITY_CHECK environment variable.
* add validateMCPServerSecurity
refactor: Update code execution sandbox implementation across components
- Replaced NodeVM usage with a new createCodeExecutionSandbox function for improved sandbox management.
- Enhanced JavaScript code execution with executeJavaScriptCode function, allowing for better handling of libraries and output streaming.
- Updated multiple components to utilize the new sandboxing approach, ensuring consistent execution environment.
- Added validation for UUIDs and URLs in various tools to enhance input safety.
- Refactored input handling in CustomFunction and IfElseFunction to streamline variable management.
* refactor: Implement SecureZodSchemaParser for safe Zod schema handling and add FilterParser for Supabase filters
* Replaced direct Zod schema evaluation with SecureZodSchemaParser in StructuredOutputParserAdvanced and CustomTool.
* Introduced FilterParser to safely handle Supabase filter strings, preventing arbitrary code execution.
* Added new filterParser.ts file to encapsulate filter parsing logic.
* Updated Supabase vector store to utilize the new FilterParser for RPC filters.
* Created secureZodParser.ts for secure parsing of Zod schemas.
* remove console log
Enhance file upload capabilities by adding support for additional file types (html, css, js, xml, md, excel, powerpoint) and updating related MIME type mappings. Improve user interface for file type selection in FileUpload component.
feat: Implement caching for MCP toolkit in CachePool
- Added methods to CachePool for managing MCP toolkit cache.
- Integrated caching logic in CustomMCP to store and retrieve toolkit data based on workspaceId and configuration.
- Updated node service to pass cachePool to CustomMCP for enhanced performance.
* Added region support to chatGoogleVertexAi
* Added region to the vertex ai embeddings loader too
* Updated the available vertex text embedding models to be valid
* Update ChatGoogleVertexAI.ts
* Update GoogleVertexAIEmbedding.ts
---------
Co-authored-by: Henry Heng <henryheng@flowiseai.com>
Feature/Add remove-markdown dependency and integrate into Condition node for text processing
- Added `remove-markdown` package to `packages/components/package.json`.
- Integrated `removeMarkdown` function in `Condition.ts` to sanitize string inputs by removing markdown formatting.
* Enhancement: Introduce prepended chat history handling in Agent and LLM nodes.
- Added support for `prependedChatHistory` in both `Agent` and `LLM` classes to allow for initial message context.
- Implemented validation for history schema in execution flow to ensure proper format.
- Refactored utility functions to include JSON sanitization and validation methods for improved data handling.
* update prediction swagger
Enhancement: Add JSON sanitization and parsing methods to HTTP agentflow.
- Introduced `sanitizeJsonString` to clean problematic escape sequences and fix common JSON formatting issues.
- Added `parseJsonBody` to attempt parsing JSON directly, with fallback to sanitization if parsing fails, providing clearer error messages for invalid JSON.
- Updated request handling to utilize the new parsing method for JSON and x-www-form-urlencoded body types.
* Enhancement: Update issue templates and add new tools
- Updated bug report template to include a default label of 'bug'.
- Updated feature request template to include a default label of 'enhancement'.
- Added new credential class for Agentflow API.
- Enhanced Agent and HTTP nodes to improve tool management and error handling.
- Added deprecation badges to several agent and chain classes.
- Introduced new tools for handling requests (GET, POST, DELETE, PUT) with improved error handling.
- Added new chatflows and agentflows for various use cases, including document QnA and translation.
- Updated UI components for better handling of agent flows and marketplace interactions.
- Refactored utility functions for improved functionality and clarity.
* Refactor: Remove beta badge and streamline template title assignment
- Removed the 'BETA' badge from the ExtractMetadataRetriever class.
- Simplified the title assignment in the agentflowv2 generator by using a variable instead of inline string manipulation.
* feat: Add configurable system prompt to Condition Agent
* Update system prompt to HTML for UI readability
* fix: Remove invalid default routing and sync hardcoded role-based examples
* Update ConditionAgent.ts
* Update ConditionAgent.ts
---------
Co-authored-by: Henry Heng <henryheng@flowiseai.com>
* New Feature: Evaluations for AgentFlow v2
* New Feature: Evaluations for Assistants and minor tweaks on other evaluations.
* do not store messages during evaluation for agent flows.
* common cost formatting
* moving the category names to description (in create dialog) and adjusting the side drawer label
* lint fixes
* Enhancement: Add auto-refresh toggle for evaluations with 5-second interval and adjust grid item size for metrics display.
* 1) chatflow types are stored in additional config
2) messages are now stored with type "Evaluations"
3) Message Dialog has a new Type in the ChatType Filter Dropdown
4) Chatflow badges on the view page, have the right canvas URL
5) outdated API returns chatflow type along with the stale indicator.
6) UI - Flow Indicator Icons are shown in the Chatflows Used chips & side drawer
* Refactor JWT error handling to return 401 status for expired refresh tokens. Update chat message ID assignment to remove UUID fallback. Enhance ViewMessagesDialog to set default chat type filters and implement a new method for determining chat type sources. Modify EvalsResultDialog to open links in a new tab and adjust icon sizes for better consistency. Clean up unused imports in EvaluationResultSideDrawer.
* handling on Click for deleted flows and minor code cleanup
* evals ui fix
* Refactor evaluation service to improve error handling and data parsing. Update additionalConfig handling to default to an empty object if not present. Enhance type definitions for better clarity. Adjust MetricsItemCard to prevent overflow and improve layout consistency.
---------
Co-authored-by: Henry <hzj94@hotmail.com>
Henry Heng
vilashjagani
Jakub Drobník
toi500
Marvelous Ikponmwosa
anatolii burtsev
TensorNull
Karl Stoney
Rostyslav Borovyk
Ali Saleh
Rogério Chaves
Henry
Luis Felipe Salazar Ucros
Ong Chung Yau
Purshotam Bohra
russelj1
Mewyii
corentin-hoareau
Ilango
kpj2006
Philip I. Thomas
Amr Aly
Kang Nahoon
Karl Stoney
Rick Ryan
Yuki
Abdullatif
toi500
Vinod Kiran