Fix Mass Assignment in Variables Endpoints (#5955)

* Fix Mass Assignment in Variables Endpoints

* Update packages/server/src/services/variables/index.ts

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

* Fix Mass Assignment in Variables Endpoints

---------

Co-authored-by: christopherholland-workday <christopher.holland+evisort@workday.com>
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
Co-authored-by: yau-wd <yau.ong@workday.com>

Author: 4 people

packages/server/src/controllers/variables/index.ts

@@ -22,9 +22,12 @@ const createVariable = async (req: Request, res: Response, next: NextFunction) =
             throw new InternalFlowiseError(StatusCodes.NOT_FOUND, `Error: toolsController.createTool - workspace ${workspaceId} not found!`)
         }
         const body = req.body
-        body.workspaceId = workspaceId
+        // Explicit allowlist — id/workspaceId/timestamps must not be overrideable by client
         const newVariable = new Variable()
-        Object.assign(newVariable, body)
+        if (body.name !== undefined) newVariable.name = body.name
+        if (body.value !== undefined) newVariable.value = body.value
+        if (body.type !== undefined) newVariable.type = body.type
+        newVariable.workspaceId = workspaceId
         const apiResponse = await variablesService.createVariable(newVariable, orgId)
         return res.json(apiResponse)
     } catch (error) {
@@ -91,8 +94,11 @@ const updateVariable = async (req: Request, res: Response, next: NextFunction) =
             return res.status(404).send('Variable not found in the database')
         }
         const body = req.body
+        // Explicit allowlist — id/workspaceId/timestamps must not be overrideable by client
         const updatedVariable = new Variable()
-        Object.assign(updatedVariable, body)
+        if (body.name !== undefined) updatedVariable.name = body.name
+        if (body.value !== undefined) updatedVariable.value = body.value
+        if (body.type !== undefined) updatedVariable.type = body.type
         const apiResponse = await variablesService.updateVariable(variable, updatedVariable)
         return res.json(apiResponse)
     } catch (error) {

packages/server/src/services/variables/index.ts

@@ -103,7 +103,9 @@ const updateVariable = async (variable: Variable, updatedVariable: Variable) =>
     if (appServer.identityManager.getPlatformType() === Platform.CLOUD && updatedVariable.type === 'runtime')
         throw new InternalFlowiseError(StatusCodes.BAD_REQUEST, 'Cloud platform does not support runtime variables!')
     try {
+        const originalWorkspaceId = variable.workspaceId
         const tmpUpdatedVariable = await appServer.AppDataSource.getRepository(Variable).merge(variable, updatedVariable)
+        tmpUpdatedVariable.workspaceId = originalWorkspaceId
         const dbResponse = await appServer.AppDataSource.getRepository(Variable).save(tmpUpdatedVariable)
         return dbResponse
     } catch (error) {