fix: better url validation and prevent arbitrary url injection into the sandbox

0xi4o · 0xi4o · commit 999e0887646c · 2026-05-21T13:41:25.000+05:30
diff --git a/packages/components/nodes/agentflow/ExecuteFlow/ExecuteFlow.ts b/packages/components/nodes/agentflow/ExecuteFlow/ExecuteFlow.ts
@@ -10,6 +10,7 @@ import {
 import { AxiosRequestConfig } from 'axios'
 import { secureAxiosRequest } from '../../../src/httpSecurity'
 import { getCredentialData, getCredentialParam, processTemplateVariables, parseJsonBody } from '../../../src/utils'
+import { isValidURL } from '../../../src/validator'
 import { DataSource } from 'typeorm'
 import { BaseMessageLike } from '@langchain/core/messages'
 import { updateFlowState } from '../utils'
@@ -183,6 +184,8 @@ class ExecuteFlow_Agentflow implements INode {
             const credentialData = await getCredentialData(nodeData.credential ?? '', options)
             const chatflowApiKey = getCredentialParam('chatflowApiKey', credentialData, nodeData)
 
+            if (baseURL && !isValidURL(baseURL)) throw new Error('Invalid base URL: must be a valid URL')
+
             if (selectedFlowId === options.chatflowid) throw new Error('Cannot call the same agentflow!')
 
             let headers: Record<string, string> = {
diff --git a/packages/components/nodes/sequentialagents/ExecuteFlow/ExecuteFlow.ts b/packages/components/nodes/sequentialagents/ExecuteFlow/ExecuteFlow.ts
@@ -239,19 +239,20 @@ class ExecuteFlow_SeqAgents implements INode {
             // Create additional sandbox variables
             const additionalSandbox: ICommonObject = {
                 $callOptions: callOptions,
-                $callBody: body
+                $callBody: body,
+                $apiURL: `${baseURL}/api/v1/prediction/${selectedFlowId}`
             }
 
             const sandbox = createCodeExecutionSandbox(flowInput, variables, flow, additionalSandbox)
 
             const code = `
     const fetch = require('node-fetch');
-    const url = "${baseURL}/api/v1/prediction/${selectedFlowId}";
-    
+    const url = $apiURL;
+
     const body = $callBody;
-    
+
     const options = $callOptions;
-    
+
     try {
         const response = await fetch(url, options);
         const resp = await response.json();
diff --git a/packages/components/nodes/tools/AgentAsTool/AgentAsTool.ts b/packages/components/nodes/tools/AgentAsTool/AgentAsTool.ts
@@ -345,7 +345,7 @@ class AgentflowTool extends StructuredTool {
 
         const code = `
 const fetch = require('node-fetch');
-const url = "${this.baseURL}/api/v1/prediction/${this.agentflowid}";
+const url = $apiURL;
 
 const body = $callBody;
 
@@ -364,7 +364,8 @@ try {
         // Create additional sandbox variables
         const additionalSandbox: ICommonObject = {
             $callOptions: options,
-            $callBody: body
+            $callBody: body,
+            $apiURL: `${this.baseURL}/api/v1/prediction/${this.agentflowid}`
         }
 
         const sandbox = createCodeExecutionSandbox('', [], {}, additionalSandbox)
diff --git a/packages/components/nodes/tools/ChatflowTool/ChatflowTool.ts b/packages/components/nodes/tools/ChatflowTool/ChatflowTool.ts
@@ -353,7 +353,7 @@ class ChatflowTool extends StructuredTool {
 
         const code = `
 const fetch = require('node-fetch');
-const url = "${this.baseURL}/api/v1/prediction/${this.chatflowid}";
+const url = $apiURL;
 
 const body = $callBody;
 
@@ -372,7 +372,8 @@ try {
         // Create additional sandbox variables
         const additionalSandbox: ICommonObject = {
             $callOptions: options,
-            $callBody: body
+            $callBody: body,
+            $apiURL: `${this.baseURL}/api/v1/prediction/${this.chatflowid}`
         }
 
         const sandbox = createCodeExecutionSandbox('', [], {}, additionalSandbox)
diff --git a/packages/components/src/validator.test.ts b/packages/components/src/validator.test.ts
@@ -1,4 +1,4 @@
-import { isPathTraversal, isUnsafeFilePath, validateMimeTypeAndExtensionMatch, validateVectorStorePath } from './validator'
+import { isPathTraversal, isUnsafeFilePath, isValidURL, validateMimeTypeAndExtensionMatch, validateVectorStorePath } from './validator'
 import path from 'path'
 import { getUserHome } from './utils'
 
@@ -466,3 +466,60 @@ describe('validateVectorStorePath', () => {
         })
     })
 })
+
+describe('isValidURL', () => {
+    describe('accepts valid http/https URLs', () => {
+        it.each([
+            ['bare http host', 'http://localhost:3000'],
+            ['https with path', 'https://flowise.example.com/api'],
+            ['http with port and path', 'http://192.168.1.1:3000/api/v1'],
+            ['https with query string', 'https://example.com/search?q=hello']
+        ])('should accept %s', (_desc, url) => {
+            expect(isValidURL(url)).toBe(true)
+        })
+    })
+
+    describe('rejects non-http(s) protocols', () => {
+        it.each([
+            ['file protocol', 'file:///etc/passwd'],
+            ['javascript protocol', 'javascript:alert(1)'],
+            ['ftp protocol', 'ftp://example.com'],
+            ['data URI', 'data:text/html,<script>alert(1)</script>']
+        ])('should reject %s', (_desc, url) => {
+            expect(isValidURL(url)).toBe(false)
+        })
+    })
+
+    describe('rejects URLs with hash fragments (CVE-2022-24785 bypass entry point)', () => {
+        it.each([
+            ['plain hash', 'http://localhost:3000/#section'],
+            ['hash with injection payload', 'https://evil.com/#";\nrequire("child_process").exec("id");//'],
+            ['hash with quote escape', 'http://localhost:3000/#";malicious;//']
+        ])('should reject %s', (_desc, url) => {
+            expect(isValidURL(url)).toBe(false)
+        })
+    })
+
+    describe('rejects URLs containing JS string-breaking characters', () => {
+        it.each([
+            ['double quote', 'http://localhost:3000/path"suffix'],
+            ['single quote', "http://localhost:3000/path'suffix"],
+            ['backslash', 'http://localhost:3000/path\\suffix'],
+            ['newline', 'http://localhost:3000/path\nsuffix'],
+            ['carriage return', 'http://localhost:3000/path\rsuffix'],
+            ['tab', 'http://localhost:3000/path\tsuffix']
+        ])('should reject URL with %s', (_desc, url) => {
+            expect(isValidURL(url)).toBe(false)
+        })
+    })
+
+    describe('rejects malformed or empty inputs', () => {
+        it.each([
+            ['empty string', ''],
+            ['not a URL', 'not-a-url'],
+            ['relative path', '/api/v1/prediction/abc']
+        ])('should reject %s', (_desc, url) => {
+            expect(isValidURL(url)).toBe(false)
+        })
+    })
+})
diff --git a/packages/components/src/validator.ts b/packages/components/src/validator.ts
@@ -14,13 +14,16 @@ export const isValidUUID = (uuid: string): boolean => {
 }
 
 /**
- * Validates if a string is a valid URL
- * @param {string} url The string to validate
- * @returns {boolean} True if valid URL, false otherwise
+ * Validates if a string is a valid URL safe for interpolation into JS code.
+ * Rejects hash fragments (the exploit entry point), non-http(s) protocols,
+ * and characters that can break out of a JS double-quoted string literal.
  */
 export const isValidURL = (url: string): boolean => {
     try {
-        new URL(url)
+        const parsed = new URL(url)
+        if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return false
+        if (parsed.hash) return false
+        if (/["'\\\n\r\t]/.test(url)) return false
         return true
     } catch {
         return false
