Merge branch 'main' into stack-trace

Author: christopherholland-workday

packages/components/nodes/agentflow/Tool/Tool.ts

@@ -236,11 +236,11 @@ class Tool_Agentflow implements INode {
             // ex: \["a", "b", "c", "d", "e"\]
             let cleanedValue = value
                 .replace(/\\"/g, '"') // \" -> "
-                .replace(/\\\\/g, '\\') // \\ -> \
                 .replace(/\\\[/g, '[') // \[ -> [
                 .replace(/\\\]/g, ']') // \] -> ]
                 .replace(/\\\{/g, '{') // \{ -> {
                 .replace(/\\\}/g, '}') // \} -> }
+                .replace(/\\\\/g, '\\') // \\ -> \ (unescape backslash last)
 
             // Try to parse as JSON if it looks like JSON/array
             if (

packages/components/nodes/agents/CSVAgent/CSVAgent.ts

@@ -144,6 +144,14 @@ class CSV_Agents implements INode {
         // For example using titanic.csv: {'PassengerId': 'int64', 'Survived': 'int64', 'Pclass': 'int64', 'Name': 'object', 'Sex': 'object', 'Age': 'float64', 'SibSp': 'int64', 'Parch': 'int64', 'Ticket': 'object', 'Fare': 'float64', 'Cabin': 'object', 'Embarked': 'object'}
         let dataframeColDict = ''
         let customReadCSVFunc = _customReadCSV ? _customReadCSV : 'read_csv(csv_data)'
+        const csvReadValidation = validatePythonCodeForDataFrame(customReadCSVFunc)
+        if (!csvReadValidation.valid) {
+            throw new Error(
+                `Custom read_csv code was rejected for security reasons (${
+                    csvReadValidation.reason ?? 'unsafe construct'
+                }). Please use only safe pandas read_csv operations.`
+            )
+        }
         try {
             const code = `import pandas as pd
 import base64

packages/components/nodes/tools/MCP/core.ts

@@ -259,6 +259,90 @@ export const validateEnvironmentVariables = (env: Record<string, any>): void =>
     }
 }
 
+/**
+ * Validates that command arguments don't contain flags that enable arbitrary code execution
+ * This prevents attacks where whitelisted commands are used with dangerous flags
+ * (e.g., "npx -c malicious-command" or "python -c malicious-code")
+ * @param command The command to validate
+ * @param args The arguments to validate
+ */
+export const validateCommandFlags = (command: string, args: string[]): void => {
+    // Define dangerous flags for each command that enable code execution
+    const dangerousFlagsByCommand: Record<string, string[]> = {
+        npx: [
+            '-c', // Execute shell commands
+            '--call', // Execute shell commands
+            '--shell-auto-fallback', // Shell execution fallback
+            '-y' // Auto-confirms installation prompts
+        ],
+        node: [
+            '-e', // Execute JavaScript code
+            '--eval', // Execute JavaScript code
+            '-p', // Evaluate and print JavaScript code
+            '--print', // Evaluate and print JavaScript code
+            '--inspect', // Enable remote debugging (security risk)
+            '--inspect-brk', // Enable remote debugging with breakpoint (security risk)
+            '--experimental-policy' // Could load malicious policies
+        ],
+        python: [
+            '-c', // Execute Python code
+            '-m' // Run library modules (could run malicious modules)
+        ],
+        python3: [
+            '-c', // Execute Python code
+            '-m' // Run library modules (could run malicious modules)
+        ],
+        docker: [
+            'run', // Run containers (too powerful)
+            'exec', // Execute in containers
+            '-v', // Mount host filesystems
+            '--volume', // Mount host filesystems
+            '--privileged', // Privileged mode
+            '--cap-add', // Add capabilities
+            '--security-opt', // Modify security options
+            '--network', // Host network access (catches --network=host and --network host)
+            '--pid', // Host PID namespace (catches --pid=host and --pid host)
+            '--ipc' // Host IPC namespace (catches --ipc=host and --ipc host)
+        ]
+    }
+
+    const dangerousFlags = dangerousFlagsByCommand[command] || []
+
+    // Collect single-char dangerous flags (e.g. '-c' -> 'c') for combined flag detection
+    const dangerousShortChars = new Set(dangerousFlags.filter((f) => /^-[a-zA-Z]$/.test(f)).map((f) => f[1].toLowerCase()))
+
+    for (const arg of args) {
+        if (typeof arg !== 'string') continue
+
+        const normalizedArg = arg.toLowerCase().trim()
+
+        // Check for dangerous flags in various forms (exact, =value, space-separated value)
+        for (const flag of dangerousFlags) {
+            const lowerCaseFlag = flag.toLowerCase()
+            if (normalizedArg === lowerCaseFlag) {
+                throw new Error(`Argument '${arg}' is not allowed for command '${command}'.`)
+            }
+            if (normalizedArg.startsWith(lowerCaseFlag + '=')) {
+                throw new Error(`Argument '${arg}' contains flag '${flag}' that is not allowed for command '${command}'.`)
+            }
+            if (flag.startsWith('-') && normalizedArg.startsWith(lowerCaseFlag + ' ')) {
+                throw new Error(`Argument '${arg}' contains flag '${flag}' that is not allowed for command '${command}'.`)
+            }
+        }
+
+        // Check for combined short flags (e.g. "-yc" = "-y" + "-c")
+        // A combined flag starts with a single '-', is not a long flag '--', and has multiple characters after '-'
+        if (/^-[a-zA-Z]{2,}/.test(normalizedArg)) {
+            const flagChars = normalizedArg.slice(1) // strip leading '-'
+            for (const ch of flagChars) {
+                if (dangerousShortChars.has(ch)) {
+                    throw new Error(`Argument '${arg}' contains dangerous flag '-${ch}' for command '${command}'.`)
+                }
+            }
+        }
+    }
+}
+
 export const validateMCPServerConfig = (serverParams: any): void => {
     // Validate the entire server configuration
     if (!serverParams || typeof serverParams !== 'object') {
@@ -276,6 +360,11 @@ export const validateMCPServerConfig = (serverParams: any): void => {
     if (serverParams.args && Array.isArray(serverParams.args)) {
         validateArgsForLocalFileAccess(serverParams.args)
         validateCommandInjection(serverParams.args)
+
+        // Validate command-specific dangerous flags
+        if (serverParams.command) {
+            validateCommandFlags(serverParams.command, serverParams.args)
+        }
     }
 
     // Validate environment variables

packages/components/nodes/vectorstores/Faiss/Faiss.ts

@@ -4,6 +4,7 @@ import { FaissStore } from '@langchain/community/vectorstores/faiss'
 import { Embeddings } from '@langchain/core/embeddings'
 import { INode, INodeData, INodeOutputsValue, INodeParams, IndexingResult } from '../../../src/Interface'
 import { getBaseClasses } from '../../../src/utils'
+import { validateVectorStorePath } from '../../../src/validator'
 
 class Faiss_VectorStores implements INode {
     label: string
@@ -88,7 +89,9 @@ class Faiss_VectorStores implements INode {
 
             try {
                 const vectorStore = await FaissStore.fromDocuments(finalDocs, embeddings)
-                await vectorStore.save(basePath)
+                // Validate and sanitize the base path to prevent path traversal attacks
+                const validatedPath = validateVectorStorePath(basePath)
+                await vectorStore.save(validatedPath)
 
                 // Avoid illegal invocation error
                 vectorStore.similaritySearchVectorWithScore = async (query: number[], k: number) => {
@@ -109,7 +112,9 @@ class Faiss_VectorStores implements INode {
         const topK = nodeData.inputs?.topK as string
         const k = topK ? parseFloat(topK) : 4
 
-        const vectorStore = await FaissStore.load(basePath, embeddings)
+        // Validate and sanitize the base path to prevent path traversal attacks
+        const validatedPath = validateVectorStorePath(basePath)
+        const vectorStore = await FaissStore.load(validatedPath, embeddings)
 
         // Avoid illegal invocation error
         vectorStore.similaritySearchVectorWithScore = async (query: number[], k: number) => {

packages/components/nodes/vectorstores/SimpleStore/SimpleStore.ts

@@ -1,9 +1,8 @@
-import path from 'path'
 import { flatten } from 'lodash'
 import { storageContextFromDefaults, serviceContextFromDefaults, VectorStoreIndex, Document } from 'llamaindex'
 import { Document as LCDocument } from 'langchain/document'
 import { INode, INodeData, INodeOutputsValue, INodeParams, IndexingResult } from '../../../src/Interface'
-import { getUserHome } from '../../../src'
+import { validateVectorStorePath } from '../../../src/validator'
 
 class SimpleStoreUpsert_LlamaIndex_VectorStores implements INode {
     label: string
@@ -89,10 +88,6 @@ class SimpleStoreUpsert_LlamaIndex_VectorStores implements INode {
             const embeddings = nodeData.inputs?.embeddings
             const model = nodeData.inputs?.model
 
-            let filePath = ''
-            if (!basePath) filePath = path.join(getUserHome(), '.flowise', 'llamaindex')
-            else filePath = basePath
-
             const flattenDocs = docs && docs.length ? flatten(docs) : []
             const finalDocs = []
             for (let i = 0; i < flattenDocs.length; i += 1) {
@@ -105,6 +100,8 @@ class SimpleStoreUpsert_LlamaIndex_VectorStores implements INode {
             }
 
             const serviceContext = serviceContextFromDefaults({ llm: model, embedModel: embeddings })
+            // Validate and sanitize the base path to prevent path traversal attacks
+            const filePath = validateVectorStorePath(basePath)
             const storageContext = await storageContextFromDefaults({ persistDir: filePath })
 
             try {
@@ -123,9 +120,8 @@ class SimpleStoreUpsert_LlamaIndex_VectorStores implements INode {
         const topK = nodeData.inputs?.topK as string
         const k = topK ? parseFloat(topK) : 4
 
-        let filePath = ''
-        if (!basePath) filePath = path.join(getUserHome(), '.flowise', 'llamaindex')
-        else filePath = basePath
+        // Validate and sanitize the base path to prevent path traversal attacks
+        const filePath = validateVectorStorePath(basePath)
 
         const serviceContext = serviceContextFromDefaults({ llm: model, embedModel: embeddings })
         const storageContext = await storageContextFromDefaults({ persistDir: filePath })

packages/components/src/httpSecurity.ts

@@ -27,12 +27,19 @@ const DEFAULT_DENY_LIST = [
 ]
 
 /**
- * Gets the HTTP deny list from environment variable or returns default
- * @returns Array of denied IP addresses/CIDR ranges
+ * Gets the HTTP deny list, always including default protections plus any custom entries
+ * @returns Array of denied IP addresses/CIDR ranges (always includes DEFAULT_DENY_LIST)
  */
 function getHttpDenyList(): string[] {
     const httpDenyListString = process.env.HTTP_DENY_LIST
-    return httpDenyListString ? httpDenyListString.split(',').map((s) => s.trim()) : DEFAULT_DENY_LIST
+    if (httpDenyListString) {
+        const customList = httpDenyListString
+            .split(',')
+            .map((s) => s.trim())
+            .filter(Boolean)
+        return [...new Set([...DEFAULT_DENY_LIST, ...customList])]
+    }
+    return DEFAULT_DENY_LIST
 }
 
 /**
@@ -97,7 +104,7 @@ export async function secureAxiosRequest(config: AxiosRequestConfig, maxRedirect
     }
 
     let redirects = 0
-    let currentConfig = { ...config, maxRedirects: 0 } // Disable automatic redirects
+    let currentConfig = { ...config, maxRedirects: 0, validateStatus: () => true } // Disable automatic redirects, accept all status codes
 
     while (redirects <= maxRedirects) {
         const target = await resolveAndValidate(currentUrl)