Merge branch 'main' into path-traversal-fix

Author: HenryHengZJ

.eslintrc.js

@@ -14,7 +14,7 @@ module.exports = {
         }
     },
     parser: '@typescript-eslint/parser',
-    ignorePatterns: ['**/node_modules', '**/dist', '**/build', '**/package-lock.json'],
+    ignorePatterns: ['**/node_modules', '**/dist', '**/build', '**/coverage', '**/package-lock.json'],
     plugins: ['unused-imports'],
     rules: {
         '@typescript-eslint/explicit-module-boundary-types': 'off',
@@ -24,6 +24,6 @@ module.exports = {
         'no-undef': 'off',
         'no-console': [process.env.CI ? 'error' : 'warn', { allow: ['warn', 'error', 'info'] }],
         'prettier/prettier': 'error',
-        'no-control-regex': 0 // Disable no-control-regex to allow control characters in regex patterns, which is required for vector store path validation
+        'no-control-regex': 0 // Used to match control regex's in user input
     }
 }

.github/workflows/docker-image-ecr.yml

@@ -24,6 +24,10 @@ on:
                 required: true
                 default: 'latest'
 
+permissions:
+    contents: read  # Required for checkout
+    id-token: write # Required for AWS OIDC
+
 jobs:
     docker:
         runs-on: ubuntu-latest
@@ -45,12 +49,22 @@ jobs:
               uses: docker/setup-buildx-action@v3.0.0
 
             - name: Configure AWS Credentials
+              if: ${{ inputs.environment != 'prod' }}
               uses: aws-actions/configure-aws-credentials@v3
               with:
                   aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
                   aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
                   aws-region: ${{ secrets.AWS_REGION }}
 
+            - name: Configure AWS OIDC Credentials
+              if: ${{ inputs.environment == 'prod' }}
+              uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7 # v6.0.0
+              with:
+                  aws-region: ${{ secrets.AWS_REGION }}
+                  role-to-assume: ${{ secrets.AWS_OIDC_IAM_ROLE }}
+                  mask-aws-account-id: true
+                  unset-current-credentials: true
+
             - name: Login to Amazon ECR
               uses: aws-actions/amazon-ecr-login@v1
 

.github/workflows/main.yml

@@ -31,6 +31,7 @@ jobs:
                   cache-dependency-path: 'pnpm-lock.yaml'
             - run: pnpm install
             - run: pnpm lint
+            - run: pnpm test:coverage
             - run: pnpm build
               env:
                   NODE_OPTIONS: '--max_old_space_size=4096'

.gitignore

@@ -5,6 +5,7 @@
 # dependencies
 **/node_modules
 **/package-lock.json
+!**/examples/package-lock.json
 **/yarn.lock
 
 ## logs

.husky/pre-commit

@@ -4,3 +4,4 @@ prefer-workspace-packages = true
 link-workspace-packages = deep
 hoist = true
 shamefully-hoist = true
+engine-strict = false

.npmrc

@@ -0,0 +1 @@
+v20.19.2

.nvmrc

@@ -2,37 +2,85 @@
 
 At Flowise, we prioritize security and continuously work to safeguard our systems. However, vulnerabilities can still exist. If you identify a security issue, please report it to us so we can address it promptly. Your cooperation helps us better protect our platform and users.
 
+### Scope
+-   Flowise Cloud: cloud.flowiseai.com
+-   Public Flowise Repositories
+
 ### Out of scope vulnerabilities
 
--   Clickjacking on pages without sensitive actions
--   CSRF on unauthenticated/logout/login pages
+-   Hypothetical issues that do not have a demonstrable, practical impact
+-   Vulnerabilities that affect out-of-date browsers
+-   ClickjackingCSRF on unauthenticated/logout/login pages
+-   Banner disclosure on common/public services
+-   Disclosure of known public files or directories (e.g. robots.txt)
 -   Attacks requiring MITM (Man-in-the-Middle) or physical device access
 -   Social engineering attacks
--   Activities that cause service disruption (DoS)
+-   Denial service via bruteforce attack
 -   Content spoofing and text injection without a valid attack vector
+-   Username enumeration via Login Page error message
+-   Username enumeration via Forgot password error message
+-   Bruteforce attacks
 -   Email spoofing
 -   Absence of DNSSEC, CAA, CSP headers
 -   Missing Secure or HTTP-only flag on non-sensitive cookies
 -   Deadlinks
 -   User enumeration
+-   Social Engineering
+-   Version Disclosure
+-   Vulnerabilities that can only affect the attacker (e.g. self-XSS)
+-   Known vulnerabilities in used libraries (unless exploitability can be proven)
+-   Static application security testing findings
+
 
 ### Reporting Guidelines
 
 -   Submit your findings to https://github.com/FlowiseAI/Flowise/security
 -   Provide clear details to help us reproduce and fix the issue quickly.
 
-### Disclosure Guidelines
+### Reporting Guidelines
+
+-   Submit your findings to https://github.com/FlowiseAI/Flowise/security
+-   Ensure that the vulnerability is exploitable. Theoretical or static application security testing reports are subject to dismissal.
+-   Submit the report with CVSS vector and calculated severity.
+-   Provide a clear detailed report with proof of concept to help us reproduce and remediate the vulnerability.
+
+### Disclosure Terms
+
+The Flowise team believes that transparency is important and public bug bounty reports are a valuable source of knowledge for bug bounty researchers. However, the Flowise team may have legitimate reasons not to disclose vulnerabilities. 
 
--   Do not publicly disclose vulnerabilities until we have assessed, resolved, and notified affected users.
--   If you plan to present your research (e.g., at a conference or in a blog), share a draft with us at least **30 days in advance** for review.
--   Avoid including:
-    -   Data from any Flowise customer projects
-    -   Flowise user/customer information
-    -   Details about Flowise employees, contractors, or partners
+Do not discuss or disclose vulnerability information without prior written consent. If you plan on presenting your research, please share a draft with us at least 45 days in advance for review. Avoid including:
+-   Data from any Flowise customer projects
+-   Flowise user/customer information
+-   Details about Flowise employees, contractors, or partners
 
-### Response to Reports
+### Report Validation Times
 
--   We will acknowledge your report within **5 business days** and provide an estimated resolution timeline.
--   Your report will be kept **confidential**, and your details will not be shared without your consent.
+We will validate submissions within the below timelines.
+| Vulnerability Severity | Time to Validate |
+| ---------------------- | ---------------- |
+| Critical | 5 business days |
+| High | 5 business days |
+| Medium | 15 business days |
+| Low | 15 business days |
 
+Your report will be kept *confidential*, and your details will not be shared without your consent. The Flowise team will triage and adjust severity or CVSS score if necessary.
 We appreciate your efforts in helping us maintain a secure platform and look forward to working together to resolve any issues responsibly.
+
+### Remediation
+
+Once the report has been verified, the Flowise team will plan the remediation steps.
+Below is the estimated time to remediate the triaged security reports.
+
+| Triaged Severity | Estimated Time to Remediate |
+| ---------------------- | ---------------- |
+| Critical | 30 business days |
+| High | 60 business days |
+| Medium | 90 business days |
+
+### Public Disclosure Timeline
+
+Public Disclosure occurs exactly 30 days after the next official release that includes the security patch. This period gives Flowise users a time to adopt the patched version before technical vulnerability details are made public, mitigating the risk of immediate post-disclosure exploitation.
+
+#### Reaching out to the Security team
+To report a new vulnerability, please submit a Github security Security Advisory report.
+If you have any questions or concerns about the existing Security Advisory, please contact security-team@flowiseai.com.

SECURITY.md

@@ -24,6 +24,7 @@
         "user:windows": "cd packages/server/bin && run user",
         "user:default": "cd packages/server/bin && ./run user",
         "test": "turbo run test",
+        "test:coverage": "turbo run test:coverage",
         "clean": "pnpm --filter \"./packages/**\" clean",
         "nuke": "pnpm --filter \"./packages/**\" nuke && rimraf node_modules .turbo",
         "format": "prettier --write \"**/*.{ts,tsx,md}\"",

package.json

@@ -0,0 +1,9 @@
+dist
+node_modules
+build
+coverage
+*.config.ts
+*.config.js
+vite.config.ts
+examples/dist
+examples/vite.config.ts