From ae2d3db7214865090515f71d9c4e7af9fcd89491 Mon Sep 17 00:00:00 2001
From: christopherholland-workday
Date: Wed, 25 Mar 2026 12:48:58 -0700
Subject: [PATCH] Fix Mass Assignment on Save Custom Template

---
 .../src/controllers/marketplaces/index.ts | 22 ++++++++++++++-----
 .../server/src/services/marketplaces/index.ts | 8 ++++++-
 2 files changed, 23 insertions(+), 7 deletions(-)

diff --git a/packages/server/src/controllers/marketplaces/index.ts b/packages/server/src/controllers/marketplaces/index.ts
index 55233685526..1500697bf77 100644
--- a/packages/server/src/controllers/marketplaces/index.ts
+++ b/packages/server/src/controllers/marketplaces/index.ts
@@ -46,21 +46,31 @@ const getAllCustomTemplates = async (req: Request, res: Response, next: NextFunc
 const saveCustomTemplate = async (req: Request, res: Response, next: NextFunction) => {
 try {
- if ((!req.body && !(req.body.chatflowId || req.body.tool)) || !req.body.name) {
+ const body = req.body
+ if (!body || !(body.chatflowId || body.tool) || !body.name) {
 throw new InternalFlowiseError(
 StatusCodes.PRECONDITION_FAILED,
 `Error: marketplacesService.saveCustomTemplate - body not provided!`
 )
 }
- const body = req.body
- body.workspaceId = req.user?.activeWorkspaceId
- if (!body.workspaceId) {
+ const workspaceId = req.user?.activeWorkspaceId
+ if (!workspaceId) {
 throw new InternalFlowiseError(
 StatusCodes.NOT_FOUND,
- `Error: marketplacesController.saveCustomTemplate - workspace ${body.workspaceId} not found!`
+ `Error: marketplacesController.saveCustomTemplate - workspace ${workspaceId} not found!`
 )
 }
- const apiResponse = await marketplacesService.saveCustomTemplate(body)
+ // Explicit allowlist — id/workspaceId/timestamps must not be overrideable by client
+ const templateBody: Record = {}
+ if (body.name !== undefined) templateBody.name = body.name
+ if (body.description !== undefined) templateBody.description = body.description
+ if (body.badge !== undefined) templateBody.badge = body.badge
+ if (body.usecases !== undefined) templateBody.usecases = body.usecases
+ if (body.type !== undefined) templateBody.type = body.type
+ if (body.chatflowId !== undefined) templateBody.chatflowId = body.chatflowId
+ if (body.tool !== undefined) templateBody.tool = body.tool
+ templateBody.workspaceId = workspaceId
+ const apiResponse = await marketplacesService.saveCustomTemplate(templateBody)
 return res.json(apiResponse)
 } catch (error) {
 next(error)
diff --git a/packages/server/src/services/marketplaces/index.ts b/packages/server/src/services/marketplaces/index.ts
index ef50ad687a9..56f19e43c0e 100644
--- a/packages/server/src/services/marketplaces/index.ts
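Review bot: The allowlist copies `body.name` and the other six fields across without checking their types, so the precondition still only rejects a falsy `name`; an object or array in `name`, `badge` or `type` passes the guard and reaches the entity assignments in the service unchanged. A type guard next to the existing precondition, e.g. `if (typeof body.name !== 'string') throw new InternalFlowiseError(StatusCodes.PRECONDITION_FAILED, ...)` and the same for the other string-valued fields, would close that; which fields are string columns is not visible here and should be checked against the CustomTemplate entity. As a point of style, the seven repeated `if (body.x !== undefined)` lines can be one loop over an `as const` key list so the allowlist is declared in a single place rather than spread over seven statements. The body of saveCustomTemplate continues past the hunk, so its closing braces are outside this view.
```typescript
        // Explicit allowlist — id/workspaceId/timestamps must not be overrideable by client
        const allowedFields = ['name', 'description', 'badge', 'usecases', 'type', 'chatflowId', 'tool'] as const
        const templateBody: Record<string, unknown> = {}
        for (const key of allowedFields) {
            if (body[key] !== undefined) templateBody[key] = body[key]
        }
        templateBody.workspaceId = workspaceId
        // … unchanged: service call and res.json …
```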
+++ b/packages/server/src/services/marketplaces/index.ts
@@ -208,7 +208,13 @@ const saveCustomTemplate = async (body: any): Promise => {
 let flowDataStr = ''
 let derivedFramework = ''
 const customTemplate = new CustomTemplate()
- Object.assign(customTemplate, body)
+ // Explicit assignment — never use Object.assign with untrusted body
+ customTemplate.name = body.name
+ customTemplate.workspaceId = body.workspaceId
+ if (body.description !== undefined) customTemplate.description = body.description
+ if (body.badge !== undefined) customTemplate.badge = body.badge
+ if (body.usecases !== undefined) customTemplate.usecases = body.usecases
+ if (body.type !== undefined) customTemplate.type = body.type
 if (body.chatflowId) {
 const chatflow = await chatflowsService.getChatflowById(body.chatflowId, body.workspaceId)