fix: validate mime type list when updating chatflow configuration

[0xi4o]

No description provided.

[gemini-code-assist]

Summary of Changes

Hello @0xi4o, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request enhances the security of chatflow configurations by introducing robust validation and sanitization for allowed file upload MIME types. It prevents the configuration of potentially malicious or dangerous file types by filtering user-provided MIME type lists against a predefined safe list during chatflow updates. This ensures that only approved file types can be uploaded, mitigating security risks associated with arbitrary file uploads.

Highlights

• MIME Type Validation Utilities: Introduced a new constant ALLOWED_UPLOAD_MIME_TYPES listing safe MIME types and a utility function isAllowedUploadMimeType to check if a given MIME type is permitted for file uploads and has a valid extension mapping.
• MIME Type Filtering Logic: Added filterAllowedUploadMimeTypes in the components package to filter an array of MIME types against the predefined allowed list, ensuring only safe types are processed.
• Server-Side Configuration Sanitization: Implemented sanitizeAllowedUploadMimeTypesFromConfig in the server utilities to process comma-separated MIME type strings from chatflow configurations, removing any types not present in the server's allow list.
• Chatflow Update Security Enhancement: Integrated the new sanitization logic into the updateChatflow service, ensuring that fullFileUpload.allowedUploadFileTypes in the chatbotConfig is validated and sanitized before being saved, preventing malicious or dangerous file types from being configured.

Changelog

• packages/components/src/utils.ts
  • Added ALLOWED_UPLOAD_MIME_TYPES constant defining safe MIME types for file uploads.
  • Introduced isAllowedUploadMimeType function to validate if a MIME type is allowed and has a valid extension mapping.
• packages/components/src/validator.ts
  • Imported isAllowedUploadMimeType for use in validation.
  • Added filterAllowedUploadMimeTypes function to filter an array of MIME types against the allowed list.
• packages/server/src/services/chatflows/index.ts
  • Imported sanitizeAllowedUploadMimeTypesFromConfig for use in chatflow updates.
  • Modified updateChatflow to sanitize fullFileUpload.allowedUploadFileTypes within chatbotConfig using the new validation logic.
• packages/server/src/utils/fileValidation.ts
  • Imported filterAllowedUploadMimeTypes from flowise-components.
  • Added sanitizeAllowedUploadMimeTypesFromConfig function to process and filter comma-separated MIME type strings from configuration.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces an important security enhancement by validating the list of allowed MIME types for file uploads in chatflow configurations. A server-side allowlist (ALLOWED_UPLOAD_MIME_TYPES) is added, and the chatbotConfig is sanitized upon updates to ensure only permitted file types are configured.

My review includes two main points:

1. A suggestion to use a Set instead of an array for the ALLOWED_UPLOAD_MIME_TYPES list in packages/components/src/utils.ts for better performance and code clarity.
2. A high-severity issue in packages/server/src/services/chatflows/index.ts where an empty catch block could allow bypassing the new sanitization logic if a malformed chatbotConfig is provided.

The overall approach is solid, and with the suggested changes, the implementation will be more robust and secure.