Validate filepaths in file utilities #5778

Closed
christopherholland-workday wants to merge 34 commits into main from path-expression

@christopherholland-workday christopherholland-workday commented Feb 18, 2026

  1. Validate that chatId and chatflowId are valid UUIDs
  2. Ensure that the filename does not contain path traversal patterns
  3. Ensure that the sanitized filename does not contain path traversal patterns

Addresses CodeQL findings 45-50

Moved to #5842 because this PR got polluted by mistake
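
The three checks listed in the description above, as an added example that is not code from this pull request or from Flowise: `looksLikeUuid`, `hasTraversalPattern`, `sanitizeName` and `checkUploadPath` are hypothetical names, and the sanitizer is an assumed stand-in. The constructed `.<.` input shows why the filename is checked again after sanitization.

```typescript
// Added example. Every name here is hypothetical; none is Flowise's own code.
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[1-8][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i

type Check = { ok: true; parts: string[] } | { ok: false; reason: string }

// Step 1: identifiers must be canonical UUID strings (also rejects undefined).
function looksLikeUuid(value: unknown): value is string {
    return typeof value === 'string' && UUID_RE.test(value)
}

// Steps 2 and 3: true when a name could leave its directory. Checks the raw
// and the percent-decoded form; any ".." is refused, which is deliberately strict.
function hasTraversalPattern(name: string): boolean {
    let decoded: string
    try {
        decoded = decodeURIComponent(name)
    } catch {
        return true // malformed percent-encoding: refuse rather than guess
    }
    return [name, decoded].some(
        (n) => n.length === 0 || n.includes('..') || /[\/\\\x00]/.test(n) || /^[a-zA-Z]:/.test(n)
    )
}

// Stand-in sanitizer (assumption): strips characters that are illegal on Windows.
function sanitizeName(name: string): string {
    return name.replace(/[<>:"|?*\x00-\x1f]/g, '')
}

function checkUploadPath(chatflowId: unknown, chatId: unknown, fileName: unknown): Check {
    if (!looksLikeUuid(chatflowId)) return { ok: false, reason: 'chatflowId is not a UUID' }
    if (!looksLikeUuid(chatId)) return { ok: false, reason: 'chatId is not a UUID' }
    if (typeof fileName !== 'string' || hasTraversalPattern(fileName)) {
        return { ok: false, reason: 'unsafe fileName' }
    }
    // Re-check after sanitizing: removing characters can create a new "..".
    const sanitized = sanitizeName(fileName)
    if (hasTraversalPattern(sanitized)) {
        return { ok: false, reason: 'unsafe fileName after sanitization' }
    }
    return { ok: true, parts: [chatflowId, chatId, sanitized] }
}

// Constructed inputs, not taken from the pull request.
const FLOW = 'a1b2c3d4-e5f6-4a7b-8c9d-0e1f2a3b4c5d'
const CHAT = '123e4567-e89b-42d3-a456-426614174000'
for (const name of ['report.pdf', '../../etc/passwd', '%2e%2e%2fnotes.txt', '.<.']) {
    console.log(JSON.stringify(name), checkUploadPath(FLOW, CHAT, name))
}
```
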

@gemini-code-assist

Summary of Changes

Hello @christopherholland-workday, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the security of file utility functions by introducing robust input validation for identifiers and filenames. The changes prevent potential path traversal vulnerabilities and ensure that all file-related operations are performed with validated and sanitized inputs, thereby safeguarding the system against malicious file access attempts.

Highlights

  • Input Validation: Validated that chatId and chatflowId parameters are valid UUIDs to prevent malformed inputs.
  • Path Traversal Prevention: Implemented checks to ensure that filename parameters do not contain path traversal patterns, enhancing security.
  • Post-Sanitization Filename Check: Added a validation step to verify that the filename remains safe and free of path traversal patterns even after sanitization.

Changelog

  • packages/components/src/storageUtils.ts
    • Imported isUnsafeFilePath for new validation checks.
    • Added validation for chatId to ensure it is a valid UUID.
    • Introduced checks for fileName using isUnsafeFilePath to prevent unsafe paths.
    • Implemented post-sanitization validation for sanitizedFilename to detect any remaining path separators.
  • packages/server/src/controllers/get-upload-file/index.ts
    • Imported isValidUUID and isUnsafeFilePath from flowise-components.
    • Added early validation for chatflowId and chatId to ensure they are valid UUIDs.
    • Implemented early validation for fileName using isUnsafeFilePath to catch unsafe characters at the API entry point.

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request enhances security by adding validation for file path components like chatId, chatflowId, and fileName to prevent path traversal vulnerabilities. My review includes a critical fix to prevent a potential server crash from unhandled undefined inputs and a suggestion to remove a redundant check for improved code clarity and maintainability.

Comment on lines 759 to 761
if (isPathTraversal(chatflowId) || isPathTraversal(chatId)) {
throw new Error('Invalid path characters detected in chatflowId or chatId')
}
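
Review bot: The single message on the `throw` line covers both identifiers, so a caller or log reader cannot tell whether `chatflowId` or `chatId` was rejected. Consider testing each value in its own `if` with its own message, or naming the offending parameter in the error text.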

medium

This isPathTraversal check for chatflowId and chatId is redundant. Both variables are already validated as UUIDs in the preceding lines (line 751 for chatflowId and line 755 for chatId). A valid UUID cannot contain path traversal characters, so this check is unnecessary. Removing it will improve code clarity and remove dead code.

Contributor Author

This is more of a logical "backup" if things were moved around unknowingly later on

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
* Update SECURITY.md

---------
* feat(agentflow): update canvas add node drag and drop behaviour

- fix style issues and refactor components using design token with dark mode theme support
- add and update tests with additional jest config to mock canvas and libs

* fix lint error on test

* address gemini review comments

* update README Props to match actual implementation
…5789)

* refactor(agentflow): update import paths and clean up test utilities

- Refactor import paths to use absolute paths (alias) for better readability and maintainability.
- Remove unused function `initializeDefaultNodeData` from `nodeFactory` and its related tests.
- Update `TESTS.md` to reflect the current testing status of various modules.
- Minor adjustments to Vite configuration for improved development experience.

* fix markdown format
…5806)

* feat(agentflow): enhance typography and improve node palette drawer functionality

- Add typography settings for h4, h5, and h6 in the theme configuration.
- Implement tests for typography to ensure consistency across light and dark modes.
- Refactor AddNodesDrawer to improve drag-and-drop functionality and integrate new NodeListItem component.
- Introduce useDrawerMaxHeight hook to dynamically calculate drawer height based on viewport.
- Clean up unused imports and optimize component structure for better performance.

* fix lint issues

* address review feedback
* WIP: wiring editnode

* End to end flow

* Fixed comments

* test case added for agent flow reducer

* Fixed changes after syncing with main

* Changes to update interface NodeData to be in line with restapi response api/v1/nodes

* Fixed es-lint errors

* Clean code

* Fix for making failed testcase

* eslint error fixed

* fix test coverage

* Revert config.ts and vite.config.ts to main

* Fix gemini comments

* Update imports to use alias

* fix alias
Build without sourcemaps for production

Co-authored-by: Ginna Baker <ginna.baker@workday.com>
Updated all references in documentation, examples, and source files to reflect the new package name. This change ensures consistency across the project and aligns with the rebranding effort.
Co-authored-by: Natan Hoppe <natan.hoppe@evisort.com>
Co-authored-by: yau-wd <yau.ong@workday.com>
* Fix bidirectional sync

* added utility function to sync states

* Fix comment

* Normalize nodes before updating states
* fix: auth for read loginmethod endpoint

* fix: review feedback

* fix: lint issues

* fix: validate auth0 domain

* fix: lint issues

* fix: wrong loginmethod endpoint in org setup page

---------

Co-authored-by: yau-wd <yau.ong@workday.com>
… examples

- Introduced FlowStatePanel to display live flow data and saved snapshots in a resizable side panel.
- Updated BasicExample and CustomUIExample to integrate FlowStatePanel for improved user experience.
- Enhanced keyboard shortcuts for saving flow data with Cmd+S and Ctrl+S functionality.
- Updated coverage thresholds in jest.config.js to include new FlowStatePanel hooks.
- Revised TESTS.md to reflect changes in testing status for useFlowHandlers and related components.
* Always include default deny list in deny list values

* Update packages/components/src/httpSecurity.ts

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

* Always include default deny list in deny list values

---------

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
Co-authored-by: yau-wd <yau.ong@workday.com>
* Stop axios from throwing error on non-2xx response

* Sanitize Code Ran in Pyodide in CSVAgents

---------

Co-authored-by: christopherholland-workday <christopher.holland+evisort@workday.com>
* Validate command flags in MCP server config

* Validate command flag in MCP server config

* Validate MCP server config command flags

* Validate flags used in MCP server config commands

* Validate flags used in MCP server config commands
Co-authored-by: Henry Heng <henryheng@flowiseai.com>
…caping (#5747)

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
}

// Check for path traversal attempts
if (!chatId || !isValidUUID(chatId)) {
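
Review bot: The comment `// Check for path traversal attempts` sits directly above `if (!chatId || !isValidUUID(chatId))`, which is a presence and UUID-format check rather than a traversal check. Reword the comment to say what the condition tests (for example "Validate that chatId is a UUID") so a later reader does not assume traversal patterns are inspected at this point.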

We didn't include the chatID UUID check because in some cases chatID can be overridden from the API call.

For example, users can override like this:

{
   "question": "how are you?",
   "chatId": "sessionABC"
}

return res.status(400).send(`Invalid chatflowId format`)
}

if (!chatId || !isValidUUID(chatId)) {

same as above

* Fix test coverage failures

* Fix test coverage failures

* Fix test coverage failures

* Fix test coverage failures

---------

Co-authored-by: christopherholland-workday <christopher.holland+evisort@workday.com>
Co-authored-by: christopherholland-workday <christopher.holland+evisort@workday.com>
… of sensitive cookie (#5809)

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
#5833)

* feat(agentflow): update flow date change & save handlings and enhance examples
- Introduced FlowStatePanel to display live flow data and saved snapshots in a resizable side panel.
- Updated BasicExample and CustomUIExample to integrate FlowStatePanel for improved user experience.
- Enhanced keyboard shortcuts for saving flow data with Cmd+S and Ctrl+S functionality.
- Updated coverage thresholds in jest.config.js to include new FlowStatePanel hooks.
- Revised TESTS.md to reflect changes in testing status for useFlowHandlers and related components.

* address gemini review comment

* address review comment (on example app)
* Sanitize text from DOM node

* Update packages/ui/src/views/assistants/openai/AssistantDialog.jsx

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

* Update AssistantDialog.jsx

---------

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

10 participants