Merge branch 'main' into feat/fix-agentflow-windows-system-build-issue

Author: ginna-baker

packages/components/src/storageUtils.ts

@@ -13,7 +13,7 @@ import { Readable } from 'node:stream'
 import path from 'path'
 import sanitize from 'sanitize-filename'
 import { getUserHome } from './utils'
-import { isPathTraversal, isValidUUID } from './validator'
+import { isPathTraversal, isUnsafeFilePath, isValidUUID } from './validator'
 
 const dirSize = async (directoryPath: string) => {
     let totalSize = 0
@@ -752,13 +752,26 @@ export const streamStorageFile = async (
         throw new Error('Invalid chatflowId format - must be a valid UUID')
     }
 
+    if (!chatId) {
+        throw new Error('chatId is missing')
+    }
+
     // Check for path traversal attempts
     if (isPathTraversal(chatflowId) || isPathTraversal(chatId)) {
         throw new Error('Invalid path characters detected in chatflowId or chatId')
     }
 
+    if (!fileName || isUnsafeFilePath(fileName)) {
+        throw new Error('Invalid or unsafe fileName detected')
+    }
+
     const storageType = getStorageType()
     const sanitizedFilename = sanitize(fileName)
+
+    if (!sanitizedFilename || sanitizedFilename.includes('/') || sanitizedFilename.includes('\\')) {
+        throw new Error('Invalid filename after sanitization')
+    }
+
     if (storageType === 's3') {
         const { s3Client, Bucket } = getS3Config()
 

packages/server/src/controllers/get-upload-file/index.ts

@@ -1,7 +1,7 @@
 import { Request, Response, NextFunction } from 'express'
 import fs from 'fs'
 import contentDisposition from 'content-disposition'
-import { streamStorageFile } from 'flowise-components'
+import { isUnsafeFilePath, isValidUUID, streamStorageFile } from 'flowise-components'
 import { StatusCodes } from 'http-status-codes'
 import { InternalFlowiseError } from '../../errors/internalFlowiseError'
 import { getRunningExpressApp } from '../../utils/getRunningExpressApp'
@@ -18,6 +18,20 @@ const streamUploadedFile = async (req: Request, res: Response, next: NextFunctio
         const fileName = req.query.fileName as string
         const download = req.query.download === 'true' // Check if download parameter is set
 
+        // Validate input formats to prevent path traversal attacks
+        if (!chatflowId || !isValidUUID(chatflowId)) {
+            return res.status(400).send(`Invalid chatflowId format`)
+        }
+
+        if (!chatId) {
+            return res.status(400).send(`chatId is missing`)
+        }
+
+        // Check for path traversal and unsafe characters in fileName
+        if (isUnsafeFilePath(fileName)) {
+            return res.status(400).send(`Invalid path characters detected in filename`)
+        }
+
         const appServer = getRunningExpressApp()
 
         // This can be public API, so we can only get orgId from the chatflow