Fix Mass Assignment in Variables Endpoints

christopherholland-workday · christopherholland-workday · commit 1464fdb691bd · 2026-03-11T14:10:27.000-07:00
diff --git a/packages/server/src/controllers/variables/index.ts b/packages/server/src/controllers/variables/index.ts
@@ -22,9 +22,12 @@ const createVariable = async (req: Request, res: Response, next: NextFunction) =
             throw new InternalFlowiseError(StatusCodes.NOT_FOUND, `Error: toolsController.createTool - workspace ${workspaceId} not found!`)
         }
         const body = req.body
-        body.workspaceId = workspaceId
+        // Explicit allowlist — id/workspaceId/timestamps must not be overrideable by client
         const newVariable = new Variable()
-        Object.assign(newVariable, body)
+        if (body.name !== undefined) newVariable.name = body.name
+        if (body.value !== undefined) newVariable.value = body.value
+        if (body.type !== undefined) newVariable.type = body.type
+        newVariable.workspaceId = workspaceId
         const apiResponse = await variablesService.createVariable(newVariable, orgId)
         return res.json(apiResponse)
     } catch (error) {
@@ -91,8 +94,11 @@ const updateVariable = async (req: Request, res: Response, next: NextFunction) =
             return res.status(404).send('Variable not found in the database')
         }
         const body = req.body
+        // Explicit allowlist — id/workspaceId/timestamps must not be overrideable by client
         const updatedVariable = new Variable()
-        Object.assign(updatedVariable, body)
+        if (body.name !== undefined) updatedVariable.name = body.name
+        if (body.value !== undefined) updatedVariable.value = body.value
+        if (body.type !== undefined) updatedVariable.type = body.type
         const apiResponse = await variablesService.updateVariable(variable, updatedVariable)
         return res.json(apiResponse)
     } catch (error) {
diff --git a/packages/server/src/services/variables/index.ts b/packages/server/src/services/variables/index.ts
@@ -104,6 +104,7 @@ const updateVariable = async (variable: Variable, updatedVariable: Variable) =>
         throw new InternalFlowiseError(StatusCodes.BAD_REQUEST, 'Cloud platform does not support runtime variables!')
     try {
         const tmpUpdatedVariable = await appServer.AppDataSource.getRepository(Variable).merge(variable, updatedVariable)
+        tmpUpdatedVariable.workspaceId = variable.workspaceId // defense-in-depth: never trust client-supplied workspaceId
         const dbResponse = await appServer.AppDataSource.getRepository(Variable).save(tmpUpdatedVariable)
         return dbResponse
     } catch (error) {
