Merge branch 'main' into feat/agentflow-create-credential

Author: j-sanaa

packages/agentflow/src/infrastructure/api/credentials.test.ts

@@ -33,6 +33,16 @@ describe('bindCredentialsApi', () => {
         expect(result).toEqual(mockCredentials)
     })
 
+    it('should not expose encryptedData in the response', async () => {
+        const mockCredentials = [{ id: '1', name: 'My OpenAI Key', credentialName: 'openAIApi' }]
+        ;(mockClient.get as jest.Mock).mockResolvedValue({ data: mockCredentials })
+
+        const result = await api.getCredentialsByName('openAIApi')
+        for (const credential of result) {
+            expect(credential).not.toHaveProperty('encryptedData')
+        }
+    })
+
     it('getComponentCredentialSchema calls GET /components-credentials/:name', async () => {
         const mockSchema = { name: 'openAIApi', label: 'OpenAI API', inputs: [] }
         ;(mockClient.get as jest.Mock).mockResolvedValue({ data: mockSchema })

packages/components/nodes/tools/MCP/core.test.ts

@@ -33,6 +33,22 @@ describe('MCP Security Validations', () => {
                 }).toThrow("Argument '-y' is not allowed for command 'npx'")
             })
 
+            it('should block --yes flag', () => {
+                expect(() => {
+                    validateCommandFlags('npx', ['--yes', 'https://test-malicious-download.com'])
+                }).toThrow("Argument '--yes' is not allowed for command 'npx'")
+            })
+
+            it('should block --node-options flag', () => {
+                expect(() => {
+                    validateCommandFlags('npx', ['--node-options', '--eval malicious'])
+                }).toThrow("Argument '--node-options' is not allowed for command 'npx'")
+
+                expect(() => {
+                    validateCommandFlags('npx', ['--node-options=--eval malicious'])
+                }).toThrow("contains flag '--node-options'")
+            })
+
             it('should block case variations', () => {
                 expect(() => {
                     validateCommandFlags('npx', ['-C', 'command'])
@@ -83,6 +99,42 @@ describe('MCP Security Validations', () => {
                 }).toThrow("Argument '--inspect-brk' is not allowed for command 'node'")
             })
 
+            it('should block -r/--require flags', () => {
+                expect(() => {
+                    validateCommandFlags('node', ['-r', 'malicious-module'])
+                }).toThrow("Argument '-r' is not allowed for command 'node'")
+
+                expect(() => {
+                    validateCommandFlags('node', ['--require', 'malicious-module'])
+                }).toThrow("Argument '--require' is not allowed for command 'node'")
+            })
+
+            it('should block --loader/--experimental-loader flags', () => {
+                expect(() => {
+                    validateCommandFlags('node', ['--loader', './malicious-loader.mjs'])
+                }).toThrow("Argument '--loader' is not allowed for command 'node'")
+
+                expect(() => {
+                    validateCommandFlags('node', ['--experimental-loader', './malicious-loader.mjs'])
+                }).toThrow("Argument '--experimental-loader' is not allowed for command 'node'")
+            })
+
+            it('should block --import flag', () => {
+                expect(() => {
+                    validateCommandFlags('node', ['--import', './malicious.mjs'])
+                }).toThrow("Argument '--import' is not allowed for command 'node'")
+            })
+
+            it('should block --env-file flag', () => {
+                expect(() => {
+                    validateCommandFlags('node', ['--env-file', '.env'])
+                }).toThrow("Argument '--env-file' is not allowed for command 'node'")
+
+                expect(() => {
+                    validateCommandFlags('node', ['--env-file=.env'])
+                }).toThrow("contains flag '--env-file'")
+            })
+
             it('should allow legitimate node usage', () => {
                 expect(() => {
                     validateCommandFlags('node', ['server.js'])
@@ -189,6 +241,56 @@ describe('MCP Security Validations', () => {
                 }).toThrow("Argument '--ipc' is not allowed for command 'docker'")
             })
 
+            it('should block --mount flag', () => {
+                expect(() => {
+                    validateCommandFlags('docker', ['--mount', 'type=bind,source=/,target=/host'])
+                }).toThrow("Argument '--mount' is not allowed for command 'docker'")
+
+                expect(() => {
+                    validateCommandFlags('docker', ['--mount=type=bind,source=/,target=/host'])
+                }).toThrow("contains flag '--mount'")
+            })
+
+            it('should block --device flag', () => {
+                expect(() => {
+                    validateCommandFlags('docker', ['--device', '/dev/sda'])
+                }).toThrow("Argument '--device' is not allowed for command 'docker'")
+            })
+
+            it('should block --entrypoint flag', () => {
+                expect(() => {
+                    validateCommandFlags('docker', ['--entrypoint', '/bin/sh'])
+                }).toThrow("Argument '--entrypoint' is not allowed for command 'docker'")
+            })
+
+            it('should block compose subcommand', () => {
+                expect(() => {
+                    validateCommandFlags('docker', ['compose', 'up'])
+                }).toThrow("Argument 'compose' is not allowed for command 'docker'")
+            })
+
+            it('should block --volumes-from flag', () => {
+                expect(() => {
+                    validateCommandFlags('docker', ['--volumes-from', 'other-container'])
+                }).toThrow("Argument '--volumes-from' is not allowed for command 'docker'")
+            })
+
+            it('should block --env-file flag', () => {
+                expect(() => {
+                    validateCommandFlags('docker', ['--env-file', '/etc/secrets'])
+                }).toThrow("Argument '--env-file' is not allowed for command 'docker'")
+
+                expect(() => {
+                    validateCommandFlags('docker', ['--env-file=/etc/secrets'])
+                }).toThrow("contains flag '--env-file'")
+            })
+
+            it('should block build subcommand', () => {
+                expect(() => {
+                    validateCommandFlags('docker', ['build', 'https://evil.com/'])
+                }).toThrow("Argument 'build' is not allowed for command 'docker'")
+            })
+
             it('should allow safe docker usage', () => {
                 expect(() => {
                     validateCommandFlags('docker', ['ps'])
@@ -271,6 +373,12 @@ describe('MCP Security Validations', () => {
             }).toThrow('Argument contains potential local file access')
         })
 
+        it('should block double-slash absolute paths', () => {
+            expect(() => {
+                validateArgsForLocalFileAccess(['//etc/passwd'])
+            }).toThrow('Argument contains potential local file access')
+        })
+
         it('should block path traversal', () => {
             expect(() => {
                 validateArgsForLocalFileAccess(['../../../etc/passwd'])

packages/components/nodes/tools/MCP/core.ts

@@ -15,14 +15,19 @@ export class MCPToolkit extends BaseToolkit {
     client: Client | null = null
     serverParams: StdioServerParameters | any
     transportType: 'stdio' | 'sse'
+    /** Per-invocation HTTP headers injected at tools/call time; overrides static toolkit headers for the same names. */
+    getToolCallHeaders?: () => Promise<Record<string, string>>
     constructor(serverParams: StdioServerParameters | any, transportType: 'stdio' | 'sse') {
         super()
         this.serverParams = serverParams
         this.transportType = transportType
     }
 
-    // Method to create a new client with transport
-    async createClient(): Promise<Client> {
+    /**
+     * Creates a new MCP client and connects it via the configured transport.
+     * @param injectHeaders - Additional HTTP headers merged over static `serverParams.headers` for this connection. Used to pass per-invocation headers (e.g. from {@link getToolCallHeaders}) into SSE/HTTP transports.
+     */
+    async createClient(injectHeaders: Record<string, string> = {}): Promise<Client> {
         const client = new Client(
             {
                 name: 'flowise-client',
@@ -54,28 +59,30 @@ export class MCPToolkit extends BaseToolkit {
 
             const baseUrl = new URL(this.serverParams.url)
             await checkDenyList(this.serverParams.url)
+            const mergedHeaders = { ...this.serverParams?.headers, ...injectHeaders }
+            const headers = Object.keys(mergedHeaders).length > 0 ? mergedHeaders : undefined
             try {
-                if (this.serverParams.headers) {
+                if (headers) {
                     transport = new StreamableHTTPClientTransport(baseUrl, {
                         requestInit: {
-                            headers: this.serverParams.headers
+                            headers
                         }
                     })
                 } else {
                     transport = new StreamableHTTPClientTransport(baseUrl)
                 }
                 await client.connect(transport)
             } catch (error) {
-                if (this.serverParams.headers) {
+                if (headers) {
                     transport = new SSEClientTransport(baseUrl, {
                         requestInit: {
-                            headers: this.serverParams.headers
+                            headers
                         },
                         eventSourceInit: {
                             fetch: async (url, init) => {
                                 return secureFetch(url.toString(), {
                                     ...(init as any),
-                                    headers: this.serverParams.headers
+                                    headers
                                 }) as any
                             }
                         }
@@ -148,7 +155,8 @@ export async function MCPTool({
     return tool(
         async (input): Promise<string> => {
             // Create a new client for this request
-            const client = await toolkit.createClient()
+            const toolCallHeaders = await toolkit.getToolCallHeaders?.()
+            const client = await toolkit.createClient(toolCallHeaders)
 
             try {
                 const req: CallToolRequest = { method: 'tools/call', params: { name: name, arguments: input as any } }
@@ -190,7 +198,7 @@ function createSchemaModel(
 export const validateArgsForLocalFileAccess = (args: string[]): void => {
     const dangerousPatterns = [
         // Absolute paths
-        /^\/[^/]/, // Unix absolute paths starting with /
+        /^\//, // Unix absolute paths starting with /
         /^[a-zA-Z]:\\/, // Windows absolute paths like C:\
 
         // Relative paths that could escape current directory
@@ -286,7 +294,9 @@ export const validateCommandFlags = (command: string, args: string[]): void => {
             '-c', // Execute shell commands
             '--call', // Execute shell commands
             '--shell-auto-fallback', // Shell execution fallback
-            '-y' // Auto-confirms installation prompts
+            '-y', // Auto-confirms installation prompts
+            '--yes', // Auto-confirms installation prompts
+            '--node-options' // Passes arbitrary Node flags to underlying process, bypassing node flag blocklist
         ],
         node: [
             '-e', // Execute JavaScript code
@@ -295,7 +305,13 @@ export const validateCommandFlags = (command: string, args: string[]): void => {
             '--print', // Evaluate and print JavaScript code
             '--inspect', // Enable remote debugging (security risk)
             '--inspect-brk', // Enable remote debugging with breakpoint (security risk)
-            '--experimental-policy' // Could load malicious policies
+            '--experimental-policy', // Could load malicious policies
+            '-r', // Short alias for --require
+            '--require', // Preload a CommonJS module before script runs
+            '--loader', // Custom ES module loader hook (code execution)
+            '--experimental-loader', // Same as --loader, older Node alias
+            '--import', // Preload ESM module before entry script (Node 18+)
+            '--env-file' // Read env vars from a local file (Node 20+, local file access)
         ],
         python: [
             '-c', // Execute Python code
@@ -307,15 +323,22 @@ export const validateCommandFlags = (command: string, args: string[]): void => {
         ],
         docker: [
             'run', // Run containers (too powerful)
+            'build', // Pulls a container and executes the run instructions
             'exec', // Execute in containers
+            'compose', // Subcommand that starts containers (same risk as run)
             '-v', // Mount host filesystems
             '--volume', // Mount host filesystems
+            '--mount', // Alternative to -v/--volume for mounting host paths
+            '--volumes-from', // Mount volumes from another container (filesystem access)
             '--privileged', // Privileged mode
             '--cap-add', // Add capabilities
             '--security-opt', // Modify security options
+            '--device', // Add host device files to container (privilege escalation)
+            '--entrypoint', // Override container entrypoint (arbitrary code execution)
             '--network', // Host network access (catches --network=host and --network host)
             '--pid', // Host PID namespace (catches --pid=host and --pid host)
-            '--ipc' // Host IPC namespace (catches --ipc=host and --ipc host)
+            '--ipc', // Host IPC namespace (catches --ipc=host and --ipc host)
+            '--env-file' // Read env vars from a local host file (local file access)
         ]
     }
 

packages/server/src/controllers/chatflows/index.ts

@@ -99,7 +99,7 @@ const getChatflowByApiKey = async (req: Request, res: Response, next: NextFuncti
         if (!apikey) {
             return res.status(401).send('Unauthorized')
         }
-        const apiResponse = await chatflowsService.getChatflowByApiKey(apikey.id, req.query.keyonly)
+        const apiResponse = await chatflowsService.getChatflowByApiKey(apikey.id, apikey.workspaceId, req.query.keyonly)
         return res.json(apiResponse)
     } catch (error) {
         next(error)

packages/server/src/controllers/tools/index.ts

@@ -18,9 +18,17 @@ const createTool = async (req: Request, res: Response, next: NextFunction) => {
             throw new InternalFlowiseError(StatusCodes.NOT_FOUND, `Error: toolsController.createTool - workspace ${workspaceId} not found!`)
         }
         const body = req.body
-        body.workspaceId = workspaceId
+        // Explicit allowlist — id/workspaceId/timestamps must not be overrideable by client
+        const toolBody: Record<string, unknown> = {}
+        if (body.name !== undefined) toolBody.name = body.name
+        if (body.description !== undefined) toolBody.description = body.description
+        if (body.color !== undefined) toolBody.color = body.color
+        if (body.iconSrc !== undefined) toolBody.iconSrc = body.iconSrc
+        if (body.schema !== undefined) toolBody.schema = body.schema
+        if (body.func !== undefined) toolBody.func = body.func
+        toolBody.workspaceId = workspaceId
 
-        const apiResponse = await toolsService.createTool(body, orgId)
+        const apiResponse = await toolsService.createTool(toolBody, orgId)
         return res.json(apiResponse)
     } catch (error) {
         next(error)
@@ -84,7 +92,16 @@ const updateTool = async (req: Request, res: Response, next: NextFunction) => {
         if (!workspaceId) {
             throw new InternalFlowiseError(StatusCodes.NOT_FOUND, `Error: toolsController.updateTool - workspace ${workspaceId} not found!`)
         }
-        const apiResponse = await toolsService.updateTool(req.params.id, req.body, workspaceId)
+        const body = req.body
+        // Explicit allowlist — id/workspaceId/timestamps must not be overrideable by client
+        const toolBody: Record<string, unknown> = {}
+        if (body.name !== undefined) toolBody.name = body.name
+        if (body.description !== undefined) toolBody.description = body.description
+        if (body.color !== undefined) toolBody.color = body.color
+        if (body.iconSrc !== undefined) toolBody.iconSrc = body.iconSrc
+        if (body.schema !== undefined) toolBody.schema = body.schema
+        if (body.func !== undefined) toolBody.func = body.func
+        const apiResponse = await toolsService.updateTool(req.params.id, toolBody, workspaceId)
         return res.json(apiResponse)
     } catch (error) {
         next(error)

packages/server/src/enterprise/middleware/passport/SessionPersistance.ts

@@ -163,7 +163,7 @@ export const destroyAllSessionsForUser = async (userId: string): Promise<void> =
                     await repository
                         .createQueryBuilder()
                         .delete()
-                        .where(`JSON_EXTRACT(sess, '$.passport.user.id') = :userId`, { userId })
+                        .where(`JSON_EXTRACT(data, '$.passport.user.id') = :userId`, { userId }) // express-mysql-session uses column name 'data' for session payload, not 'sess'
                         .execute()
                     break
                 case 'postgres':

packages/server/src/services/chatflows/index.ts

@@ -1,6 +1,6 @@
 import { ICommonObject, removeFolderFromStorage } from 'flowise-components'
 import { StatusCodes } from 'http-status-codes'
-import { In } from 'typeorm'
+import { Brackets, In } from 'typeorm'
 import { validate as isValidUUID } from 'uuid'
 import { ChatflowType, IReactFlowObject } from '../../Interface'
 import { FLOWISE_COUNTER_STATUS, FLOWISE_METRIC_COUNTERS } from '../../Interface.Metrics'
@@ -220,16 +220,21 @@ const getAllChatflowsCount = async (type?: ChatflowType, workspaceId?: string):
     }
 }
 
-const getChatflowByApiKey = async (apiKeyId: string, keyonly?: unknown): Promise<any> => {
+const getChatflowByApiKey = async (apiKeyId: string, workspaceId: string, keyonly?: unknown): Promise<any> => {
     try {
         // Here we only get chatflows that are bounded by the apikeyid and chatflows that are not bounded by any apikey
         const appServer = getRunningExpressApp()
         let query = appServer.AppDataSource.getRepository(ChatFlow)
             .createQueryBuilder('cf')
-            .where('cf.apikeyid = :apikeyid', { apikeyid: apiKeyId })
-        if (keyonly === undefined) {
-            query = query.orWhere('cf.apikeyid IS NULL').orWhere('cf.apikeyid = ""')
-        }
+            .where('cf.workspaceId = :workspaceId', { workspaceId })
+            .andWhere(
+                new Brackets((qb) => {
+                    qb.where('cf.apikeyid = :apikeyid', { apikeyid: apiKeyId })
+                    if (keyonly === undefined) {
+                        qb.orWhere('cf.apikeyid IS NULL').orWhere('cf.apikeyid = ""')
+                    }
+                })
+            )
 
         const dbResponse = await query.orderBy('cf.name', 'ASC').getMany()
         if (dbResponse.length < 1) {

packages/server/src/services/credentials/index.ts

@@ -60,15 +60,15 @@ const getAllCredentials = async (paramCredentialName: any, workspaceId: string)
                         ...getWorkspaceSearchOptions(workspaceId)
                     }
                     const credentials = await appServer.AppDataSource.getRepository(Credential).findBy(searchOptions)
-                    dbResponse.push(...credentials)
+                    dbResponse.push(...credentials.map((c) => omit(c, ['encryptedData'])))
                 }
             } else {
                 const searchOptions = {
                     credentialName: paramCredentialName,
                     ...getWorkspaceSearchOptions(workspaceId)
                 }
                 const credentials = await appServer.AppDataSource.getRepository(Credential).findBy(searchOptions)
-                dbResponse = [...credentials]
+                dbResponse = credentials.map((c) => omit(c, ['encryptedData']))
             }
             // get shared credentials
             if (workspaceId) {