Fix Mass Assignment in Tools Endpoint (#5954)

christopherholland-workday · christopherholland-workday · yau-wd · web-flow · commit f8defac0d64c · 2026-03-24T22:53:21.000+08:00
Co-authored-by: christopherholland-workday &lt;christopher.holland+evisort@workday.com&gt;
Co-authored-by: yau-wd &lt;yau.ong@workday.com&gt;
diff --git a/packages/server/src/controllers/tools/index.ts b/packages/server/src/controllers/tools/index.ts
@@ -18,9 +18,17 @@ const createTool = async (req: Request, res: Response, next: NextFunction) => {
             throw new InternalFlowiseError(StatusCodes.NOT_FOUND, `Error: toolsController.createTool - workspace ${workspaceId} not found!`)
         }
         const body = req.body
-        body.workspaceId = workspaceId
+        // Explicit allowlist — id/workspaceId/timestamps must not be overrideable by client
+        const toolBody: Record<string, unknown> = {}
+        if (body.name !== undefined) toolBody.name = body.name
+        if (body.description !== undefined) toolBody.description = body.description
+        if (body.color !== undefined) toolBody.color = body.color
+        if (body.iconSrc !== undefined) toolBody.iconSrc = body.iconSrc
+        if (body.schema !== undefined) toolBody.schema = body.schema
+        if (body.func !== undefined) toolBody.func = body.func
+        toolBody.workspaceId = workspaceId
 
-        const apiResponse = await toolsService.createTool(body, orgId)
+        const apiResponse = await toolsService.createTool(toolBody, orgId)
         return res.json(apiResponse)
     } catch (error) {
         next(error)
@@ -84,7 +92,16 @@ const updateTool = async (req: Request, res: Response, next: NextFunction) => {
         if (!workspaceId) {
             throw new InternalFlowiseError(StatusCodes.NOT_FOUND, `Error: toolsController.updateTool - workspace ${workspaceId} not found!`)
         }
-        const apiResponse = await toolsService.updateTool(req.params.id, req.body, workspaceId)
+        const body = req.body
+        // Explicit allowlist — id/workspaceId/timestamps must not be overrideable by client
+        const toolBody: Record<string, unknown> = {}
+        if (body.name !== undefined) toolBody.name = body.name
+        if (body.description !== undefined) toolBody.description = body.description
+        if (body.color !== undefined) toolBody.color = body.color
+        if (body.iconSrc !== undefined) toolBody.iconSrc = body.iconSrc
+        if (body.schema !== undefined) toolBody.schema = body.schema
+        if (body.func !== undefined) toolBody.func = body.func
+        const apiResponse = await toolsService.updateTool(req.params.id, toolBody, workspaceId)
         return res.json(apiResponse)
     } catch (error) {
         next(error)
diff --git a/packages/server/src/services/tools/index.ts b/packages/server/src/services/tools/index.ts
@@ -95,6 +95,7 @@ const updateTool = async (toolId: string, toolBody: any, workspaceId: string): P
         const updateTool = new Tool()
         Object.assign(updateTool, toolBody)
         appServer.AppDataSource.getRepository(Tool).merge(tool, updateTool)
+        tool.workspaceId = workspaceId // defense-in-depth: never trust client-supplied workspaceId
         const dbResponse = await appServer.AppDataSource.getRepository(Tool).save(tool)
         return dbResponse
     } catch (error) {
