From 1464fdb691bd2c76f7142801c9798b27d38d2f81 Mon Sep 17 00:00:00 2001
From: christopherholland-workday
Date: Wed, 11 Mar 2026 14:10:27 -0700
Subject: [PATCH 1/3] Fix Mass Assignment in Variables Endpoints

---
 packages/server/src/controllers/variables/index.ts | 12 +++++++++---
 packages/server/src/services/variables/index.ts | 1 +
 2 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/packages/server/src/controllers/variables/index.ts b/packages/server/src/controllers/variables/index.ts
index decc4d5093f..fe02924b504 100644
--- a/packages/server/src/controllers/variables/index.ts
+++ b/packages/server/src/controllers/variables/index.ts
@@ -22,9 +22,12 @@ const createVariable = async (req: Request, res: Response, next: NextFunction) =
 throw new InternalFlowiseError(StatusCodes.NOT_FOUND, `Error: toolsController.createTool - workspace ${workspaceId} not found!`)
 }
 const body = req.body
- body.workspaceId = workspaceId
+ // Explicit allowlist — id/workspaceId/timestamps must not be overrideable by client
 const newVariable = new Variable()
- Object.assign(newVariable, body)
+ if (body.name !== undefined) newVariable.name = body.name
+ if (body.value !== undefined) newVariable.value = body.value
+ if (body.type !== undefined) newVariable.type = body.type
+ newVariable.workspaceId = workspaceId
 const apiResponse = await variablesService.createVariable(newVariable, orgId)
 return res.json(apiResponse)
 } catch (error) {
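Review bot: The allowlist copies `body.name`, `body.value` and `body.type` onto the entity without checking their runtime types, so a client can still submit an object, array or number where the column expects a string and it reaches `variablesService.createVariable` unchanged (with Express's default `Request` typing `req.body` is `any`, so the three assignments compile silently). A guard before each copy keeps the fix honest, e.g. `if (body.name !== undefined && typeof body.name !== 'string') throw new InternalFlowiseError(StatusCodes.BAD_REQUEST, 'Error: variablesController.createVariable - name must be a string')`, and the same for `value` and `type`, assuming those columns are strings. The same gap applies to the updateVariable hunk at @@ -91,8 +94,11 @@. If `type` is a closed set, compare it against the known values rather than accepting any string — the update service only rejects `'runtime'` on the cloud platform, so an unrecognised type would presumably be persisted as-is. createVariable's body starts and ends outside the hunk.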
@@ -91,8 +94,11 @@ const updateVariable = async (req: Request, res: Response, next: NextFunction) =
 return res.status(404).send('Variable not found in the database')
 }
 const body = req.body
+ // Explicit allowlist — id/workspaceId/timestamps must not be overrideable by client
 const updatedVariable = new Variable()
- Object.assign(updatedVariable, body)
+ if (body.name !== undefined) updatedVariable.name = body.name
+ if (body.value !== undefined) updatedVariable.value = body.value
+ if (body.type !== undefined) updatedVariable.type = body.type
 const apiResponse = await variablesService.updateVariable(variable, updatedVariable)
 return res.json(apiResponse)
 } catch (error) {
diff --git a/packages/server/src/services/variables/index.ts b/packages/server/src/services/variables/index.ts
index 5b427e95488..e9be992de82 100644
--- a/packages/server/src/services/variables/index.ts
+++ b/packages/server/src/services/variables/index.ts
@@ -104,6 +104,7 @@ const updateVariable = async (variable: Variable, updatedVariable: Variable) =>
 throw new InternalFlowiseError(StatusCodes.BAD_REQUEST, 'Cloud platform does not support runtime variables!')
 try {
 const tmpUpdatedVariable = await appServer.AppDataSource.getRepository(Variable).merge(variable, updatedVariable)
+ tmpUpdatedVariable.workspaceId = variable.workspaceId // defense-in-depth: never trust client-supplied workspaceId
 const dbResponse = await appServer.AppDataSource.getRepository(Variable).save(tmpUpdatedVariable)
 return dbResponse
 } catch (error) {

From d6fa99012279bb032918271cd3602e1d8e11b67e Mon Sep 17 00:00:00 2001
From: christopherholland-workday
Date: Wed, 11 Mar 2026 14:21:35 -0700
Subject: [PATCH 2/3] Update packages/server/src/services/variables/index.ts

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
---
 packages/server/src/services/variables/index.ts | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
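Review bot: The three `if (body.x !== undefined)` lines are now duplicated verbatim between updateVariable and createVariable (the @@ -22,9 +22,12 @@ hunk above), so the next client-editable column has to be added in two places and the two allowlists can silently drift apart. A small module-level helper that owns the allowlist and is called from both controllers keeps a single source of truth, and it is also the natural place for the `typeof` checks the bare copies lack, assuming the three columns are strings (the update service compares `type` against `'runtime'`, so at least that one is). Each call site then shrinks to `applyClientFields(updatedVariable, body)`, with createVariable still setting `newVariable.workspaceId = workspaceId` itself. updateVariable's body starts outside the hunk.
```typescript
// The only columns a client may set on a Variable; id, workspaceId and timestamps are server-owned.
const CLIENT_EDITABLE_FIELDS = ['name', 'value', 'type'] as const

/** Copies the allowlisted fields from a request body onto `target`; absent fields are left untouched. */
const applyClientFields = (target: Variable, body: Record<string, unknown>): void => {
    for (const field of CLIENT_EDITABLE_FIELDS) {
        const incoming = body[field]
        if (incoming === undefined) continue
        if (typeof incoming !== 'string') {
            throw new InternalFlowiseError(StatusCodes.BAD_REQUEST, `Error: variablesController - ${field} must be a string`)
        }
        target[field] = incoming
    }
}

// … unchanged: workspace lookup and 404 handling …
        const body = req.body
        const updatedVariable = new Variable()
        applyClientFields(updatedVariable, body)
// … unchanged: service call and response …
```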
diff --git a/packages/server/src/services/variables/index.ts b/packages/server/src/services/variables/index.ts
index e9be992de82..19fb52eb478 100644
--- a/packages/server/src/services/variables/index.ts
+++ b/packages/server/src/services/variables/index.ts
@@ -104,7 +104,9 @@ const updateVariable = async (variable: Variable, updatedVariable: Variable) =>
 throw new InternalFlowiseError(StatusCodes.BAD_REQUEST, 'Cloud platform does not support runtime variables!')
 try {
 const tmpUpdatedVariable = await appServer.AppDataSource.getRepository(Variable).merge(variable, updatedVariable)
- tmpUpdatedVariable.workspaceId = variable.workspaceId // defense-in-depth: never trust client-supplied workspaceId
+const originalWorkspaceId = variable.workspaceId;
+const tmpUpdatedVariable = await appServer.AppDataSource.getRepository(Variable).merge(variable, updatedVariable);
+tmpUpdatedVariable.workspaceId = originalWorkspaceId;
 const dbResponse = await appServer.AppDataSource.getRepository(Variable).save(tmpUpdatedVariable)
 return dbResponse
 } catch (error) {

From aef5b3b95bf1ad8598d682bdd047ce763a2d0c10 Mon Sep 17 00:00:00 2001
From: christopherholland-workday
Date: Wed, 11 Mar 2026 14:30:45 -0700
Subject: [PATCH 3/3] Fix Mass Assignment in Variables Endpoints

---
 packages/server/src/services/variables/index.ts | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/packages/server/src/services/variables/index.ts b/packages/server/src/services/variables/index.ts
index 19fb52eb478..302dacfa7c6 100644
--- a/packages/server/src/services/variables/index.ts
+++ b/packages/server/src/services/variables/index.ts
@@ -103,10 +103,9 @@ const updateVariable = async (variable: Variable, updatedVariable: Variable) =>
 if (appServer.identityManager.getPlatformType() === Platform.CLOUD && updatedVariable.type === 'runtime')
 throw new InternalFlowiseError(StatusCodes.BAD_REQUEST, 'Cloud platform does not support runtime variables!')
 try {
+ const originalWorkspaceId = variable.workspaceId
 const tmpUpdatedVariable = await appServer.AppDataSource.getRepository(Variable).merge(variable, updatedVariable)
-const originalWorkspaceId = variable.workspaceId;
-const tmpUpdatedVariable = await appServer.AppDataSource.getRepository(Variable).merge(variable, updatedVariable);
-tmpUpdatedVariable.workspaceId = originalWorkspaceId;
+ tmpUpdatedVariable.workspaceId = originalWorkspaceId
 const dbResponse = await appServer.AppDataSource.getRepository(Variable).save(tmpUpdatedVariable)
 return dbResponse
 } catch (error) {
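Review bot: The placement of the new `const originalWorkspaceId = variable.workspaceId` line before the `merge(...)` call is load-bearing but uncommented: if the repository's `merge` writes the partial into `variable` itself and returns that same object (TypeORM's does), reading `variable.workspaceId` after the merge would return whatever the client-supplied entity carried, which is why the earlier single-line form in this series was ineffective. A comment on the new line stops the next refactor from moving it back, e.g. `// read before merge(): merge() mutates and returns \`variable\` itself, so workspaceId must be captured first`. By the same reasoning `id` is the other server-owned column a merged entity could carry over, and pinning it alongside workspaceId (`tmpUpdatedVariable.id = variable.id`, captured before the merge the same way) would make this guard independent of the controller's allowlist instead of relying on it. updateVariable's body starts and ends outside the hunk.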