remove read write file tools and imports#5480
Merged
HenryHengZJ merged 1 commit intomainfrom Nov 15, 2025
Merged
Conversation
Contributor
Summary of ChangesHello @HenryHengZJ, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request focuses on streamlining the codebase by eliminating components related to file system operations. It removes dedicated file read/write tools and their underlying security validation mechanisms, simplifying the architecture and reducing potential attack surfaces associated with direct file access. The changes also include minor cleanups in browser-based document loaders that previously relied on the removed validation logic. Highlights
Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here. You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension. Footnotes
|
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
Code Review
This pull request removes the ReadFile and WriteFile tools and their related security logic, which is consistent with the title. However, a critical security vulnerability is introduced by also removing the validation for browser executable paths in the Playwright and Puppeteer components. This change could allow for arbitrary code execution if an attacker can control the corresponding environment variables. It is crucial to restore this security check. I have left comments on the affected files with critical severity.
0xi4o
pushed a commit
that referenced
this pull request
Nov 19, 2025
HenryHengZJ
added a commit
that referenced
this pull request
Nov 27, 2025
* feat: handle 429 errors and redirect to rate-limited page * fix: simplify rate-limited page and better 429 error handling * fix: status code in quotaUsage * update: add back to home button rate-limited page * chore: fix typos in docker/worker/Dockerfile (#5435) Fix typos in docker/worker/Dockerfile * chore: fix typos in packages/components/nodes/agentflow/Condition/Condition.ts (#5436) Fix typos in packages/components/nodes/agentflow/Condition/Condition.ts * chore: fix typos in packages/components/nodes/chatmodels/ChatHuggingFace/ChatHuggingFace.ts (#5437) Fix typos in packages/components/nodes/chatmodels/ChatHuggingFace/ChatHuggingFace.ts * chore: fix typos in packages/components/nodes/prompts/ChatPromptTemplate/ChatPromptTemplate.ts (#5438) Fix typos in packages/components/nodes/prompts/ChatPromptTemplate/ChatPromptTemplate.ts * docs: fix typos in packages/ui/src/layout/MainLayout/Sidebar/MenuList/NavGroup/index.jsx (#5444) Fix typos in packages/ui/src/layout/MainLayout/Sidebar/MenuList/NavGroup/index.jsx * docs: fix typos in packages/components/nodes/engine/SubQuestionQueryEngine/SubQuestionQueryEngine.ts (#5446) Fix typos in packages/components/nodes/engine/SubQuestionQueryEngine/SubQuestionQueryEngine.ts * docs: fix typos in packages/components/nodes/embeddings/AWSBedrockEmbedding/AWSBedrockEmbedding.ts (#5447) Fix typos in packages/components/nodes/embeddings/AWSBedrockEmbedding/AWSBedrockEmbedding.ts * docs: fix typos in packages/server/README.md (#5445) Fix typos in packages/server/README.md * Bugfix/Supervisor Node AzureChatOpenAI (#5448) Integrate AzureChatOpenAI into the Supervisor node to handle user requests alongside ChatOpenAI. This enhancement allows for improved multi-agent conversation management. * Chore/JSON Array (#5467) * add separate by JSON object * add file check for Unstructured * Enhance JSON DocumentLoader: Update label and description for 'Separate by JSON Object' option, and add type check for JSON objects in array processing. * Chore/Remove Deprecated File Path Unstructured (#5478) * Refactor UnstructuredFile and UnstructuredFolder loaders to remove deprecated file path handling and enhance folder path validation. Ensure folder paths are sanitized and validated against path traversal attacks. * Update UnstructuredFolder.ts * feat(security): enhance file path validation and implement non-root D… (#5474) * feat(security): enhance file path validation and implement non-root Docker user - Validate resolved full file paths including workspace boundaries in SecureFileStore - Resolve paths before validation in readFile and writeFile operations - Run Docker container as non-root flowise user (uid/gid 1001) - Apply proper file ownership and permissions for application files Prevents path traversal attacks and follows container security best practices * Add sensitive system directory validation and Flowise internal file protection * Update Dockerfile to use default node user * update validation patterns to include additional system binary directories (/usr/bin, /usr/sbin, /usr/local/bin) * added isSafeBrowserExecutable function to validate browser executable paths for Playwright and Puppeteer loaders --------- Co-authored-by: taraka-vishnumolakala <[email protected]> Co-authored-by: Henry Heng <[email protected]> Co-authored-by: Henry <[email protected]> * Chore/docker file non root (#5479) * update dockerfile * Update Dockerfile * remove read write file tools and imports (#5480) * Bugfix/Custom Function Libraries (#5472) * Updated the executeJavaScriptCode function to automatically detect and install required libraries from import/require statements in the provided code. * Update utils.ts * lint-fix * Release/3.0.11 (#5481) [email protected] * [email protected] * Chore/Disable Unstructure Folder (#5483) * commented out unstructure folder node * Update packages/components/nodes/documentloaders/Unstructured/UnstructuredFolder.ts Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> --------- Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> * update: condition for handling 429 errors * update: handle rate limit errors in auth pages * fix: crash due to missing import --------- Co-authored-by: Lê Nam Khánh <[email protected]> Co-authored-by: Henry Heng <[email protected]> Co-authored-by: Taraka Vishnumolakala <[email protected]> Co-authored-by: taraka-vishnumolakala <[email protected]> Co-authored-by: Henry <[email protected]> Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
davehamptonusa
pushed a commit
to davehamptonusa/Flowise
that referenced
this pull request
Dec 8, 2025
davehamptonusa
pushed a commit
to davehamptonusa/Flowise
that referenced
this pull request
Dec 8, 2025
davehamptonusa
pushed a commit
to davehamptonusa/Flowise
that referenced
this pull request
Dec 8, 2025
…5440) * feat: handle 429 errors and redirect to rate-limited page * fix: simplify rate-limited page and better 429 error handling * fix: status code in quotaUsage * update: add back to home button rate-limited page * chore: fix typos in docker/worker/Dockerfile (FlowiseAI#5435) Fix typos in docker/worker/Dockerfile * chore: fix typos in packages/components/nodes/agentflow/Condition/Condition.ts (FlowiseAI#5436) Fix typos in packages/components/nodes/agentflow/Condition/Condition.ts * chore: fix typos in packages/components/nodes/chatmodels/ChatHuggingFace/ChatHuggingFace.ts (FlowiseAI#5437) Fix typos in packages/components/nodes/chatmodels/ChatHuggingFace/ChatHuggingFace.ts * chore: fix typos in packages/components/nodes/prompts/ChatPromptTemplate/ChatPromptTemplate.ts (FlowiseAI#5438) Fix typos in packages/components/nodes/prompts/ChatPromptTemplate/ChatPromptTemplate.ts * docs: fix typos in packages/ui/src/layout/MainLayout/Sidebar/MenuList/NavGroup/index.jsx (FlowiseAI#5444) Fix typos in packages/ui/src/layout/MainLayout/Sidebar/MenuList/NavGroup/index.jsx * docs: fix typos in packages/components/nodes/engine/SubQuestionQueryEngine/SubQuestionQueryEngine.ts (FlowiseAI#5446) Fix typos in packages/components/nodes/engine/SubQuestionQueryEngine/SubQuestionQueryEngine.ts * docs: fix typos in packages/components/nodes/embeddings/AWSBedrockEmbedding/AWSBedrockEmbedding.ts (FlowiseAI#5447) Fix typos in packages/components/nodes/embeddings/AWSBedrockEmbedding/AWSBedrockEmbedding.ts * docs: fix typos in packages/server/README.md (FlowiseAI#5445) Fix typos in packages/server/README.md * Bugfix/Supervisor Node AzureChatOpenAI (FlowiseAI#5448) Integrate AzureChatOpenAI into the Supervisor node to handle user requests alongside ChatOpenAI. This enhancement allows for improved multi-agent conversation management. * Chore/JSON Array (FlowiseAI#5467) * add separate by JSON object * add file check for Unstructured * Enhance JSON DocumentLoader: Update label and description for 'Separate by JSON Object' option, and add type check for JSON objects in array processing. * Chore/Remove Deprecated File Path Unstructured (FlowiseAI#5478) * Refactor UnstructuredFile and UnstructuredFolder loaders to remove deprecated file path handling and enhance folder path validation. Ensure folder paths are sanitized and validated against path traversal attacks. * Update UnstructuredFolder.ts * feat(security): enhance file path validation and implement non-root D… (FlowiseAI#5474) * feat(security): enhance file path validation and implement non-root Docker user - Validate resolved full file paths including workspace boundaries in SecureFileStore - Resolve paths before validation in readFile and writeFile operations - Run Docker container as non-root flowise user (uid/gid 1001) - Apply proper file ownership and permissions for application files Prevents path traversal attacks and follows container security best practices * Add sensitive system directory validation and Flowise internal file protection * Update Dockerfile to use default node user * update validation patterns to include additional system binary directories (/usr/bin, /usr/sbin, /usr/local/bin) * added isSafeBrowserExecutable function to validate browser executable paths for Playwright and Puppeteer loaders --------- Co-authored-by: taraka-vishnumolakala <[email protected]> Co-authored-by: Henry Heng <[email protected]> Co-authored-by: Henry <[email protected]> * Chore/docker file non root (FlowiseAI#5479) * update dockerfile * Update Dockerfile * remove read write file tools and imports (FlowiseAI#5480) * Bugfix/Custom Function Libraries (FlowiseAI#5472) * Updated the executeJavaScriptCode function to automatically detect and install required libraries from import/require statements in the provided code. * Update utils.ts * lint-fix * Release/3.0.11 (FlowiseAI#5481) [email protected] * [email protected] * Chore/Disable Unstructure Folder (FlowiseAI#5483) * commented out unstructure folder node * Update packages/components/nodes/documentloaders/Unstructured/UnstructuredFolder.ts Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> --------- Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> * update: condition for handling 429 errors * update: handle rate limit errors in auth pages * fix: crash due to missing import --------- Co-authored-by: Lê Nam Khánh <[email protected]> Co-authored-by: Henry Heng <[email protected]> Co-authored-by: Taraka Vishnumolakala <[email protected]> Co-authored-by: taraka-vishnumolakala <[email protected]> Co-authored-by: Henry <[email protected]> Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.