
Traversal env var#5962

Merged
christopherholland-workday merged 6 commits into main from traversal-env-var
Mar 16, 2026
Merged

Traversal env var#5962
christopherholland-workday merged 6 commits intomainfrom
traversal-env-var

Conversation

@christopherholland-workday
Contributor

Related to #5861, #5958, and #5326.

Flowise-334.

@gemini-code-assist
Contributor

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly improves the application's security posture by implementing a configurable mechanism to prevent path traversal vulnerabilities. It introduces a new environment variable that, when enabled, activates a more stringent set of checks within the isPathTraversal utility function, safeguarding against various malicious path inputs. The changes ensure that this critical security feature is easily deployable and testable across different environments.

Highlights

  • New Environment Variable for Path Traversal Safety: Introduced a new environment variable, PATH_TRAVERSAL_SAFETY, which defaults to true and can be explicitly set to false to disable path traversal checks. This provides a configurable way to manage security against path traversal vulnerabilities.
  • Enhanced Path Traversal Validation Logic: The isPathTraversal function in packages/components/src/validator.ts has been significantly updated to include more robust checks. It now detects various dangerous patterns, including URL-encoded characters (e.g., %2e, %2f, %5c), null bytes (%00), Windows absolute paths, UNC paths, and absolute Unix paths, improving the overall security posture.
  • Docker and Environment Configuration Updates: The new PATH_TRAVERSAL_SAFETY environment variable has been integrated into docker/.env.example, docker/docker-compose-queue-prebuilt.yml, docker/docker-compose.yml, docker/worker/.env.example, and docker/worker/docker-compose.yml. This ensures that the security setting is exposed and configurable within Dockerized environments.
  • Comprehensive Unit Testing for Path Traversal: A new, extensive suite of unit tests has been added to packages/components/test/validator.test.ts for the isPathTraversal function. These tests cover a wide range of dangerous path patterns and verify the correct behavior when PATH_TRAVERSAL_SAFETY is enabled or disabled.
Changelog
  • docker/.env.example
    • Added PATH_TRAVERSAL_SAFETY environment variable as an example.
  • docker/docker-compose-queue-prebuilt.yml
    • Exposed PATH_TRAVERSAL_SAFETY to the flowise and worker services.
  • docker/docker-compose.yml
    • Exposed PATH_TRAVERSAL_SAFETY to the flowise service.
  • docker/worker/.env.example
    • Added PATH_TRAVERSAL_SAFETY environment variable as an example.
  • docker/worker/docker-compose.yml
    • Exposed PATH_TRAVERSAL_SAFETY to the flowise-worker service.
  • packages/components/src/validator.ts
    • Updated isPathTraversal to include new regex patterns for dangerous paths and to respect the PATH_TRAVERSAL_SAFETY environment variable.
  • packages/components/test/validator.test.ts
    • Added new test cases for isPathTraversal, covering dangerous patterns and the PATH_TRAVERSAL_SAFETY bypass.
  • packages/server/.env.example
    • Added PATH_TRAVERSAL_SAFETY environment variable as an example.
  • packages/server/src/commands/base.ts
    • Added PATH_TRAVERSAL_SAFETY as a configurable flag for base commands.


@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request introduces a new PATH_TRAVERSAL_SAFETY feature, significantly enhancing the isPathTraversal function in packages/components/src/validator.ts. The updated function now includes more robust checks for various path traversal patterns, such as URL-encoded characters, null bytes, Windows absolute paths, UNC paths, and Unix absolute paths, with a critical improvement being the normalization of %2e to . to prevent mixed-encoding bypasses. The feature can be disabled via the PATH_TRAVERSAL_SAFETY=false environment variable. Corresponding environment variable declarations and Docker Compose configurations have been updated across multiple docker and packages/server files to propagate this setting. Comprehensive unit tests have also been added in packages/components/test/validator.test.ts to validate the new path traversal detection logic and its bypass mechanism.
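The two bot comments above describe the behaviour of the merged isPathTraversal (a PATH_TRAVERSAL_SAFETY switch that is on unless set to "false", checks for ".." segments, URL-encoded dots and separators, %00, Windows drive and UNC paths, Unix absolute paths, and decoding of %2e so mixed encodings cannot slip through) but the diff itself is not on this page. The following is an added illustration written for this page, not the code merged in #5962: it implements that described behaviour in TypeScript so the checks can be exercised on realistic inputs. The function name isPathTraversal and the variable name PATH_TRAVERSAL_SAFETY come from the PR; the exact regexes, the decodeFully helper, the staysWithinBase containment check and all sample inputs are assumptions of this example.

```typescript
// Added example, not Flowise's validator.ts. Illustrates a path-traversal
// detector gated by an environment variable, modelled on the PR summary above.
// Helper names, patterns and inputs below are this example's own assumptions.

type Env = Record<string, string | undefined>

const SAFETY_ENV = 'PATH_TRAVERSAL_SAFETY' // name taken from the PR

// process.env on Node, Bun or Deno; an empty map when there is no process global.
function currentEnv(): Env {
    const g = globalThis as unknown as { process?: { env?: Env } }
    return g.process?.env ?? {}
}

// Percent-decode repeatedly, so a double-encoded "%252e%252e" becomes "..".
// Stops when decoding makes no further change or after maxRounds; on a
// malformed sequence (e.g. "%zz" or an overlong UTF-8 byte) decodeURIComponent
// throws and the text is returned as it stands at that point.
function decodeFully(input: string, maxRounds = 3): string {
    let current = input
    for (let i = 0; i < maxRounds; i++) {
        let next: string
        try {
            next = decodeURIComponent(current)
        } catch {
            return current
        }
        if (next === current) break
        current = next
    }
    return current
}

// True when the input should be rejected. The patterns run against both the
// raw and the decoded form, so "..%2f" and "%2e./" are caught as well as "../".
// Only the literal value "false" disables the check; any other value, or no
// value at all, keeps it on (fail closed).
function isPathTraversal(input: string, env: Env = currentEnv()): boolean {
    if (env[SAFETY_ENV]?.trim().toLowerCase() === 'false') return false
    if (typeof input !== 'string' || input.length === 0) return false

    const candidates = [input, decodeFully(input)]
    const patterns: RegExp[] = [
        /\0/,                     // real null byte after decoding
        /%00/i,                   // null byte still percent-encoded
        /(^|[\\/])\.\.([\\/]|$)/, // ".." as a whole path segment (either separator)
        /%2e/i,                   // encoded dot left in the text
        /%2f|%5c/i,               // encoded "/" or "\"
        /^[a-zA-Z]:[\\/]/,        // Windows drive-absolute path, e.g. C:\
        /^\\\\[^\\]+\\/,          // UNC path \\server\share
        /^\//,                    // Unix absolute path
    ]
    return candidates.some((c) => patterns.some((p) => p.test(c)))
}

// Defence in depth for the blocklist: normalise the decoded path segment by
// segment and confirm it never climbs above the directory it is relative to.
function staysWithinBase(userPath: string): boolean {
    // Anything absolute (leading separator or drive letter) is not relative to the base.
    if (/^([\\/]|[a-zA-Z]:)/.test(userPath)) return false
    let depth = 0
    for (const seg of decodeFully(userPath).split(/[\\/]+/)) {
        if (seg === '' || seg === '.') continue
        if (seg === '..') {
            depth -= 1
            if (depth < 0) return false // climbed above the base directory
        } else {
            depth += 1
        }
    }
    return true
}

// Constructed sample inputs for a quick manual run.
const samples = ['uploads/report.pdf', '../etc/passwd', '%252e%252e%252fetc', 'report%00.pdf', '\\\\server\\share\\x']
for (const s of samples) {
    console.log(JSON.stringify(s), 'traversal:', isPathTraversal(s, {}), 'withinBase:', staysWithinBase(s))
}
```

Two design points worth keeping when reading the real diff: the switch is parsed so that only the literal string "false" turns checks off, which avoids a typo in a compose file silently disabling the guard; and a pattern blocklist only sees what decodeURIComponent can decode (an overlong byte sequence makes it throw and the raw text is checked instead), so a containment check on the normalised path, and in production a path.resolve against the base directory, should sit behind it rather than the blocklist being the sole control.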

@christopherholland-workday christopherholland-workday merged commit aff0647 into main Mar 16, 2026
7 checks passed


3 participants