Commit 12b4519

Merge pull request #557 from FlowiseAI/bugfix/VM2-Security
Bugfix/VM2 security
2 parents fe6c56a + 13622ba commit 12b4519

7 files changed

+72
-46
lines changed

README.md

+13-11
Original file line numberDiff line numberDiff line change
@@ -130,17 +130,19 @@ FLOWISE_PASSWORD=1234
130130
131131
Flowise support different environment variables to configure your instance. You can specify the following variables in the `.env` file inside `packages/server` folder. Read [more](https://docs.flowiseai.com/environment-variables)
132132
133-
| Variable | Description | Type | Default |
134-
| ---------------- | ---------------------------------------------------------------- | ------------------------------------------------ | ----------------------------------- |
135-
| PORT | The HTTP port Flowise runs on | Number | 3000 |
136-
| FLOWISE_USERNAME | Username to login | String |
137-
| FLOWISE_PASSWORD | Password to login | String |
138-
| DEBUG | Print logs onto terminal/console | Boolean |
139-
| LOG_PATH | Location where log files are stored | String | `your-path/Flowise/packages/server` |
140-
| LOG_LEVEL | Different log levels for loggers to be saved | Enum String: `error`, `info`, `verbose`, `debug` | `info` |
141-
| DATABASE_PATH | Location where database is saved | String | `your-home-dir/.flowise` |
142-
| APIKEY_PATH | Location where api keys are saved | String | `your-path/Flowise/packages/server` |
143-
| EXECUTION_MODE | Whether predictions run in their own process or the main process | Enum String: `child`, `main` | `main` |
133+
| Variable | Description | Type | Default |
134+
| -------------------------- | ---------------------------------------------------------------- | ------------------------------------------------ | ----------------------------------- |
135+
| PORT | The HTTP port Flowise runs on | Number | 3000 |
136+
| FLOWISE_USERNAME | Username to login | String |
137+
| FLOWISE_PASSWORD | Password to login | String |
138+
| DEBUG | Print logs onto terminal/console | Boolean |
139+
| LOG_PATH | Location where log files are stored | String | `your-path/Flowise/packages/server` |
140+
| LOG_LEVEL | Different log levels for loggers to be saved | Enum String: `error`, `info`, `verbose`, `debug` | `info` |
141+
| DATABASE_PATH | Location where database is saved | String | `your-home-dir/.flowise` |
142+
| APIKEY_PATH | Location where api keys are saved | String | `your-path/Flowise/packages/server` |
143+
| EXECUTION_MODE | Whether predictions run in their own process or the main process | Enum String: `child`, `main` | `main` |
144+
| TOOL_FUNCTION_BUILTIN_DEP | NodeJS built-in modules to be used for Tool Function | String | |
145+
| TOOL_FUNCTION_EXTERNAL_DEP | External modules to be used for Tool Function | String | |
144146
145147
You can also specify the env variables when using `npx`. For example:
146148
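
Review bot: The two new table rows give the type of `TOOL_FUNCTION_BUILTIN_DEP` and `TOOL_FUNCTION_EXTERNAL_DEP` as plain `String` and do not say that the value is a comma-separated list, which is how `core.ts` in this commit parses it with `split(',')`. Suggest stating the format in the Description or Type column, and noting that every listed module becomes requirable from Tool Function code inside the sandbox, so an entry such as `fs` widens what that code can reach on the host.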

docker/.env.example

+2
@@ -7,3 +7,5 @@ LOG_PATH=/root/.flowise/logs
77
# DEBUG=true
88
# LOG_LEVEL=debug (error | warn | info | verbose | debug)
99
# EXECUTION_MODE=child or main
10+
# TOOL_FUNCTION_BUILTIN_DEP=crypto,fs
11+
# TOOL_FUNCTION_EXTERNAL_DEP=moment,lodash
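
Review bot: The example `TOOL_FUNCTION_BUILTIN_DEP=crypto,fs` names `crypto`, which is already in `defaultAllowBuiltInDep` in `core.ts`, so uncommenting this line in effect only adds `fs` and hands Tool Function code filesystem access. Suggest an example without that side effect, or a comment above the line saying what enabling `fs` permits.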

docker/README.md

+13-11
@@ -33,14 +33,16 @@ If you like to persist your data (flows, logs, apikeys), set these variables in
3333
3434
Flowise also support different environment variables to configure your instance. Read [more](https://docs.flowiseai.com/environment-variables)
3535
36-
| Variable | Description | Type | Default |
37-
| ---------------- | ---------------------------------------------------------------- | ------------------------------------------------ | ----------------------------------- |
38-
| PORT | The HTTP port Flowise runs on | Number | 3000 |
39-
| FLOWISE_USERNAME | Username to login | String |
40-
| FLOWISE_PASSWORD | Password to login | String |
41-
| DEBUG | Print logs onto terminal/console | Boolean |
42-
| LOG_PATH | Location where log files are stored | String | `your-path/Flowise/packages/server` |
43-
| LOG_LEVEL | Different log levels for loggers to be saved | Enum String: `error`, `info`, `verbose`, `debug` | `info` |
44-
| DATABASE_PATH | Location where database is saved | String | `your-home-dir/.flowise` |
45-
| APIKEY_PATH | Location where api keys are saved | String | `your-path/Flowise/packages/server` |
46-
| EXECUTION_MODE | Whether predictions run in their own process or the main process | Enum String: `child`, `main` | `main` |
36+
| Variable | Description | Type | Default |
37+
| -------------------------- | ---------------------------------------------------------------- | ------------------------------------------------ | ----------------------------------- |
38+
| PORT | The HTTP port Flowise runs on | Number | 3000 |
39+
| FLOWISE_USERNAME | Username to login | String |
40+
| FLOWISE_PASSWORD | Password to login | String |
41+
| DEBUG | Print logs onto terminal/console | Boolean |
42+
| LOG_PATH | Location where log files are stored | String | `your-path/Flowise/packages/server` |
43+
| LOG_LEVEL | Different log levels for loggers to be saved | Enum String: `error`, `info`, `verbose`, `debug` | `info` |
44+
| DATABASE_PATH | Location where database is saved | String | `your-home-dir/.flowise` |
45+
| APIKEY_PATH | Location where api keys are saved | String | `your-path/Flowise/packages/server` |
46+
| EXECUTION_MODE | Whether predictions run in their own process or the main process | Enum String: `child`, `main` | `main` |
47+
| TOOL_FUNCTION_BUILTIN_DEP | NodeJS built-in modules to be used for Tool Function | String | |
48+
| TOOL_FUNCTION_EXTERNAL_DEP | External modules to be used for Tool Function | String | |
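
Review bot: The Default cell of the `TOOL_FUNCTION_BUILTIN_DEP` row is empty, but `core.ts` in this commit always allows the thirteen modules in `defaultAllowBuiltInDep` (`assert`, `buffer`, `crypto`, `events`, `http`, `https`, `net`, `path`, `querystring`, `timers`, `tls`, `url`, `zlib`) and only appends the variable's entries to them. Suggest listing that default set here so an operator does not read an unset variable as "no built-in modules available".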

packages/components/nodes/tools/CustomTool/core.ts

+24-12
@@ -51,25 +51,37 @@ export class DynamicStructuredTool<
5151
}
5252
}
5353

54+
const defaultAllowBuiltInDep = [
55+
'assert',
56+
'buffer',
57+
'crypto',
58+
'events',
59+
'http',
60+
'https',
61+
'net',
62+
'path',
63+
'querystring',
64+
'timers',
65+
'tls',
66+
'url',
67+
'zlib'
68+
]
69+
70+
const builtinDeps = process.env.TOOL_FUNCTION_BUILTIN_DEP
71+
? defaultAllowBuiltInDep.concat(process.env.TOOL_FUNCTION_BUILTIN_DEP.split(','))
72+
: defaultAllowBuiltInDep
73+
const externalDeps = process.env.TOOL_FUNCTION_EXTERNAL_DEP ? process.env.TOOL_FUNCTION_EXTERNAL_DEP.split(',') : []
74+
const deps = availableDependencies.concat(externalDeps)
75+
5476
const options = {
5577
console: 'inherit',
5678
sandbox,
5779
require: {
58-
external: false as boolean | { modules: string[] },
59-
builtin: ['*']
80+
external: { modules: deps },
81+
builtin: builtinDeps
6082
}
6183
} as any
6284

63-
const external = JSON.stringify(availableDependencies)
64-
if (external) {
65-
const deps = JSON.parse(external)
66-
if (deps && deps.length) {
67-
options.require.external = {
68-
modules: deps
69-
}
70-
}
71-
}
72-
7385
const vm = new NodeVM(options)
7486
const response = await vm.run(`module.exports = async function() {${this.code}}()`, __dirname)
7587
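
Review bot: In the `builtinDeps` and `externalDeps` assignments the environment values are split on `,` and passed to `NodeVM` without trimming or validation, so `crypto, fs` produces the entry ` fs` (leading space), which does not match the module name, and a value of `*` brings back the `builtin: ['*']` behaviour this hunk removes. Suggest `.split(',').map((s) => s.trim()).filter(Boolean)` and either rejecting `*` or documenting it as an explicit opt-out. Separately, the variable can only extend `defaultAllowBuiltInDep`, never narrow it, and that list includes `http`, `https`, `net` and `tls`, so tool code keeps outbound network access with no way for an operator to switch it off; consider letting the variable replace the default list, or adding a deny option. `defaultAllowBuiltInDep` could also be hoisted to a module-level constant.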

packages/server/.env.example

+2
@@ -7,3 +7,5 @@ PORT=3000
77
# LOG_PATH=/your_log_path/.flowise/logs
88
# LOG_LEVEL=debug (error | warn | info | verbose | debug)
99
# EXECUTION_MODE=main (child | main)
10+
# TOOL_FUNCTION_BUILTIN_DEP=crypto,fs
11+
# TOOL_FUNCTION_EXTERNAL_DEP=moment,lodash
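
Review bot: Nothing on the two added example lines says that the list must be written without spaces, yet `core.ts` splits the value with `split(',')` and does not trim, so `moment, lodash` would register ` lodash` rather than `lodash`. Suggest a short comment such as `# comma-separated, no spaces` above the two lines, or trimming in `core.ts` so the format is forgiving.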

packages/server/README.md

+13-11
@@ -33,17 +33,19 @@ FLOWISE_PASSWORD=1234
3333
3434
Flowise support different environment variables to configure your instance. You can specify the following variables in the `.env` file inside `packages/server` folder. Read [more](https://docs.flowiseai.com/environment-variables)
3535
36-
| Variable | Description | Type | Default |
37-
| ---------------- | ---------------------------------------------------------------- | ------------------------------------------------ | ----------------------------------- |
38-
| PORT | The HTTP port Flowise runs on | Number | 3000 |
39-
| FLOWISE_USERNAME | Username to login | String |
40-
| FLOWISE_PASSWORD | Password to login | String |
41-
| DEBUG | Print logs onto terminal/console | Boolean |
42-
| LOG_PATH | Location where log files are stored | String | `your-path/Flowise/packages/server` |
43-
| LOG_LEVEL | Different log levels for loggers to be saved | Enum String: `error`, `info`, `verbose`, `debug` | `info` |
44-
| DATABASE_PATH | Location where database is saved | String | `your-home-dir/.flowise` |
45-
| APIKEY_PATH | Location where api keys are saved | String | `your-path/Flowise/packages/server` |
46-
| EXECUTION_MODE | Whether predictions run in their own process or the main process | Enum String: `child`, `main` | `main` |
36+
| Variable | Description | Type | Default |
37+
| -------------------------- | ---------------------------------------------------------------- | ------------------------------------------------ | ----------------------------------- |
38+
| PORT | The HTTP port Flowise runs on | Number | 3000 |
39+
| FLOWISE_USERNAME | Username to login | String |
40+
| FLOWISE_PASSWORD | Password to login | String |
41+
| DEBUG | Print logs onto terminal/console | Boolean |
42+
| LOG_PATH | Location where log files are stored | String | `your-path/Flowise/packages/server` |
43+
| LOG_LEVEL | Different log levels for loggers to be saved | Enum String: `error`, `info`, `verbose`, `debug` | `info` |
44+
| DATABASE_PATH | Location where database is saved | String | `your-home-dir/.flowise` |
45+
| APIKEY_PATH | Location where api keys are saved | String | `your-path/Flowise/packages/server` |
46+
| EXECUTION_MODE | Whether predictions run in their own process or the main process | Enum String: `child`, `main` | `main` |
47+
| TOOL_FUNCTION_BUILTIN_DEP | NodeJS built-in modules to be used for Tool Function | String | |
48+
| TOOL_FUNCTION_EXTERNAL_DEP | External modules to be used for Tool Function | String | |
4749
4850
You can also specify the env variables when using `npx`. For example:
4951
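
Review bot: This is the third copy of the same variable table changed in this commit (after `README.md` and `docker/README.md`), and the two new rows were added to each copy by hand. Suggest keeping one authoritative table and pointing the other READMEs at it or at the docs link already given above the table, so that later changes to the allowlist variables cannot leave one copy out of date.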

packages/server/src/commands/start.ts

+5-1
@@ -24,7 +24,9 @@ export default class Start extends Command {
2424
APIKEY_PATH: Flags.string(),
2525
LOG_PATH: Flags.string(),
2626
LOG_LEVEL: Flags.string(),
27-
EXECUTION_MODE: Flags.string()
27+
EXECUTION_MODE: Flags.string(),
28+
TOOL_FUNCTION_BUILTIN_DEP: Flags.string(),
29+
TOOL_FUNCTION_EXTERNAL_DEP: Flags.string()
2830
}
2931

3032
async stopProcess() {
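
Review bot: The two new flags are declared as bare `Flags.string()` with no `description`, so the CLI help gives no hint that `TOOL_FUNCTION_BUILTIN_DEP` and `TOOL_FUNCTION_EXTERNAL_DEP` take a comma-separated module list or that they widen what sandboxed Tool Function code may `require`. Suggest passing a `description` for both, since these are the only flags in the block that change the sandbox boundary.
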
@@ -65,6 +67,8 @@ export default class Start extends Command {
6567
if (flags.LOG_LEVEL) process.env.LOG_LEVEL = flags.LOG_LEVEL
6668
if (flags.EXECUTION_MODE) process.env.EXECUTION_MODE = flags.EXECUTION_MODE
6769
if (flags.DEBUG) process.env.DEBUG = flags.DEBUG
70+
if (flags.TOOL_FUNCTION_BUILTIN_DEP) process.env.TOOL_FUNCTION_BUILTIN_DEP = flags.TOOL_FUNCTION_BUILTIN_DEP
71+
if (flags.TOOL_FUNCTION_EXTERNAL_DEP) process.env.TOOL_FUNCTION_EXTERNAL_DEP = flags.TOOL_FUNCTION_EXTERNAL_DEP
6872

6973
await (async () => {
7074
try {
