Conversation

@christopherholland-workday

Potential fix for https://github.com/FlowiseAI/Flowise/security/code-scanning/84

In general, to fix this issue you must ensure that the function you dynamically call is both (a) associated with an allowed identifier and (b) actually a function that is safe to invoke. For objects used as maps, that means rejecting keys that are not own properties and confirming the retrieved value has the expected type before invocation; alternatively, you can migrate to a Map and use has/get with the same checks.

The best minimal fix here, without changing existing functionality, is to add validation around the dynamic lookup and invocation in getRateLimiter (and keep getRateLimiterById safe as well). Specifically, after you derive id from req.params.id, you should: (1) ensure id is a non-empty string, (2) ensure this.rateLimiters has that id as an own property (not inherited from the prototype chain) using Object.prototype.hasOwnProperty.call, and (3) ensure this.rateLimiters[id] is a function before calling it. If any of these checks fail, fall back to next() so that no unexpected method is invoked or runtime error thrown. This preserves current behavior for valid IDs (they’re still routed to the correct rate limiter) while hardening the code against malicious or malformed input.

Concretely, in packages/server/src/utils/rateLimit.ts, you need to modify the body of getRateLimiter() (lines 128–135) to add these checks before calling idRateLimiter. You can also slightly tighten getRateLimiterById in the same style (even though its id parameter is not user-controlled in this context) for consistency and extra safety. No new imports are required; the validation uses built-in Object.prototype.hasOwnProperty.


Suggested fixes powered by Copilot Autofix. Review carefully before merging.

…hod call

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
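The three checks described in the PR text, shown side by side with the unchecked lookup they replace. This is an added example, not Flowise's own rateLimit.ts: the `RateLimiter` signature, the `Req`/`Res` shapes, the `Outcome` record and the chatflow ids are simplified stand-ins chosen for illustration, and the `unsafeLookup` function is a reconstruction of the pattern the scanner flags, not the project's actual code.

```typescript
// Added example (not Flowise code): an object used as a map of rate limiters,
// looked up with an attacker-controlled :id, before and after the PR's checks.
// Types and sample ids below are assumptions for illustration.

type Next = () => void
type Req = { params: { id?: unknown } }
type Res = { limitedBy?: string }
type RateLimiter = (req: Req, res: Res, next: Next) => void
type Lookup = (limiters: Record<string, RateLimiter>, req: Req, res: Res, next: Next) => void

// What one lookup did, so results can be asserted on rather than printed.
export interface Outcome {
  limiter: string | null   // which registered limiter actually ran
  calledNext: boolean      // whether the middleware chain continued
  error: string | null     // name of an exception thrown by a bad invocation
}

// Constructed sample registry: a plain object keyed by chatflow id.
export function buildLimiters(): Record<string, RateLimiter> {
  const limiters: Record<string, RateLimiter> = {}
  for (const id of ['chatflow-a', 'chatflow-b']) {
    limiters[id] = (_req, res, next) => { res.limitedBy = id; next() }
  }
  return limiters
}

// Before: the shape the scanner flags. Any key, including inherited ones such as
// "__proto__" or "constructor", is read off the object and invoked if truthy.
export function unsafeLookup(limiters: Record<string, RateLimiter>, req: Req, res: Res, next: Next): void {
  const id = req.params.id as string
  const idRateLimiter = limiters[id]
  if (idRateLimiter) {
    idRateLimiter(req, res, next)
  } else {
    next()
  }
}

// After: the PR's three checks. Anything that fails falls through to next().
export function safeLookup(limiters: Record<string, RateLimiter>, req: Req, res: Res, next: Next): void {
  const id = req.params.id
  if (typeof id !== 'string' || id.length === 0) return next()              // (1) non-empty string
  if (!Object.prototype.hasOwnProperty.call(limiters, id)) return next()    // (2) own property only
  const idRateLimiter = limiters[id]
  if (typeof idRateLimiter !== 'function') return next()                    // (3) really a function
  idRateLimiter(req, res, next)
}

// Drives one lookup with a given :id and records the outcome.
function run(lookup: Lookup, id: unknown): Outcome {
  const out: Outcome = { limiter: null, calledNext: false, error: null }
  const res: Res = {}
  try {
    lookup(buildLimiters(), { params: { id } }, res, () => { out.calledNext = true })
  } catch (e) {
    out.error = e instanceof Error ? e.name : String(e)
  }
  out.limiter = res.limitedBy ?? null
  return out
}

export function unsafeOutcome(id: unknown): Outcome { return run(unsafeLookup, id) }
export function safeOutcome(id: unknown): Outcome { return run(safeLookup, id) }

// Stand-alone demo over valid, missing and prototype-chain ids. Results go in an
// array rather than an object: assigning result['__proto__'] would itself be a bug.
export function demo(): Array<{ id: unknown; before: Outcome; after: Outcome }> {
  const ids: unknown[] = ['chatflow-a', 'missing', '__proto__', 'constructor', '', 42]
  return ids.map((id) => ({ id, before: unsafeOutcome(id), after: safeOutcome(id) }))
}
```

With the unchecked lookup, `__proto__` resolves to `Object.prototype`, which is truthy but not callable, so the request throws instead of being rate limited; `constructor` resolves to `Object`, which is callable and returns quietly without ever calling `next()`, so the request hangs. The validated lookup routes both to `next()` and still dispatches `chatflow-a` to its limiter. Building the registry with `Object.create(null)` or a `Map`, as the PR text also suggests, removes the inherited keys at the source; the `hasOwnProperty` check is the minimal change that leaves the existing object in place.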
@gemini-code-assist

Summary of Changes

Hello @christopherholland-workday, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request aims to resolve a security vulnerability identified by a code scanning alert. The changes introduce robust input validation within the rate limiter functions, getRateLimiter and getRateLimiterById, to ensure that dynamically called methods are safe and expected. This significantly hardens the application against potential attacks stemming from unvalidated dynamic method invocations, without altering existing legitimate functionality.

Highlights

  • Security Vulnerability Fix: Implemented validation checks to address a code scanning alert regarding unvalidated dynamic method calls, specifically in rate limiter functions.
  • Enhanced Input Validation: Added checks for id type, length, hasOwnProperty, and function type before invoking rate limiter functions to prevent malicious or malformed input.
Changelog
  • packages/server/src/utils/rateLimit.ts
    • Added comprehensive validation for the id parameter in getRateLimiter to check its type, length, and if it's an own property of this.rateLimiters.
    • Ensured that the retrieved rate limiter is indeed a function before invocation in getRateLimiter.
    • Introduced hasOwnProperty check and function type validation in getRateLimiterById for consistency and enhanced safety.

@christopherholland-workday christopherholland-workday marked this pull request as ready for review February 12, 2026 18:21