Bugfix/path traversal check on chatId (#5428)

HenryHengZJ · gemini-code-assist[bot] · web-flow · commit 03c1750d73d7 · 2025-11-06T22:19:27.000Z
* path traversal check on chatId

* Update packages/server/src/utils/createAttachment.ts

Co-authored-by: gemini-code-assist[bot] &lt;176961590+gemini-code-assist[bot]@users.noreply.github.com&gt;

---------

Co-authored-by: gemini-code-assist[bot] &lt;176961590+gemini-code-assist[bot]@users.noreply.github.com&gt;
diff --git a/packages/server/src/utils/createAttachment.ts b/packages/server/src/utils/createAttachment.ts
@@ -27,15 +27,15 @@ export const createFileAttachment = async (req: Request) => {
     const appServer = getRunningExpressApp()
 
     const chatflowid = req.params.chatflowId
+    const chatId = req.params.chatId
+
     if (!chatflowid || !isValidUUID(chatflowid)) {
         throw new InternalFlowiseError(StatusCodes.BAD_REQUEST, 'Invalid chatflowId format - must be a valid UUID')
     }
-    if (isPathTraversal(chatflowid)) {
+    if (isPathTraversal(chatflowid) || (chatId && isPathTraversal(chatId))) {
         throw new InternalFlowiseError(StatusCodes.BAD_REQUEST, 'Invalid path characters detected')
     }
 
-    const chatId = req.params.chatId
-
     // Validate chatflow exists and check API key
     const chatflow = await appServer.AppDataSource.getRepository(ChatFlow).findOneBy({
         id: chatflowid
