Bugfix/add path traversal check to chatId (#5208)

HenryHengZJ · web-flow · commit c00ae78488a8 · 2025-09-13T23:47:22.000+01:00
* add path traversal check to chatId

* update axios
diff --git a/package.json b/package.json
@@ -66,7 +66,7 @@
             "sqlite3"
         ],
         "overrides": {
-            "axios": "1.10.0",
+            "axios": "1.12.0",
             "body-parser": "2.0.2",
             "braces": "3.0.3",
             "cross-spawn": "7.0.6",
diff --git a/packages/components/package.json b/packages/components/package.json
@@ -83,7 +83,7 @@
         "@zilliz/milvus2-sdk-node": "^2.2.24",
         "apify-client": "^2.7.1",
         "assemblyai": "^4.2.2",
-        "axios": "1.7.9",
+        "axios": "1.12.0",
         "cheerio": "^1.0.0-rc.12",
         "chromadb": "^1.10.0",
         "cohere-ai": "^7.7.5",
diff --git a/packages/components/src/storageUtils.ts b/packages/components/src/storageUtils.ts
@@ -753,8 +753,8 @@ export const streamStorageFile = async (
     }
 
     // Check for path traversal attempts
-    if (isPathTraversal(chatflowId)) {
-        throw new Error('Invalid path characters detected in chatflowId')
+    if (isPathTraversal(chatflowId) || isPathTraversal(chatId)) {
+        throw new Error('Invalid path characters detected in chatflowId or chatId')
     }
 
     const storageType = getStorageType()
diff --git a/packages/server/package.json b/packages/server/package.json
@@ -87,7 +87,7 @@
         "@types/passport-local": "^1.0.38",
         "@types/uuid": "^9.0.7",
         "async-mutex": "^0.4.0",
-        "axios": "1.7.9",
+        "axios": "1.12.0",
         "bcryptjs": "^2.4.3",
         "bullmq": "5.45.2",
         "cache-manager": "^6.3.2",
diff --git a/packages/ui/package.json b/packages/ui/package.json
@@ -34,7 +34,7 @@
         "@uiw/codemirror-theme-sublime": "^4.21.21",
         "@uiw/codemirror-theme-vscode": "^4.21.21",
         "@uiw/react-codemirror": "^4.21.21",
-        "axios": "1.7.9",
+        "axios": "1.12.0",
         "clsx": "^1.1.1",
         "dompurify": "^3.2.6",
         "dotenv": "^16.0.0",
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml

Original file line number	Diff line number	Diff line change
`@@ -753,8 +753,8 @@ export const streamStorageFile = async (`
`753`	`753`	`}`
`754`	`754`
`755`	`755`	`// Check for path traversal attempts`
`756`		`- if (isPathTraversal(chatflowId)) {`
`757`		`- throw new Error('Invalid path characters detected in chatflowId')`
	`756`	`+ if (isPathTraversal(chatflowId) \|\| isPathTraversal(chatId)) {`
	`757`	`+ throw new Error('Invalid path characters detected in chatflowId or chatId')`
`758`	`758`	`}`
`759`	`759`
`760`	`760`	`const storageType = getStorageType()`