Fix Mass Assignment in Assistants Endpoints#6128

Open
christopherholland-workday wants to merge 2 commits into main from flowise-323-assisstant-b
Conversation

@christopherholland-workday (Contributor)

Flowise-323 (See comments on Assistants)

Moved from #6052 (The branch got messed up in previous PR)

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request refactors the assistant creation logic by moving the assignment of workspaceId from the controller to the service layer and introducing stripProtectedFields to sanitize the input. The review feedback recommends replacing Object.assign with explicit property mapping to further mitigate mass assignment vulnerabilities and ensure strict control over entity attributes.

Comment on lines +143 to +144:

    Object.assign(newAssistant, stripProtectedFields(requestBody))
    newAssistant.workspaceId = workspaceId
Label: security-medium

Avoid mass assignment from request bodies to entities. Instead of using Object.assign, explicitly map allowed properties. This prevents potential IDOR vulnerabilities and ensures sensitive fields like workspaceId are handled correctly from a trusted source (e.g., user session), as per the repository security rules.

Suggested change
Object.assign(newAssistant, stripProtectedFields(requestBody))
newAssistant.workspaceId = workspaceId
newAssistant.details = requestBody.details
newAssistant.credential = requestBody.credential
newAssistant.iconSrc = requestBody.iconSrc
newAssistant.type = requestBody.type
newAssistant.workspaceId = workspaceId
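Review bot: applying this suggestion leaves stripProtectedFields, which this PR introduces on the removed line, with no caller in this hunk; remove the helper if nothing else uses it, or the codebase ends up with two mechanisms (a denylist helper and an allowlist mapping) that can disagree about which fields are protected. The explicit mapping also silently drops any request field that is not details, credential, iconSrc or type, so add a test that creates an assistant with each accepted field populated and asserts it is persisted, so a column omitted from the allowlist is caught rather than quietly lost.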
References
  1. Avoid mass assignment from request bodies to entities. Instead of using a generic assignment like Object.assign(entity, body), explicitly map allowed properties. Sensitive fields like workspaceId must be set on the server from a trusted source (e.g., user session), not from the client request body, to prevent IDOR vulnerabilities.

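An added example, not Flowise's code, that contrasts the denylist-plus-Object.assign pattern on lines 143-144 with the explicit allowlist mapping the review suggests; the Assistant entity shape, the protected-field list and the request body are assumptions constructed for illustration.

```typescript
// Added example, not Flowise's code: denylist + Object.assign versus an explicit allowlist.
// The entity shape and the protected-field list below are assumptions for illustration.
interface Assistant {
  id?: string;
  details?: string;
  credential?: string;
  iconSrc?: string;
  type?: string;
  workspaceId?: string;
  [column: string]: unknown; // stands in for any other persisted column
}

// Assumed stand-in for the PR's stripProtectedFields: a denylist of names to drop.
const PROTECTED_FIELDS = ['id', 'workspaceId'];

function stripProtectedFields(body: Record<string, unknown>): Record<string, unknown> {
  const out: Record<string, unknown> = {};
  for (const [key, value] of Object.entries(body)) {
    if (!PROTECTED_FIELDS.includes(key)) out[key] = value;
  }
  return out;
}

// Current pattern: whatever survives the denylist lands on the entity, so a column the
// denylist does not name (createdDate below) is still client-controlled.
function buildWithAssign(body: Record<string, unknown>, sessionWorkspaceId: string): Assistant {
  const entity: Assistant = {};
  Object.assign(entity, stripProtectedFields(body));
  entity.workspaceId = sessionWorkspaceId; // trusted source wins, but only for this field
  return entity;
}

// Suggested pattern: only named properties are read from the body; every other key is
// ignored, and workspaceId comes from the session, never from the client.
function buildExplicit(body: Record<string, unknown>, sessionWorkspaceId: string): Assistant {
  return {
    details: body.details as string | undefined,
    credential: body.credential as string | undefined,
    iconSrc: body.iconSrc as string | undefined,
    type: body.type as string | undefined,
    workspaceId: sessionWorkspaceId,
  };
}

// Constructed request body: a client supplying fields it should not control.
const CONSTRUCTED_BODY: Record<string, unknown> = {
  details: '{"name":"helper"}',
  type: 'example-type',
  id: 'attacker-chosen-id',
  workspaceId: 'someone-elses-workspace',
  createdDate: '1970-01-01T00:00:00Z', // not on the denylist
};
```

With the constructed body, buildWithAssign keeps workspaceId and id under server control but still persists the client's createdDate, while buildExplicit carries only the four allowlisted fields plus the session workspaceId.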
@christopherholland-workday christopherholland-workday marked this pull request as ready for review April 2, 2026 18:45