
Fix Mass Assignment on Save Custom Template#6129

Open
christopherholland-workday wants to merge 1 commit intomainfrom
flowise-323-marketplace-c

Conversation

@christopherholland-workday (Contributor) commented:

Flowise-323 (See comments on CustomTemplate)

Moved from #6059 because the branches got messed up

@gemini-code-assist (bot) left a comment:

Code Review

This pull request introduces the stripProtectedFields utility to the saveCustomTemplate logic in both the controller and service layers to mitigate mass assignment vulnerabilities. It also ensures workspaceId is handled separately from the request body. Feedback suggests replacing the stripProtectedFields approach with an explicit whitelist of allowed properties for better security and to align with best practices.

Comment on lines +212 to +213
Object.assign(customTemplate, stripProtectedFields(body))
customTemplate.workspaceId = body.workspaceId // re-apply: set by controller from req.user

Severity: security-high

While using stripProtectedFields fixes the mass assignment vulnerability, a more robust and secure pattern is to use a whitelist by explicitly mapping only the allowed properties. This aligns with the repository rule to 'explicitly map allowed properties' and prevents accidental exposure of any new sensitive fields. Sensitive fields like workspaceId must be set from a trusted source (e.g., user session) rather than being mapped from the request body.

Note: framework is omitted from this mapping because its value is overwritten by logic later in the function.

customTemplate.name = body.name
customTemplate.description = body.description
customTemplate.badge = body.badge
customTemplate.usecases = body.usecases
customTemplate.type = body.type
References
  1. Avoid mass assignment from request bodies to entities. Instead of using a generic assignment like Object.assign(entity, body), explicitly map allowed properties. Sensitive fields like workspaceId must be set on the server from a trusted source (e.g., user session), not from the client request body, to prevent IDOR vulnerabilities.
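To make the difference between the two patterns concrete, here is an added example (not Flowise's code, and not the reviewer's) that runs a constructed request body through a generic Object.assign save and through an explicit whitelist save on a hypothetical CustomTemplate shape. The field names are taken from the suggestion above; the function names, the entity shape and the sample body are assumptions for the demonstration.

```typescript
// Hypothetical entity shape modelled on the fields named in the review.
interface CustomTemplate {
  id?: string
  name: string
  description?: string
  badge?: string
  usecases?: string
  type?: string
  workspaceId?: string
}

// Whitelist of fields the client is allowed to set (assumed for this example).
const ALLOWED_FIELDS = ['name', 'description', 'badge', 'usecases', 'type'] as const

// Mass assignment: every key the client sends lands on the entity, so a body
// carrying id or workspaceId silently overrides server-controlled values.
function saveVulnerable(body: Record<string, unknown>, trustedWorkspaceId: string): CustomTemplate {
  const customTemplate: CustomTemplate = { name: '', workspaceId: trustedWorkspaceId }
  Object.assign(customTemplate, body)
  return customTemplate
}

// Whitelist: copy only the allowed keys, then set workspaceId from the trusted
// source (the session) after the copy so the body can never influence it.
function saveWhitelisted(body: Record<string, unknown>, trustedWorkspaceId: string): CustomTemplate {
  const customTemplate: CustomTemplate = { name: '' }
  for (const key of ALLOWED_FIELDS) {
    const value = body[key]
    if (typeof value === 'string') customTemplate[key] = value
  }
  customTemplate.workspaceId = trustedWorkspaceId
  return customTemplate
}

// Constructed sample body: legitimate fields plus two it should not control.
const SAMPLE_BODY: Record<string, unknown> = {
  name: 'my template',
  badge: 'POPULAR',
  id: 'forged-id',
  workspaceId: 'someone-elses-workspace'
}
```

Running both functions over SAMPLE_BODY with a trusted workspace id shows the vulnerable entity carrying the forged id and foreign workspaceId, while the whitelisted entity keeps only name and badge and the trusted workspaceId.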
