Bugfix/update nodevm sandbox options, sanitize tablename (#3818)

* update nodevm sandbox options, sanitize tablename * sanitize file name when getFileFromStorage
2026-06-28 17:01:00 +03:00 · 2025-01-07 15:26:25 +00:00
parent 22801591da
commit 9a417bdc95
16 changed files with 269 additions and 76 deletions
@@ -318,7 +318,15 @@ class ChatflowTool extends StructuredTool {
            body: JSON.stringify(body)
        }

-        let sandbox = { $callOptions: options, $callBody: body }
+        let sandbox = {
+            $callOptions: options,
+            $callBody: body,
+            util: undefined,
+            Symbol: undefined,
+            child_process: undefined,
+            fs: undefined,
+            process: undefined
+        }

        const code = `
 const fetch = require('node-fetch');
@@ -349,7 +357,10 @@ try {
            require: {
                external: { modules: deps },
                builtin: builtinDeps
-            }
+            },
+            eval: false,
+            wasm: false,
+            timeout: 10000
        } as any

        const vm = new NodeVM(vmOptions)
@@ -111,7 +111,13 @@ export class DynamicStructuredTool<
        _?: CallbackManagerForToolRun,
        flowConfig?: { sessionId?: string; chatId?: string; input?: string; state?: ICommonObject }
    ): Promise<string> {
-        let sandbox: any = {}
+        let sandbox: any = {
+            util: undefined,
+            Symbol: undefined,
+            child_process: undefined,
+            fs: undefined,
+            process: undefined
+        }
        if (typeof arg === 'object' && Object.keys(arg).length) {
            for (const item in arg) {
                sandbox[`$${item}`] = arg[item]
@@ -137,7 +143,10 @@ export class DynamicStructuredTool<
            require: {
                external: { modules: deps },
                builtin: builtinDeps
-            }
+            },
+            eval: false,
+            wasm: false,
+            timeout: 10000
        } as any

        const vm = new NodeVM(options)
@@ -196,7 +196,13 @@ export class DynamicStructuredTool<
        _?: CallbackManagerForToolRun,
        flowConfig?: { sessionId?: string; chatId?: string; input?: string; state?: ICommonObject }
    ): Promise<string> {
-        let sandbox: any = {}
+        let sandbox: any = {
+            util: undefined,
+            Symbol: undefined,
+            child_process: undefined,
+            fs: undefined,
+            process: undefined
+        }
        if (typeof arg === 'object' && Object.keys(arg).length) {
            for (const item in arg) {
                sandbox[`$${item}`] = arg[item]
@@ -237,7 +243,10 @@ export class DynamicStructuredTool<
            require: {
                external: { modules: deps },
                builtin: builtinDeps
-            }
+            },
+            eval: false,
+            wasm: false,
+            timeout: 10000
        } as any

        const vm = new NodeVM(options)