From a3f47af027cb0a2ce552b0b04bdb0a118ee67533 Mon Sep 17 00:00:00 2001
From: Henry Heng
Date: Thu, 24 Jul 2025 00:57:45 +0100
Subject: [PATCH] Chore/deny list urls (#4938)
* Refactor URL filtering logic in App class
- Introduced a denylist for URLs using the DENYLIST_URLS environment variable.
- Updated the whitelist logic to filter out denylisted URLs, ensuring improved request validation.
* revery whitelist url changes
* revert whitelist url changes
---
 packages/server/src/index.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/server/src/index.ts b/packages/server/src/index.ts
index 7968f8bf..40666c5c 100644
--- a/packages/server/src/index.ts
+++ b/packages/server/src/index.ts
@@ -210,7 +210,7 @@ export class App {
 // Step 2: Check if the req path is casesensitive
 if (URL_CASE_SENSITIVE_REGEX.test(req.path)) {
 // Step 3: Check if the req path is in the whitelist
- const isWhitelisted = whitelistURLs.includes(req.path)
+ const isWhitelisted = whitelistURLs.some((url) => req.path.startsWith(url))
 if (isWhitelisted) {
 next()
 } else if (req.headers['x-request-from'] === 'internal') {
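Review bot: The prefix match on the new `isWhitelisted` line lets any request path that merely begins with a whitelisted entry take the `next()` branch, so longer paths that share a prefix with an entry are now treated as whitelisted and presumably skip the checks in the `else` branches. If entries are meant to cover their sub-routes (not visible in this hunk), match on a segment boundary instead: `const isWhitelisted = whitelistURLs.some((url) => req.path === url || req.path.startsWith(url + '/'))`. The hunk also shows no normalisation of `req.path` before the comparison, so it is worth confirming that dot segments and encoded separators are rejected or resolved earlier in the middleware. The enclosing handler starts and ends outside the hunk, so a later guard may exist that cannot be seen here.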