code · pull · Mar 23, 2026 · Mar 23, 2026 · Mar 23, 2026
diff --git a/packages/components/nodes/tools/MCP/core.test.ts b/packages/components/nodes/tools/MCP/core.test.ts
@@ -33,6 +33,22 @@ describe('MCP Security Validations', () => {
                 }).toThrow("Argument '-y' is not allowed for command 'npx'")
             })
 
+            it('should block --yes flag', () => {
+                expect(() => {
+                    validateCommandFlags('npx', ['--yes', 'https://test-malicious-download.com'])
+                }).toThrow("Argument '--yes' is not allowed for command 'npx'")
+            })
+
+            it('should block --node-options flag', () => {
+                expect(() => {
+                    validateCommandFlags('npx', ['--node-options', '--eval malicious'])
+                }).toThrow("Argument '--node-options' is not allowed for command 'npx'")
+
+                expect(() => {
+                    validateCommandFlags('npx', ['--node-options=--eval malicious'])
+                }).toThrow("contains flag '--node-options'")
+            })
+
             it('should block case variations', () => {
                 expect(() => {
                     validateCommandFlags('npx', ['-C', 'command'])
@@ -83,6 +99,42 @@ describe('MCP Security Validations', () => {
                 }).toThrow("Argument '--inspect-brk' is not allowed for command 'node'")
             })
 
+            it('should block -r/--require flags', () => {
+                expect(() => {
+                    validateCommandFlags('node', ['-r', 'malicious-module'])
+                }).toThrow("Argument '-r' is not allowed for command 'node'")
+
+                expect(() => {
+                    validateCommandFlags('node', ['--require', 'malicious-module'])
+                }).toThrow("Argument '--require' is not allowed for command 'node'")
+            })
+
+            it('should block --loader/--experimental-loader flags', () => {
+                expect(() => {
+                    validateCommandFlags('node', ['--loader', './malicious-loader.mjs'])
+                }).toThrow("Argument '--loader' is not allowed for command 'node'")
+
+                expect(() => {
+                    validateCommandFlags('node', ['--experimental-loader', './malicious-loader.mjs'])
+                }).toThrow("Argument '--experimental-loader' is not allowed for command 'node'")
+            })
+
+            it('should block --import flag', () => {
+                expect(() => {
+                    validateCommandFlags('node', ['--import', './malicious.mjs'])
+                }).toThrow("Argument '--import' is not allowed for command 'node'")
+            })
+
+            it('should block --env-file flag', () => {
+                expect(() => {
+                    validateCommandFlags('node', ['--env-file', '.env'])
+                }).toThrow("Argument '--env-file' is not allowed for command 'node'")
+
+                expect(() => {
+                    validateCommandFlags('node', ['--env-file=.env'])
+                }).toThrow("contains flag '--env-file'")
+            })
+
             it('should allow legitimate node usage', () => {
                 expect(() => {
                     validateCommandFlags('node', ['server.js'])
@@ -189,6 +241,56 @@ describe('MCP Security Validations', () => {
                 }).toThrow("Argument '--ipc' is not allowed for command 'docker'")
             })
 
+            it('should block --mount flag', () => {
+                expect(() => {
+                    validateCommandFlags('docker', ['--mount', 'type=bind,source=/,target=/host'])
+                }).toThrow("Argument '--mount' is not allowed for command 'docker'")
+
+                expect(() => {
+                    validateCommandFlags('docker', ['--mount=type=bind,source=/,target=/host'])
+                }).toThrow("contains flag '--mount'")
+            })
+
+            it('should block --device flag', () => {
+                expect(() => {
+                    validateCommandFlags('docker', ['--device', '/dev/sda'])
+                }).toThrow("Argument '--device' is not allowed for command 'docker'")
+            })
+
+            it('should block --entrypoint flag', () => {
+                expect(() => {
+                    validateCommandFlags('docker', ['--entrypoint', '/bin/sh'])
+                }).toThrow("Argument '--entrypoint' is not allowed for command 'docker'")
+            })
+
+            it('should block compose subcommand', () => {
+                expect(() => {
+                    validateCommandFlags('docker', ['compose', 'up'])
+                }).toThrow("Argument 'compose' is not allowed for command 'docker'")
+            })
+
+            it('should block --volumes-from flag', () => {
+                expect(() => {
+                    validateCommandFlags('docker', ['--volumes-from', 'other-container'])
+                }).toThrow("Argument '--volumes-from' is not allowed for command 'docker'")
+            })
+
+            it('should block --env-file flag', () => {
+                expect(() => {
+                    validateCommandFlags('docker', ['--env-file', '/etc/secrets'])
+                }).toThrow("Argument '--env-file' is not allowed for command 'docker'")
+
+                expect(() => {
+                    validateCommandFlags('docker', ['--env-file=/etc/secrets'])
+                }).toThrow("contains flag '--env-file'")
+            })
+
+            it('should block build subcommand', () => {
+                expect(() => {
+                    validateCommandFlags('docker', ['build', 'https://evil.com/'])
+                }).toThrow("Argument 'build' is not allowed for command 'docker'")
+            })
+
             it('should allow safe docker usage', () => {
                 expect(() => {
                     validateCommandFlags('docker', ['ps'])
@@ -271,6 +373,12 @@ describe('MCP Security Validations', () => {
             }).toThrow('Argument contains potential local file access')
         })
 
+        it('should block double-slash absolute paths', () => {
+            expect(() => {
+                validateArgsForLocalFileAccess(['//etc/passwd'])
+            }).toThrow('Argument contains potential local file access')
+        })
+
         it('should block path traversal', () => {
             expect(() => {
                 validateArgsForLocalFileAccess(['../../../etc/passwd'])

diff --git a/packages/components/nodes/tools/MCP/core.ts b/packages/components/nodes/tools/MCP/core.ts
@@ -190,7 +190,7 @@ function createSchemaModel(
 export const validateArgsForLocalFileAccess = (args: string[]): void => {
     const dangerousPatterns = [
         // Absolute paths
-        /^\/[^/]/, // Unix absolute paths starting with /
+        /^\//, // Unix absolute paths starting with /
         /^[a-zA-Z]:\\/, // Windows absolute paths like C:\
 
         // Relative paths that could escape current directory
@@ -286,7 +286,9 @@ export const validateCommandFlags = (command: string, args: string[]): void => {
             '-c', // Execute shell commands
             '--call', // Execute shell commands
             '--shell-auto-fallback', // Shell execution fallback
-            '-y' // Auto-confirms installation prompts
+            '-y', // Auto-confirms installation prompts
+            '--yes', // Auto-confirms installation prompts
+            '--node-options' // Passes arbitrary Node flags to underlying process, bypassing node flag blocklist
         ],
         node: [
             '-e', // Execute JavaScript code
@@ -295,7 +297,13 @@ export const validateCommandFlags = (command: string, args: string[]): void => {
             '--print', // Evaluate and print JavaScript code
             '--inspect', // Enable remote debugging (security risk)
             '--inspect-brk', // Enable remote debugging with breakpoint (security risk)
-            '--experimental-policy' // Could load malicious policies
+            '--experimental-policy', // Could load malicious policies
+            '-r', // Short alias for --require
+            '--require', // Preload a CommonJS module before script runs
+            '--loader', // Custom ES module loader hook (code execution)
+            '--experimental-loader', // Same as --loader, older Node alias
+            '--import', // Preload ESM module before entry script (Node 18+)
+            '--env-file' // Read env vars from a local file (Node 20+, local file access)
         ],
         python: [
             '-c', // Execute Python code
@@ -307,15 +315,22 @@ export const validateCommandFlags = (command: string, args: string[]): void => {
         ],
         docker: [
             'run', // Run containers (too powerful)
+            'build', // Pulls a container and executes the run instructions
             'exec', // Execute in containers
+            'compose', // Subcommand that starts containers (same risk as run)
             '-v', // Mount host filesystems
             '--volume', // Mount host filesystems
+            '--mount', // Alternative to -v/--volume for mounting host paths
+            '--volumes-from', // Mount volumes from another container (filesystem access)
             '--privileged', // Privileged mode
             '--cap-add', // Add capabilities
             '--security-opt', // Modify security options
+            '--device', // Add host device files to container (privilege escalation)
+            '--entrypoint', // Override container entrypoint (arbitrary code execution)
             '--network', // Host network access (catches --network=host and --network host)
             '--pid', // Host PID namespace (catches --pid=host and --pid host)
-            '--ipc' // Host IPC namespace (catches --ipc=host and --ipc host)
+            '--ipc', // Host IPC namespace (catches --ipc=host and --ipc host)
+            '--env-file' // Read env vars from a local host file (local file access)
         ]
     }
 

diff --git a/packages/server/src/controllers/text-to-speech/index.ts b/packages/server/src/controllers/text-to-speech/index.ts
@@ -89,8 +89,6 @@ const generateTextToSpeech = async (req: Request, res: Response) => {
         res.setHeader('Content-Type', 'text/event-stream')
         res.setHeader('Cache-Control', 'no-cache')
         res.setHeader('Connection', 'keep-alive')
-        res.setHeader('Access-Control-Allow-Origin', '*')
-        res.setHeader('Access-Control-Allow-Headers', 'Cache-Control')
 
         const appServer = getRunningExpressApp()
         const options = {

diff --git a/packages/server/src/utils/XSS.ts b/packages/server/src/utils/XSS.ts
@@ -1,6 +1,6 @@
 import { Request, Response, NextFunction } from 'express'
 import sanitizeHtml from 'sanitize-html'
-import { extractChatflowId, validateChatflowDomain, isPublicChatflowRequest } from './domainValidation'
+import { extractChatflowId, validateChatflowDomain, isPublicChatflowRequest, isTTSGenerateRequest } from './domainValidation'
 
 export function sanitizeMiddleware(req: Request, res: Response, next: NextFunction): void {
     // decoding is necessary as the url is encoded by the browser
@@ -44,6 +44,7 @@ export function getCorsOptions(): any {
             origin: async (origin: string | undefined, originCallback: (err: Error | null, allow?: boolean) => void) => {
                 const allowedOrigins = getAllowedCorsOrigins()
                 const isPublicChatflowReq = isPublicChatflowRequest(req.url)
+                const isTTSReq = isTTSGenerateRequest(req.url)
                 const allowedList = parseAllowedOrigins(allowedOrigins)
                 const originLc = origin?.toLowerCase()
 
@@ -53,9 +54,10 @@ export function getCorsOptions(): any {
                 // Global allow: '*' or exact match
                 const globallyAllowed = allowedOrigins === '*' || allowedList.includes(originLc)
 
-                if (isPublicChatflowReq) {
+                if (isPublicChatflowReq || isTTSReq) {
                     // Per-chatflow allowlist OR globally allowed
-                    const chatflowId = extractChatflowId(req.url)
+                    // TTS generate passes chatflowId in the request body, not the URL path
+                    const chatflowId = isTTSReq ? req.body?.chatflowId : extractChatflowId(req.url)
                     let chatflowAllowed = false
                     if (chatflowId) {
                         try {
@@ -65,6 +67,9 @@ export function getCorsOptions(): any {
                             console.error('Domain validation error:', error)
                             chatflowAllowed = false
                         }
+                    } else if (isTTSReq) {
+                        // OPTIONS preflight has no body — allow it through so the actual POST can be validated with chatflowId
+                        chatflowAllowed = true
                     }
                     return originCallback(null, globallyAllowed || chatflowAllowed)
                 }

diff --git a/packages/server/src/utils/domainValidation.ts b/packages/server/src/utils/domainValidation.ts
@@ -9,6 +9,9 @@ import logger from './logger'
 // /chatflows-streaming/{chatflowId}
 const ALLOWED_SLUGS = ['/prediction/', '/public-chatbotConfig/', '/chatflows-streaming/']
 
+// The TTS generate endpoint passes chatflowId in the request body, not the URL path
+const TTS_GENERATE_PATH = '/api/v1/text-to-speech/generate'
+
 /**
  * Validates if the origin is allowed for a specific chatflow
  * @param chatflowId - The chatflow ID to validate against
@@ -105,6 +108,16 @@ function isPublicChatflowRequest(url: string): boolean {
     return extractSlugFromUrl(url) !== null
 }
 
+/**
+ * Checks if the request is for the TTS generate endpoint.
+ * This endpoint passes chatflowId in the request body rather than the URL path.
+ * @param url - The request URL
+ * @returns boolean - True if it's the TTS generate endpoint
+ */
+function isTTSGenerateRequest(url: string): boolean {
+    return url.split('?')[0] === TTS_GENERATE_PATH
+}
+
 /**
  * Get the custom error message for unauthorized origin
  * @param chatflowId - The chatflow ID
@@ -129,4 +142,4 @@ async function getUnauthorizedOriginError(chatflowId: string, workspaceId?: stri
     }
 }
 
-export { isPublicChatflowRequest, extractChatflowId, validateChatflowDomain, getUnauthorizedOriginError }
+export { isPublicChatflowRequest, isTTSGenerateRequest, extractChatflowId, validateChatflowDomain, getUnauthorizedOriginError }