Fix IDOR in Evaluators and Evaluations Endpoints (#6050)

* Fix IDOR in Evaluators and Evaluations Endpoints

* chore(services/evaluations & EvaluatorDTO): replace explicit field assignment with stripProtectedFields

---------

Co-authored-by: christopherholland-workday <christopher.holland+evisort@workday.com>
Co-authored-by: yau-wd <yau.ong@workday.com>

Author: 3 people

packages/server/src/Interface.Evaluation.ts

@@ -1,5 +1,6 @@
 // Evaluation Related Interfaces
 import { Evaluator } from './database/entities/Evaluator'
+import { stripProtectedFields } from './utils/stripProtectedFields'
 
 export interface IDataset {
     id: string
@@ -82,7 +83,7 @@ export class EvaluatorDTO {
 
     static toEntity(body: any): Evaluator {
         const newDs = new Evaluator()
-        Object.assign(newDs, body)
+        Object.assign(newDs, stripProtectedFields(body))
         let config: any = {}
         if (body.type === 'llm') {
             config = {

packages/server/src/services/evaluations/index.ts

@@ -1,25 +1,26 @@
-import { StatusCodes } from 'http-status-codes'
 import { EvaluationRunner, ICommonObject } from 'flowise-components'
-import { getRunningExpressApp } from '../../utils/getRunningExpressApp'
-import { InternalFlowiseError } from '../../errors/internalFlowiseError'
-import { getErrorMessage } from '../../errors/utils'
+import { StatusCodes } from 'http-status-codes'
+import { In } from 'typeorm'
+import { v4 as uuidv4 } from 'uuid'
+import { ApiKey } from '../../database/entities/ApiKey'
+import { Assistant } from '../../database/entities/Assistant'
+import { ChatFlow } from '../../database/entities/ChatFlow'
+import { Credential } from '../../database/entities/Credential'
 import { Dataset } from '../../database/entities/Dataset'
 import { DatasetRow } from '../../database/entities/DatasetRow'
 import { Evaluation } from '../../database/entities/Evaluation'
-import { EvaluationStatus, IEvaluationResult } from '../../Interface'
 import { EvaluationRun } from '../../database/entities/EvaluationRun'
-import { Credential } from '../../database/entities/Credential'
-import { ApiKey } from '../../database/entities/ApiKey'
-import { ChatFlow } from '../../database/entities/ChatFlow'
-import { getAppVersion } from '../../utils'
-import { In } from 'typeorm'
 import { getWorkspaceSearchOptions } from '../../enterprise/utils/ControllerServiceUtils'
-import { v4 as uuidv4 } from 'uuid'
+import { InternalFlowiseError } from '../../errors/internalFlowiseError'
+import { getErrorMessage } from '../../errors/utils'
+import { EvaluationStatus, IEvaluationResult } from '../../Interface'
+import { getAppVersion } from '../../utils'
+import { getRunningExpressApp } from '../../utils/getRunningExpressApp'
+import { stripProtectedFields } from '../../utils/stripProtectedFields'
+import evaluatorsService from '../evaluator'
 import { calculateCost, formatCost } from './CostCalculator'
 import { runAdditionalEvaluators } from './EvaluatorRunner'
-import evaluatorsService from '../evaluator'
 import { LLMEvaluationRunner } from './LLMEvaluationRunner'
-import { Assistant } from '../../database/entities/Assistant'
 
 const runAgain = async (id: string, baseURL: string, orgId: string, workspaceId: string) => {
     try {
@@ -66,7 +67,8 @@ const createEvaluation = async (body: ICommonObject, baseURL: string, orgId: str
     try {
         const appServer = getRunningExpressApp()
         const newEval = new Evaluation()
-        Object.assign(newEval, body)
+        Object.assign(newEval, stripProtectedFields(body))
+        newEval.workspaceId = workspaceId
         newEval.status = EvaluationStatus.PENDING
 
         const row = appServer.AppDataSource.getRepository(Evaluation).create(newEval)

packages/server/src/services/evaluator/index.ts

@@ -53,6 +53,7 @@ const createEvaluator = async (body: any) => {
     try {
         const appServer = getRunningExpressApp()
         const newDs = EvaluatorDTO.toEntity(body)
+        newDs.workspaceId = body.workspaceId
 
         const evaluator = appServer.AppDataSource.getRepository(Evaluator).create(newDs)
         const result = await appServer.AppDataSource.getRepository(Evaluator).save(evaluator)
@@ -78,6 +79,7 @@ const updateEvaluator = async (id: string, body: any, workspaceId: string) => {
 
         const updateEvaluator = EvaluatorDTO.toEntity(body)
         updateEvaluator.id = id
+        updateEvaluator.workspaceId = workspaceId
         appServer.AppDataSource.getRepository(Evaluator).merge(evaluator, updateEvaluator)
         const result = await appServer.AppDataSource.getRepository(Evaluator).save(evaluator)
         return EvaluatorDTO.fromEntity(result)

packages/server/src/utils/stripProtectedFields.ts

@@ -2,7 +2,7 @@
  * Fields that are managed exclusively by the server and must never be
  * overwritten by user-supplied request bodies.
  */
-export const PROTECTED_FIELDS = ['id', 'createdDate', 'updatedDate', 'workspaceId', 'organizationId'] as const
+export const PROTECTED_FIELDS = ['id', 'createdDate', 'updatedDate', 'runDate', 'workspaceId', 'organizationId'] as const
 
 export type ProtectedField = (typeof PROTECTED_FIELDS)[number]