Skip to content

fix(security): harden component code module access#14032

Merged
Adam-Aghili merged 7 commits into
release-1.10.3from
fix/le-1788-code-security-call-aliases
Jul 14, 2026
Merged

fix(security): harden component code module access#14032
Adam-Aghili merged 7 commits into
release-1.10.3from
fix/le-1788-code-security-call-aliases

Conversation

@erichare

@erichare erichare commented Jul 13, 2026

Copy link
Copy Markdown
Collaborator

Summary

  • block reflective access to restricted module members in generated component code
  • compose reflective checks with assignment-alias and native-FFI hardening
  • preserve ordinary getattr use and safe rebinding

Testing

  • 120 scanner tests passed
  • 5 flow security-gate tests passed
  • combined direct/import/assignment reflection repros passed
  • Ruff, formatting, and pre-commit passed

Merge order

Merge #14041, then #14040, then this PR.

Summary by CodeRabbit

  • Security Enhancements
    • Expanded code scanning to block additional native/FFI-related imports and restricted reflective module access.
    • Hardened protection against bypasses using aliases, conditional assignments, and shadowed names.
    • Improved detection of dangerous attribute access patterns (including module-qualified and dynamic getattr cases).
  • Bug Fixes
    • Unsafe flows are now consistently rejected before any graph building or execution when prohibited patterns are detected.
  • Tests
    • Added/updated coverage for native imports, aliasing bypass attempts, runtime module access attempts, and confirmed safe reflective access behavior.

@coderabbitai

coderabbitai Bot commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 98bb8130-5003-47f0-b343-523607bda886

📥 Commits

Reviewing files that changed from the base of the PR and between 7feae3f and 8beed74.

📒 Files selected for processing (2)
  • src/backend/base/langflow/agentic/helpers/code_security.py
  • src/backend/tests/unit/agentic/helpers/test_code_security.py
🚧 Files skipped from review as they are similar to previous changes (2)
  • src/backend/tests/unit/agentic/helpers/test_code_security.py
  • src/backend/base/langflow/agentic/helpers/code_security.py

Walkthrough

The AST security scanner now blocks native FFI imports, sys.modules, and reflective access to dangerous module members. Alias tracking handles rebinding, control-flow merges, unpacking, and isolated scopes. Tests cover bypass patterns and flow refusal before graph construction.

Changes

Security scanning hardening

Layer / File(s) Summary
Forbidden APIs and conservative alias tracking
src/backend/base/langflow/agentic/helpers/code_security.py
Adds FFI and sys.modules restrictions and refactors alias tracking for rebinding, branch merging, unpacking, and scope isolation.
Reflective dangerous access detection
src/backend/base/langflow/agentic/helpers/code_security.py
Extends call scanning to resolve aliases and reject dangerous constant-string getattr access.
Bypass and flow-gate validation
src/backend/tests/unit/agentic/helpers/test_code_security.py, src/backend/tests/unit/agentic/services/test_flow_run.py
Adds coverage for FFI imports, aliasing, runtime reflection, safe rebinding, and rejection before graph construction.

Estimated code review effort: 4 (Complex) | ~45 minutes

Sequence Diagram(s)

sequenceDiagram
  participant FlowRunner
  participant SecurityChecker
  participant AliasResolver
  participant GraphBuilder
  FlowRunner->>SecurityChecker: scan generated node code
  SecurityChecker->>AliasResolver: resolve imports and aliases
  AliasResolver-->>SecurityChecker: canonical module candidates
  SecurityChecker-->>FlowRunner: unsafe violation or safe result
  FlowRunner->>GraphBuilder: build graph only when safe
Loading

Possibly related PRs

Suggested labels: lgtm

Suggested reviewers: adam-aghili

🚥 Pre-merge checks | ✅ 9
✅ Passed checks (9 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly matches the main change: tightening security around component code module access.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Test Coverage For New Implementations ✅ Passed Updated unit tests cover alias/reflection/FFI scanner changes, and flow-run has a security-gate test that blocks unsafe code before build.
Test Quality And Coverage ✅ Passed Tests cover new security paths with positive/negative cases, async flow-gate behavior, and project-idiomatic pytest patterns.
Test File Naming And Structure ✅ Passed Backend tests use proper test_*.py naming, pytest classes/marks, descriptive names, and clear positive/negative coverage; no frontend/integration files were added.
Excessive Mock Usage Warning ✅ Passed Mocks are limited to isolating run_working_flow’s async engine boundary; code-security tests use real inputs, and no deep/mock-heavy test design appears.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/le-1788-code-security-call-aliases

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@github-actions github-actions Bot added the bug Something isn't working label Jul 13, 2026
@github-actions github-actions Bot added bug Something isn't working and removed bug Something isn't working labels Jul 13, 2026
@erichare erichare marked this pull request as ready for review July 13, 2026 19:47
@github-actions

Copy link
Copy Markdown
Contributor

✅ Test Coverage Advisor

No source changes detected without accompanying tests. Thanks for keeping coverage up! 🎉

Advisory check only — never blocks merge.

@github-actions github-actions Bot added bug Something isn't working and removed bug Something isn't working labels Jul 13, 2026

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/backend/base/langflow/agentic/helpers/code_security.py`:
- Around line 528-533: Update the getattr-call validation in the visible AST
security-checking logic to resolve `node.func` through the existing alias
tracker, not only accept an `ast.Name` whose identifier is literally “getattr”.
Ensure aliases such as `reflect = getattr` are treated as getattr calls and
cannot bypass the security checks, and add a regression test covering
`reflect(os, "system")("id")`.
- Around line 366-376: Extend the alias visitor with visit_For, visit_AsyncFor,
and visit_While methods. Each method must snapshot the pre-loop alias state,
visit the loop condition/target and body from that state, then conservatively
merge the pre-loop state with the loop-body effects so zero-iteration execution
remains possible. Preserve appropriate handling of loop else branches without
allowing loop-only alias rewrites to bypass security checks.
- Around line 265-277: The fallback in _bind_assignment_target incorrectly
shadows fixed targets when unpacking a tuple/list with a starred target. Update
tuple/list handling to bind each fixed target to its corresponding RHS element,
while assigning the remaining RHS elements to the starred target as appropriate,
so `module, *rest = (os,)` preserves the alias for `module` and unresolved cases
still shadow only targets without a resolvable value.
- Around line 306-312: Update visit_Import so alias bindings retain the complete
dotted import target, recording alias.asname or the appropriate default binding
as alias.name rather than only its top-level module. Preserve the existing
dangerous-import checks and ensure imports without aliases continue to bind
correctly.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 6eb80dfa-8571-404f-8ef6-fc96dbb9e92e

📥 Commits

Reviewing files that changed from the base of the PR and between 2433e87 and 7feae3f.

📒 Files selected for processing (3)
  • src/backend/base/langflow/agentic/helpers/code_security.py
  • src/backend/tests/unit/agentic/helpers/test_code_security.py
  • src/backend/tests/unit/agentic/services/test_flow_run.py

Comment thread src/backend/base/langflow/agentic/helpers/code_security.py Outdated
Comment thread src/backend/base/langflow/agentic/helpers/code_security.py Outdated
Comment thread src/backend/base/langflow/agentic/helpers/code_security.py
Comment thread src/backend/base/langflow/agentic/helpers/code_security.py
@github-actions github-actions Bot added bug Something isn't working and removed bug Something isn't working labels Jul 13, 2026
@github-actions

github-actions Bot commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

Frontend Unit Test Coverage Report

Coverage Summary

Lines Statements Branches Functions
Coverage: 43%
43.54% (58072/133362) 69.2% (7884/11392) 41.56% (1298/3123)

Unit Test Results

Tests Skipped Failures Errors Time
4978 0 💤 0 ❌ 0 🔥 15m 2s ⏱️

@codecov

codecov Bot commented Jul 13, 2026

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 86.60287% with 28 lines in your changes missing coverage. Please review.
⚠️ Please upload report for BASE (release-1.10.3@61d6490). Learn more about missing BASE report.

Files with missing lines Patch % Lines
...end/base/langflow/agentic/helpers/code_security.py 86.60% 28 Missing ⚠️
Additional details and impacted files

Impacted file tree graph

@@                Coverage Diff                @@
##             release-1.10.3   #14032   +/-   ##
=================================================
  Coverage                  ?   58.71%           
=================================================
  Files                     ?     2308           
  Lines                     ?   221269           
  Branches                  ?    32389           
=================================================
  Hits                      ?   129920           
  Misses                    ?    89863           
  Partials                  ?     1486           
Flag Coverage Δ
backend 65.96% <86.60%> (?)
frontend 57.86% <ø> (?)
lfx 54.65% <ø> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines Coverage Δ
...end/base/langflow/agentic/helpers/code_security.py 91.29% <86.60%> (ø)
🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@Adam-Aghili Adam-Aghili left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Address code rabbits these 3 look real. otherwise LGTM

Comment thread src/backend/base/langflow/agentic/helpers/code_security.py Outdated
Comment thread src/backend/base/langflow/agentic/helpers/code_security.py Outdated
Comment thread src/backend/base/langflow/agentic/helpers/code_security.py
@Adam-Aghili

Copy link
Copy Markdown
Collaborator

Technically dosen't solve the issue in _check_attribute_call but does solve all reported bypass vectors. LGTM once coderabbit is addressed

@github-actions github-actions Bot added bug Something isn't working and removed bug Something isn't working labels Jul 14, 2026
@erichare erichare requested a review from Adam-Aghili July 14, 2026 17:22
@Adam-Aghili

Copy link
Copy Markdown
Collaborator

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor
✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@github-actions github-actions Bot added bug Something isn't working and removed bug Something isn't working labels Jul 14, 2026

@Adam-Aghili Adam-Aghili left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@Adam-Aghili Adam-Aghili merged commit 2016e4b into release-1.10.3 Jul 14, 2026
125 checks passed
@Adam-Aghili Adam-Aghili deleted the fix/le-1788-code-security-call-aliases branch July 14, 2026 17:51
@github-actions github-actions Bot added the lgtm This PR has been approved by a maintainer label Jul 14, 2026
erichare added a commit that referenced this pull request Jul 14, 2026
* fix(kb): enforce per-user path containment

* fix(security): protect Docling Serve outbound requests (#14033)

* fix(security): protect Docling Serve requests

* fix(docling): support Self on Python 3.10

* [autofix.ci] apply automated fixes

* [autofix.ci] apply automated fixes (attempt 2/3)

* fix(auth): verify current password on password changes (#14034)

* fix(security): harden MCP stdio configuration (#14036)

* fix(security): restrict MCP stdio package sources

* fix(security): block MCP Docker host access

* fix(security): validate embedded MCP stdio configs

* fix: require executable-only MCP commands

* test: use allowed MCP commands in timeout tests

* fix(security): harden component code module access (#14032)

* fix(security): harden component code module access

* fix(security): block native FFI imports in generated code

* fix: track module assignment aliases in code scanner

* fix(security): address alias review findings

* fix: correct deprecated model settings behavior (#14047)

* fix: prevent deprecated model enablement

* test: use supported model in credential cleanup

* fix(voice): enforce flow authorization on websocket (#14043)

* fix(security): block native FFI imports in generated code (#14040)

* fix(security): block native FFI imports in generated code

* fix: track module assignment aliases in code scanner

* chore: resolve code security conflicts

* fix(security): confine AssemblyAI audio file access (#14037)

* fix(security): confine AssemblyAI audio file access

* [autofix.ci] apply automated fixes

* test: stub optional AssemblyAI dependency

* fix(security): harden AssemblyAI file submission

---------

Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>

* fix: track assignment aliases in component code scanner (#14041)

fix: bind loop and comprehension aliases

---------

Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

bug Something isn't working lgtm This PR has been approved by a maintainer

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants