Skip to content

fix(security): forward-port release-1.10.3 hardening#14073

Merged
erichare merged 24 commits into
release-1.11.0from
fix/release-1.11-security-forward-port
Jul 16, 2026
Merged

fix(security): forward-port release-1.10.3 hardening#14073
erichare merged 24 commits into
release-1.11.0from
fix/release-1.11-security-forward-port

Conversation

@erichare

@erichare erichare commented Jul 14, 2026

Copy link
Copy Markdown
Collaborator

Summary

Forward-port the complete release-1.10.3 security hardening set to release-1.11.0, treating both merged and still-open backports as ready.

Included fixes

1.11 integration notes

  • Preserves the stronger MCP settings, tenant-scoped caches, SSRF checks, and trusted agentic identity binding already present from fix(security): harden multi-tenant surfaces #13530 and fix: close tenant-isolation gaps in security hardening #14044.
  • Keeps header values as opaque argv data while validating the executable/configuration before spawn.
  • Preserves executable paths containing spaces, including Windows C:/... paths, and retains compatibility for the deprecated packed-command component.
  • Does not copy the 1.10-only Alembic migrations; 1.11 keeps its native migration chain.

Validation

  • Backend MCP unit/component suite: 438 passed, 21 skipped
  • lfx MCP policy/runtime suite: 278 passed
  • Generated-code scanner suite: 136 passed
  • lfx KB/settings/process suite: 46 passed
  • SQL tweak/flow-validation suites: 119 passed, 4 skipped
  • Ruff, Biome, secret scan, starter-project validation, and all commit hooks: passed

Summary by CodeRabbit

  • New Features
    • Password changes now require the current password and reject reuse.
    • Added stronger MCP server command, package, environment, and Docker safety checks.
    • Added operator-controlled limits for knowledge-base folder ingestion.
  • Bug Fixes
    • Improved protection against unsafe file paths, code execution bypasses, SSRF, and unauthorized voice-flow access.
    • Knowledge-base paths are consistently validated before use.
  • Documentation
    • Updated MCP connection guidance and documented the loopback connector security setting.
  • Security
    • Published containers now disable connector access to loopback by default.

erichare added 11 commits July 14, 2026 12:11
* fix(security): protect Docling Serve requests

* fix(docling): support Self on Python 3.10

(cherry picked from commit 32bef8c)
* fix(security): harden component code module access

* fix(security): block native FFI imports in generated code

* fix: track module assignment aliases in code scanner

* fix(security): address alias review findings

(cherry picked from commit 2016e4b)
Adapt the 1.10.3 fix to the lfx-bundles component path used by release-1.11.0.
@coderabbitai

coderabbitai Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 3d5c3056-b656-4220-9932-f239f0eafcf0

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review

Walkthrough

This pull request strengthens MCP command validation, AST security scanning, filesystem isolation, SSRF handling, password reset authentication, voice-flow authorization, protected tweaks, Docker defaults, CI sharding, documentation, and related regression coverage.

Changes

MCP execution security

Layer / File(s) Summary
MCP source policy and validation
src/lfx/src/lfx/base/mcp/source_policy.py, src/lfx/src/lfx/base/mcp/security.py
Centralizes command, environment, package-source, Docker, interpreter, and shell-wrapper validation.
MCP client and runtime wiring
src/lfx/src/lfx/base/mcp/util.py, src/lfx/src/lfx/components/deactivated/mcp_stdio.py
Adds final pre-spawn validation, sanitized headers, and trusted agentic identity handling.
MCP regression coverage
src/lfx/tests/unit/mcp/*, src/backend/tests/unit/base/mcp/*, src/backend/tests/unit/test_mcp_command_injection_security.py
Tests rejected and allowed commands, environment variables, wrappers, Docker options, headers, and legacy configurations.

Code execution and tweak security

Layer / File(s) Summary
AST security analysis
src/backend/base/langflow/agentic/helpers/code_security.py, src/backend/tests/unit/agentic/helpers/test_code_security.py
Expands forbidden imports and reflective access checks while tracking aliases across assignments and control flow.
Protected tweak enforcement
src/lfx/src/lfx/processing/process.py, src/backend/base/langflow/processing/process.py, src/lfx/src/lfx/utils/flow_validation.py
Blocks protected component fields and adds function_code to code-execution fields.
Security regression tests
src/backend/tests/unit/agentic/services/test_flow_run.py, src/backend/tests/unit/test_process.py, src/lfx/tests/unit/test_process.py
Covers FFI execution rejection and protected SQL and Python Function fields.

Filesystem and SSRF isolation

Layer / File(s) Summary
Knowledge-base path validation
src/lfx/src/lfx/components/files_and_knowledge/knowledge.py, src/backend/base/langflow/initial_setup/starter_projects/*.json, src/lfx/src/lfx/_assets/component_index.json
Routes KB creation, caching, ingestion, and retrieval through validated path resolution.
Folder ingestion policy
src/backend/base/langflow/api/v1/knowledge_bases.py, src/lfx/src/lfx/services/settings/groups/paths.py, src/lfx/src/lfx/base/knowledge_bases/ingestion_sources/folder.py
Applies operator-owned roots and file-size limits to folder ingestion requests.
External resource boundaries
src/bundles/docling/src/lfx_docling/components/docling/docling_remote.py, src/bundles/lfx-bundles/src/lfx_bundles/assemblyai/assemblyai_start_transcript.py
Uses SSRF-protected Docling clients and trusted-root-bound AssemblyAI audio handles.

Authentication and authorization

Layer / File(s) Summary
Password reset contract and UI
src/backend/base/langflow/api/v1/{schemas/__init__.py,users.py}, src/frontend/src/pages/SettingsPage/..., src/frontend/src/types/*, src/frontend/src/locales/*
Requires the current password in backend requests, frontend state, form validation, and localized messages.
Voice flow authorization
src/backend/base/langflow/api/v1/voice_mode.py, src/backend/tests/unit/api/v1/test_voice_mode_flow_authz.py
Authorizes execute access before exposing flow descriptions or initializing voice resources.

Supporting updates

Layer / File(s) Summary
Runtime security defaults
docker/*.Dockerfile, src/backend/tests/unit/test_docker_security_defaults.py
Adds the connector loopback SSRF default and verifies published-image hardening settings.
MCP UI and documentation alignment
docs/docs/Agents/mcp-client.mdx, docs/docs/Develop/api-keys-and-authentication.mdx, src/frontend/tests/extended/features/mcp-server.spec.ts
Updates command/argument examples, SSRF documentation, and Playwright coverage.
CI and baseline refresh
.github/workflows/typescript_test.yml, .secrets.baseline
Expands shared-state Playwright detection and refreshes secret baseline records.

Estimated code review effort: 5 (Critical) | ~120 minutes

Possibly related PRs

Suggested labels: test

Suggested reviewers: cristhianzl, jordanrfrazier, dkaushik94

🚥 Pre-merge checks | ✅ 7 | ❌ 2

❌ Failed checks (2 warnings)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 35.61% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
Excessive Mock Usage Warning ⚠️ Warning TestUpdateToolsStdioHeaders is heavily mock-driven: many tests use AsyncMock(spec=MCPStdioClient) and reconstruct the spawn command from call_args, so they don’t verify the real boundary. Use a real MCPStdioClient with only session creation stubbed, then assert _connection_params.command/args/env directly; keep helper-only assertions separate.
✅ Passed checks (7 passed)
Check name Status Explanation
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Test Coverage For New Implementations ✅ Passed PASS: The PR adds substantive tests for each new security path (password reset, knowledge path isolation, MCP, SSRF, voice authz, code scanner) with proper naming.
Test Quality And Coverage ✅ Passed PASS: Async pytest and Playwright tests cover success/error paths, assert statuses/JSON, and verify side effects/call counts rather than smoke checks.
Test File Naming And Structure ✅ Passed Added tests use expected names/dirs (test_*.py, mcp-server.spec.ts), with descriptive async/parametrized cases and clear positive/negative coverage.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly summarizes the main change: forward-porting a security hardening set to the newer release.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/release-1.11-security-forward-port

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@github-actions github-actions Bot added the bug Something isn't working label Jul 14, 2026
@erichare erichare requested a review from Adam-Aghili July 14, 2026 20:07
@github-actions github-actions Bot added bug Something isn't working and removed bug Something isn't working labels Jul 14, 2026
@github-actions

Copy link
Copy Markdown
Contributor

✅ Test Coverage Advisor

No source changes detected without accompanying tests. Thanks for keeping coverage up! 🎉

Advisory check only — never blocks merge.

@codecov

codecov Bot commented Jul 14, 2026

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 79.58740% with 188 lines in your changes missing coverage. Please review.
✅ Project coverage is 60.99%. Comparing base (f307634) to head (abf3766).

Files with missing lines Patch % Lines
src/lfx/src/lfx/base/mcp/source_policy.py 79.53% 52 Missing and 28 partials ⚠️
...end/base/langflow/agentic/helpers/code_security.py 86.39% 46 Missing ⚠️
...ages/GeneralPage/components/PasswordForm/index.tsx 0.00% 28 Missing ⚠️
src/lfx/src/lfx/base/mcp/util.py 74.50% 7 Missing and 6 partials ⚠️
src/lfx/src/lfx/base/mcp/security.py 79.54% 6 Missing and 3 partials ⚠️
...src/pages/SettingsPage/pages/GeneralPage/index.tsx 25.00% 6 Missing ⚠️
src/backend/base/langflow/api/v1/voice_mode.py 91.30% 2 Missing ⚠️
src/frontend/src/types/api/index.ts 0.00% 2 Missing ⚠️
src/frontend/src/types/components/index.ts 0.00% 1 Missing ⚠️
...x/base/knowledge_bases/ingestion_sources/folder.py 0.00% 1 Missing ⚠️
Additional details and impacted files

Impacted file tree graph

@@                Coverage Diff                 @@
##           release-1.11.0   #14073      +/-   ##
==================================================
- Coverage           61.28%   60.99%   -0.30%     
==================================================
  Files                2427     2376      -51     
  Lines              236857   234790    -2067     
  Branches            37030    35091    -1939     
==================================================
- Hits               145157   143199    -1958     
+ Misses              89987    89843     -144     
- Partials             1713     1748      +35     
Flag Coverage Δ
lfx 59.61% <79.31%> (+0.24%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines Coverage Δ
...rc/backend/base/langflow/api/v1/knowledge_bases.py 79.40% <100.00%> (+1.97%) ⬆️
src/backend/base/langflow/api/v1/users.py 74.48% <100.00%> (+3.06%) ⬆️
src/backend/base/langflow/processing/process.py 73.64% <100.00%> (-0.56%) ⬇️
src/frontend/src/constants/constants.ts 99.90% <100.00%> (+<0.01%) ⬆️
src/lfx/src/lfx/processing/process.py 35.46% <100.00%> (+2.37%) ⬆️
src/lfx/src/lfx/services/settings/groups/paths.py 100.00% <100.00%> (ø)
src/lfx/src/lfx/utils/flow_validation.py 72.20% <100.00%> (+0.07%) ⬆️
src/frontend/src/types/components/index.ts 0.00% <0.00%> (ø)
...x/base/knowledge_bases/ingestion_sources/folder.py 0.00% <0.00%> (ø)
src/backend/base/langflow/api/v1/voice_mode.py 21.27% <91.30%> (+4.07%) ⬆️
... and 7 more

... and 335 files with indirect coverage changes

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@github-actions

This comment has been minimized.

@github-actions github-actions Bot added bug Something isn't working and removed bug Something isn't working labels Jul 14, 2026
@github-actions

github-actions Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Frontend Unit Test Coverage Report

Coverage Summary

Lines Statements Branches Functions
Coverage: 46%
46.91% (66203/141107) 70.11% (9220/13149) 44.91% (1514/3371)

Unit Test Results

Tests Skipped Failures Errors Time
5391 0 💤 0 ❌ 0 🔥 19m 22s ⏱️

@Adam-Aghili Adam-Aghili left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM but would want QA

and we would want to get #14039 into this PR as well

@github-actions github-actions Bot added the lgtm This PR has been approved by a maintainer label Jul 14, 2026
@github-actions github-actions Bot added bug Something isn't working and removed bug Something isn't working labels Jul 14, 2026
@github-actions

This comment has been minimized.

@github-actions github-actions Bot added the bug Something isn't working label Jul 14, 2026
@github-actions

This comment has been minimized.

@github-actions github-actions Bot added bug Something isn't working and removed bug Something isn't working labels Jul 14, 2026
@github-actions

This comment has been minimized.

@github-actions github-actions Bot added bug Something isn't working and removed bug Something isn't working labels Jul 14, 2026
@github-actions

This comment has been minimized.

@github-actions github-actions Bot added bug Something isn't working and removed bug Something isn't working labels Jul 15, 2026
@github-actions

This comment has been minimized.

@github-actions github-actions Bot added bug Something isn't working and removed bug Something isn't working labels Jul 15, 2026
@github-actions

This comment has been minimized.

@erichare erichare deleted the branch release-1.11.0 July 15, 2026 18:36
@erichare erichare closed this Jul 15, 2026
@erichare erichare reopened this Jul 15, 2026
@github-actions

This comment has been minimized.

@github-actions github-actions Bot added bug Something isn't working and removed bug Something isn't working labels Jul 16, 2026
@github-actions

github-actions Bot commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

Build successful! ✅
Deploying docs draft.
Deploy successful! View draft

@erichare erichare merged commit f4d6ac4 into release-1.11.0 Jul 16, 2026
165 of 166 checks passed
@erichare erichare deleted the fix/release-1.11-security-forward-port branch July 16, 2026 00:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

bug Something isn't working lgtm This PR has been approved by a maintainer

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants