Upsert error - Help!!

[ramitl]

I suddenly started getting an error during upsert. This was not happening before. I am going crazy trying to figure out why. Can anyone help?

Error: vectorsService.upsertVector - Error: Invalid folder path: Path traversal detected. Please provide a safe folder path.

I hadnt changed the paths, but since the error, I have tried relative paths also- but continue to get this error

[AlterDevi]

In general, make sure your path is safe and accessible.
For special: give more details about you setup.

[ramitl]

Thanks for the response @AlterDevi - I havent changed anything at all and suddenly I get this error - Error: Invalid folder path: Path traversal detected. Please provide a safe folder path. Even the previous workflows are not working

Correction - I did upgrade to 3.08 and started getting this error. Then I downgraded back to 3.07, and I still get this error

[AlterDevi]

Do not downgrade, keep it up.
Some you just did, be sure of that. But you just don't know yet.

[udtaichung]

same error「Error: vectorsService.upsertVector - Error: Invalid folder path: Path traversal detected. Please provide a safe folder path.」
system
upgrade version 3.0.5 to 3.0.8
docker desktop
volumes
host
d://mydocument
contrainer path
\mydocument

upsert to pinecone with "folder with files"
folder path
/mydockument/text

3.0.5 is fine.
3.0.8 is Path traversal detected.

[udtaichung]

3.0.10 Error: vectorsService.upsertVector - Error: Invalid folder path: Path traversal detected. Please provide a safe folder path.

run a new container setting
Volumes
HOST PAYH is D:\Temp\ud-chatgpt
CONTAINER PATH is /ud-chatgpt

also
Environment variables
DATABASE_PATH /ud-chatgpt/database
APIKEY_PATH /ud-chatgpt/apikey
SECRETKEY_PATH /ud-chatgpt/secretkey

old setting work well

but

upsert by FOLDER WITH FILES with path /ud-chatgpt/urbanrenewal/urlaw/
get Error: vectorsService.upsertVector - Error: Invalid folder path: Path traversal detected. Please provide a safe folder path.

3.0.5 upsert still work.

2025-11-14 08:37:55 [INFO]: 🖊 PUT /api/v1/chatflows/ff19b9f0-8c91-40a4-8c04-980d4c0cbd02

2025-11-14 08:37:57 [INFO]: ⬆️ POST /api/v1/vector/internal-upsert/ff19b9f0-8c91-40a4-8c04-980d4c0cbd02

2025-11-14 08:37:57 [ERROR]: [server]: [f40b8056-fb46-4e96-a63c-ba783e0257f7]: Invalid folder path: Path traversal detected. Please provide a safe folder path.

Error: Invalid folder path: Path traversal detected. Please provide a safe folder path.

at Folder_DocumentLoaders.init (/usr/src/packages/components/dist/nodes/documentloaders/Folder/Folder.js:141:19)

at buildFlow (/usr/src/packages/server/dist/utils/index.js:495:58)

at async executeUpsert (/usr/src/packages/server/dist/utils/upsertVector.js:143:28)

at async upsertVector (/usr/src/packages/server/dist/utils/upsertVector.js:272:28)

at async Object.upsertVectorMiddleware (/usr/src/packages/server/dist/services/vectors/index.js:9:16)

at async createInternalUpsert (/usr/src/packages/server/dist/controllers/vectors/index.js:28:29)

2025-11-14 08:37:57 [ERROR]: [server]: Error: Error: Invalid folder path: Path traversal detected. Please provide a safe folder path.

Error: Error: Invalid folder path: Path traversal detected. Please provide a safe folder path.

at buildFlow (/usr/src/packages/server/dist/utils/index.js:550:19)

at async executeUpsert (/usr/src/packages/server/dist/utils/upsertVector.js:143:28)

at async upsertVector (/usr/src/packages/server/dist/utils/upsertVector.js:272:28)

at async Object.upsertVectorMiddleware (/usr/src/packages/server/dist/services/vectors/index.js:9:16)

at async createInternalUpsert (/usr/src/packages/server/dist/controllers/vectors/index.js:28:29)

2025-11-14 08:38:10 [INFO]: 🖊 PUT /api/v1/chatflows/ff19b9f0-8c91-40a4-8c04-980d4c0cbd02

[paio]

Same happened here, I started using Flowise on 3.0.8 version so I cannot compare.
After mounting the folder I wanted to access as a volume in docker, I tried using absolute path, relative path, etc, no matter what I use I receive this traversal error, which seems a recent fix to avoid a path hack to access information, but maybe has a bug.

[dbachurski]

Still not fixed

[udtaichung]

Claude help me solve this question, for local docker desktop user.

Flowise Local Adaptation Guide

Use Case: Standalone Docker Desktop + Local Filesystem Access
Last Updated: 2025-12-10
Adapted Version: Flowise 3.012

---

📋 Overview

Starting from version 3.0.6, Flowise has enhanced its security measures, but these restrictions are overly strict for standalone local environments. This document records two critical modifications to adapt Flowise for local application scenarios.

Use Cases

• Local Docker Desktop: Local development and data maintenance
• Requirement: Access absolute paths within containers (e.g., /data/..., /app/files/...)

---

🔧 Modification 1: Allow Absolute Paths in Containers

Problem Description

Flowise 3.0.6+ introduced strict path validation that blocks all paths containing /, preventing the use of absolute paths within containers.

Error Message:

[ERROR]: Invalid folder path: Path traversal detected.
Please provide a safe folder path.

Affected Features:

• Folder with Files document loader
• Local filesystem access (e.g., /data/documents/folder)

Official Security Background

• Vulnerability ID: GHSA-99pg-hqvx-r4gf (CVSS 9.1)
• Affected Version: 3.0.5
• Fixed Version: 3.0.6+
• Issue: The official fix is overly strict, falsely rejecting legitimate container absolute paths

Solution

File Location: packages/components/src/validator.ts

Lines to Modify: Lines 31-46

Before (Official Version)

export const isPathTraversal = (path: string): boolean => {
    // Check for common path traversal patterns
    const dangerousPatterns = [
        '..', // Directory traversal
        '/', // Root directory ← Too strict, blocks all absolute paths!
        '\\', // Windows root directory
        '%2e', // URL encoded .
        '%2f', // URL encoded /
        '%5c' // URL encoded \
    ]

    return dangerousPatterns.some((pattern) => path.toLowerCase().includes(pattern))
}

After (Local Adaptation)

export const isPathTraversal = (path: string): boolean => {
    // Allow absolute paths in Linux containers (e.g., /data/...)
    // but block directory traversal attempts
    const dangerousPatterns = [
        /\.\./,                 // Directory traversal (..)
        /%2e%2e/i,              // URL encoded ..
        /%2f\.\./i,             // URL encoded /../
        /%5c/i,                 // URL encoded \ (Windows path)
        /\0/,                   // Null bytes
        /^[a-zA-Z]:\\/,         // Windows absolute paths (C:\) - not allowed in Linux containers
        /^\\\\[^\\]/,           // UNC paths (\\server\) - not allowed in Linux containers
        /%00/i                  // URL encoded null byte
    ]

    return dangerousPatterns.some((pattern) => pattern.test(path))
}

Comparison

Path Example	Official	Adapted	Description
/data/documents/folder	❌ Blocked	✅ Allowed	Legitimate container absolute path
/root/.flowise	❌ Blocked	✅ Allowed	Flowise default data directory
../../../etc/passwd	✅ Blocked	✅ Blocked	Path traversal attack
/../../etc/passwd	✅ Blocked	✅ Blocked	Path traversal attack
%2e%2e/etc/passwd	✅ Blocked	✅ Blocked	URL encoded traversal
C:\Windows\System32	❌ Blocked	✅ Blocked	Windows path (not applicable to Linux containers)

---

🔧 Modification 2: Run Container as Root User

Problem Description

Flowise 3.012 defaults to switching to a non-root user (node), which conflicts with the /root/.flowise mount configuration in docker-compose.yml.

Symptoms:

• whoami shows node instead of root
• Permission issues preventing access to /root/.flowise

Solution

File Location: Dockerfile (root directory)

Lines to Modify: Lines 38 and 41

Before (Official Version)

# Give the node user ownership of the application files
RUN chown -R node:node .

# Switch to non-root user (node user already exists in node:20-alpine)
USER node

EXPOSE 3000

CMD [ "pnpm", "start" ]

After (Local Adaptation)

# Give the node user ownership of the application files
# RUN chown -R node:node .

# Switch to non-root user (node user already exists in node:20-alpine)
# USER node

EXPOSE 3000

CMD [ "pnpm", "start" ]

Verification

# Enter the container
docker exec -it <container_id> sh

# Check current user
whoami
# Should output: root (not node)

---

🚀 Apply Modifications

1. Clone or Update Flowise Source

git clone https://github.com/FlowiseAI/Flowise.git
cd Flowise

2. Apply Modifications

Manual Modification:

1. Edit packages/components/src/validator.ts (refer to Modification 1 above)
2. Edit Dockerfile (refer to Modification 2 above)

3. Rebuild Docker Image

docker build --no-cache -t flowise .

4. Stop Old Container

# View container ID
docker ps

# Stop old container
docker stop <container_id>

# Remove old container (optional)
docker rm <container_id>

5. Run New Container

docker run -d -p 3000:3000 \
  -v /path/to/your/data:/data \
  -e DATABASE_PATH=/data/database \
  -e APIKEY_PATH=/data/apikey \
  -e SECRETKEY_PATH=/data/secretkey \
  flowise

Note: Replace /path/to/your/data with your actual local path.

---

📝 Environment Variables Example

Recommended Configuration (Local Environment)

# Data storage paths
DATABASE_PATH=/data/database
APIKEY_PATH=/data/apikey
SECRETKEY_PATH=/data/secretkey

# Log path
LOG_PATH=/data/logs

# File storage path
BLOB_STORAGE_PATH=/data/storage

# Port
PORT=3000

Volume Mount Example

# Linux/Mac
-v /home/user/flowise-data:/data

# Windows
-v D:\flowise-data:/data

---

⚠️ Important Notes

Security Considerations

1. For local environments only: These modifications remove certain security restrictions and are not suitable for public deployment
2. Do not expose to the internet: Ensure the container is only accessible locally (localhost:3000)
3. Regular data backups: The mounted directory contains all important data

Upgrade Process

1. Backup current version:

   docker save flowise > flowise-backup.tar
   # Backup data directory

2. Test new version:

   • Apply modifications in a test environment first
   • Deploy to production only after confirming functionality

3. Keep this document:

   • Reference this document for each upgrade
   • Document any special modification requirements for new versions

---

🔗 References

Official Documentation

• Flowise Environment Variables
• Flowise Docker Setup

Security Advisories

• GHSA-99pg-hqvx-r4gf: Arbitrary File Read
• GHSA-q67q-549q-p849: Path Traversal

Related Issues

• Issue #2562: Folder Path not found
• Issue #4293: Folder with Files loader inconsistent

---

📊 Version History

Version	Date	Changes
3.012	2025-12-10	Initial version: Path validation adaptation + root user configuration

---

🤝 Acknowledgments

Thanks to the Flowise team for providing an excellent open-source project. The modifications in this document are intended for local standalone environments and do not affect the security improvements of the official version.