RE: Updating a Node-RED flow from the file system

Ref:

The thread established that it is, indeed, possible.

But it seems a bit risky - allowing the upload of any arbitrary file which just happens to have the "json" file type.

Some sort of "signature" would seem beneficial - to give at least some reassurance that what was uploaded was actually intended as a Node-RED Flows file.

So the question is: how to do that? Are there any existing examples?

I'm thinking specifically in the case of a Node-RED Dashboard app.

It's kinda possible. My idea is to upload or download the files out of the .nodered directory. Download is no problem, just copy, but the upload is risky: you have to stop Node-RED, replace the file with the new one and then start Node-RED again. I don't know if it can be done because the deploy button isn't a command.

We are doing this in our prototypes to quickly update a flow. After upload you just restart (which is the same as a deploy). What you can do, for example, is create a checksum of your flow and then ask the user to re-enter the sum to confirm it's the same file.
Sorry, the checksum thing doesn't really make sense.

A flow itself can be risky too. So detecting whether it's an actual flow file does not really help here. "Password protection" is the only way, I guess.

As I said, that part isn't the problem - it's solved in the linked thread. And, as @rko said, restarting the system works for this.

The question is how to get (at least some) assurance that the uploaded file is intended for use as a Node-RED Flows file.

Yes - that's the kind of thing. But this would be for Flows that have already been "approved" for distribution (as in the linked thread)

Agreed.

What I was thinking was some sort of "archive" or container that would contain the Flow file and its "checksum" - so the upload process would upload this "archive", decompress/unpack it, and check that the "checksum" is OK. Only then would it replace the Flows file & restart.

So the question is how to do that packaging/unpacking & checking in Node-RED.

Have a look at the Code from Node-RED, hope I found the right bit where a flow is being validated before an import into the editor. Maybe you can re-use some or all of this. I am also not sure if there is a validation "feature" somewhere already .. you have to ask the experts.

I am planning to invest some time to improve the update procedure because it is a real time-saver, especially if the Node-RED system is far away and only the customer has access to it. But unfortunately I have to finish some other work first.

Archive etc. should be no problem.

Likewise.

In my case, the customer should only be uploading files that have been provided, so they should already be validated as "good" for Node-RED.
So the issue really is to just make sure they don't "accidentally" load something that isn't a provided file.

I guess I really only need some distinct text string within the file ...

Yes, I think then you could add another JSON object along with the flow object, and your import procedure should check if it's there. Uploading something else will fail, because the mentioned bit is missing. Or you just add something into your flow to make life easier (and keep it a valid flow file).

Put the flows in a dedicated folder and only allow selection from that folder. Disable write access to the folder for unauthorised users.

It's not about authorising the user - it's about ensuring that what the user uploads is a proper Flows file for the application.

Recognising a key text string within the JSON file does the trick; eg,

Not secure against malicious users, of course - but that's not the purpose here.
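
The marker-string and checksum-container ideas from the posts above, combined into one upload check. This is an added example, not code from the thread or from Node-RED; the marker value, package layout and function names are assumptions, and the optional HMAC key goes one step beyond the plain checksum discussed.

```javascript
// Added example; marker value, package layout and names are assumptions.
const crypto = require("crypto");

const MARKER = "example-dashboard-flows/v1"; // hypothetical marker string

// Constructed sample: a minimal flows array (one tab, one inject node).
const SAMPLE_FLOWS = [
  { id: "tab1", type: "tab", label: "Main" },
  { id: "n1", type: "inject", z: "tab1", wires: [[]] },
];

// SHA-256 checksum, or HMAC-SHA256 when a shared key is supplied.
function digest(text, key) {
  const h = key ? crypto.createHmac("sha256", key) : crypto.createHash("sha256");
  return h.update(text, "utf8").digest("hex");
}

// Distributor side: wrap approved flows with the marker and a digest.
function packFlows(flows, key) {
  const text = JSON.stringify(flows);
  return JSON.stringify({ marker: MARKER, flows: text, digest: digest(text, key) });
}

// Upload side: return the flows array, or throw before any file is replaced.
function unpackFlows(uploadText, key) {
  let pkg;
  try { pkg = JSON.parse(uploadText); } catch (e) { throw new Error("not JSON"); }
  if (!pkg || pkg.marker !== MARKER) throw new Error("marker missing");
  if (typeof pkg.flows !== "string" || typeof pkg.digest !== "string") {
    throw new Error("malformed package");
  }
  const want = Buffer.from(digest(pkg.flows, key), "hex");
  const got = Buffer.from(pkg.digest, "hex");
  if (got.length !== want.length || !crypto.timingSafeEqual(got, want)) {
    throw new Error("digest mismatch");
  }
  const flows = JSON.parse(pkg.flows);
  // Basic shape check: a flows file is an array of objects with id and type.
  const ok = Array.isArray(flows) && flows.every(
    (n) => n && typeof n.id === "string" && typeof n.type === "string");
  if (!ok) throw new Error("not a flows array");
  return flows;
}
```

Without a key this only catches accidental uploads and corruption; with a key known only to the distributor and the device, a package edited by someone without the key fails the digest check.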

Your solution of a special string works.

Alternatively, you can encrypt the new flow file with a tool such as OpenSSL and distribute it to the client. This makes the flow secure and hard to crack.

Once the client uploads the file, you decrypt the file with OpenSSL and verify it before you deploy the flow.

And how to do that in Node-RED?

There are a few crypto type contrib nodes

https://flows.nodered.org/search?term=crypto&type=node

You may use the "exec" node. To encrypt a file, you can use command

sudo openssl aes-256-cbc -e -k password -iter 3 -in filename -out encrypted_filename

To decrypt:

sudo openssl aes-256-cbc -d -k password -iter 3 -in encrypted_filename -out filename

Note:
- Replace the password with your own password.
- Increase 3 to a larger number for better security.

For a group of files, you can first tar the files, and then use openssl to encrypt it.
