
feat: add sandboxed File System component for agents #12901

Open
Cristhianzl wants to merge 9 commits into release-1.10.0 from cz/add-file-sys-component

Conversation

@Cristhianzl
Member

OBJECTIVE: Give Langflow agents safe, scoped filesystem access via a configurable root path, exposing 5 standard ops (read/write/edit/glob/grep) with adversarial-grade boundary checks and the modern Tool Mode toggle.

CHANGES:

  • Add FileSystemToolComponent using modern pattern (Component + add_tool_output=True + async _get_tools()), exposing read_file / write_file / edit_file / glob_search / grep_search as StructuredTool entries with dedicated Pydantic args schemas
  • Centralized _validate_path() enforcing NUL-byte rejection, Windows portability checks (reserved names, forbidden chars, trailing dot/space), and resolve() + is_relative_to() sandbox boundary
  • Read-only mode that omits write/edit tools from registration entirely (structural guarantee, not runtime guard)
  • 74 unit tests covering happy paths, threats T1–T15, Tool Mode wiring, and Windows portability
  • Register FileSystemToolComponent in src/lfx/src/lfx/components/tools/__init__.py
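The validation order the description lists (NUL-byte rejection, then the Windows portability checks, then `resolve()` + `is_relative_to()` against the root) is shown below as an added, stand-alone example; it is not the PR's `_validate_path` and the real component may differ in details. The sandbox root, the candidate paths and the throwaway directory with a symlink are all constructed for this example.

```python
import re
import tempfile
from pathlib import Path

# Windows reserved device names; rejected case-insensitively, with or without an extension.
_WINDOWS_RESERVED = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)
# Characters NTFS/FAT refuse inside a file name (separators are handled by Path itself).
_WINDOWS_FORBIDDEN = re.compile(r'[<>:"|?*]')


class SandboxError(ValueError):
    """Raised when a requested path fails a sandbox check."""


def validate_path(root, requested: str) -> Path:
    """Return the resolved absolute path for `requested`, or raise SandboxError.

    Cheap string checks run first; the filesystem-backed boundary check at the
    end is the one that actually confines the agent.
    """
    if "\0" in requested:
        raise SandboxError("NUL byte in path")

    # Portability checks run per component so that files an agent creates on
    # Linux can still be checked out or opened on Windows.
    for part in Path(requested).parts:
        if part in (".", "..") or part == Path(part).anchor:
            continue  # anchors and dot-dirs are judged by the boundary check below
        if _WINDOWS_FORBIDDEN.search(part):
            raise SandboxError(f"forbidden character in {part!r}")
        if part != part.rstrip(". "):
            raise SandboxError(f"trailing dot or space in {part!r}")
        if part.split(".", 1)[0].upper() in _WINDOWS_RESERVED:
            raise SandboxError(f"reserved Windows name {part!r}")

    # Boundary check: resolve() follows symlinks and collapses '..', so both a
    # traversal and a symlink that points outside the root are rejected here.
    resolved_root = Path(root).resolve()
    candidate = (resolved_root / requested).resolve()
    if not candidate.is_relative_to(resolved_root):
        raise SandboxError(f"{requested!r} escapes the sandbox root")
    return candidate


def is_allowed(root, requested: str) -> bool:
    """Boolean wrapper around validate_path for quick checks."""
    try:
        validate_path(root, requested)
    except SandboxError:
        return False
    return True


def symlink_escape_is_rejected() -> bool:
    """Build a throwaway sandbox (constructed for this example) containing a
    symlink that points outside it, and confirm the boundary check catches it."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        root = base / "sandbox"
        root.mkdir()
        secret = base / "secret.txt"
        secret.write_text("outside the sandbox")
        (root / "link.txt").symlink_to(secret)
        return not is_allowed(root, "link.txt")


if __name__ == "__main__":
    sandbox = "/srv/agent-workspace"  # hypothetical root for the demo
    for candidate in ("notes/todo.txt", "../etc/passwd", "/etc/passwd", "CON.txt", 'bad"name', "draft. "):
        verdict = "allowed" if is_allowed(sandbox, candidate) else "rejected"
        print(f"{candidate!r:20} -> {verdict}")
    print("symlink escape rejected:", symlink_escape_is_rejected())
```

Note that an absolute `requested` is not special-cased: `root / "/etc/passwd"` evaluates to `/etc/passwd`, which the boundary check then rejects unless it happens to lie inside the root.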

@Cristhianzl Cristhianzl self-assigned this Apr 27, 2026
@github-actions github-actions Bot added the enhancement New feature or request label Apr 27, 2026
@codecov

codecov Bot commented Apr 27, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 53.88%. Comparing base (99fc770) to head (0ad9aa5).
⚠️ Report is 20 commits behind head on release-1.10.0.


@@                Coverage Diff                 @@
##           release-1.10.0   #12901      +/-   ##
==================================================
+ Coverage           53.26%   53.88%   +0.61%     
==================================================
  Files                2033     2047      +14     
  Lines              184606   186342    +1736     
  Branches            27800    28041     +241     
==================================================
+ Hits                98339   100407    +2068     
+ Misses              85168    84825     -343     
- Partials             1099     1110      +11     
Flag       Coverage        Δ
backend    57.08% <ø>      (+0.87%) ⬆️
frontend   54.09% <ø>      (+0.69%) ⬆️
lfx        49.74% <ø>      (-0.11%) ⬇️


@coderabbitai
Contributor

coderabbitai Bot commented Apr 27, 2026

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 714c42da-fc9a-44d8-8ef6-cb6e413072e9

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


@github-actions github-actions Bot added enhancement New feature or request and removed enhancement New feature or request labels Apr 27, 2026
@erichare erichare self-requested a review April 27, 2026 17:05
@github-actions
Contributor

github-actions Bot commented Apr 27, 2026

Frontend Unit Test Coverage Report

Coverage Summary

Lines           Statements               Branches              Functions
Coverage: 36%   36.36% (42047/115618)    67.91% (5790/8525)    36.28% (967/2665)

Unit Test Results

Tests   Skipped   Failures   Errors   Time
4092    0 💤      0 ❌       0 🔥     8m 8s ⏱️

Collaborator

@erichare erichare left a comment


@Cristhianzl Seems like an awesome addition, some things to address:

Blocking

  1. User-controlled sandbox root can expose server files

    root_path defines the entire sandbox boundary. In hosted or multi-user deployments, a flow author could set it to /, the app config directory, or another sensitive server path, then read files or overwrite them when read_only=false.

    Please either cloud-gate this component like other local filesystem features, or make the root server-controlled via an allowlist/per-flow workspace path rather than fully user-controlled.

  2. grep_search can be DoS’d by agent-supplied regex

    grep_search compiles arbitrary regex and runs it over file contents without a timeout or safe-regex guard. A catastrophic-backtracking pattern can pin a worker before output caps apply.

    Please add a mitigation, such as a timeout-capable regex path, rejecting unsafe patterns, or making literal search the default with regex as an explicitly constrained mode.

Should Fix

  1. edit_file can allocate huge replacement output before enforcing size limits

    The replacement string is built before checking the resulting size. With replace_all=True, or especially old_string="", a small file plus a large new_string can allocate far beyond MAX_FILE_SIZE_BYTES before the guard runs.

    Please reject empty old_string and calculate the projected encoded size before constructing the replacement.
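The three mitigations this review asks for, as an added example that is not the PR's implementation (the allowlist parent directory, the size and pattern caps, and the function names are assumptions made for the example): the sandbox root is checked against a server-side allowlist instead of being trusted as given, `grep_search` defaults to literal matching with regex as a bounded opt-in, and `edit_file` computes the projected encoded size and rejects an empty `old_string` before any replacement string is built.

```python
from __future__ import annotations

import re
from pathlib import Path

# Server-side allowlist of workspace parents (hypothetical paths for this example).
# A flow author may pick a workspace under one of these; anything else is refused.
ALLOWED_ROOT_PARENTS = [Path("/srv/langflow/workspaces")]

MAX_FILE_SIZE_BYTES = 1_000_000   # placeholder limit for the example
MAX_REGEX_PATTERN_LEN = 256       # example cap on agent-supplied patterns
MAX_GREP_MATCHES = 100            # example cap on returned matches


def resolve_sandbox_root(requested_root: str) -> Path:
    """Blocking issue 1: validate the root against an allowlist rather than trusting it."""
    candidate = Path(requested_root).resolve()
    for parent in ALLOWED_ROOT_PARENTS:
        if candidate.is_relative_to(parent.resolve()):
            return candidate
    raise PermissionError(f"{requested_root!r} is not under an allowed workspace parent")


def root_is_allowed(requested_root: str) -> bool:
    """Boolean wrapper around resolve_sandbox_root."""
    try:
        resolve_sandbox_root(requested_root)
    except PermissionError:
        return False
    return True


def grep_lines(text: str, pattern: str, *, regex: bool = False) -> list[tuple[int, str]]:
    """Blocking issue 2: literal search by default; regex is opt-in, with a bounded
    pattern length and a hard cap on matches. A real per-match timeout needs a
    timeout-capable engine, which the standard `re` module does not provide."""
    if regex:
        if len(pattern) > MAX_REGEX_PATTERN_LEN:
            raise ValueError("regex pattern too long")
        compiled = re.compile(pattern)
    else:
        compiled = re.compile(re.escape(pattern))
    hits: list[tuple[int, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if compiled.search(line):
            hits.append((lineno, line))
            if len(hits) >= MAX_GREP_MATCHES:
                break
    return hits


def projected_edit_size(content: str, old_string: str, new_string: str, *,
                        replace_all: bool, encoding: str = "utf-8") -> int:
    """Should-fix issue: size of the edited file in bytes, computed without building it.
    str.replace substitutes non-overlapping occurrences, so str.count gives the same number."""
    if old_string == "":
        raise ValueError("old_string must not be empty")
    occurrences = content.count(old_string)
    if occurrences == 0:
        raise ValueError("old_string not found")
    if not replace_all:
        occurrences = 1
    delta = len(new_string.encode(encoding)) - len(old_string.encode(encoding))
    return len(content.encode(encoding)) + occurrences * delta


def safe_edit(content: str, old_string: str, new_string: str, *,
              replace_all: bool = False, limit: int = MAX_FILE_SIZE_BYTES) -> str:
    """Allocate the replacement only after the projected size has passed the limit."""
    projected = projected_edit_size(content, old_string, new_string, replace_all=replace_all)
    if projected > limit:
        raise ValueError(f"edit would produce {projected} bytes, limit is {limit}")
    return content.replace(old_string, new_string, -1 if replace_all else 1)


if __name__ == "__main__":
    print(root_is_allowed("/srv/langflow/workspaces/flow-42"), root_is_allowed("/"))
    print(grep_lines("foo.bar\nfooxbar\n", "foo.bar"))
    print(projected_edit_size("aaa", "a", "bb", replace_all=True))
    print(safe_edit("hello world", "world", "there"))
```

The size projection is exact for the encoding used because every occurrence contributes the same byte delta; `safe_edit` therefore never allocates the replacement for an edit that would be rejected anyway.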

@github-actions github-actions Bot added enhancement New feature or request and removed enhancement New feature or request labels Apr 27, 2026
@Cristhianzl Cristhianzl requested a review from erichare April 27, 2026 18:11
Collaborator

@erichare erichare left a comment


LGTM!

@github-actions github-actions Bot added the lgtm This PR has been approved by a maintainer label Apr 27, 2026
@github-actions github-actions Bot added enhancement New feature or request and removed enhancement New feature or request labels Apr 28, 2026
@github-actions github-actions Bot removed the enhancement New feature or request label Apr 29, 2026
@github-actions github-actions Bot added the enhancement New feature or request label Apr 29, 2026