fix(HTTP Request Node): Fix prototype pollution vulnerability (#15463)

Elias Meire
2025-05-20 15:39:33 +02:00
committed by GitHub
parent 8d1170e3dd
commit 1ffc33dcc6
6 changed files with 65 additions and 9 deletions


@@ -283,3 +283,30 @@ export function randomString(minLength: number, maxLength?: number): string {
export function hasKey<T extends PropertyKey>(value: unknown, key: T): value is Record<T, unknown> {
return value !== null && typeof value === 'object' && value.hasOwnProperty(key);
}
const unsafeObjectProperties = new Set(['__proto__', 'prototype', 'constructor', 'getPrototypeOf']);
/**
* Checks if a property key is safe to use on an object, preventing prototype pollution.
* setting untrusted properties can alter the object's prototype chain and introduce vulnerabilities.
*
* @see setSafeObjectProperty
*/
export function isSafeObjectProperty(property: string) {
return !unsafeObjectProperties.has(property);
}
/**
* Safely sets a property on an object, preventing prototype pollution.
*
* @see isSafeObjectProperty
*/
export function setSafeObjectProperty(
target: Record<string, unknown>,
property: string,
value: unknown,
) {
if (isSafeObjectProperty(property)) {
target[property] = value;
}
}
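Review bot: `setSafeObjectProperty` silently discards a blocked key, so a caller cannot tell a stored value from a rejected one and has nothing to log or reject when someone supplies `__proto__` as a parameter name. Returning the outcome keeps the call backward-compatible and lets callers surface the rejection: `const safe = isSafeObjectProperty(property);`, `if (safe) target[property] = value;`, `return safe;`, with `: boolean` on both exported signatures. The check is also an exact match on a single key, so the doc comment should state that dotted or bracketed paths must be split and checked segment by segment before calling. Whether the call sites in the other changed files do this is not visible here.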