admin/n8n-enterprise-unlocked
1
0
Fork 0
mirror of https://github.com/Abdulazizzn/n8n-enterprise-unlocked.git synced 2025-12-20 19:32:15 +00:00
Code Issues Packages Projects Releases Wiki Activity

refactor(core): Block __import__ via AST validation in native Python runner (#18974)

Browse Source
This commit is contained in:
Iván Ovejero
2025-09-01 09:47:15 +02:00
committed by GitHub
parent a8be824b57
commit 2c6e2f6c7e
2 changed files with 35 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
packages/@n8n/task-runner-python/src/constants.py
View File

@@ -57,7 +57,7 @@ TASK_REJECTED_REASON_OFFER_EXPIRED = (
TASK_REJECTED_REASON_AT_CAPACITY = "No open task slots - runner already at capacity"
# Security
BUILTINS_DENY_DEFAULT = "eval,exec,compile,open,input,breakpoint,__import__,getattr,object,type,vars,setattr,delattr,hasattr,dir,memoryview,__build_class__"
BUILTINS_DENY_DEFAULT = "eval,exec,compile,open,input,breakpoint,getattr,object,type,vars,setattr,delattr,hasattr,dir,memoryview,__build_class__"
ALWAYS_BLOCKED_ATTRIBUTES = {
"__subclasses__",
"__globals__",
@@ -112,4 +112,7 @@ ERROR_RELATIVE_IMPORT = "Relative imports are disallowed."
ERROR_STDLIB_DISALLOWED = "Import of standard library module '{module}' is disallowed. Allowed stdlib modules: {allowed}"
ERROR_EXTERNAL_DISALLOWED = "Import of external package '{module}' is disallowed. Allowed external packages: {allowed}"
ERROR_DANGEROUS_ATTRIBUTE = "Access to attribute '{attr}' is disallowed, because it can be used to bypass security restrictions."
ERROR_DYNAMIC_IMPORT = (
"Dynamic __import__() calls are not allowed for security reasons."
)
ERROR_SECURITY_VIOLATIONS = "Security violations detected:\n{violations}"