fix(core): Disallow code generation in task runner (#12522)

2025-12-17 01:56:46 +00:00 · 2025-01-09 13:27:17 +02:00
parent 46f13cfca9
commit 35b618098b
5 changed files with 23 additions and 12 deletions
--- a/packages/@n8n/task-runner/src/js-task-runner/tests/js-task-runner.test.ts
+++ b/packages/@n8n/task-runner/src/js-task-runner/tests/js-task-runner.test.ts
@@ -302,6 +302,7 @@ describe('JsTaskRunner', () => {
 				['typeof clearInterval', 'function'],
 				['typeof clearImmediate', 'function'],
 			],
+			eval: [['eval("1+2")', 3]],
 			'JS built-ins': [
 				['typeof btoa', 'function'],
 				['typeof atob', 'function'],
--- a/packages/@n8n/task-runner/src/js-task-runner/js-task-runner.ts
+++ b/packages/@n8n/task-runner/src/js-task-runner/js-task-runner.ts
@@ -19,7 +19,7 @@ import type {
 } from 'n8n-workflow';
 import * as a from 'node:assert';
 import { inspect } from 'node:util';
-import { runInNewContext, type Context } from 'node:vm';
+import { type Context, createContext, runInContext } from 'node:vm';

 import type { MainConfig } from '@/config/main-config';
 import { UnsupportedFunctionError } from '@/js-task-runner/errors/unsupported-function.error';
@@ -158,10 +158,8 @@ export class JsTaskRunner extends TaskRunner {

 	private getNativeVariables() {
 		return {
-			// Exposed Node.js globals in vm2
+			// Exposed Node.js globals
 			Buffer,
-			Function,
-			eval,
 			setTimeout,
 			setInterval,
 			setImmediate,
@@ -205,7 +203,7 @@ export class JsTaskRunner extends TaskRunner {

 				signal.addEventListener('abort', abortHandler, { once: true });

-				const taskResult = runInNewContext(
+				const taskResult = runInContext(
 					`globalThis.global = globalThis; module.exports = async function VmCodeWrapper() {${settings.code}\n}()`,
 					context,
 					{ timeout: this.taskTimeout * 1000 },
@@ -268,7 +266,7 @@ export class JsTaskRunner extends TaskRunner {

 					signal.addEventListener('abort', abortHandler);

-					const taskResult = runInNewContext(
+					const taskResult = runInContext(
 						`module.exports = async function VmCodeWrapper() {${settings.code}\n}()`,
 						context,
 						{ timeout: this.taskTimeout * 1000 },
@@ -470,7 +468,7 @@ export class JsTaskRunner extends TaskRunner {
 		dataProxy: IWorkflowDataProxyData,
 		additionalProperties: Record<string, unknown> = {},
 	): Context {
-		const context: Context = {
+		return createContext({
 			[inspect.custom]: () => '[[ExecutionContext]]',
 			require: this.requireResolver,
 			module: {},
@@ -480,8 +478,6 @@ export class JsTaskRunner extends TaskRunner {
 			...dataProxy,
 			...this.buildRpcCallObject(taskId),
 			...additionalProperties,
-		};
-
-		return context;
+		});
 	}
 }