feat(core): Harden native Python task runner (no-changelog) (#18826)

2025-12-20 19:32:15 +00:00 · 2025-08-29 14:19:38 +02:00
parent e29ed1532a
commit 3b574306f3
8 changed files with 435 additions and 47 deletions
--- a/packages/@n8n/task-runner-python/src/constants.py
+++ b/packages/@n8n/task-runner-python/src/constants.py
@@ -23,6 +23,7 @@ OFFER_INTERVAL = 0.25  # 250ms
 OFFER_VALIDITY = 5000  # ms
 OFFER_VALIDITY_MAX_JITTER = 500  # ms
 OFFER_VALIDITY_LATENCY_BUFFER = 0.1  # 100ms
+MAX_VALIDATION_CACHE_SIZE = 500  # cached validation results

 # Executor
 EXECUTOR_USER_OUTPUT_KEY = "__n8n_internal_user_output__"
@@ -38,6 +39,9 @@ ENV_GRANT_TOKEN = "N8N_RUNNERS_GRANT_TOKEN"
 ENV_MAX_CONCURRENCY = "N8N_RUNNERS_MAX_CONCURRENCY"
 ENV_MAX_PAYLOAD_SIZE = "N8N_RUNNERS_MAX_PAYLOAD"
 ENV_TASK_TIMEOUT = "N8N_RUNNERS_TASK_TIMEOUT"
+ENV_STDLIB_ALLOW = "N8N_RUNNERS_STDLIB_ALLOW"
+ENV_EXTERNAL_ALLOW = "N8N_RUNNERS_EXTERNAL_ALLOW"
+ENV_BUILTINS_DENY = "N8N_RUNNERS_BUILTINS_DENY"

 # Logging
 LOG_FORMAT = "%(asctime)s.%(msecs)03d\t%(levelname)s\t%(message)s"
@@ -51,3 +55,61 @@ TASK_REJECTED_REASON_OFFER_EXPIRED = (
    "Offer expired - not accepted within validity window"
 )
 TASK_REJECTED_REASON_AT_CAPACITY = "No open task slots - runner already at capacity"
+
+# Security
+BUILTINS_DENY_DEFAULT = "eval,exec,compile,open,input,breakpoint,__import__,getattr,object,type,vars,setattr,delattr,hasattr,dir,memoryview,__build_class__"
+ALWAYS_BLOCKED_ATTRIBUTES = {
+    "__subclasses__",
+    "__globals__",
+    "__builtins__",
+    "__traceback__",
+    "tb_frame",
+    "tb_next",
+    "f_back",
+    "f_globals",
+    "f_locals",
+    "f_code",
+    "f_builtins",
+    "__getattribute__",
+    "__qualname__",
+    "__module__",
+    "gi_frame",
+    "gi_code",
+    "gi_yieldfrom",
+    "cr_frame",
+    "cr_code",
+    "ag_frame",
+    "ag_code",
+    "__thisclass__",
+    "__self_class__",
+}
+# Attributes blocked only in certain contexts:
+# - In attribute chains (e.g., x.__class__.__bases__)
+# - On literals (e.g., "".__class__)
+CONDITIONALLY_BLOCKED_ATTRIBUTES = {
+    "__class__",
+    "__bases__",
+    "__code__",
+    "__closure__",
+    "__loader__",
+    "__cached__",
+    "__dict__",
+    "__import__",
+    "__mro__",
+    "__init_subclass__",
+    "__getattr__",
+    "__setattr__",
+    "__delattr__",
+    "__self__",
+    "__func__",
+    "__wrapped__",
+    "__annotations__",
+}
+UNSAFE_ATTRIBUTES = ALWAYS_BLOCKED_ATTRIBUTES | CONDITIONALLY_BLOCKED_ATTRIBUTES
+
+# errors
+ERROR_RELATIVE_IMPORT = "Relative imports are disallowed."
+ERROR_STDLIB_DISALLOWED = "Import of standard library module '{module}' is disallowed. Allowed stdlib modules: {allowed}"
+ERROR_EXTERNAL_DISALLOWED = "Import of external package '{module}' is disallowed. Allowed external packages: {allowed}"
+ERROR_DANGEROUS_ATTRIBUTE = "Access to attribute '{attr}' is disallowed, because it can be used to bypass security restrictions."
+ERROR_SECURITY_VIOLATIONS = "Security violations detected:\n{violations}"