fix(core): Prevent XSS via static cache dir (#10339)

Iván Ovejero
2024-08-09 16:40:50 +02:00
committed by GitHub
parent 1cf48cc301
commit 4f392b5e3e
4 changed files with 25 additions and 5 deletions


@@ -3326,7 +3326,7 @@ const getAllowedPaths = () => {
return allowedPaths;
};
function isFilePathBlocked(filePath: string): boolean {
export function isFilePathBlocked(filePath: string): boolean {
const allowedPaths = getAllowedPaths();
const resolvedFilePath = path.resolve(filePath);
const blockFileAccessToN8nFiles = process.env[BLOCK_FILE_ACCESS_TO_N8N_FILES] !== 'false';
@@ -3342,10 +3342,10 @@ function isFilePathBlocked(filePath: string): boolean {
return true;
}
//restrict access to .n8n folder and other .env config related paths
//restrict access to .n8n folder, ~/.cache/n8n/public, and other .env config related paths
if (blockFileAccessToN8nFiles) {
const { n8nFolder } = Container.get(InstanceSettings);
const restrictedPaths = [n8nFolder];
const { n8nFolder, staticCacheDir } = Container.get(InstanceSettings);
const restrictedPaths = [n8nFolder, staticCacheDir];
if (process.env[CONFIG_FILES]) {
restrictedPaths.push(...process.env[CONFIG_FILES].split(','));