fix(core): Prevent XSS via static cache dir (#10339)

packages/core/test/NodeExecuteFunctions.test.ts

@@ -4,6 +4,7 @@ import {
 	copyInputItems,
 	ensureType,
 	getBinaryDataBuffer,
+	isFilePathBlocked,
 	parseIncomingMessage,
 	parseRequestObject,
 	proxyRequestToAxios,
@@ -34,6 +35,7 @@ import { join } from 'path';
 import Container from 'typedi';
 import type { Agent } from 'https';
 import toPlainObject from 'lodash/toPlainObject';
+import { InstanceSettings } from '@/InstanceSettings';
 
 const temporaryDir = mkdtempSync(join(tmpdir(), 'n8n'));
 
@@ -663,3 +665,11 @@ describe('NodeExecuteFunctions', () => {
 		});
 	});
 });
+
+describe('isFilePathBlocked', () => {
+	test('should return true for static cache dir', () => {
+		const filePath = Container.get(InstanceSettings).staticCacheDir;
+
+		expect(isFilePathBlocked(filePath)).toBe(true);
+	});
+});