fix(Execute Sub-workflow Node): Don't expose the file contens when reading the workflow from a file and it's not valid JSON (#16416)

packages/nodes-base/nodes/ExecuteWorkflow/ExecuteWorkflow/GenericFunctions.test.ts

@@ -0,0 +1,30 @@
+import { mockDeep, type DeepMockProxy } from 'jest-mock-extended';
+import type { IExecuteFunctions, ILoadOptionsFunctions, INode } from 'n8n-workflow';
+
+import { getWorkflowInfo } from './GenericFunctions';
+
+jest.mock('fs/promises', () => ({
+	readFile: jest.fn().mockResolvedValue('sensitive data'),
+}));
+
+describe('ExecuteWorkflow node - GenericFunctions', () => {
+	let executeFunctionsMock: DeepMockProxy<ILoadOptionsFunctions | IExecuteFunctions>;
+
+	beforeEach(() => {
+		jest.clearAllMocks();
+		executeFunctionsMock = mockDeep<ILoadOptionsFunctions | IExecuteFunctions>();
+	});
+
+	describe('getWorkflowInfo', () => {
+		it('should throw an error without the file content when source is localFile and the file is not json', async () => {
+			executeFunctionsMock.getNode.mockReturnValue({
+				typeVersion: 1,
+			} as INode);
+			executeFunctionsMock.getNodeParameter.mockReturnValue('path/to/file');
+
+			await expect(getWorkflowInfo.call(executeFunctionsMock, 'localFile', 0)).rejects.toThrow(
+				'The file content is not valid JSON',
+			);
+		});
+	});
+});

packages/nodes-base/nodes/ExecuteWorkflow/ExecuteWorkflow/GenericFunctions.ts

@@ -45,7 +45,9 @@ export async function getWorkflowInfo(
 			throw error;
 		}
 
-		workflowInfo.code = jsonParse(workflowJson);
+		workflowInfo.code = jsonParse(workflowJson, {
+			errorMessage: 'The file content is not valid JSON', // pass a custom error message to not expose the file contents
+		});
 	} else if (source === 'parameter') {
 		// Read workflow from parameter
 		const workflowJson = this.getNodeParameter('workflowJson', itemIndex) as string;