fix(core): Filter out prototype and constructor lookups in expressions (#10382)

2025-12-18 02:21:13 +00:00 · 2024-08-13 16:57:01 +01:00
parent 117e2d968f
commit 8e7d29ad3c
7 changed files with 162 additions and 10 deletions
--- a/packages/workflow/src/ExpressionEvaluatorProxy.ts
+++ b/packages/workflow/src/ExpressionEvaluatorProxy.ts
@@ -3,6 +3,7 @@ import type { ReturnValue, TmplDifference } from '@n8n/tournament';
 import { Tournament } from '@n8n/tournament';
 import type { ExpressionEvaluatorType } from './Interfaces';
 import * as LoggerProxy from './LoggerProxy';
+import { PrototypeSanitizer } from './ExpressionSandboxing';

 type Evaluator = (expr: string, data: unknown) => tmpl.ReturnValue;
 type ErrorHandler = (error: Error) => void;
@@ -18,6 +19,7 @@ const differenceChecker = (diff: TmplDifference) => {
 		if (diff.same) {
 			return;
 		}
+		// eslint-disable-next-line @typescript-eslint/prefer-nullish-coalescing
 		if (diff.has?.function || diff.has?.templateString) {
 			return;
 		}
@@ -30,7 +32,10 @@ const differenceChecker = (diff: TmplDifference) => {
 		LoggerProxy.error('Expression evaluator difference checker failed');
 	}
 };
-const tournamentEvaluator = new Tournament(errorHandler, undefined);
+const tournamentEvaluator = new Tournament(errorHandler, undefined, undefined, {
+	before: [],
+	after: [PrototypeSanitizer],
+});
 let evaluator: Evaluator = tmpl.tmpl;
 let currentEvaluatorType: ExpressionEvaluatorType = 'tmpl';
 let diffExpressions = false;