admin/n8n-enterprise-unlocked
1
0
Fork 0
mirror of https://github.com/Abdulazizzn/n8n-enterprise-unlocked.git synced 2025-12-18 02:21:13 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(core): Filter out prototype and constructor lookups in expressions (#10382)

Browse Source
This commit is contained in:
Val
2024-08-13 16:57:01 +01:00
committed by GitHub
parent 117e2d968f
commit 8e7d29ad3c
7 changed files with 162 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

58
packages/workflow/src/ExpressionSandboxing.ts Normal file
View File

@@ -0,0 +1,58 @@
import { type ASTAfterHook, astBuilders as b, astVisit } from '@n8n/tournament';
import { ExpressionError } from './errors';
const forbiddenMembers = ['__proto__', 'prototype', 'constructor', 'getPrototypeOf'];
export const sanitizerName = '__sanitize';
const sanitizerIdentifier = b.identifier(sanitizerName);
export const PrototypeSanitizer: ASTAfterHook = (ast, dataNode) => {
astVisit(ast, {
visitMemberExpression(path) {
this.traverse(path);
const node = path.node;
if (!node.computed) {
// This is static, so we're safe to error here
if (node.property.type !== 'Identifier') {
// eslint-disable-next-line n8n-local-rules/no-plain-errors
throw new ExpressionError(
`Unknown property type ${node.property.type} while sanitising expression`,
);
}
if (forbiddenMembers.includes(node.property.name)) {
throw new ExpressionError(
`Cannot access "${node.property.name}" due to security concerns`,
);
}
} else if (node.property.type === 'StringLiteral' || node.property.type === 'Literal') {
// Check any static strings against our forbidden list
if (forbiddenMembers.includes(node.property.value as string)) {
throw new ExpressionError(
`Cannot access "${node.property.value as string}" due to security concerns`,
);
}
} else if (!node.property.type.endsWith('Literal')) {
// This isn't a literal value, so we need to wrap it
path.replace(
b.memberExpression(
// eslint-disable-next-line @typescript-eslint/no-unsafe-argument, @typescript-eslint/no-explicit-any
node.object as any,
// eslint-disable-next-line @typescript-eslint/no-unsafe-argument
b.callExpression(b.memberExpression(dataNode, sanitizerIdentifier), [
// eslint-disable-next-line @typescript-eslint/no-explicit-any
node.property as any,
]),
true,
),
);
}
},
});
};
export const sanitizer = (value: unknown): unknown => {
if (forbiddenMembers.includes(value as string)) {
throw new ExpressionError(`Cannot access "${value as string}" due to security concerns`);
}
return value;
};