admin/n8n-enterprise-unlocked
1
0
Fork 0
mirror of https://github.com/Abdulazizzn/n8n-enterprise-unlocked.git synced 2025-12-17 10:02:05 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(core): Filter out prototype and constructor lookups in expressions (#10382)

Browse Source
This commit is contained in:
Val
2024-08-13 16:57:01 +01:00
committed by GitHub
parent 117e2d968f
commit 8e7d29ad3c
7 changed files with 162 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
packages/workflow/test/Expression.test.ts
View File

@@ -74,7 +74,9 @@ for (const evaluator of ['tmpl', 'tournament'] as const) {
expect(evaluate('={{Reflect}}')).toEqual({});
expect(evaluate('={{Proxy}}')).toEqual({});
expect(evaluate('={{constructor}}')).toEqual({});
expect(() => evaluate('={{constructor}}')).toThrowError(
new ExpressionError('Cannot access "constructor" due to security concerns'),
);
expect(evaluate('={{escape}}')).toEqual({});
expect(evaluate('={{unescape}}')).toEqual({});
@@ -166,7 +168,7 @@ for (const evaluator of ['tmpl', 'tournament'] as const) {
const testFn = jest.fn();
Object.assign(global, { testFn });
expect(() => evaluate("={{ Date['constructor']('testFn()')()}}")).toThrowError(
new ExpressionError('Arbitrary code execution detected'),
new ExpressionError('Cannot access "constructor" due to security concerns'),
);
expect(testFn).not.toHaveBeenCalled();
});