admin/n8n-enterprise-unlocked
1
0
Fork 0
mirror of https://github.com/Abdulazizzn/n8n-enterprise-unlocked.git synced 2025-12-17 10:02:05 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(core): Filter out prototype and constructor lookups in expressions (#10382)

Browse Source
This commit is contained in:
Val
2024-08-13 16:57:01 +01:00
committed by GitHub
parent 117e2d968f
commit 8e7d29ad3c
7 changed files with 162 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

84
packages/workflow/test/ExpressionSandboxing.test.ts Normal file
View File

@@ -0,0 +1,84 @@
import { PrototypeSanitizer, sanitizer } from '@/ExpressionSandboxing';
import { Tournament } from '@n8n/tournament';
const tournament = new Tournament(
(e) => {
throw e;
},
undefined,
undefined,
{
before: [],
after: [PrototypeSanitizer],
},
);
const errorRegex = /^Cannot access ".*" due to security concerns$/;
describe('PrototypeSanitizer', () => {
describe('Static analysis', () => {
it('should not allow access to __proto__', () => {
expect(() => {
tournament.execute('{{ ({}).__proto__.__proto__ }}', {});
}).toThrowError(errorRegex);
expect(() => {
tournament.execute('{{ ({})["__proto__"]["__proto__"] }}', {});
}).toThrowError(errorRegex);
});
it('should not allow access to prototype', () => {
expect(() => {
tournament.execute('{{ Number.prototype }}', { Number });
}).toThrowError(errorRegex);
expect(() => {
tournament.execute('{{ Number["prototype"] }}', { Number });
}).toThrowError(errorRegex);
});
it('should not allow access to constructor', () => {
expect(() => {
tournament.execute('{{ Number.constructor }}', {
__sanitize: sanitizer,
Number,
});
}).toThrowError(errorRegex);
expect(() => {
tournament.execute('{{ Number["constructor"] }}', {
__sanitize: sanitizer,
Number,
});
}).toThrowError(errorRegex);
});
});
describe('Runtime', () => {
it('should not allow access to __proto__', () => {
expect(() => {
tournament.execute('{{ ({})["__" + (() => "proto")() + "__"] }}', {
__sanitize: sanitizer,
});
}).toThrowError(errorRegex);
});
it('should not allow access to prototype', () => {
expect(() => {
tournament.execute('{{ Number["pro" + (() => "toty")() + "pe"] }}', {
__sanitize: sanitizer,
Number,
});
}).toThrowError(errorRegex);
});
it('should not allow access to constructor', () => {
expect(() => {
tournament.execute('{{ Number["cons" + (() => "truc")() + "tor"] }}', {
__sanitize: sanitizer,
Number,
});
}).toThrowError(errorRegex);
});
});
});