fix(expression): prevent calls to constructor to forbid arbitrary code execution (#4139)

* fix(expression): prevent calls to constructor to forbid arbitrary code execution
This commit is contained in:
Omar Ajoue
2022-09-20 10:41:37 +02:00
committed by GitHub
parent 479f78b3bc
commit a8030dbda5


@@ -249,6 +249,15 @@ export class Expression {
data.Boolean = Boolean; data.Boolean = Boolean;
data.Symbol = Symbol; data.Symbol = Symbol;
const constructorValidation = new RegExp(/\.\s*constructor/gm);
if (parameterValue.match(constructorValidation)) {
throw new ExpressionError('Expression contains invalid constructor function call', {
causeDetailed: 'Constructor override attempt is not allowed due to security concerns',
runIndex,
itemIndex,
});
}
// Execute the expression // Execute the expression
const returnValue = this.renderExpression(parameterValue, data); const returnValue = this.renderExpression(parameterValue, data);
if (typeof returnValue === 'function') { if (typeof returnValue === 'function') {