fix(core): Do not send credentials to browser console (#5031)

2025-12-17 01:56:46 +00:00 · 2022-12-23 16:25:59 -06:00
parent a229788d4b
commit afc529799d
4 changed files with 67 additions and 30 deletions
--- a/packages/nodes-base/nodes/HttpRequest/GenericFunctions.ts
+++ b/packages/nodes-base/nodes/HttpRequest/GenericFunctions.ts
@@ -1,4 +1,9 @@
-import { INodeExecutionData, IOAuth2Options } from 'n8n-workflow';
+import { IDataObject, INodeExecutionData, IOAuth2Options } from 'n8n-workflow';
+import { OptionsWithUri } from 'request-promise-native';
+
+export type IAuthDataSanitizeKeys = {
+	[key: string]: string[];
+};

 export const replaceNullValues = (item: INodeExecutionData) => {
 	if (item.json === null) {
@@ -7,6 +12,37 @@ export const replaceNullValues = (item: INodeExecutionData) => {
 	return item;
 };

+export function sanitizeUiMessage(request: OptionsWithUri, authDataKeys: IAuthDataSanitizeKeys) {
+	let sendRequest = request as unknown as IDataObject;
+
+	// Protect browser from sending large binary data
+	if (Buffer.isBuffer(sendRequest.body) && sendRequest.body.length > 250000) {
+		sendRequest = {
+			...request,
+			body: `Binary data got replaced with this text. Original was a Buffer with a size of ${request.body.length} byte.`,
+		};
+	}
+
+	// Remove credential information
+	for (const requestProperty of Object.keys(authDataKeys)) {
+		sendRequest = {
+			...sendRequest,
+			[requestProperty]: Object.keys(sendRequest[requestProperty] as object).reduce(
+				// eslint-disable-next-line @typescript-eslint/no-loop-func
+				(acc: IDataObject, curr) => {
+					acc[curr] = authDataKeys[requestProperty].includes(curr)
+						? '** hidden **'
+						: (sendRequest[requestProperty] as IDataObject)[curr];
+					return acc;
+				},
+				{},
+			),
+		};
+	}
+
+	return sendRequest;
+}
+
 export const getOAuth2AdditionalParameters = (nodeCredentialType: string) => {
 	const oAuth2Options: { [credentialType: string]: IOAuth2Options } = {
 		bitlyOAuth2Api: {