fix(Code Node): Update vm2 to address CVE-2023-32313 (#6318)

GH advisory: https://github.com/advisories/GHSA-p5gc-c584-jj6v
2025-12-18 02:21:13 +00:00 · 2023-05-25 10:55:53 +00:00
parent 071955ba68
commit bcbec52552
5 changed files with 23 additions and 43 deletions
--- a/packages/nodes-base/nodes/FunctionItem/FunctionItem.node.ts
+++ b/packages/nodes-base/nodes/FunctionItem/FunctionItem.node.ts
@@ -1,5 +1,5 @@
 /* eslint-disable @typescript-eslint/no-loop-func */
-import type { NodeVMOptions, VMRequire } from 'vm2';
+import type { NodeVMOptions } from 'vm2';
 import { NodeVM } from 'vm2';
 import type {
 	IExecuteFunctions,
@@ -10,6 +10,7 @@ import type {
 	INodeTypeDescription,
 } from 'n8n-workflow';
 import { deepCopy, NodeOperationError } from 'n8n-workflow';
+import { vmResolver } from '../Code/JavaScriptSandbox';

 export class FunctionItem implements INodeType {
 	description: INodeTypeDescription = {
@@ -158,24 +159,9 @@ return item;`,
 				const options: NodeVMOptions = {
 					console: mode === 'manual' ? 'redirect' : 'inherit',
 					sandbox,
-					require: {
-						external: false,
-						builtin: [],
-					},
+					require: vmResolver,
 				};

-				const vmRequire = options.require as VMRequire;
-				if (process.env.NODE_FUNCTION_ALLOW_BUILTIN) {
-					vmRequire.builtin = process.env.NODE_FUNCTION_ALLOW_BUILTIN.split(',');
-				}
-
-				if (process.env.NODE_FUNCTION_ALLOW_EXTERNAL) {
-					vmRequire.external = {
-						modules: process.env.NODE_FUNCTION_ALLOW_EXTERNAL.split(','),
-						transitive: false,
-					};
-				}
-
 				const vm = new NodeVM(options as unknown as NodeVMOptions);

 				if (mode === 'manual') {