fix(core): Prevent prototype pollution in task runner (#12588)

2025-12-17 01:56:46 +00:00 · 2025-01-15 09:51:42 +01:00
parent 674ba3c59a
commit bdf266cf55
5 changed files with 99 additions and 5 deletions
--- a/packages/cli/src/task-runners/task-runner-process.ts
+++ b/packages/cli/src/task-runners/task-runner-process.ts
@@ -106,9 +106,13 @@ export class TaskRunnerProcess extends TypedEmitter<TaskRunnerProcessEventMap> {
 	startNode(grantToken: string, taskBrokerUri: string) {
 		const startScript = require.resolve('@n8n/task-runner/start');

-		return spawn('node', ['--disallow-code-generation-from-strings', startScript], {
-			env: this.getProcessEnvVars(grantToken, taskBrokerUri),
-		});
+		return spawn(
+			'node',
+			['--disallow-code-generation-from-strings', '--disable-proto=delete', startScript],
+			{
+				env: this.getProcessEnvVars(grantToken, taskBrokerUri),
+			},
+		);
 	}

 	@OnShutdown()