feat(core): Add credential runtime checks and prevent tampering in manual run (#4481)

* ✨ Create `PermissionChecker` * ⚡ Adjust helper * 🔥 Remove superseded helpers * ⚡ Use `PermissionChecker` * 🧪 Add test for dynamic router switching * ⚡ Simplify checks * ⚡ Export utils * ⚡ Add missing `init` method * 🧪 Write tests for `PermissionChecker` * 📘 Update types * 🧪 Fix tests * ✨ Set up `runManually()` * ⚡ Refactor to reuse methods * 🧪 Clear shared tables first * 🔀 Adjust merge * ⚡ Adjust imports
2025-12-18 02:21:13 +00:00 · 2022-11-11 11:14:45 +01:00
parent 50f7538779
commit d35d63a855
16 changed files with 497 additions and 233 deletions
--- a/packages/cli/src/workflows/workflows.controller.ee.ts
+++ b/packages/cli/src/workflows/workflows.controller.ee.ts
@@ -15,6 +15,8 @@ import { LoggerProxy } from 'n8n-workflow';
 import * as TagHelpers from '@/TagHelpers';
 import { EECredentialsService as EECredentials } from '../credentials/credentials.service.ee';
 import { WorkflowsService } from './workflows.services';
+import { IExecutionPushResponse } from '@/Interfaces';
+import * as GenericHelpers from '@/GenericHelpers';

 // eslint-disable-next-line @typescript-eslint/naming-convention
 export const EEWorkflowController = express.Router();
@@ -214,9 +216,11 @@ EEWorkflowController.patch(
 		const { tags, ...rest } = req.body;
 		Object.assign(updateData, rest);

-		const updatedWorkflow = await EEWorkflows.updateWorkflow(
+		const safeWorkflow = await EEWorkflows.preventTampering(updateData, workflowId, req.user);
+
+		const updatedWorkflow = await WorkflowsService.update(
 			req.user,
-			updateData,
+			safeWorkflow,
 			workflowId,
 			tags,
 			forceSave,
@@ -230,3 +234,24 @@ EEWorkflowController.patch(
 		};
 	}),
 );
+
+/**
+ * (EE) POST /workflows/run
+ */
+EEWorkflowController.post(
+	'/run',
+	ResponseHelper.send(async (req: WorkflowRequest.ManualRun): Promise<IExecutionPushResponse> => {
+		const workflow = new WorkflowEntity();
+		Object.assign(workflow, req.body.workflowData);
+
+		const safeWorkflow = await EEWorkflows.preventTampering(
+			workflow,
+			workflow.id.toString(),
+			req.user,
+		);
+
+		req.body.workflowData.nodes = safeWorkflow.nodes;
+
+		return WorkflowsService.runManually(req.body, req.user, GenericHelpers.getSessionId(req));
+	}),
+);