fix(core): Prevent arbitrary code execution via expressions (#6420)

2025-12-17 10:02:05 +00:00 · 2023-06-14 13:15:27 +02:00
parent 2aef9de148
commit da7ae2beef
2 changed files with 27 additions and 0 deletions
--- a/packages/workflow/test/Expression.test.ts
+++ b/packages/workflow/test/Expression.test.ts
@@ -150,6 +150,13 @@ describe('Expression', () => {
 			expect(evaluate('={{Boolean(1)}}')).toEqual(Boolean(1));
 			expect(evaluate('={{Symbol(1).toString()}}')).toEqual(Symbol(1).toString());
 		});
+
+		it('should not able to do arbitrary code execution', () => {
+			const testFn = jest.fn();
+			Object.assign(global, { testFn });
+			evaluate("={{ Date['constructor']('testFn()')()}}");
+			expect(testFn).not.toHaveBeenCalled();
+		});
 	});

 	describe('Test all expression value fixtures', () => {