fix(core): Do not allow arbitrary path traversal in the credential-translation endpoint (#5522)

packages/cli/src/controllers/translation.controller.ts

@@ -0,0 +1,58 @@
+import type { Request } from 'express';
+import { ICredentialTypes } from 'n8n-workflow';
+import { join } from 'path';
+import { access } from 'fs/promises';
+import { Get, RestController } from '@/decorators';
+import { BadRequestError, InternalServerError } from '@/ResponseHelper';
+import { Config } from '@/config';
+import { NODES_BASE_DIR } from '@/constants';
+
+export const CREDENTIAL_TRANSLATIONS_DIR = 'n8n-nodes-base/dist/credentials/translations';
+export const NODE_HEADERS_PATH = join(NODES_BASE_DIR, 'dist/nodes/headers');
+
+export declare namespace TranslationRequest {
+	export type Credential = Request<{}, {}, {}, { credentialType: string }>;
+}
+
+@RestController('/')
+export class TranslationController {
+	constructor(private config: Config, private credentialTypes: ICredentialTypes) {}
+
+	@Get('/credential-translation')
+	async getCredentialTranslation(req: TranslationRequest.Credential) {
+		const { credentialType } = req.query;
+
+		if (!this.credentialTypes.recognizes(credentialType))
+			throw new BadRequestError(`Invalid Credential type: "${credentialType}"`);
+
+		const defaultLocale = this.config.getEnv('defaultLocale');
+		const translationPath = join(
+			CREDENTIAL_TRANSLATIONS_DIR,
+			defaultLocale,
+			`${credentialType}.json`,
+		);
+
+		try {
+			// eslint-disable-next-line @typescript-eslint/no-unsafe-return
+			return require(translationPath);
+		} catch (error) {
+			return null;
+		}
+	}
+
+	@Get('/node-translation-headers')
+	async getNodeTranslationHeaders() {
+		try {
+			await access(`${NODE_HEADERS_PATH}.js`);
+		} catch (_) {
+			return; // no headers available
+		}
+
+		try {
+			// eslint-disable-next-line @typescript-eslint/no-unsafe-return
+			return require(NODE_HEADERS_PATH);
+		} catch (error) {
+			throw new InternalServerError('Failed to load headers file');
+		}
+	}
+}