fix(expression): prevent calls to constructor to forbid arbitrary code execution #4139

Merged
merged 2 commits into from
Sep 20, 2022

Conversation

krynble

@krynble krynble commented Sep 19, 2022

No description provided.

@n8n-assistant n8n-assistant bot added core Enhancement outside /nodes-base and /editor-ui n8n team Authored by the n8n team labels Sep 19, 2022
ivov
ivov previously approved these changes Sep 19, 2022

@ivov ivov left a comment


Confirmed working.

Minor details, feel free to disregard:

  1. \s seems unneeded as standalone constructor is already in the denylist.
  2. m multiline mode seems unneeded as multiline expressions don't resolve.
  3. Maybe contains invalid constructor call to make it clear to the user what the issue is, since causeDetailed is not visible in the UI.

@janober

janober commented Sep 19, 2022

We used a regex in the past to solve other security issues. It caused a lot of problems (mainly broke workflows because of false positives) and we then had to roll it back. Is there no other way of fixing this?

@krynble

krynble commented Sep 19, 2022

@janober I thought about changing the prototype but then it would also leak to the main code.

This is only preventing . followed by constructor, with or without spaces. So if you have a sentence such as "This is a good example. Constructor is a cool thing." it will not be denied, because of the uppercase C in Constructor (and Math.floor.Constructor(...) is not an issue).

@krynble krynble merged commit a8030db into master Sep 20, 2022
@krynble krynble deleted the patch-expression-issue branch September 20, 2022 08:41
@n8n-assistant n8n-assistant bot added the Upcoming Release Will be part of the upcoming release label Sep 20, 2022
@janober

janober commented Sep 21, 2022

Got released with n8n@0.195.0

@janober janober removed the Upcoming Release Will be part of the upcoming release label Sep 21, 2022
valya pushed a commit to valya/n8n that referenced this pull request Nov 8, 2022
…e execution (n8n-io#4139)

* fix(expression): prevent calls to constructor to forbid arbitrary code execution
3 participants