From 602b2e70389b7ef7654914434d0c91beb10fd1e5 Mon Sep 17 00:00:00 2001 From: Omar Ajoue Date: Mon, 19 Sep 2022 17:52:38 +0200 Subject: [PATCH 1/2] fix(expression): prevent calls to constructor to forbid arbitrary code executionj --- packages/workflow/src/Expression.ts | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/packages/workflow/src/Expression.ts b/packages/workflow/src/Expression.ts index 794331dc1bd8b..ebb34fea341f5 100644 --- a/packages/workflow/src/Expression.ts +++ b/packages/workflow/src/Expression.ts @@ -249,6 +249,15 @@ export class Expression { data.Boolean = Boolean; data.Symbol = Symbol; + const constructorValidation = new RegExp(/\.\s*constructor/gm); + if (parameterValue.match(constructorValidation)) { + throw new ExpressionError('Expression contains invalid function call', { + causeDetailed: 'Constructor override attempt is not allowed due to security concerns', + runIndex, + itemIndex, + }); + } + // Execute the expression const returnValue = this.renderExpression(parameterValue, data); if (typeof returnValue === 'function') { From c9395b7c23d0a9b99076f80199b8173648f93962 Mon Sep 17 00:00:00 2001 From: Omar Ajoue Date: Mon, 19 Sep 2022 18:12:45 +0200 Subject: [PATCH 2/2] improve message --- packages/workflow/src/Expression.ts | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/packages/workflow/src/Expression.ts b/packages/workflow/src/Expression.ts index ebb34fea341f5..d2e07001af266 100644 --- a/packages/workflow/src/Expression.ts +++ b/packages/workflow/src/Expression.ts @@ -251,7 +251,7 @@ export class Expression { const constructorValidation = new RegExp(/\.\s*constructor/gm); if (parameterValue.match(constructorValidation)) { - throw new ExpressionError('Expression contains invalid function call', { + throw new ExpressionError('Expression contains invalid constructor function call', { causeDetailed: 'Constructor override attempt is not allowed due to security concerns', runIndex, itemIndex,
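Review bot: The guard added at `const constructorValidation = …` / `if (parameterValue.match(…))` inspects only the literal dot-spelling of the property in the expression's source text, while JavaScript has other spellings of member access that reach the same property, so this check is a defence-in-depth layer rather than the security boundary; the durable fix is to deny the property at evaluation time (a Proxy or frozen, allowlisted `data` context, or a sandboxed evaluator), which lies outside this hunk. As written the pattern also rejects legitimate identifiers that merely begin with the word, such as a field named `constructorId`; a trailing `(?![\w$])` narrows it, and a plain `.test()` with no `g`/`m` flags is all a presence check needs: `const constructorValidation = /\.\s*constructor(?![\w$])/;` / `if (constructorValidation.test(parameterValue)) {`. The `new RegExp(/…/gm)` wrapper around a regex literal is redundant. The enclosing method starts before the hunk, so whether `parameterValue` is guaranteed to be a string at this point cannot be confirmed here; if it can be a number or object, `.match` would throw a TypeError instead of the intended ExpressionError.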