fix(core): Prevent XSS via static cache dir (#10339)

2025-01-11 12:57:29 -08:00 · 2024-08-09 16:40:50 +02:00 · 2024-08-09 16:40:50 +02:00 · 4f392b5e3e
parent 1cf48cc301
commit 4f392b5e3e
4 changed files with 25 additions and 5 deletions
--- a/packages/cli/BREAKING-CHANGES.md
+++ b/packages/cli/BREAKING-CHANGES.md
@ -2,6 +2,16 @@
 This list shows all the versions which include breaking changes and how to upgrade.
 ## 1.55.0
 ### What changed?
 The `N8N_BLOCK_FILE_ACCESS_TO_N8N_FILES` environment variable now also blocks access to n8n's static cache directory at `~/.cache/n8n/public`.
 ### When is action necessary?
 If you are writing to or reading from a file at n8n's static cache directory via a node, e.g. `Read/Write Files from Disk`, please update your node to use a different path.
 ## 1.52.0
 ### What changed?
--- a/packages/cli/src/config/schema.ts
+++ b/packages/cli/src/config/schema.ts
@ -341,7 +341,7 @@ export const schema = {
 			env: 'N8N_RESTRICT_FILE_ACCESS_TO',
 		},
 		blockFileAccessToN8nFiles: {
-			doc: 'If set to true it will block access to all files in the ".n8n" directory and user defined config files.',
+			doc: 'If set to true it will block access to all files in the ".n8n" directory, the static cache dir at ~/.cache/n8n/public, and user defined config files.',
 			format: Boolean,
 			default: true,
 			env: 'N8N_BLOCK_FILE_ACCESS_TO_N8N_FILES',
--- a/packages/core/src/NodeExecuteFunctions.ts
+++ b/packages/core/src/NodeExecuteFunctions.ts
@ -3326,7 +3326,7 @@ const getAllowedPaths = () => {
 	return allowedPaths;
 };
-function isFilePathBlocked(filePath: string): boolean {
+export function isFilePathBlocked(filePath: string): boolean {
 	const allowedPaths = getAllowedPaths();
 	const resolvedFilePath = path.resolve(filePath);
 	const blockFileAccessToN8nFiles = process.env[BLOCK_FILE_ACCESS_TO_N8N_FILES] !== 'false';
@ -3342,10 +3342,10 @@ function isFilePathBlocked(filePath: string): boolean {
 		return true;
 	}
-	//restrict access to .n8n folder and other .env config related paths
+	//restrict access to .n8n folder, ~/.cache/n8n/public, and other .env config related paths
 	if (blockFileAccessToN8nFiles) {
-		const { n8nFolder } = Container.get(InstanceSettings);
+		const { n8nFolder, staticCacheDir } = Container.get(InstanceSettings);
-		const restrictedPaths = [n8nFolder];
+		const restrictedPaths = [n8nFolder, staticCacheDir];
 		if (process.env[CONFIG_FILES]) {
 			restrictedPaths.push(...process.env[CONFIG_FILES].split(','));
--- a/packages/core/test/NodeExecuteFunctions.test.ts
+++ b/packages/core/test/NodeExecuteFunctions.test.ts
@ -4,6 +4,7 @@ import {
 	copyInputItems,
 	ensureType,
 	getBinaryDataBuffer,
 	isFilePathBlocked,
 	parseIncomingMessage,
 	parseRequestObject,
 	proxyRequestToAxios,
@ -34,6 +35,7 @@ import { join } from 'path';
 import Container from 'typedi';
 import type { Agent } from 'https';
 import toPlainObject from 'lodash/toPlainObject';
 import { InstanceSettings } from '@/InstanceSettings';
 const temporaryDir = mkdtempSync(join(tmpdir(), 'n8n'));
@ -663,3 +665,11 @@ describe('NodeExecuteFunctions', () => {
 		});
 	});
 });
 describe('isFilePathBlocked', () => {
 	test('should return true for static cache dir', () => {
 		const filePath = Container.get(InstanceSettings).staticCacheDir;
 		expect(isFilePathBlocked(filePath)).toBe(true);
 	});
 });