fix(Code Node): Update vm2 to address CVE-2023-32313 (#6318)

GH advisory: https://github.com/advisories/GHSA-p5gc-c584-jj6v
2025-01-11 12:57:29 -08:00 · 2023-05-25 10:55:53 +00:00 · 2023-05-25 10:55:53 +00:00 · bcbec52552
parent 071955ba68
commit bcbec52552
5 changed files with 23 additions and 43 deletions
--- a/packages/nodes-base/nodes/Code/JavaScriptSandbox.ts
+++ b/packages/nodes-base/nodes/Code/JavaScriptSandbox.ts
@ -1,5 +1,5 @@
 import type { NodeVMOptions } from 'vm2';
-import { NodeVM } from 'vm2';
+import { NodeVM, makeResolverFromLegacyOptions } from 'vm2';
 import type { IExecuteFunctions, INodeExecutionData, WorkflowExecuteMode } from 'n8n-workflow';

 import { ValidationError } from './ValidationError';
@ -10,16 +10,23 @@ import { Sandbox } from './Sandbox';
 const { NODE_FUNCTION_ALLOW_BUILTIN: builtIn, NODE_FUNCTION_ALLOW_EXTERNAL: external } =
 	process.env;

+export const vmResolver = makeResolverFromLegacyOptions({
+	external: external
+		? {
+				modules: external.split(','),
+				transitive: false,
+		  }
+		: false,
+	builtin: builtIn?.split(',') ?? [],
+});
+
 const getSandboxOptions = (
 	context: SandboxContext,
 	workflowMode: WorkflowExecuteMode,
 ): NodeVMOptions => ({
 	console: workflowMode === 'manual' ? 'redirect' : 'inherit',
 	sandbox: context,
-	require: {
-		builtin: builtIn ? builtIn.split(',') : [],
-		external: external ? { modules: external.split(','), transitive: false } : false,
-	},
+	require: vmResolver,
 });

 export class JavaScriptSandbox extends Sandbox {
--- a/packages/nodes-base/nodes/Function/Function.node.ts
+++ b/packages/nodes-base/nodes/Function/Function.node.ts
@ -9,6 +9,7 @@ import type {
 	INodeTypeDescription,
 } from 'n8n-workflow';
 import { deepCopy, NodeOperationError } from 'n8n-workflow';
+import { vmResolver } from '../Code/JavaScriptSandbox';

 export class Function implements INodeType {
 	description: INodeTypeDescription = {
@ -150,23 +151,9 @@ return items;`,
 		const options: NodeVMOptions = {
 			console: mode === 'manual' ? 'redirect' : 'inherit',
 			sandbox,
-			require: {
-				external: false as boolean | { modules: string[]; transitive: boolean },
-				builtin: [] as string[],
-			},
+			require: vmResolver,
 		};

-		if (process.env.NODE_FUNCTION_ALLOW_BUILTIN && typeof options.require === 'object') {
-			options.require.builtin = process.env.NODE_FUNCTION_ALLOW_BUILTIN.split(',');
-		}
-
-		if (process.env.NODE_FUNCTION_ALLOW_EXTERNAL && typeof options.require === 'object') {
-			options.require.external = {
-				modules: process.env.NODE_FUNCTION_ALLOW_EXTERNAL.split(','),
-				transitive: false,
-			};
-		}
-
 		const vm = new NodeVM(options);

 		if (mode === 'manual') {
--- a/packages/nodes-base/nodes/FunctionItem/FunctionItem.node.ts
+++ b/packages/nodes-base/nodes/FunctionItem/FunctionItem.node.ts
@ -1,5 +1,5 @@
 /* eslint-disable @typescript-eslint/no-loop-func */
-import type { NodeVMOptions, VMRequire } from 'vm2';
+import type { NodeVMOptions } from 'vm2';
 import { NodeVM } from 'vm2';
 import type {
 	IExecuteFunctions,
@ -10,6 +10,7 @@ import type {
 	INodeTypeDescription,
 } from 'n8n-workflow';
 import { deepCopy, NodeOperationError } from 'n8n-workflow';
+import { vmResolver } from '../Code/JavaScriptSandbox';

 export class FunctionItem implements INodeType {
 	description: INodeTypeDescription = {
@ -158,24 +159,9 @@ return item;`,
 				const options: NodeVMOptions = {
 					console: mode === 'manual' ? 'redirect' : 'inherit',
 					sandbox,
-					require: {
-						external: false,
-						builtin: [],
-					},
+					require: vmResolver,
 				};

-				const vmRequire = options.require as VMRequire;
-				if (process.env.NODE_FUNCTION_ALLOW_BUILTIN) {
-					vmRequire.builtin = process.env.NODE_FUNCTION_ALLOW_BUILTIN.split(',');
-				}
-
-				if (process.env.NODE_FUNCTION_ALLOW_EXTERNAL) {
-					vmRequire.external = {
-						modules: process.env.NODE_FUNCTION_ALLOW_EXTERNAL.split(','),
-						transitive: false,
-					};
-				}
-
 				const vm = new NodeVM(options as unknown as NodeVMOptions);

 				if (mode === 'manual') {
--- a/packages/nodes-base/package.json
+++ b/packages/nodes-base/package.json
@ -911,7 +911,7 @@
    "ssh2-sftp-client": "^7.0.0",
    "tmp-promise": "^3.0.2",
    "uuid": "^8.3.2",
-    "vm2": "~3.9.17",
+    "vm2": "^3.9.19",
    "xlsx": "https://cdn.sheetjs.com/xlsx-0.19.3/xlsx-0.19.3.tgz",
    "xml2js": "^0.5.0"
  }
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@ -1366,8 +1366,8 @@ importers:
        specifier: ^8.3.2
        version: 8.3.2
      vm2:
-        specifier: ~3.9.17
-        version: 3.9.17
+        specifier: ^3.9.19
+        version: 3.9.19
      xlsx:
        specifier: https://cdn.sheetjs.com/xlsx-0.19.3/xlsx-0.19.3.tgz
        version: '@cdn.sheetjs.com/xlsx-0.19.3/xlsx-0.19.3.tgz'
@ -11765,7 +11765,7 @@ packages:
      ast-types: 0.13.4
      escodegen: 1.14.3
      esprima: 4.0.1
-      vm2: 3.9.17
+      vm2: 3.9.19
    dev: false

  /del@6.1.1:
@ -22539,8 +22539,8 @@ packages:
      - terser
    dev: true

-  /vm2@3.9.17:
-    resolution: {integrity: sha512-AqwtCnZ/ERcX+AVj9vUsphY56YANXxRuqMb7GsDtAr0m0PcQX3u0Aj3KWiXM0YAHy7i6JEeHrwOnwXbGYgRpAw==}
+  /vm2@3.9.19:
+    resolution: {integrity: sha512-J637XF0DHDMV57R6JyVsTak7nIL8gy5KH4r1HiwWLf/4GBbb5MKL5y7LpmF4A8E2nR6XmzpmMFQ7V7ppPTmUQg==}
    engines: {node: '>=6.0'}
    hasBin: true
    dependencies: