mudhorn/n8n
1
0
Fork 0
mirror of https://github.com/n8n-io/n8n.git synced 2024-11-09 22:24:05 -08:00
Code Issues Actions Packages Projects Releases Wiki Activity

fix(core): Prevent prototype pollution on injectable services (#6309)

Browse source 
This helps prevent classes from being tampered by external-hooks or community nodes
This commit is contained in:
कारतोफ्फेलस्क्रिप्ट™ 2023-05-26 16:03:06 +00:00 committed by GitHub
parent 0631f69d98
commit d94c20ada5
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 13 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
patches/typedi@0.10.0.patch
View file

@ -1,8 +1,16 @@
diff --git a/cjs/container-instance.class.js b/cjs/container-instance.class.js diff --git a/cjs/container-instance.class.js b/cjs/container-instance.class.js
index e473b1e652aa0b6e7462f7ba93fcef2812483b20..1e2ac7e5cb7943f5226a2bc25fa83bee0470f90c 100644 index e473b1e652aa0b6e7462f7ba93fcef2812483b20..1e406113d68c401ee170c997afb53e5f71edeee2 100644
--- a/cjs/container-instance.class.js --- a/cjs/container-instance.class.js
+++ b/cjs/container-instance.class.js +++ b/cjs/container-instance.class.js
@@ -234,6 +234,7 @@ class ContainerInstance { @@ -209,6 +209,7 @@ class ContainerInstance {
// this allows us to support javascript where we don't have decorators and emitted metadata about dependencies
// need to be injected, and user can use provided container to get instances he needs
params.push(this);
+ if (process.env.NODE_ENV === 'production') Object.freeze(constructableTargetType.prototype);
value = new constructableTargetType(...params);
// TODO: Calling this here, leads to infinite loop, because @Inject decorator registerds a handler
// TODO: which calls Container.get, which will check if the requested type has a value set and if not
@@ -234,6 +235,7 @@ class ContainerInstance {
*/ */
initializeParams(target, paramTypes) { initializeParams(target, paramTypes) {
return paramTypes.map((paramType, index) => { return paramTypes.map((paramType, index) => {

6
pnpm-lock.yaml
View file

@ -29,7 +29,7 @@ patchedDependencies:
hash: prckukfdop5sl2her6de25cod4 hash: prckukfdop5sl2her6de25cod4
path: patches/element-ui@2.15.12.patch path: patches/element-ui@2.15.12.patch
typedi@0.10.0: typedi@0.10.0:
hash: syy565ld7euwcedfbmx53j2qc4 hash: 62r6bc2crgimafeyruodhqlgo4
path: patches/typedi@0.10.0.patch path: patches/typedi@0.10.0.patch
importers: importers:
@ -456,7 +456,7 @@ importers:
version: 1.1.1 version: 1.1.1
typedi: typedi:
specifier: ^0.10.0 specifier: ^0.10.0
version: 0.10.0(patch_hash=syy565ld7euwcedfbmx53j2qc4) version: 0.10.0(patch_hash=62r6bc2crgimafeyruodhqlgo4)
typeorm: typeorm:
specifier: ^0.3.12 specifier: ^0.3.12
version: 0.3.12(ioredis@5.2.4)(mysql2@2.3.3)(pg@8.8.0)(sqlite3@5.1.6) version: 0.3.12(ioredis@5.2.4)(mysql2@2.3.3)(pg@8.8.0)(sqlite3@5.1.6)
@ -21852,7 +21852,7 @@ packages:
/typedarray@0.0.6: /typedarray@0.0.6:
resolution: {integrity: sha512-/aCDEGatGvZ2BIk+HmLf4ifCJFwvKFNb9/JeZPMulfgFracn9QFcAf5GO8B/mweUjSoblS5In0cWhqpfs/5PQA==} resolution: {integrity: sha512-/aCDEGatGvZ2BIk+HmLf4ifCJFwvKFNb9/JeZPMulfgFracn9QFcAf5GO8B/mweUjSoblS5In0cWhqpfs/5PQA==}
/typedi@0.10.0(patch_hash=syy565ld7euwcedfbmx53j2qc4): /typedi@0.10.0(patch_hash=62r6bc2crgimafeyruodhqlgo4):
resolution: {integrity: sha512-v3UJF8xm68BBj6AF4oQML3ikrfK2c9EmZUyLOfShpJuItAqVBHWP/KtpGinkSsIiP6EZyyb6Z3NXyW9dgS9X1w==} resolution: {integrity: sha512-v3UJF8xm68BBj6AF4oQML3ikrfK2c9EmZUyLOfShpJuItAqVBHWP/KtpGinkSsIiP6EZyyb6Z3NXyW9dgS9X1w==}
dev: false dev: false
patched: true patched: true