Skip to content

Commit

Permalink
fix(Code Node): Update vm2 to address CVE-2023-32313 (#6318)
Browse files Browse the repository at this point in the history
GH advisory: GHSA-p5gc-c584-jj6v
  • Loading branch information
netroy authored and maspio committed May 30, 2023
1 parent 62757c4 commit 4301127
Show file tree
Hide file tree
Showing 5 changed files with 23 additions and 43 deletions.
17 changes: 12 additions & 5 deletions packages/nodes-base/nodes/Code/JavaScriptSandbox.ts
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
import type { NodeVMOptions } from 'vm2';
import { NodeVM } from 'vm2';
import { NodeVM, makeResolverFromLegacyOptions } from 'vm2';
import type { IExecuteFunctions, INodeExecutionData, WorkflowExecuteMode } from 'n8n-workflow';

import { ValidationError } from './ValidationError';
Expand All @@ -10,16 +10,23 @@ import { Sandbox } from './Sandbox';
const { NODE_FUNCTION_ALLOW_BUILTIN: builtIn, NODE_FUNCTION_ALLOW_EXTERNAL: external } =
process.env;

export const vmResolver = makeResolverFromLegacyOptions({
external: external
? {
modules: external.split(','),
transitive: false,
}
: false,
builtin: builtIn?.split(',') ?? [],
});

const getSandboxOptions = (
context: SandboxContext,
workflowMode: WorkflowExecuteMode,
): NodeVMOptions => ({
console: workflowMode === 'manual' ? 'redirect' : 'inherit',
sandbox: context,
require: {
builtin: builtIn ? builtIn.split(',') : [],
external: external ? { modules: external.split(','), transitive: false } : false,
},
require: vmResolver,
});

export class JavaScriptSandbox extends Sandbox {
Expand Down
17 changes: 2 additions & 15 deletions packages/nodes-base/nodes/Function/Function.node.ts
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@ import type {
INodeTypeDescription,
} from 'n8n-workflow';
import { deepCopy, NodeOperationError } from 'n8n-workflow';
import { vmResolver } from '../Code/JavaScriptSandbox';

export class Function implements INodeType {
description: INodeTypeDescription = {
Expand Down Expand Up @@ -150,23 +151,9 @@ return items;`,
const options: NodeVMOptions = {
console: mode === 'manual' ? 'redirect' : 'inherit',
sandbox,
require: {
external: false as boolean | { modules: string[]; transitive: boolean },
builtin: [] as string[],
},
require: vmResolver,
};

if (process.env.NODE_FUNCTION_ALLOW_BUILTIN && typeof options.require === 'object') {
options.require.builtin = process.env.NODE_FUNCTION_ALLOW_BUILTIN.split(',');
}

if (process.env.NODE_FUNCTION_ALLOW_EXTERNAL && typeof options.require === 'object') {
options.require.external = {
modules: process.env.NODE_FUNCTION_ALLOW_EXTERNAL.split(','),
transitive: false,
};
}

const vm = new NodeVM(options);

if (mode === 'manual') {
Expand Down
20 changes: 3 additions & 17 deletions packages/nodes-base/nodes/FunctionItem/FunctionItem.node.ts
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
/* eslint-disable @typescript-eslint/no-loop-func */
import type { NodeVMOptions, VMRequire } from 'vm2';
import type { NodeVMOptions } from 'vm2';
import { NodeVM } from 'vm2';
import type {
IExecuteFunctions,
Expand All @@ -10,6 +10,7 @@ import type {
INodeTypeDescription,
} from 'n8n-workflow';
import { deepCopy, NodeOperationError } from 'n8n-workflow';
import { vmResolver } from '../Code/JavaScriptSandbox';

export class FunctionItem implements INodeType {
description: INodeTypeDescription = {
Expand Down Expand Up @@ -158,24 +159,9 @@ return item;`,
const options: NodeVMOptions = {
console: mode === 'manual' ? 'redirect' : 'inherit',
sandbox,
require: {
external: false,
builtin: [],
},
require: vmResolver,
};

const vmRequire = options.require as VMRequire;
if (process.env.NODE_FUNCTION_ALLOW_BUILTIN) {
vmRequire.builtin = process.env.NODE_FUNCTION_ALLOW_BUILTIN.split(',');
}

if (process.env.NODE_FUNCTION_ALLOW_EXTERNAL) {
vmRequire.external = {
modules: process.env.NODE_FUNCTION_ALLOW_EXTERNAL.split(','),
transitive: false,
};
}

const vm = new NodeVM(options as unknown as NodeVMOptions);

if (mode === 'manual') {
Expand Down
2 changes: 1 addition & 1 deletion packages/nodes-base/package.json
Original file line number Diff line number Diff line change
Expand Up @@ -911,7 +911,7 @@
"ssh2-sftp-client": "^7.0.0",
"tmp-promise": "^3.0.2",
"uuid": "^8.3.2",
"vm2": "~3.9.17",
"vm2": "^3.9.19",
"xlsx": "https://cdn.sheetjs.com/xlsx-0.19.3/xlsx-0.19.3.tgz",
"xml2js": "^0.5.0"
}
Expand Down
10 changes: 5 additions & 5 deletions pnpm-lock.yaml

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

0 comments on commit 4301127

Please sign in to comment.