NPM - Esm modules are not supported, dynamic (async) import fails #9464
Hey @Joffcom, talking about the JavaScript sandbox: you use https://github.com/patriksimek/vm2
Why don't you use With
So any n8n user may do anything in the n8n container... I thought sandboxes should prevent this behaviour 😕
Hey @crutch12, we currently use our own fork of vm which has some fixes for the issues in it, but it isn't perfect. We looked at moving to other options, which would involve a lot of work to implement. If you look at the open discontinued issue on vm2 you will find some of our team in there; we are currently evaluating different options to see which fits our needs more. While not perfect in terms of risk, for what you have provided not only do you need access to the n8n interface, you would also need the server admin to have enabled all builtin functions. A much easier way to do the same set of commands would be to get access to the workflow builder and use the execute command node. A way to prevent this would be to set However, this thread is not the place for the vm2 sandbox escape issue, and if you want to raise your concern with the security team you can pop an email to security@n8n.io as outlined here: https://github.com/n8n-io/n8n/blob/master/SECURITY
As Jon pointed out, not being able to use ESM is a limitation of vm2.
We are aware. If you look at some of their discussions, you'll see that we've been part of them.
vm2 suggests that people migrate to If I could make this decision at the very beginning of n8n, I'd have gone for
Even if we were to put significant effort into pulling this off somehow,
So, unless we decide to create our own new sandboxing mechanism, or rewrite the entire execution engine on top of a completely different runtime, we (unfortunately) can't really address any of your concerns in this issue, and should close this. If security is really important to you, I'd highly recommend setting
@netroy thank you for the detailed answer!
Yes, I have. But I'm talking about other users in my n8n self-hosted instance, or about npm malware packages. BTW, have you seen Pipedream? (https://pipedream.com/) I think Pipedream runs every Code node in an independent sub VM/sandbox and it works really great! Maybe we could check out how they do it?
Hey @crutch12, Pipedream doesn't make their runtime available like we do, so what they do is hidden. It is possible that the approach they use also has issues that have just not been reported yet, or maybe, as it is all running in the cloud, they start up a new docker image, pass the code to run to that image and remove it once completed. If you have multiple users and you are worried about the security of your instance, we would recommend not allowing access to all node functions, which is what we do on our Cloud service, as well as blocking access to the execute command node. When it comes to npm malware packages, unless you are manually adding them to the n8n image there should be a very minimal risk there, as standard users can't install packages (unless you allow access to some node functions or allow the execute command node to be used). As the original topic here has been answered and is down to a limitation in the package, and it is something we don't consider to be a bug at the moment, I am going to mark this as closed. If/when we change the sandbox approach though, I will make sure we pop a note back on this to let you know.
Bug Description
Nowadays most npm packages are published with `esm` files only. So you can't `require` these modules, you should `import` them. For example: url-join
But `import` is not available in the `n8n` node:
And `dynamic import` is not available either:
To Reproduce
`import lodash from 'lodash'`
or
`const lodash = await import('lodash')`
Expected behavior
`import('lodash')` should return a Promise
Operating System
Ubuntu Linux 22.04
n8n Version
1.44.1
Node.js Version
18.20.2
Database
SQLite (default)
Execution mode
main (default)