fix(core): VM2 sandbox should not throw on new Promise #10298

Merged
merged 1 commit into from
Aug 6, 2024

netroy (Member) commented Aug 5, 2024

Summary

In an attempt to prevent CVE-2023-37466, I added a fix here. But this also broke any code that uses new Promise.
So, I've re-done the fix here, added tests in that repo, and also added tests for the code node to prevent something like this from happening again.

Review / Merge checklist

  • PR title and summary are descriptive
  • Tests included

@netroy netroy changed the title fix(core): VM2 sandbox should not throw on new Promise (no-changelog) fix(core): VM2 sandbox should not throw on new Promise Aug 5, 2024
@netroy netroy added the release/backport Changes that need to be backported to older releases. label Aug 5, 2024

github-actions bot (Contributor) commented Aug 6, 2024

✅ All Cypress E2E specs passed

cypress bot commented Aug 6, 2024

Test summary

394 0 0 0 Flakiness 0

Run details

Project: n8n
Status: Passed
Commit: 40516eb
Started: Aug 6, 2024 12:53 PM
Ended: Aug 6, 2024 12:58 PM
Duration: 04:40
OS: Linux Debian -
Browser: Electron 118


@n8n-assistant n8n-assistant bot added n8n team Authored by the n8n team node/improvement New feature or request labels Aug 6, 2024
@netroy netroy merged commit 7e95f9e into master Aug 6, 2024
28 checks passed
@netroy netroy deleted the upgrade-vm2 branch August 6, 2024 13:16
@github-actions github-actions bot mentioned this pull request Aug 7, 2024

janober (Member) commented Aug 7, 2024

Got released with n8n@1.54.0

MiloradFilipovic added a commit that referenced this pull request Aug 7, 2024
* master:
  refactor(core): Centralize scaling mode (no-changelog) (#9835)
  fix(editor): Remove body padding from storybook previews (no-changelog) (#10317)
  feat(MySQL Node): Return decimal types as numbers (#10313)
  🚀 Release 1.54.0 (#10315)
  feat(Elasticsearch Node): Add bulk operations for Elasticsearch (#9940)
  feat(Stripe Trigger Node): Add Stripe webhook descriptions based on the workflow ID and name (#9956)
  feat(MongoDB Node): Add projection to query options on Find (#9972)
  fix(Invoice Ninja Node): Fix payment types (#10196)
  feat(HTTP Request Tool Node): Use DynamicStructuredTool with models supporting it (no-changelog) (#10246)
  feat: Return scopes on executions (no-changelog) (#10310)
  feat(Webflow Node): Update to use the v2 API (#9996)
  feat(Lemlist Trigger Node): Update Trigger events (#10311)
  feat(Calendly Trigger Node): Update event names (no-changelog) (#10129)
  refactor(core): Reorganize webhook related components under src/webhooks (no-changelog) (#10296)
  docs: Fix links to license files in readme (no-changelog) (#10257)
  fix(editor): Update design system Avatar component to show initials also when only firstName or lastName is given (#10308)
  fix(editor): Update tags filter/editor to not show non existing tag as a selectable option (#10297)
  fix(editor): Update project tabs test (no-changelog) (#10300)
  fix(core): VM2 sandbox should not throw on `new Promise` (#10298)

# Conflicts:
#	packages/design-system/src/components/N8nAvatar/Avatar.vue
@github-actions github-actions bot mentioned this pull request Aug 8, 2024
Labels
n8n team Authored by the n8n team node/improvement New feature or request release/backport Changes that need to be backported to older releases. Released