✨ Added checks for window object access in template strings.

n8n-io · May 24, 2022 · 567f85d · 567f85d
1 parent 680c968
commit 567f85d
Showing 1 changed file with 27 additions and 0 deletions.
diff --git a/packages/workflow/src/Expression.ts b/packages/workflow/src/Expression.ts
@@ -118,6 +118,21 @@ export class Expression {
 
 		// @ts-ignore
 		data.document = {};
+		data.global = {};
+		data.window = {};
+		data.Window = {};
+		data.this = {};
+		data.alert = {};
+
+		// Prevent Remote Code Execution
+		data.eval = {};
+		data.setTimeout = {};
+		data.setInterval = {};
+		data.Function = {};
+
+		// Prevent requests
+		data.fetch = {};
+		data.XMLHttpRequest = {};
 
 		// @ts-ignore
 		data.DateTime = DateTime;
@@ -129,8 +144,18 @@ export class Expression {
 
 		// Execute the expression
 		try {
+			if (
+				parameterValue.includes('window') &&
+				!/([a-zA-Z.]window|window[a-zA-Z]|['"](?!\s*[\\+\-*/|]+\s*)[^'"]*window)/g.test(
+					parameterValue,
+				)
+			) {
+				throw new Error(`window is not allowed`);
+			}
+
 			// eslint-disable-next-line @typescript-eslint/no-unsafe-assignment, @typescript-eslint/no-unsafe-member-access, @typescript-eslint/no-unsafe-call
 			const returnValue = tmpl.tmpl(parameterValue, data);
+
 			if (typeof returnValue === 'function') {
 				throw new Error('Expression resolved to a function. Please add "()"');
 			} else if (returnValue !== null && typeof returnValue === 'object') {
@@ -368,6 +393,7 @@ export class Expression {
 		if (parameterValue === null || parameterValue === undefined) {
 			return parameterValue;
 		}
+
 		// Data is an object
 		const returnData: INodeParameters = {};
 		// eslint-disable-next-line no-restricted-syntax
@@ -381,6 +407,7 @@ export class Expression {
 		if (returnObjectAsString && typeof returnData === 'object') {
 			return this.convertObjectValueToString(returnData);
 		}
+
 		return returnData;
 	}
 }