fix(core): Prevent XSS via static cache dir (#10339)

n8n-io · Aug 9, 2024 · 4f392b5 · 4f392b5
1 parent 1cf48cc
commit 4f392b5
Show file tree

Hide file tree

Showing 4 changed files with 25 additions and 5 deletions.
diff --git a/packages/cli/BREAKING-CHANGES.md b/packages/cli/BREAKING-CHANGES.md
@@ -2,6 +2,16 @@
 
 This list shows all the versions which include breaking changes and how to upgrade.
 
+## 1.55.0
+
+### What changed?
+
+The `N8N_BLOCK_FILE_ACCESS_TO_N8N_FILES` environment variable now also blocks access to n8n's static cache directory at `~/.cache/n8n/public`.
+
+### When is action necessary?
+
+If you are writing to or reading from a file at n8n's static cache directory via a node, e.g. `Read/Write Files from Disk`, please update your node to use a different path.
+
 ## 1.52.0
 
 ### What changed?

diff --git a/packages/cli/src/config/schema.ts b/packages/cli/src/config/schema.ts
@@ -341,7 +341,7 @@ export const schema = {
 			env: 'N8N_RESTRICT_FILE_ACCESS_TO',
 		},
 		blockFileAccessToN8nFiles: {
-			doc: 'If set to true it will block access to all files in the ".n8n" directory and user defined config files.',
+			doc: 'If set to true it will block access to all files in the ".n8n" directory, the static cache dir at ~/.cache/n8n/public, and user defined config files.',
 			format: Boolean,
 			default: true,
 			env: 'N8N_BLOCK_FILE_ACCESS_TO_N8N_FILES',

diff --git a/packages/core/src/NodeExecuteFunctions.ts b/packages/core/src/NodeExecuteFunctions.ts
@@ -3326,7 +3326,7 @@ const getAllowedPaths = () => {
 	return allowedPaths;
 };
 
-function isFilePathBlocked(filePath: string): boolean {
+export function isFilePathBlocked(filePath: string): boolean {
 	const allowedPaths = getAllowedPaths();
 	const resolvedFilePath = path.resolve(filePath);
 	const blockFileAccessToN8nFiles = process.env[BLOCK_FILE_ACCESS_TO_N8N_FILES] !== 'false';
@@ -3342,10 +3342,10 @@ function isFilePathBlocked(filePath: string): boolean {
 		return true;
 	}
 
-	//restrict access to .n8n folder and other .env config related paths
+	//restrict access to .n8n folder, ~/.cache/n8n/public, and other .env config related paths
 	if (blockFileAccessToN8nFiles) {
-		const { n8nFolder } = Container.get(InstanceSettings);
-		const restrictedPaths = [n8nFolder];
+		const { n8nFolder, staticCacheDir } = Container.get(InstanceSettings);
+		const restrictedPaths = [n8nFolder, staticCacheDir];
 
 		if (process.env[CONFIG_FILES]) {
 			restrictedPaths.push(...process.env[CONFIG_FILES].split(','));

diff --git a/packages/core/test/NodeExecuteFunctions.test.ts b/packages/core/test/NodeExecuteFunctions.test.ts
@@ -4,6 +4,7 @@ import {
 	copyInputItems,
 	ensureType,
 	getBinaryDataBuffer,
+	isFilePathBlocked,
 	parseIncomingMessage,
 	parseRequestObject,
 	proxyRequestToAxios,
@@ -34,6 +35,7 @@ import { join } from 'path';
 import Container from 'typedi';
 import type { Agent } from 'https';
 import toPlainObject from 'lodash/toPlainObject';
+import { InstanceSettings } from '@/InstanceSettings';
 
 const temporaryDir = mkdtempSync(join(tmpdir(), 'n8n'));
 
@@ -663,3 +665,11 @@ describe('NodeExecuteFunctions', () => {
 		});
 	});
 });
+
+describe('isFilePathBlocked', () => {
+	test('should return true for static cache dir', () => {
+		const filePath = Container.get(InstanceSettings).staticCacheDir;
+
+		expect(isFilePathBlocked(filePath)).toBe(true);
+	});
+});