diff --git a/packages/cli/BREAKING-CHANGES.md b/packages/cli/BREAKING-CHANGES.md
index 4797def42288b..869ace642e35b 100644
--- a/packages/cli/BREAKING-CHANGES.md
+++ b/packages/cli/BREAKING-CHANGES.md
@@ -2,6 +2,16 @@
 This list shows all the versions which include breaking changes and how to upgrade.
+## 1.55.0
+
+### What changed?
+
+The `N8N_BLOCK_FILE_ACCESS_TO_N8N_FILES` environment variable now also blocks access to n8n's static cache directory at `~/.cache/n8n/public`.
+
+### When is action necessary?
+
+If you are writing to or reading from a file at n8n's static cache directory via a node, e.g. `Read/Write Files from Disk`, please update your node to use a different path.
+
 ## 1.52.0
 ### What changed?
diff --git a/packages/cli/src/config/schema.ts b/packages/cli/src/config/schema.ts
index c424066c8554f..90043ee20e110 100644
--- a/packages/cli/src/config/schema.ts
+++ b/packages/cli/src/config/schema.ts
@@ -341,7 +341,7 @@ export const schema = {
 env: 'N8N_RESTRICT_FILE_ACCESS_TO',
 },
 blockFileAccessToN8nFiles: {
- doc: 'If set to true it will block access to all files in the ".n8n" directory and user defined config files.',
+ doc: 'If set to true it will block access to all files in the ".n8n" directory, the static cache dir at ~/.cache/n8n/public, and user defined config files.',
 format: Boolean,
 default: true,
 env: 'N8N_BLOCK_FILE_ACCESS_TO_N8N_FILES',
diff --git a/packages/core/src/NodeExecuteFunctions.ts b/packages/core/src/NodeExecuteFunctions.ts
index 5426ce94ab221..f97d86805911f 100644
--- a/packages/core/src/NodeExecuteFunctions.ts
+++ b/packages/core/src/NodeExecuteFunctions.ts
@@ -3326,7 +3326,7 @@ const getAllowedPaths = () => {
 return allowedPaths;
 };
-function isFilePathBlocked(filePath: string): boolean {
+export function isFilePathBlocked(filePath: string): boolean {
 const allowedPaths = getAllowedPaths();
 const resolvedFilePath = path.resolve(filePath);
 const blockFileAccessToN8nFiles = process.env[BLOCK_FILE_ACCESS_TO_N8N_FILES] !== 'false';
@@ -3342,10 +3342,10 @@ function isFilePathBlocked(filePath: string): boolean {
 return true;
 }
- //restrict access to .n8n folder and other .env config related paths
+ //restrict access to .n8n folder, ~/.cache/n8n/public, and other .env config related paths
 if (blockFileAccessToN8nFiles) {
- const { n8nFolder } = Container.get(InstanceSettings);
- const restrictedPaths = [n8nFolder];
+ const { n8nFolder, staticCacheDir } = Container.get(InstanceSettings);
+ const restrictedPaths = [n8nFolder, staticCacheDir];
 if (process.env[CONFIG_FILES]) {
 restrictedPaths.push(...process.env[CONFIG_FILES].split(','));
diff --git a/packages/core/test/NodeExecuteFunctions.test.ts b/packages/core/test/NodeExecuteFunctions.test.ts
index 8ff4ca22e59a8..3af9c752f67d1 100644
--- a/packages/core/test/NodeExecuteFunctions.test.ts
+++ b/packages/core/test/NodeExecuteFunctions.test.ts
@@ -4,6 +4,7 @@ import {
 copyInputItems,
 ensureType,
 getBinaryDataBuffer,
+ isFilePathBlocked,
 parseIncomingMessage,
 parseRequestObject,
 proxyRequestToAxios,
@@ -34,6 +35,7 @@ import { join } from 'path';
 import Container from 'typedi';
 import type { Agent } from 'https';
 import toPlainObject from 'lodash/toPlainObject';
+import { InstanceSettings } from '@/InstanceSettings';
 const temporaryDir = mkdtempSync(join(tmpdir(), 'n8n'));
@@ -663,3 +665,11 @@ describe('NodeExecuteFunctions', () => {
 });
 });
 });
+
+describe('isFilePathBlocked', () => {
+ test('should return true for static cache dir', () => {
+ const filePath = Container.get(InstanceSettings).staticCacheDir;
+
+ expect(isFilePathBlocked(filePath)).toBe(true);
+ });
+});
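Review bot: The restricted list that now contains `staticCacheDir` appears to be matched against `resolvedFilePath`, which the first hunk of this file shows is built with `path.resolve(filePath)`; that call normalises the string but does not resolve symbolic links, so the check sees the path as written rather than the file it finally refers to. The comparison itself lies outside the hunk, so this is inferred, but if it is a prefix match on the lexical path, both sides should be canonicalised first (for example with `fs.realpathSync` when the path exists) and the match should end on a path separator. The added comment also hard-codes `~/.cache/n8n/public` while the code reads `staticCacheDir` from `InstanceSettings`; I would word it as `// restrict access to the .n8n folder, the static cache dir and config-file paths`. The body of `isFilePathBlocked` starts before and continues past this hunk.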
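Review bot: The test added in the last hunk only asserts that the directory path itself is blocked; it does not cover a file inside `staticCacheDir`, which is the case the change is meant to protect. It also depends on whatever `N8N_BLOCK_FILE_ACCESS_TO_N8N_FILES` holds in the ambient environment, so the variable should be pinned in a `beforeEach` and restored afterwards. I would add `expect(isFilePathBlocked(join(filePath, 'index.html'))).toBe(true);` (the file name is a constructed sample, and `join` is already imported in this file). A second test that sets the variable to `'false'` and checks that the cache path is no longer blocked, assuming no allow-list is configured, would document the opt-out.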