fix(expression): prevent calls to constructor to forbid arbitrary cod…

…e execution (n8n-io#4139) * fix(expression): prevent calls to constructor to forbid arbitrary code execution
valya · Sep 20, 2022 · fff9b5e · fff9b5e
1 parent 32d604d
commit fff9b5e
Showing 1 changed file with 9 additions and 0 deletions.
diff --git a/packages/workflow/src/Expression.ts b/packages/workflow/src/Expression.ts
@@ -249,6 +249,15 @@ export class Expression {
 		data.Boolean = Boolean;
 		data.Symbol = Symbol;
 
+		const constructorValidation = new RegExp(/\.\s*constructor/gm);
+		if (parameterValue.match(constructorValidation)) {
+			throw new ExpressionError('Expression contains invalid constructor function call', {
+				causeDetailed: 'Constructor override attempt is not allowed due to security concerns',
+				runIndex,
+				itemIndex,
+			});
+		}
+
 		// Execute the expression
 		const returnValue = this.renderExpression(parameterValue, data);
 		if (typeof returnValue === 'function') {