Conversation

netroy
Contributor

@netroy netroy commented Apr 2, 2025

Summary

When a binary data file's view url is opened directly in a browser tab/window, if the file is HTML, it can be used to perform XSS attacks. This PR fixes that vulnerability by sandboxing such files using CSP.

Related Linear tickets, Github issues, and Community forum posts

https://linear.app/n8n/issue/SEC-244

Review / Merge checklist

  • PR title and summary are descriptive. (conventions)
  • Docs updated or follow-up ticket created.
  • Tests included.
  • PR Labeled with release/backport (if the PR is an urgent fix that needs to be backported)
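One way to apply the fix the summary describes, as an added example that is not the PR's code or n8n's own: a helper that computes the response headers for the binary-data view endpoint and adds a `Content-Security-Policy: sandbox` header for content a browser would render as an active document. Function names are hypothetical, and treating XHTML and SVG the same way as HTML is an assumption that goes beyond the HTML case the PR names.

```typescript
// Added example (not the n8n PR's code): decide which response headers a
// "view" endpoint for stored binary data should send so that an uploaded
// HTML file cannot run as a same-origin document. Names are hypothetical.

// Types a browser renders as a scriptable document when served inline.
// The PR text calls out HTML; XHTML and SVG are included as a deliberate
// generalization (both can carry <script>).
const ACTIVE_CONTENT_TYPES = new Set([
  "text/html",
  "application/xhtml+xml",
  "image/svg+xml",
]);

/** Strip parameters (e.g. "; charset=utf-8") and normalize case. */
function essenceOf(mimeType: string): string {
  return mimeType.split(";")[0].trim().toLowerCase();
}

/** True when serving this type inline would yield an active document. */
function isActiveContent(mimeType: string): boolean {
  return ACTIVE_CONTENT_TYPES.has(essenceOf(mimeType));
}

/**
 * Headers for serving a binary-data file inline in a browser tab.
 * For active content we add `Content-Security-Policy: sandbox` with no
 * allow-list: the document gets a unique opaque origin, script execution
 * is blocked, and forms, popups and top-level navigation are disabled, so
 * it cannot read the app's cookies or call its API as the logged-in user.
 */
function viewHeadersFor(mimeType: string): Record<string, string> {
  const headers: Record<string, string> = {
    "Content-Type": mimeType,
    // Defense in depth: stop the browser sniffing an active type out of
    // bytes that were declared as something inert.
    "X-Content-Type-Options": "nosniff",
  };
  if (isActiveContent(mimeType)) {
    headers["Content-Security-Policy"] = "sandbox";
  }
  return headers;
}
```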

@netroy netroy added the security label Apr 2, 2025

codecov bot commented Apr 2, 2025

Codecov Report

Attention: Patch coverage is 80.00000% with 1 line in your changes missing coverage. Please review.

Files with missing lines Patch % Lines
...ages/cli/src/controllers/binary-data.controller.ts 80.00% 0 Missing and 1 partial ⚠️


Contributor

@guillaumejacquart guillaumejacquart left a comment


Looks good, but small comments

@n8n-assistant n8n-assistant bot added core Enhancement outside /nodes-base and /editor-ui n8n team Authored by the n8n team labels Apr 2, 2025

cypress bot commented Apr 2, 2025

n8n Run #10062

Run Properties:  status check passed Passed #10062  •  git commit 678fe7726a: 🌳 🖥️ browsers:node18.12.0-chrome107 🤖 netroy 🗃️ e2e/*
Project n8n
Branch Review SEC-244-fix-xss-in-rundata
Run status status check passed Passed #10062
Run duration 03m 39s
Commit git commit 678fe7726a: 🌳 🖥️ browsers:node18.12.0-chrome107 🤖 netroy 🗃️ e2e/*
Committer कारतोफ्फेलस्क्रिप्ट™

Test results
Tests that failed  Failures 0
Tests that were flaky  Flaky 1
Tests that did not run due to a developer annotating a test with .skip  Pending 5
Tests that did not run due to a failure in a mocha hook  Skipped 0
Tests that passed  Passing 475

Contributor

github-actions bot commented Apr 2, 2025

✅ All Cypress E2E specs passed

@netroy netroy requested a review from guillaumejacquart April 2, 2025 12:13
@netroy netroy merged commit 9c8a5f9 into master Apr 2, 2025
7 checks passed
@netroy netroy deleted the SEC-244-fix-xss-in-rundata branch April 2, 2025 12:55
@github-actions github-actions bot mentioned this pull request Apr 7, 2025
Member

janober commented Apr 7, 2025

Got released with [email protected]

Labels
core Enhancement outside /nodes-base and /editor-ui n8n team Authored by the n8n team Released security