Skip to content

fix(editor): Restrict what binary-data types can be viewed in the UI #14685

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 6 commits into from
Apr 16, 2025
Merged

fix(editor): Restrict what binary-data types can be viewed in the UI #14685

merged 6 commits into from
Apr 16, 2025

Conversation

netroy
Copy link
Contributor

@netroy netroy commented Apr 16, 2025
edited
Loading

Summary

We tried preventing XSS from viewable binary-data in #14350, but that doesn't seem to always work.
So, now are maintaining an explicit allow-list of mime-types that we permit as viewable in the UI.

Related Linear tickets, Github issues, and Community forum posts

SEC-244

Review / Merge checklist

  • PR title and summary are descriptive. (conventions)
  • Docs updated or follow-up ticket created.
  • Tests included.
  • PR Labeled with release/backport (if the PR is an urgent fix that needs to be backported)

@n8n-assistant n8n-assistant bot added core Enhancement outside /nodes-base and /editor-ui n8n team Authored by the n8n team labels Apr 16, 2025
ivov
ivov previously approved these changes Apr 16, 2025
View reviewed changes
@netroy netroy requested a review from ivov April 16, 2025 15:18
@github-actions GitHub Actions
Copy link
Contributor

✅ All Cypress E2E specs passed

@codecov Codecov
Copy link

codecov bot commented Apr 16, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

📢 Thoughts on this report? Let us know!

@github-actions GitHub Actions
Copy link
Contributor

✅ All Cypress E2E specs passed

@netroy netroy merged commit 11a36b7 into master Apr 16, 2025
36 checks passed
@netroy netroy deleted the SEC-244-fix-xss-in-rundata branch April 16, 2025 16:05
@cypress Cypress
Copy link

cypress bot commented Apr 17, 2025

n8n    Run #10312

Run Properties:  status check passed Passed #10312  •  git commit 11a36b758d: 🌳 master 🖥️ browsers:node18.12.0-chrome107 🤖 PR User 🗃️ e2e/*
Project n8n
Branch Review master
Run status status check passed Passed #10312
Run duration 03m 29s
Commit git commit 11a36b758d: 🌳 master 🖥️ browsers:node18.12.0-chrome107 🤖 PR User 🗃️ e2e/*
Committer कारतोफ्फेलस्क्रिप्ट™
View all properties for this run ↗︎
Test results
Tests that failed  Failures 0
Tests that were flaky  Flaky 0
Tests that did not run due to a developer annotating a test with .skip  Pending 6
Tests that did not run due to a failure in a mocha hook  Skipped 0
Tests that passed  Passing 480
View all changes introduced in this branch ↗︎

xbinaryx pushed a commit to xbinaryx/n8n that referenced this pull request Apr 18, 2025
@netroy @xbinaryx
fix(editor): Restrict what binary-data types can be viewed in the UI (n…
76dfd71 
…8n-io#14685)
@github-actions github-actions bot mentioned this pull request Apr 21, 2025
Merged
@janober
Copy link
Member

janober commented Apr 22, 2025

Got released with [email protected]

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ivov ivov ivov approved these changes

Assignees
No one assigned
Labels
core Enhancement outside /nodes-base and /editor-ui n8n team Authored by the n8n team Released
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@netroy @janober @ivov