-
Notifications
You must be signed in to change notification settings - Fork 12.9k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
fix(core): Updated expressions allowlist and denylist. (#3424)
* feat: Updated expressions allowlist and denylist. * test: Added unit tests for expression allow and deny list. * feat: Updated riot-tmpl to be installed from n8n fork. * fix: Added check for non-standard browser built-in. * chore: Removed package-lock.json from branch. * chore: Removed package-lock.json from branch. * chore: Added jest-environment-jsdom@27
- Loading branch information
1 parent
ad09d9a
commit d18a29d
Showing
3 changed files
with
249 additions
and
5 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,145 @@ | ||
| /** | ||
| * @jest-environment jsdom | ||
| */ | ||
|
|
||
| import { | ||
| Expression, | ||
| Workflow, | ||
| } from "../src"; | ||
| import * as Helpers from "./Helpers"; | ||
| import { | ||
| DateTime, | ||
| Duration, | ||
| Interval | ||
| } from "luxon"; | ||
|
|
||
| describe('Expression', () => { | ||
| describe('getParameterValue()', () => { | ||
| const nodeTypes = Helpers.NodeTypes(); | ||
| const workflow = new Workflow({ nodes: [ | ||
| { | ||
| name: 'node', | ||
| typeVersion: 1, | ||
| type: 'test.set', | ||
| position: [0, 0], | ||
| parameters: {} | ||
| } | ||
| ], connections: {}, active: false, nodeTypes }); | ||
| const expression = new Expression(workflow); | ||
|
|
||
| const evaluate = (value: string) => expression.getParameterValue( | ||
| value, | ||
| null, | ||
| 0, | ||
| 0, | ||
| 'node', | ||
| [], | ||
| 'manual', | ||
| '', | ||
| {}, | ||
| ); | ||
|
|
||
| it('should not be able to use global built-ins from denylist', () => { | ||
| expect(evaluate('={{document}}')).toEqual({}); | ||
| expect(evaluate('={{window}}')).toEqual({}); | ||
|
|
||
| expect(evaluate('={{Window}}')).toEqual({}); | ||
| expect(evaluate('={{globalThis}}')).toEqual({}); | ||
| expect(evaluate('={{self}}')).toEqual({}); | ||
|
|
||
| expect(evaluate('={{alert}}')).toEqual({}); | ||
| expect(evaluate('={{prompt}}')).toEqual({}); | ||
| expect(evaluate('={{confirm}}')).toEqual({}); | ||
|
|
||
| expect(evaluate('={{eval}}')).toEqual({}); | ||
| expect(evaluate('={{uneval}}')).toEqual({}); | ||
| expect(evaluate('={{setTimeout}}')).toEqual({}); | ||
| expect(evaluate('={{setInterval}}')).toEqual({}); | ||
| expect(evaluate('={{Function}}')).toEqual({}); | ||
|
|
||
| expect(evaluate('={{fetch}}')).toEqual({}); | ||
| expect(evaluate('={{XMLHttpRequest}}')).toEqual({}); | ||
|
|
||
| expect(evaluate('={{Promise}}')).toEqual({}); | ||
| expect(evaluate('={{Generator}}')).toEqual({}); | ||
| expect(evaluate('={{GeneratorFunction}}')).toEqual({}); | ||
| expect(evaluate('={{AsyncFunction}}')).toEqual({}); | ||
| expect(evaluate('={{AsyncGenerator}}')).toEqual({}); | ||
| expect(evaluate('={{AsyncGeneratorFunction}}')).toEqual({}); | ||
|
|
||
| expect(evaluate('={{WebAssembly}}')).toEqual({}); | ||
|
|
||
| expect(evaluate('={{Reflect}}')).toEqual({}); | ||
| expect(evaluate('={{Proxy}}')).toEqual({}); | ||
|
|
||
| expect(evaluate('={{constructor}}')).toEqual({}); | ||
|
|
||
| expect(evaluate('={{escape}}')).toEqual({}); | ||
| expect(evaluate('={{unescape}}')).toEqual({}); | ||
| }); | ||
|
|
||
| it('should be able to use global built-ins from allowlist', () => { | ||
| expect(evaluate('={{new Date()}}')).toBeInstanceOf(Date); | ||
| expect(evaluate('={{DateTime.now().toLocaleString()}}')).toEqual(DateTime.now().toLocaleString()); | ||
| expect(evaluate('={{Interval.after(new Date(), 100)}}')).toEqual(Interval.after(new Date(), 100)); | ||
| expect(evaluate('={{Duration.fromMillis(100)}}')).toEqual(Duration.fromMillis(100)); | ||
|
|
||
| expect(evaluate('={{new Object()}}')).toEqual(new Object()); | ||
|
|
||
| expect(evaluate('={{new Array()}}')).toEqual(new Array()); | ||
| expect(evaluate('={{new Int8Array()}}')).toEqual(new Int8Array()); | ||
| expect(evaluate('={{new Uint8Array()}}')).toEqual(new Uint8Array()); | ||
| expect(evaluate('={{new Uint8ClampedArray()}}')).toEqual(new Uint8ClampedArray()); | ||
| expect(evaluate('={{new Int16Array()}}')).toEqual(new Int16Array()); | ||
| expect(evaluate('={{new Uint16Array()}}')).toEqual(new Uint16Array()); | ||
| expect(evaluate('={{new Int32Array()}}')).toEqual(new Int32Array()); | ||
| expect(evaluate('={{new Uint32Array()}}')).toEqual(new Uint32Array()); | ||
| expect(evaluate('={{new Float32Array()}}')).toEqual(new Float32Array()); | ||
| expect(evaluate('={{new Float64Array()}}')).toEqual(new Float64Array()); | ||
| expect(evaluate('={{new BigInt64Array()}}')).toEqual(new BigInt64Array()); | ||
| expect(evaluate('={{new BigUint64Array()}}')).toEqual(new BigUint64Array()); | ||
|
|
||
| expect(evaluate('={{new Map()}}')).toEqual(new Map()); | ||
| expect(evaluate('={{new WeakMap()}}')).toEqual(new WeakMap()); | ||
| expect(evaluate('={{new Set()}}')).toEqual(new Set()); | ||
| expect(evaluate('={{new WeakSet()}}')).toEqual(new WeakSet()); | ||
|
|
||
| expect(evaluate('={{new Error()}}')).toEqual(new Error()); | ||
| expect(evaluate('={{new TypeError()}}')).toEqual(new TypeError()); | ||
| expect(evaluate('={{new SyntaxError()}}')).toEqual(new SyntaxError()); | ||
| expect(evaluate('={{new EvalError()}}')).toEqual(new EvalError()); | ||
| expect(evaluate('={{new RangeError()}}')).toEqual(new RangeError()); | ||
| expect(evaluate('={{new ReferenceError()}}')).toEqual(new ReferenceError()); | ||
| expect(evaluate('={{new URIError()}}')).toEqual(new URIError()); | ||
|
|
||
| expect(evaluate('={{Intl}}')).toEqual(Intl); | ||
|
|
||
| expect(evaluate('={{new String()}}')).toEqual(new String()); | ||
| expect(evaluate('={{new RegExp(\'\')}}')).toEqual(new RegExp('')); | ||
|
|
||
| expect(evaluate('={{Math}}')).toEqual(Math); | ||
| expect(evaluate('={{new Number()}}')).toEqual(new Number()); | ||
| expect(evaluate('={{BigInt(\'1\')}}')).toEqual(BigInt('1')); | ||
| expect(evaluate('={{Infinity}}')).toEqual(Infinity); | ||
| expect(evaluate('={{NaN}}')).toEqual(NaN); | ||
| expect(evaluate('={{isFinite(1)}}')).toEqual(isFinite(1)); | ||
| expect(evaluate('={{isNaN(1)}}')).toEqual(isNaN(1)); | ||
| expect(evaluate('={{parseFloat(\'1\')}}')).toEqual(parseFloat('1')); | ||
| expect(evaluate('={{parseInt(\'1\', 10)}}')).toEqual(parseInt('1', 10)); | ||
|
|
||
| expect(evaluate('={{JSON.stringify({})}}')).toEqual(JSON.stringify({})); | ||
| expect(evaluate('={{new ArrayBuffer(10)}}')).toEqual(new ArrayBuffer(10)); | ||
| expect(evaluate('={{new SharedArrayBuffer(10)}}')).toEqual(new SharedArrayBuffer(10)); | ||
| expect(evaluate('={{Atomics}}')).toEqual(Atomics); | ||
| expect(evaluate('={{new DataView(new ArrayBuffer(1))}}')).toEqual(new DataView(new ArrayBuffer(1))); | ||
|
|
||
| expect(evaluate('={{encodeURI(\'https://google.com\')}}')).toEqual(encodeURI('https://google.com')); | ||
| expect(evaluate('={{encodeURIComponent(\'https://google.com\')}}')).toEqual(encodeURIComponent('https://google.com')); | ||
| expect(evaluate('={{decodeURI(\'https://google.com\')}}')).toEqual(decodeURI('https://google.com')); | ||
| expect(evaluate('={{decodeURIComponent(\'https://google.com\')}}')).toEqual(decodeURIComponent('https://google.com')); | ||
|
|
||
| expect(evaluate('={{Boolean(1)}}')).toEqual(Boolean(1)); | ||
| expect(evaluate('={{Symbol(1).toString()}}')).toEqual(Symbol(1).toString()); | ||
| }); | ||
| }); | ||
| }) |