Merge pull request #4 from n8n-io/n8n-3776-expressions-xss-part-2

N8N-3776-expressions-xss-part-2
n8n-io · Jun 8, 2022 · 37cbae9 · 37cbae9
2 parents 63f7f8f + 6b06b42
commit 37cbae9
Show file tree

Hide file tree

Showing 7 changed files with 6,774 additions and 29 deletions.
diff --git a/dist/csp.tmpl.js b/dist/csp.tmpl.js
@@ -7547,6 +7547,8 @@ var tmpl = (function () {
 
     if (expr.slice(0, 11) !== 'try{return ') expr = 'return ' + expr;
 
+    expr = 'var ' + (typeof window !== 'object' ? 'global' : 'window') + ' = {}; ' + expr;
+
     return safeEval.func('E', expr + ';')
   }
 
@@ -7640,6 +7642,7 @@ var tmpl = (function () {
       expr = !cnt ? _wrapExpr(expr, asText)
            : cnt > 1 ? '[' + list.join(',') + '].join(" ").trim()' : list[0];
     }
+
     return expr
 
     function skipBraces (ch, re) {

diff --git a/dist/es6.tmpl.js b/dist/es6.tmpl.js
@@ -377,6 +377,8 @@ var tmpl = (function () {
 
     if (expr.slice(0, 11) !== 'try{return ') expr = 'return ' + expr
 
+    expr = 'var ' + (typeof window !== 'object' ? 'global' : 'window') + ' = {}; ' + expr
+
     return new Function('E', expr + ';')    // eslint-disable-line no-new-func
   }
 
@@ -470,6 +472,7 @@ var tmpl = (function () {
       expr = !cnt ? _wrapExpr(expr, asText)
            : cnt > 1 ? '[' + list.join(',') + '].join(" ").trim()' : list[0]
     }
+
     return expr
 
     function skipBraces (ch, re) {

diff --git a/dist/tmpl.js b/dist/tmpl.js
@@ -372,6 +372,8 @@
 
       if (expr.slice(0, 11) !== 'try{return ') expr = 'return ' + expr
 
+      expr = 'var ' + (typeof window !== 'object' ? 'global' : 'window') + ' = {}; ' + expr
+
       return new Function('E', expr + ';')    // eslint-disable-line no-new-func
     }
 
@@ -465,6 +467,7 @@
         expr = !cnt ? _wrapExpr(expr, asText)
              : cnt > 1 ? '[' + list.join(',') + '].join(" ").trim()' : list[0]
       }
+
       return expr
 
       function skipBraces (ch, re) {