Merge commit from fork

Author: eilonc-pillar

packages/@n8n/task-runner/src/js-task-runner/__tests__/js-task-runner.test.ts

@@ -1500,6 +1500,137 @@ describe('JsTaskRunner', () => {
 		});
 	});
 
+	describe('Error.prepareStackTrace RCE prevention', () => {
+		test.each([['runOnceForAllItems'], ['runOnceForEachItem']] as const)(
+			'should block Error.prepareStackTrace access in %s mode',
+			async (mode) => {
+				const execute = mode === 'runOnceForAllItems' ? executeForAllItems : executeForEachItem;
+				const outcome = await execute({
+					code:
+						mode === 'runOnceForAllItems'
+							? 'return [{ json: { result: Error.prepareStackTrace } }]'
+							: 'return { json: { result: Error.prepareStackTrace } }',
+					inputItems: [{ a: 1 }],
+				});
+				expect(outcome.result[0].json.result).toBeUndefined();
+			},
+		);
+
+		test.each([['runOnceForAllItems'], ['runOnceForEachItem']] as const)(
+			'should block Error.captureStackTrace access in %s mode',
+			async (mode) => {
+				const execute = mode === 'runOnceForAllItems' ? executeForAllItems : executeForEachItem;
+				const outcome = await execute({
+					code:
+						mode === 'runOnceForAllItems'
+							? 'return [{ json: { result: Error.captureStackTrace } }]'
+							: 'return { json: { result: Error.captureStackTrace } }',
+					inputItems: [{ a: 1 }],
+				});
+				expect(outcome.result[0].json.result).toBeUndefined();
+			},
+		);
+
+		test.each([['runOnceForAllItems'], ['runOnceForEachItem']] as const)(
+			'should prevent Object.defineProperty from setting Error.prepareStackTrace in %s mode',
+			async (mode) => {
+				const execute = mode === 'runOnceForAllItems' ? executeForAllItems : executeForEachItem;
+				// First try to define prepareStackTrace, then check if it's still undefined
+				const outcome = await execute({
+					code:
+						mode === 'runOnceForAllItems'
+							? `
+								Object.defineProperty(Error, 'prepareStackTrace', { value: () => 'pwned' });
+								return [{ json: { result: Error.prepareStackTrace } }];
+							`
+							: `
+								Object.defineProperty(Error, 'prepareStackTrace', { value: () => 'pwned' });
+								return { json: { result: Error.prepareStackTrace } };
+							`,
+					inputItems: [{ a: 1 }],
+				});
+				// prepareStackTrace should still be undefined because defineProperty is neutered
+				expect(outcome.result[0].json.result).toBeUndefined();
+			},
+		);
+
+		test('should prevent full RCE exploit chain via prepareStackTrace', async () => {
+			// This is the actual exploit payload - should NOT execute system commands
+			// Even though the code runs without throwing, the exploit should not work
+			// because Object.defineProperty is neutered and prepareStackTrace remains undefined
+			const outcome = await executeForAllItems({
+				code: `
+					Object.defineProperty(Error, 'prepareStackTrace', {
+						value: (e, stack) => {
+							const g = stack[0].getThis();
+							return g.global.process.getBuiltinModule('child_process').execSync('echo pwned').toString();
+						}
+					});
+					const result = new Error().stack;
+					// Check if the result contains 'pwned' - if so, exploit succeeded
+					const exploited = typeof result === 'string' && result.includes('pwned');
+					return [{ json: { exploited, result: typeof result } }];
+				`,
+				inputItems: [{ a: 1 }],
+			});
+			// The exploit should fail - prepareStackTrace wasn't actually set
+			// so .stack returns a normal stack trace string, not 'pwned'
+			expect(outcome.result[0].json.exploited).toBe(false);
+			expect(outcome.result[0].json.result).toBe('string'); // Normal stack trace
+		});
+	});
+
+	describe('Object.defineProperty security', () => {
+		test.each([['runOnceForAllItems'], ['runOnceForEachItem']] as const)(
+			'should neuter Object.defineProperty in %s mode',
+			async (mode) => {
+				const execute = mode === 'runOnceForAllItems' ? executeForAllItems : executeForEachItem;
+				const outcome = await execute({
+					code:
+						mode === 'runOnceForAllItems'
+							? `
+								const obj = {};
+								Object.defineProperty(obj, 'test', { value: 123 });
+								return [{ json: { hasProperty: 'test' in obj, value: obj.test } }];
+							`
+							: `
+								const obj = {};
+								Object.defineProperty(obj, 'test', { value: 123 });
+								return { json: { hasProperty: 'test' in obj, value: obj.test } };
+							`,
+					inputItems: [{ a: 1 }],
+				});
+				// defineProperty is neutered, property won't be defined
+				expect(outcome.result[0].json.hasProperty).toBe(false);
+				expect(outcome.result[0].json.value).toBeUndefined();
+			},
+		);
+
+		test.each([['runOnceForAllItems'], ['runOnceForEachItem']] as const)(
+			'should neuter Object.defineProperties in %s mode',
+			async (mode) => {
+				const execute = mode === 'runOnceForAllItems' ? executeForAllItems : executeForEachItem;
+				const outcome = await execute({
+					code:
+						mode === 'runOnceForAllItems'
+							? `
+								const obj = {};
+								Object.defineProperties(obj, { a: { value: 1 }, b: { value: 2 } });
+								return [{ json: { hasA: 'a' in obj, hasB: 'b' in obj } }];
+							`
+							: `
+								const obj = {};
+								Object.defineProperties(obj, { a: { value: 1 }, b: { value: 2 } });
+								return { json: { hasA: 'a' in obj, hasB: 'b' in obj } };
+							`,
+					inputItems: [{ a: 1 }],
+				});
+				expect(outcome.result[0].json.hasA).toBe(false);
+				expect(outcome.result[0].json.hasB).toBe(false);
+			},
+		);
+	});
+
 	describe('stack trace', () => {
 		it('should extract correct line number from user-defined function stack trace', async () => {
 			const runner = createRunnerWithOpts({});

packages/@n8n/task-runner/src/js-task-runner/js-task-runner.ts

@@ -601,6 +601,18 @@ export class JsTaskRunner extends TaskRunner {
 			'Object.setPrototypeOf = () => false',
 			'Reflect.setPrototypeOf = () => false',
 
+			// prevent Error.prepareStackTrace RCE attack BEFORE disabling defineProperty
+			// This V8 API allows accessing the real global object via stack frame's getThis()
+			'delete Error.prepareStackTrace',
+			'delete Error.captureStackTrace',
+			'Object.defineProperty(Error, "prepareStackTrace", { configurable: false, writable: false, value: undefined })',
+			'Object.defineProperty(Error, "captureStackTrace", { configurable: false, writable: false, value: undefined })',
+
+			// prevent defineProperty attacks (used to bypass sandbox via Error.prepareStackTrace)
+			// Must come AFTER we've locked down Error properties above
+			'Object.defineProperty = () => ({})',
+			'Object.defineProperties = () => ({})',
+
 			// wrap user code
 			`module.exports = async function VmCodeWrapper() {${code}\n}()`,
 		].join('; ');

packages/workflow/src/expression.ts

@@ -50,6 +50,130 @@ setErrorHandler((error: Error) => {
 	if (isExpressionError(error)) throw error;
 });
 
+/**
+ * Creates a safe Object wrapper that removes dangerous static methods
+ * that could be used to bypass property access sanitization.
+ *
+ * Blocked methods:
+ * - defineProperty/defineProperties: Can set properties bypassing access checks
+ * - setPrototypeOf/getPrototypeOf: Can manipulate prototype chains
+ * - getOwnPropertyDescriptor(s): Can introspect sensitive properties
+ * - __defineGetter__/__defineSetter__: Legacy methods that can bypass set traps
+ * - __lookupGetter__/__lookupSetter__: Can introspect getters/setters
+ *
+ * Object.create is wrapped to prevent passing property descriptors (2nd argument)
+ */
+const createSafeObject = (): typeof Object => {
+	const safeCreate = (proto: object | null): object => {
+		// Only allow single-argument create (no property descriptors)
+		return Object.create(proto);
+	};
+
+	// Block dangerous static and prototype methods
+	const blockedMethods = new Set([
+		// Static methods that can bypass property access checks
+		'defineProperty',
+		'defineProperties',
+		'setPrototypeOf',
+		'getPrototypeOf',
+		'getOwnPropertyDescriptor',
+		'getOwnPropertyDescriptors',
+		// Legacy methods that can bypass Proxy set traps
+		'__defineGetter__',
+		'__defineSetter__',
+		'__lookupGetter__',
+		'__lookupSetter__',
+	]);
+
+	// Create a proxy that blocks dangerous methods
+	return new Proxy(Object, {
+		get(target, prop, receiver) {
+			if (blockedMethods.has(prop as string)) {
+				return undefined;
+			}
+
+			// Wrap Object.create to prevent property descriptor argument
+			if (prop === 'create') {
+				return safeCreate;
+			}
+
+			return Reflect.get(target, prop, receiver);
+		},
+		// Block defineProperty trap to prevent __defineGetter__ from working
+		defineProperty() {
+			return false;
+		},
+	});
+};
+
+/**
+ * List of properties that are blocked on Error and all Error subclasses.
+ * These properties can be exploited for sandbox escape via V8's stack trace API.
+ */
+const blockedErrorProperties = new Set([
+	// V8 stack trace manipulation
+	'captureStackTrace',
+	'prepareStackTrace',
+	'stackTraceLimit',
+	// Legacy methods that can bypass Proxy set traps
+	'__defineGetter__',
+	'__defineSetter__',
+	'__lookupGetter__',
+	'__lookupSetter__',
+]);
+
+/**
+ * Creates a safe Error constructor that removes dangerous static methods
+ * like captureStackTrace and prepareStackTrace which can be exploited for RCE.
+ *
+ * The V8 prepareStackTrace attack works by:
+ * 1. Setting Error.prepareStackTrace to a malicious function
+ * 2. Creating a new Error and accessing its .stack property
+ * 3. V8 calls the prepareStackTrace function with CallSite objects
+ * 4. CallSite.getThis() returns the real global object, escaping the sandbox
+ */
+const createSafeError = (): typeof Error => {
+	return new Proxy(Error, {
+		get(target, prop, receiver) {
+			if (blockedErrorProperties.has(prop as string)) {
+				return undefined;
+			}
+
+			return Reflect.get(target, prop, receiver);
+		},
+		set() {
+			// Prevent setting any properties on Error (like prepareStackTrace)
+			return false;
+		},
+		defineProperty() {
+			// Prevent defineProperty (blocks __defineGetter__ internally)
+			return false;
+		},
+	});
+};
+
+/**
+ * Creates a safe wrapper for Error subclasses (TypeError, SyntaxError, etc.)
+ * While prepareStackTrace is only on Error in V8, we wrap subclasses for defense in depth.
+ */
+const createSafeErrorSubclass = <T extends ErrorConstructor>(ErrorClass: T): T => {
+	return new Proxy(ErrorClass, {
+		get(target, prop, receiver) {
+			if (blockedErrorProperties.has(prop as string)) {
+				return undefined;
+			}
+
+			return Reflect.get(target, prop, receiver);
+		},
+		set() {
+			return false;
+		},
+		defineProperty() {
+			return false;
+		},
+	});
+};
+
 export class Expression {
 	constructor(private readonly workflow: Workflow) {}
 
@@ -111,8 +235,8 @@ export class Expression {
 		data.Interval = Interval;
 		data.Duration = Duration;
 
-		// Objects
-		data.Object = Object;
+		// Objects - use safe wrapper to block dangerous methods like defineProperty
+		data.Object = createSafeObject();
 
 		// Arrays
 		data.Array = Array;
@@ -134,14 +258,15 @@ export class Expression {
 		data.Set = typeof Set !== 'undefined' ? Set : {};
 		data.WeakSet = typeof WeakSet !== 'undefined' ? WeakSet : {};
 
-		// Errors
-		data.Error = Error;
-		data.TypeError = TypeError;
-		data.SyntaxError = SyntaxError;
-		data.EvalError = EvalError;
-		data.RangeError = RangeError;
-		data.ReferenceError = ReferenceError;
-		data.URIError = URIError;
+		// Errors - use safe wrappers to block prepareStackTrace, captureStackTrace,
+		// and other dangerous properties that could enable sandbox escape
+		data.Error = createSafeError();
+		data.TypeError = createSafeErrorSubclass(TypeError);
+		data.SyntaxError = createSafeErrorSubclass(SyntaxError);
+		data.EvalError = createSafeErrorSubclass(EvalError);
+		data.RangeError = createSafeErrorSubclass(RangeError);
+		data.ReferenceError = createSafeErrorSubclass(ReferenceError);
+		data.URIError = createSafeErrorSubclass(URIError);
 
 		// Internationalization
 		data.Intl = typeof Intl !== 'undefined' ? Intl : {};

packages/workflow/test/expression-sandboxing.test.ts

@@ -84,6 +84,16 @@ describe('PrototypeSanitizer', () => {
 			}).toThrowError(errorRegex);
 		});
 
+		it.each([
+			['getPrototypeOf', '{{ Object.getPrototypeOf }}'],
+			['binding', '{{ process.binding }}'],
+			['_load', '{{ module._load }}'],
+		])('should not allow access to %s', (_, expression) => {
+			expect(() => {
+				tournament.execute(expression, { __sanitize: sanitizer, Object, process: {}, module: {} });
+			}).toThrowError(errorRegex);
+		});
+
 		describe('Dollar sign identifier handling', () => {
 			it('should not allow bare $ identifier', () => {
 				expect(() => {