Merge commit from fork

Author: ivov

packages/@n8n/task-runner/src/js-task-runner/__tests__/js-task-runner.test.ts

@@ -131,6 +131,26 @@ describe('JsTaskRunner', () => {
 		});
 	};
 
+	describe('Buffer security', () => {
+		it('should redirect Buffer.allocUnsafe to Buffer.alloc', async () => {
+			const outcome = await executeForAllItems({
+				code: 'const buf = Buffer.allocUnsafe(10); return [{ json: { allZeros: buf.every(b => b === 0) } }]',
+				inputItems: [{ a: 1 }],
+			});
+
+			expect(outcome.result).toEqual([wrapIntoJson({ allZeros: true })]);
+		});
+
+		it('should redirect Buffer.allocUnsafeSlow to Buffer.alloc', async () => {
+			const outcome = await executeForAllItems({
+				code: 'const buf = Buffer.allocUnsafeSlow(10); return [{ json: { allZeros: buf.every(b => b === 0) } }]',
+				inputItems: [{ a: 1 }],
+			});
+
+			expect(outcome.result).toEqual([wrapIntoJson({ allZeros: true })]);
+		});
+	});
+
 	describe('console', () => {
 		test.each<[CodeExecutionMode]>([['runOnceForAllItems'], ['runOnceForEachItem']])(
 			'should make an rpc call for console log in %s mode',

packages/@n8n/task-runner/src/js-task-runner/js-task-runner.ts

@@ -211,9 +211,19 @@ export class JsTaskRunner extends TaskRunner {
 	}
 
 	private getNativeVariables() {
+		const { mode } = this;
 		return {
 			// Exposed Node.js globals
-			Buffer,
+			Buffer: new Proxy(Buffer, {
+				get(target, prop) {
+					if (mode === 'insecure') return target[prop as keyof typeof Buffer];
+					if (prop === 'allocUnsafe' || prop === 'allocUnsafeSlow') {
+						// eslint-disable-next-line @typescript-eslint/unbound-method
+						return Buffer.alloc;
+					}
+					return target[prop as keyof typeof Buffer];
+				},
+			}),
 			setTimeout,
 			setInterval,
 			setImmediate,