chore: Bundle 2026-W7 (#26214)

Signed-off-by: Oleg Ivaniv <me@olegivaniv.com>
Co-authored-by: Tomi Turtiainen <10324676+tomi@users.noreply.github.com>
Co-authored-by: yehorkardash <yehor.kardash@n8n.io>
Co-authored-by: James Gee <1285296+geemanjs@users.noreply.github.com>
Co-authored-by: Iván Ovejero <ivov.src@gmail.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: Stephen Wright <sjw948@gmail.com>
Co-authored-by: oleg <me@olegivaniv.com>
Co-authored-by: Albert Alises <albert.alises@gmail.com>
Co-authored-by: Danny Martini <danny@n8n.io>

Author: 10 people

packages/@n8n/nodes-langchain/nodes/trigger/ChatTrigger/GenericFunctions.ts

@@ -37,20 +37,27 @@ export async function validateAuth(context: IWebhookFunctions) {
 	} else if (authentication === 'n8nUserAuth') {
 		const webhookName = context.getWebhookName();
 
-		function getCookie(name: string) {
-			const value = `; ${headers.cookie}`;
-			const parts = value.split(`; ${name}=`);
+		if (webhookName !== 'setup') {
+			function getCookie(name: string) {
+				const value = `; ${headers.cookie}`;
+				const parts = value.split(`; ${name}=`);
 
-			if (parts.length === 2) {
-				return parts.pop()?.split(';').shift();
+				if (parts.length === 2) {
+					return parts.pop()?.split(';').shift();
+				}
+				return '';
 			}
-			return '';
-		}
 
-		const authCookie = getCookie('n8n-auth');
-		if (!authCookie && webhookName !== 'setup') {
-			// Data is not defined on node so can not authenticate
-			throw new ChatTriggerAuthorizationError(500, 'User not authenticated!');
+			const authCookie = getCookie('n8n-auth');
+			if (!authCookie) {
+				throw new ChatTriggerAuthorizationError(401, 'User not authenticated!');
+			}
+
+			try {
+				await context.validateCookieAuth(authCookie);
+			} catch {
+				throw new ChatTriggerAuthorizationError(401, 'Invalid authentication token');
+			}
 		}
 	}
 

packages/@n8n/nodes-langchain/nodes/trigger/ChatTrigger/__test__/GenericFunctions.test.ts

@@ -0,0 +1,156 @@
+import { mock } from 'jest-mock-extended';
+import type { ICredentialDataDecryptedObject, IWebhookFunctions } from 'n8n-workflow';
+
+import { ChatTriggerAuthorizationError } from '../error';
+import { validateAuth } from '../GenericFunctions';
+
+describe('validateAuth', () => {
+	const mockContext = mock<IWebhookFunctions>();
+
+	beforeEach(() => {
+		jest.clearAllMocks();
+	});
+
+	describe('authentication = none', () => {
+		it('should pass without error', async () => {
+			mockContext.getNodeParameter.calledWith('authentication').mockReturnValue('none');
+
+			await expect(validateAuth(mockContext)).resolves.toBeUndefined();
+		});
+	});
+
+	describe('authentication = basicAuth', () => {
+		beforeEach(() => {
+			mockContext.getNodeParameter.calledWith('authentication').mockReturnValue('basicAuth');
+		});
+
+		it('should throw 500 when credentials are not defined', async () => {
+			mockContext.getCredentials.mockRejectedValue(new Error('No credentials'));
+
+			await expect(validateAuth(mockContext)).rejects.toThrow(ChatTriggerAuthorizationError);
+			await expect(validateAuth(mockContext)).rejects.toMatchObject({
+				responseCode: 500,
+			});
+		});
+
+		it('should throw 401 when no auth header is provided', async () => {
+			mockContext.getCredentials.mockResolvedValue({
+				user: 'admin',
+				password: 'secret',
+			} as ICredentialDataDecryptedObject);
+			mockContext.getRequestObject.mockReturnValue({
+				headers: {},
+			} as never);
+
+			await expect(validateAuth(mockContext)).rejects.toThrow(ChatTriggerAuthorizationError);
+			await expect(validateAuth(mockContext)).rejects.toMatchObject({
+				responseCode: 401,
+			});
+		});
+
+		it('should throw 403 when credentials are wrong', async () => {
+			mockContext.getCredentials.mockResolvedValue({
+				user: 'admin',
+				password: 'secret',
+			} as ICredentialDataDecryptedObject);
+			mockContext.getRequestObject.mockReturnValue({
+				headers: {
+					authorization: 'Basic ' + Buffer.from('admin:wrong').toString('base64'),
+				},
+			} as never);
+
+			await expect(validateAuth(mockContext)).rejects.toThrow(ChatTriggerAuthorizationError);
+			await expect(validateAuth(mockContext)).rejects.toMatchObject({
+				responseCode: 403,
+			});
+		});
+
+		it('should pass with correct credentials', async () => {
+			mockContext.getCredentials.mockResolvedValue({
+				user: 'admin',
+				password: 'secret',
+			} as ICredentialDataDecryptedObject);
+			mockContext.getRequestObject.mockReturnValue({
+				headers: {
+					authorization: 'Basic ' + Buffer.from('admin:secret').toString('base64'),
+				},
+			} as never);
+
+			await expect(validateAuth(mockContext)).resolves.toBeUndefined();
+		});
+	});
+
+	describe('authentication = n8nUserAuth', () => {
+		beforeEach(() => {
+			mockContext.getNodeParameter.calledWith('authentication').mockReturnValue('n8nUserAuth');
+		});
+
+		it('should skip validation for setup webhook', async () => {
+			mockContext.getWebhookName.mockReturnValue('setup');
+			mockContext.getHeaderData.mockReturnValue({});
+
+			await expect(validateAuth(mockContext)).resolves.toBeUndefined();
+		});
+
+		it('should throw 401 when no n8n-auth cookie is present', async () => {
+			mockContext.getWebhookName.mockReturnValue('default');
+			mockContext.getHeaderData.mockReturnValue({});
+
+			await expect(validateAuth(mockContext)).rejects.toThrow(ChatTriggerAuthorizationError);
+			await expect(validateAuth(mockContext)).rejects.toMatchObject({
+				responseCode: 401,
+				message: 'User not authenticated!',
+			});
+		});
+
+		it('should throw 401 when cookie has a fake/invalid token', async () => {
+			mockContext.getWebhookName.mockReturnValue('default');
+			mockContext.getHeaderData.mockReturnValue({
+				cookie: 'n8n-auth=anything',
+			});
+			mockContext.validateCookieAuth.mockRejectedValue(new Error('Unauthorized'));
+
+			await expect(validateAuth(mockContext)).rejects.toThrow(ChatTriggerAuthorizationError);
+			await expect(validateAuth(mockContext)).rejects.toMatchObject({
+				responseCode: 401,
+				message: 'Invalid authentication token',
+			});
+		});
+
+		it('should throw 401 when validateCookieAuth rejects (revoked token)', async () => {
+			mockContext.getWebhookName.mockReturnValue('default');
+			mockContext.getHeaderData.mockReturnValue({
+				cookie: 'n8n-auth=some.revoked.token',
+			});
+			mockContext.validateCookieAuth.mockRejectedValue(new Error('Unauthorized'));
+
+			await expect(validateAuth(mockContext)).rejects.toThrow(ChatTriggerAuthorizationError);
+			await expect(validateAuth(mockContext)).rejects.toMatchObject({
+				responseCode: 401,
+				message: 'Invalid authentication token',
+			});
+		});
+
+		it('should pass with a valid token', async () => {
+			mockContext.getWebhookName.mockReturnValue('default');
+			mockContext.getHeaderData.mockReturnValue({
+				cookie: 'n8n-auth=valid.jwt.token',
+			});
+			mockContext.validateCookieAuth.mockResolvedValue(undefined);
+
+			await expect(validateAuth(mockContext)).resolves.toBeUndefined();
+			expect(mockContext.validateCookieAuth).toHaveBeenCalledWith('valid.jwt.token');
+		});
+
+		it('should pass when cookie has other cookies alongside n8n-auth', async () => {
+			mockContext.getWebhookName.mockReturnValue('default');
+			mockContext.getHeaderData.mockReturnValue({
+				cookie: 'other=value; n8n-auth=valid.jwt.token; another=thing',
+			});
+			mockContext.validateCookieAuth.mockResolvedValue(undefined);
+
+			await expect(validateAuth(mockContext)).resolves.toBeUndefined();
+			expect(mockContext.validateCookieAuth).toHaveBeenCalledWith('valid.jwt.token');
+		});
+	});
+});

packages/@n8n/nodes-langchain/nodes/trigger/ChatTrigger/__test__/templates.test.ts

@@ -15,6 +15,7 @@ describe('ChatTrigger Templates Security', () => {
 		allowedFilesMimeTypes: '',
 		customCss: '',
 		enableStreaming: false,
+		initialMessages: '',
 	};
 
 	describe('XSS Prevention in initialMessages', () => {
@@ -213,6 +214,54 @@ describe('ChatTrigger Templates Security', () => {
 		});
 	});
 
+	describe('XSS Prevention in allowedFilesMimeTypes', () => {
+		it('should prevent script injection through allowedFilesMimeTypes', () => {
+			const maliciousInput = '</script><script>alert(document.cookie)</script>';
+
+			const result = createPage({
+				...defaultParams,
+				allowFileUploads: true,
+				allowedFilesMimeTypes: maliciousInput,
+			});
+
+			expect(result).not.toContain('<script>alert(document.cookie)</script>');
+			expect(result).not.toContain('</script><script>');
+			expect(result).not.toContain('alert(document.cookie)');
+		});
+
+		it('should sanitize common XSS payloads in allowedFilesMimeTypes', () => {
+			const xssPayloads = [
+				{ input: '<img src=x onerror=alert(1)>', dangerous: ['onerror=', '<img'] },
+				{ input: '<svg onload=alert(1)>', dangerous: ['onload=', '<svg'] },
+				{ input: 'javascript:alert(1)', dangerous: ['javascript:'] },
+			];
+
+			xssPayloads.forEach(({ input, dangerous }) => {
+				const result = createPage({
+					...defaultParams,
+					allowFileUploads: true,
+					allowedFilesMimeTypes: input,
+				});
+
+				dangerous.forEach((dangerousContent) => {
+					expect(result).not.toContain(dangerousContent);
+				});
+			});
+		});
+
+		it('should preserve legitimate MIME types', () => {
+			const legitimateMimeTypes = 'image/*,text/plain,application/pdf';
+
+			const result = createPage({
+				...defaultParams,
+				allowFileUploads: true,
+				allowedFilesMimeTypes: legitimateMimeTypes,
+			});
+
+			expect(result).toContain(legitimateMimeTypes);
+		});
+	});
+
 	describe('getSanitizedInitialMessages function', () => {
 		it('should sanitize XSS payloads', () => {
 			const maliciousInput = '</script>"%09<script>alert(document.cookie)</script>';

packages/@n8n/nodes-langchain/nodes/trigger/ChatTrigger/templates.ts

@@ -77,7 +77,7 @@ export function createPage({
 		: 'none';
 	const sanitizedShowWelcomeScreen = !!showWelcomeScreen;
 	const sanitizedAllowFileUploads = !!allowFileUploads;
-	const sanitizedAllowedFilesMimeTypes = allowedFilesMimeTypes?.toString() ?? '';
+	const sanitizedAllowedFilesMimeTypes = sanitizeUserInput(allowedFilesMimeTypes?.toString() ?? '');
 	const sanitizedCustomCss = sanitizeHtml(`<style>${customCss?.toString() ?? ''}</style>`, {
 		allowedTags: ['style'],
 		allowedAttributes: false,

packages/@n8n/task-runner-python/src/constants.py

@@ -149,6 +149,7 @@
     "obj",
     "__thisclass__",
     "__self_class__",
+    "__objclass__",
     # introspection attributes
     "__base__",
     "__class__",

packages/@n8n/task-runner-python/tests/unit/test_task_analyzer.py

@@ -150,6 +150,19 @@ def test_name_mangled_attributes_blocked(self, analyzer: TaskAnalyzer) -> None:
                 analyzer.validate(code)
             assert "name-mangled" in exc_info.value.description.lower()
 
+    def test_objclass_attribute_blocked(self, analyzer: TaskAnalyzer) -> None:
+        exploit_attempts = [
+            "str.__or__.__objclass__",
+            "str.__init__.__objclass__",
+            "type_ref = str.__or__.__objclass__",
+            "object_ref = str.__init__.__objclass__",
+        ]
+
+        for code in exploit_attempts:
+            with pytest.raises(SecurityViolationError) as exc_info:
+                analyzer.validate(code)
+            assert "__objclass__" in exc_info.value.description
+
     def test_attribute_error_obj_blocked(self, analyzer: TaskAnalyzer) -> None:
         exploit_attempts = [
             "e.obj",