Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(editor): Prevent clipboard xss injection #10894

Merged
merged 3 commits into from
Sep 20, 2024
Merged

fix(editor): Prevent clipboard xss injection #10894

merged 3 commits into from
Sep 20, 2024
+18 −18

Conversation

r00gm
Copy link
Contributor

@r00gm r00gm commented Sep 20, 2024
edited
Loading

Summary

There is no need for the extra sanitization of the clipboard data, since it's already done in the composable that renders the html.

It also fixes the issue of HTML NODE code

Related Linear tickets, Github issues, and Community forum posts

https://linear.app/n8n/issue/SEC-119/xss-vulnerability-when-pasting-into-canvas#comment-3c30c988

Review / Merge checklist

  • PR title and summary are descriptive. (conventions)
  • Docs updated or follow-up ticket created.
  • Tests included.
  • PR Labeled with release/backport (if the PR is an urgent fix that needs to be backported)

@n8n-assistant n8n-assistant bot added n8n team Authored by the n8n team ui Enhancement in /editor-ui or /design-system labels Sep 20, 2024
@r00gm r00gm requested a review from tomi September 20, 2024 07:50
tomi
tomi approved these changes Sep 20, 2024
View reviewed changes
Copy link
Contributor

@tomi tomi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚀

@github-actions GitHub Actions
Copy link
Contributor

✅ All Cypress E2E specs passed

@cypress Cypress
Copy link

cypress bot commented Sep 20, 2024

n8n    Run #6965

Run Properties:  status check passed Passed #6965  •  git commit 809b4b2ba7: 🌳 🖥️ browsers:node18.12.0-chrome107 🤖 r00gm 🗃️ e2e/*
Project n8n
Branch Review prevent-clpiboard-xss-injection
Run status status check passed Passed #6965
Run duration 04m 45s
Commit git commit 809b4b2ba7: 🌳 🖥️ browsers:node18.12.0-chrome107 🤖 r00gm 🗃️ e2e/*
Committer r00gm
View all properties for this run ↗︎
Test results
Tests that failed  Failures 0
Tests that were flaky  Flaky 0
Tests that did not run due to a developer annotating a test with .skip  Pending 0
Tests that did not run due to a failure in a mocha hook  Skipped 0
Tests that passed  Passing 430
View all changes introduced in this branch ↗︎

@tomi tomi added the release/backport Changes that need to be backported to older releases. label Sep 20, 2024
@r00gm r00gm merged commit e20ab59 into master Sep 20, 2024
33 checks passed
@r00gm r00gm deleted the prevent-clpiboard-xss-injection branch September 20, 2024 10:51
mutdmour pushed a commit that referenced this pull request Sep 20, 2024
@r00gm @mutdmour
fix(editor): Prevent clipboard xss injection (#10894)
b1cff1f
@github-actions github-actions bot mentioned this pull request Sep 20, 2024
Merged
ivov pushed a commit that referenced this pull request Sep 20, 2024
@r00gm @ivov
fix(editor): Prevent clipboard xss injection (#10894)
20a99b9
@github-actions github-actions bot mentioned this pull request Sep 20, 2024
Merged
@janober
Copy link
Member

janober commented Sep 20, 2024

Got released with n8n@1.59.4

@z00z00z00
Copy link

Hello @janober @r00gm
May I have confirmation there is no issue ?
On 180fc4b, fix seems to be introduced ; but few minutes later fix is roll backed via
24a1fa9

Is there an issue or not ?

riascho pushed a commit that referenced this pull request Sep 23, 2024
@r00gm @riascho
fix(editor): Prevent clipboard xss injection (#10894)
1646908
@tomi
Copy link
Contributor

tomi commented Sep 24, 2024
edited
Loading

@z00z00z00 the change in commit 180fc4b didn't actually fix all the cases and it introduced other issues. That's why it was reverted. The actual fix is in commit 809b4b2

@z00z00z00
Copy link

z00z00z00 commented Sep 24, 2024
edited
Loading

Thanks @tomi for your reply.
However, this commit does not seem to be part of both releases 1.59.4 & 1.60.1 (or untagged yet ?)
https://github.com/n8n-io/n8n/compare/n8n@1.60.0...n8n@1.60.1
https://github.com/n8n-io/n8n/compare/n8n@1.59.3...n8n@1.59.4

@tomi
Copy link
Contributor

tomi commented Sep 24, 2024

@z00z00z00 Because of how our PR merge & patch release process works, the commit hashes don't match. PRs are squash merged, so all the commits in the PR are squashed into a single commit, which gets its own commit hash. For patch releases we cherry-pick the commits we want to introduce to the patch release, which also results in a separate hashes. The commits that include the fix are:

Hope this clarifies the situation.

@github-actions github-actions bot mentioned this pull request Sep 25, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tomi tomi tomi approved these changes

Assignees
No one assigned
Labels
n8n team Authored by the n8n team release/backport Changes that need to be backported to older releases. Released ui Enhancement in /editor-ui or /design-system
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@r00gm @janober @z00z00z00 @tomi