@DawidMyslak DawidMyslak commented Jan 7, 2026

Summary

Improve sanitization for file names.

Related Linear tickets, Github issues, and Community forum posts

https://linear.app/n8n/issue/NODE-4175/

Review / Merge checklist

  • PR title and summary are descriptive. (conventions)
  • Docs updated or follow-up ticket created.
  • Tests included.
  • PR Labeled with release/backport (if the PR is an urgent fix that needs to be backported)

@DawidMyslak DawidMyslak marked this pull request as ready for review January 7, 2026 16:07

@cubic-dev-ai cubic-dev-ai bot left a comment

1 issue found across 6 files

Prompt for AI agents (all issues)

Check if these issues are valid — if so, understand the root cause of each and fix them.


<file name="packages/nodes-base/nodes/Ssh/Ssh.node.ts">

<violation number="1" location="packages/nodes-base/nodes/Ssh/Ssh.node.ts:452">
P1: Using `??` instead of `||` causes a regression: when `fileName` is an empty string (the default from `getNodeParameter`), it won't fall back to `binaryData.fileName`. The `??` operator only coalesces `null`/`undefined`, not empty strings. This will result in uploads to paths like `/home/user/` instead of `/home/user/filename.txt`.</violation>
</file>

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
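
The `??` versus `||` fallback described in the review comment above, as an added example that is not part of the PR or n8n's code. All function names are hypothetical, and the basename-only sanitizer is an assumption about how a file name might be cleaned before it is joined to a target directory.

```javascript
// Added example; names are hypothetical, not n8n's implementation.

// Keep only the last path component so "../" segments or absolute paths
// in a user-supplied name cannot move the write outside the target dir.
function sanitizeFileName(name) {
  const base = String(name ?? '').split(/[\\/]/).pop();
  // "." and ".." are directory references, not file names.
  return base === '.' || base === '..' ? '' : base;
}

// Regressed form: `??` falls back only on null/undefined, so the
// empty-string parameter default wins and the binary name is ignored.
function pickNameNullish(paramFileName, binaryFileName) {
  return paramFileName ?? binaryFileName;
}

// `||` also falls back on '', so the binary file name is used.
function pickNameFalsy(paramFileName, binaryFileName) {
  return paramFileName || binaryFileName;
}

// Naive join, used here only to show where the regressed form ends up.
function joinPath(dir, name) {
  return dir.replace(/\/+$/, '') + '/' + name;
}

// Hardened form: falsy fallback, sanitize, then fail closed when no
// usable name remains instead of writing to the bare directory path.
function buildUploadPath(dir, paramFileName, binaryFileName) {
  const name = sanitizeFileName(pickNameFalsy(paramFileName, binaryFileName));
  if (name === '') {
    throw new Error('no usable file name for upload');
  }
  return joinPath(dir, name);
}

// Constructed inputs: '' stands in for the parameter's default value.
console.log(joinPath('/home/user/', pickNameNullish('', 'filename.txt')));
console.log(buildUploadPath('/home/user/', '', 'filename.txt'));
```
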

@n8n-assistant n8n-assistant bot added core Enhancement outside /nodes-base and /editor-ui n8n team Authored by the n8n team node/improvement New feature or request labels Jan 7, 2026

codecov bot commented Jan 7, 2026

Codecov Report

❌ Patch coverage is 73.33333% with 4 lines in your changes missing coverage. Please review.

Files with missing lines Patch % Lines
packages/nodes-base/nodes/Ssh/Ssh.node.ts 0.00% 3 Missing ⚠️
...execution-context/utils/binary-helper-functions.ts 50.00% 1 Missing ⚠️

@DawidMyslak DawidMyslak force-pushed the node-4175-webhook-filename-path-traversal-leads-to-remote-code branch from c6ffa91 to cae3955 Compare January 7, 2026 16:21

currents-bot bot commented Jan 7, 2026

E2E Tests: n8n tests passed after 12m 41.8s

🟢 609 · 🔴 0 · ⚪️ 38 · 🟣 3

Run Details

  • Project: n8n

  • Groups: 2

  • Framework: Playwright

  • Run Status: Passed

  • Commit: cae3955

  • Spec files: 142

  • Overall tests: 647

  • Duration: 12m 41.8s

  • Parallelization: 16

Groups

GroupId Results Spec Files Progress
multi-main:e2e 🟢 552 · 🔴 0 · ⚪️ 38 · 🟣 1 133 / 133
multi-main:e2e:isolated 🟢 57 · 🔴 0 · ⚪️ 0 · 🟣 2 9 / 9


@DawidMyslak DawidMyslak changed the title from "fix(core): Sanitize filenames to prevent path traversal in file operations" to "fix(core): Sanitize filenames for file operations" Jan 8, 2026
Labels

  • core: Enhancement outside /nodes-base and /editor-ui
  • n8n team: Authored by the n8n team
  • node/improvement: New feature or request
  • release/backport: Changes that need to be backported to older releases.
  • release/backport-to-beta
  • release/backport-to-stable
  • release/backport-to-v1
