fix(core): Prevent shared user details being saved alongside executio…

…n data (#5334) * 🔨 - Remove `shared` key from execution save data * 👕 - Using import type where needed * remove console.log * 🔨 - Create new clean workflowData instead of removing shared If IWorkflowBase changes in future, TS will error out here ensuring it's kept up to date * 🔨 - use lodash.pick for less verbosity * 🔨 - fix lodash imports
n8n-io · Feb 2, 2023 · 6ca49f9 · 6ca49f9
1 parent 93a2dac
commit 6ca49f9
Showing 1 changed file with 17 additions and 1 deletion.
diff --git a/packages/cli/src/WorkflowExecuteAdditionalData.ts b/packages/cli/src/WorkflowExecuteAdditionalData.ts
@@ -41,6 +41,7 @@ import {
 	WorkflowHooks,
 } from 'n8n-workflow';
 
+import pick from 'lodash.pick';
 import { LessThanOrEqual } from 'typeorm';
 import { DateUtils } from 'typeorm/util/DateUtils';
 import config from '@/config';
@@ -583,13 +584,28 @@ function hookFunctionsSave(parentProcessMode?: string): IWorkflowExecuteHooks {
 						}
 					}
 
+					// Although it is treated as IWorkflowBase here, it's being instantiated elsewhere with properties that may be sensitive
+					// As a result, we should create an IWorkflowBase object with only the data we want to save in it.
+					const pristineWorkflowData: IWorkflowBase = pick(this.workflowData, [
+						'id',
+						'name',
+						'active',
+						'createdAt',
+						'updatedAt',
+						'nodes',
+						'connections',
+						'settings',
+						'staticData',
+						'pinData',
+					]);
+
 					const fullExecutionData: IExecutionDb = {
 						data: fullRunData.data,
 						mode: fullRunData.mode,
 						finished: fullRunData.finished ? fullRunData.finished : false,
 						startedAt: fullRunData.startedAt,
 						stoppedAt: fullRunData.stoppedAt,
-						workflowData: this.workflowData,
+						workflowData: pristineWorkflowData,
 						waitTill: fullRunData.waitTill,
 					};