[Cybersecurity] Reproducing CVE-2026-27498
Vulnerability source

Vulnerability description
n8n is an open-source workflow automation platform. Before versions 2.2.0 and 1.123.8, an authenticated user with permission to create or modify workflows could chain git operations with the "Read/Write Files from Disk" node to achieve remote code execution. By writing a specific configuration file and then triggering a git operation, the attacker can run arbitrary shell commands on the n8n host. The issue is fixed in n8n 2.2.0 and 1.123.8; users should upgrade to these versions or later. If upgrading immediately is not possible, administrators should consider the following temporary mitigations: restrict workflow creation and editing permissions to fully trusted users, and/or disable the "Read/Write Files from Disk" node by adding `n8n-nodes-base.readWriteFile` to the `NODES_EXCLUDE` environment variable. These workarounds do not fully eliminate the risk and should only be used as short-term mitigations.
Vulnerability analysis
The vulnerable file is packages/nodes-base/nodes/Git/Git.node.ts:
```typescript
import { access, mkdir } from 'fs/promises';
import type {
  IExecuteFunctions,
  INodeExecutionData,
  INodeType,
  INodeTypeDescription,
} from 'n8n-workflow';
import { NodeConnectionTypes } from 'n8n-workflow';
import type { LogOptions, SimpleGit, SimpleGitOptions } from 'simple-git';
import simpleGit from 'simple-git';
import { URL } from 'url';

import {
  addConfigFields,
  addFields,
  cloneFields,
  commitFields,
  logFields,
  pushFields,
  tagFields,
} from './descriptions';

export class Git implements INodeType {
  description: INodeTypeDescription = {
    displayName: 'Git',
    name: 'git',
    icon: 'file:git.svg',
    group: ['transform'],
    version: 1,
    description: 'Control git.',
    defaults: {
      name: 'Git',
    },
    usableAsTool: true,
    inputs: [NodeConnectionTypes.Main],
    outputs: [NodeConnectionTypes.Main],
    credentials: [
      {
        name: 'gitPassword',
        required: true,
        displayOptions: {
          show: {
            authentication: ['gitPassword'],
          },
        },
      },
    ],
    properties: [
      {
        displayName: 'Authentication',
        name: 'authentication',
        type: 'options',
        options: [
          {
            name: 'Authenticate',
            value: 'gitPassword',
          },
          {
            name: 'None',
            value: 'none',
          },
        ],
        displayOptions: {
          show: {
            operation: ['clone', 'push'],
          },
        },
        default: 'none',
        description: 'The way to authenticate',
      },
      {
        displayName: 'Operation',
        name: 'operation',
        type: 'options',
        noDataExpression: true,
        default: 'log',
        options: [
          {
            name: 'Add',
            value: 'add',
            description: 'Add a file or folder to commit',
            action: 'Add a file or folder to commit',
          },
          {
            name: 'Add Config',
            value: 'addConfig',
            description: 'Add configuration property',
            action: 'Add configuration property',
          },
          {
            name: 'Clone',
            value: 'clone',
            description: 'Clone a repository',
            action: 'Clone a repository',
          },
          {
            name: 'Commit',
            value: 'commit',
            description: 'Commit files or folders to git',
            action: 'Commit files or folders to git',
          },
          {
            name: 'Fetch',
            value: 'fetch',
            description: 'Fetch from remote repository',
            action: 'Fetch from remote repository',
          },
          {
            name: 'List Config',
            value: 'listConfig',
            description: 'Return current configuration',
            action: 'Return current configuration',
          },
          {
            name: 'Log',
            value: 'log',
            description: 'Return git commit history',
            action: 'Return git commit history',
          },
          {
            name: 'Pull',
            value: 'pull',
            description: 'Pull from remote repository',
            action: 'Pull from remote repository',
          },
          {
            name: 'Push',
            value: 'push',
            description: 'Push to remote repository',
            action: 'Push to remote repository',
          },
          {
            name: 'Push Tags',
            value: 'pushTags',
            description: 'Push Tags to remote repository',
            action: 'Push tags to remote repository',
          },
          {
            name: 'Status',
            value: 'status',
            description: 'Return status of current repository',
            action: 'Return status of current repository',
          },
          {
            name: 'Tag',
            value: 'tag',
            description: 'Create a new tag',
            action: 'Create a new tag',
          },
          {
            name: 'User Setup',
            value: 'userSetup',
            description: 'Set the user',
            action: 'Set up a user',
          },
        ],
      },
      {
        displayName: 'Repository Path',
        name: 'repositoryPath',
        type: 'string',
        displayOptions: {
          hide: {
            operation: ['clone'],
          },
        },
        default: '',
        placeholder: '/tmp/repository',
        required: true,
        description: 'Local path of the git repository to operate on',
      },
      {
        displayName: 'New Repository Path',
        name: 'repositoryPath',
        type: 'string',
        displayOptions: {
          show: {
            operation: ['clone'],
          },
        },
        default: '',
        placeholder: '/tmp/repository',
        required: true,
        description: 'Local path to which the git repository should be cloned into',
      },
      ...addFields,
      ...addConfigFields,
      ...cloneFields,
      ...commitFields,
      ...logFields,
      ...pushFields,
      ...tagFields,
      // ...userSetupFields,
    ],
  };

  async execute(this: IExecuteFunctions): Promise<INodeExecutionData[][]> {
    const items = this.getInputData();

    const prepareRepository = async (repositoryPath: string): Promise<string> => {
      const authentication = this.getNodeParameter('authentication', 0) as string;

      if (authentication === 'gitPassword') {
        const gitCredentials = await this.getCredentials('gitPassword');

        const url = new URL(repositoryPath);
        url.username = gitCredentials.username as string;
        url.password = gitCredentials.password as string;

        return url.toString();
      }

      return repositoryPath;
    };

    const operation = this.getNodeParameter('operation', 0);
    const returnItems: INodeExecutionData[] = [];

    for (let itemIndex = 0; itemIndex < items.length; itemIndex++) {
      try {
        const repositoryPath = this.getNodeParameter('repositoryPath', itemIndex, '') as string;
        const options = this.getNodeParameter('options', itemIndex, {});

        if (operation === 'clone') {
          // Create repository folder if it does not exist
          try {
            await access(repositoryPath);
          } catch (error) {
            await mkdir(repositoryPath);
          }
        }

        const gitOptions: Partial<SimpleGitOptions> = {
          baseDir: repositoryPath,
        };

        const git: SimpleGit = simpleGit(gitOptions)
          // Tell git not to ask for any information via the terminal like for
          // example the username. As nobody will be able to answer it would
          // n8n keep on waiting forever.
          .env('GIT_TERMINAL_PROMPT', '0');

        if (operation === 'add') {
          // ----------------------------------
          //         add
          // ----------------------------------

          const pathsToAdd = this.getNodeParameter('pathsToAdd', itemIndex, '') as string;

          await git.add(pathsToAdd.split(','));

          returnItems.push({
            json: {
              success: true,
            },
            pairedItem: {
              item: itemIndex,
            },
          });
        } else if (operation === 'addConfig') {
          // ----------------------------------
          //         addConfig
          // ----------------------------------

          const key = this.getNodeParameter('key', itemIndex, '') as string;
          const value = this.getNodeParameter('value', itemIndex, '') as string;
          let append = false;

          if (options.mode === 'append') {
            append = true;
          }

          await git.addConfig(key, value, append);
          returnItems.push({
            json: {
              success: true,
            },
            pairedItem: {
              item: itemIndex,
            },
          });
        } else if (operation === 'clone') {
          // ----------------------------------
          //         clone
          // ----------------------------------

          let sourceRepository = this.getNodeParameter('sourceRepository', itemIndex, '') as string;
          sourceRepository = await prepareRepository(sourceRepository);

          await git.clone(sourceRepository, '.');

          returnItems.push({
            json: {
              success: true,
            },
            pairedItem: {
              item: itemIndex,
            },
          });
        } else if (operation === 'commit') {
          // ----------------------------------
          //         commit
          // ----------------------------------

          const message = this.getNodeParameter('message', itemIndex, '') as string;

          let pathsToAdd: string[] | undefined = undefined;
          if (options.files !== undefined) {
            pathsToAdd = (options.pathsToAdd as string).split(',');
          }

          await git.commit(message, pathsToAdd);

          returnItems.push({
            json: {
              success: true,
            },
            pairedItem: {
              item: itemIndex,
            },
          });
        } else if (operation === 'fetch') {
          // ----------------------------------
          //         fetch
          // ----------------------------------

          await git.fetch();
          returnItems.push({
            json: {
              success: true,
            },
            pairedItem: {
              item: itemIndex,
            },
          });
        } else if (operation === 'log') {
          // ----------------------------------
          //         log
          // ----------------------------------

          const logOptions: LogOptions = {};

          const returnAll = this.getNodeParameter('returnAll', itemIndex, false);
          if (!returnAll) {
            logOptions.maxCount = this.getNodeParameter('limit', itemIndex, 100);
          }
          if (options.file) {
            logOptions.file = options.file as string;
          }

          const log = await git.log(logOptions);

          returnItems.push(
            // @ts-ignore
            ...this.helpers.returnJsonArray(log.all).map((item) => {
              return {
                ...item,
                pairedItem: { item: itemIndex },
              };
            }),
          );
        } else if (operation === 'pull') {
          // ----------------------------------
          //         pull
          // ----------------------------------

          await git.pull();
          returnItems.push({
            json: {
              success: true,
            },
            pairedItem: {
              item: itemIndex,
            },
          });
        } else if (operation === 'push') {
          // ----------------------------------
          //         push
          // ----------------------------------

          if (options.repository) {
            const targetRepository = await prepareRepository(options.targetRepository as string);
            await git.push(targetRepository);
          } else {
            const authentication = this.getNodeParameter('authentication', 0) as string;
            if (authentication === 'gitPassword') {
              // Try to get remote repository path from git repository itself to add
              // authentication data
              const config = await git.listConfig();
              let targetRepository;
              for (const fileName of Object.keys(config.values)) {
                if (config.values[fileName]['remote.origin.url']) {
                  targetRepository = config.values[fileName]['remote.origin.url'];
                  break;
                }
              }

              targetRepository = await prepareRepository(targetRepository as string);
              await git.push(targetRepository);
            } else {
              await git.push();
            }
          }

          returnItems.push({
            json: {
              success: true,
            },
            pairedItem: {
              item: itemIndex,
            },
          });
        } else if (operation === 'pushTags') {
          // ----------------------------------
          //         pushTags
          // ----------------------------------

          await git.pushTags();
          returnItems.push({
            json: {
              success: true,
            },
            pairedItem: {
              item: itemIndex,
            },
          });
        } else if (operation === 'listConfig') {
          // ----------------------------------
          //         listConfig
          // ----------------------------------

          const config = await git.listConfig();

          const data = [];
          for (const fileName of Object.keys(config.values)) {
            data.push({
              _file: fileName,
              ...config.values[fileName],
            });
          }

          returnItems.push(
            ...this.helpers.returnJsonArray(data).map((item) => {
              return {
                ...item,
                pairedItem: { item: itemIndex },
              };
            }),
          );
        } else if (operation === 'status') {
          // ----------------------------------
          //         status
          // ----------------------------------

          const status = await git.status();

          returnItems.push(
            // @ts-ignore
            ...this.helpers.returnJsonArray([status]).map((item) => {
              return {
                ...item,
                pairedItem: { item: itemIndex },
              };
            }),
          );
        } else if (operation === 'tag') {
          // ----------------------------------
          //         tag
          // ----------------------------------

          const name = this.getNodeParameter('name', itemIndex, '') as string;

          await git.addTag(name);
          returnItems.push({
            json: {
              success: true,
            },
            pairedItem: {
              item: itemIndex,
            },
          });
        }
      } catch (error) {
        if (this.continueOnFail()) {
          returnItems.push({
            json: {
              error: error.toString(),
            },
            pairedItem: {
              item: itemIndex,
            },
          });
          continue;
        }

        throw error;
      }
    }

    return [returnItems];
  }
}
```
Next, let's walk through the vulnerability step by step.
First, we need to find where the Git command is invoked in the code. In Node.js, system commands are usually executed through the child_process module or a wrapper library such as execa, so we look for code along the lines of execa('git', ...).
The logic of Git.node.ts is roughly as follows:

This is a Git node. Its job is to take the user's input (an operation such as fetch or pull) and invoke the system's underlying git command.

```typescript
const git: SimpleGit = simpleGit(gitOptions)
  // Tell git not to ask for any information via the terminal like for
  // example the username. As nobody will be able to answer it would
  // n8n keep on waiting forever.
  .env('GIT_TERMINAL_PROMPT', '0');
```
Look closely at this snippet. It sets exactly one environment variable, GIT_TERMINAL_PROMPT; it sets neither GIT_SSH_COMMAND nor GIT_SSH. Because GIT_SSH_COMMAND is not set, the underlying simple-git library (through the git it spawns) ends up reading the .git/config file on disk. If an attacker can write malicious configuration into .git/config (that is the work of another node, but this node does nothing to stop it), the code here acts on it.

When execution reaches this line, it invokes the system git. System git reads the configuration the attacker tainted and decides to run ssh, but the ssh the attacker configured is really a malicious script. The end result is that the Node.js process (n8n) executes a system command: remote code execution.
Back to the definition of gitOptions:

```typescript
baseDir: repositoryPath, // user-supplied path
```
repositoryPath is user-controlled, and this code has no hook or validation step that checks whether the .git/config in that directory contains a dangerous sshCommand directive.
The chain is: the attacker uses the File node to write the malicious config -> the Git node is pointed at that path -> the Git node blindly runs fetch -> the system executes the malicious command from sshCommand.
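As an added example (not code from n8n or simple-git), the following TypeScript audits a repository's .git/config for the core.sshCommand override described above and shows the environment a hardened node could pass through simpleGit(...).env() so that the repo-local value no longer matters; the parser, the sample config and the placeholder script path are all constructed here.

```typescript
// Added example (not code from n8n or simple-git): audit a repository-local
// .git/config for the key the Git node ends up trusting, and build the env
// that makes that key irrelevant to the spawned git process.
interface GitConfigEntry { key: string; value: string; }

// Minimal parser for git's INI-style config: "[section]" or "[section "sub"]"
// headers followed by "name = value" lines. Keys come back as section.sub.name
// with section and name lower-cased, as git does. Limitation: "#" or ";" inside
// a quoted value is treated as a comment.
function parseGitConfig(text: string): GitConfigEntry[] {
  const entries: GitConfigEntry[] = [];
  let section = '';
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.replace(/[#;].*$/, '').trim();
    if (line === '') continue;
    const header = line.match(/^\[([^\s"\]]+)(?:\s+"([^"]*)")?\]$/);
    if (header) {
      section = header[1].toLowerCase() + (header[2] !== undefined ? `.${header[2]}` : '');
      continue;
    }
    const kv = line.match(/^([A-Za-z][\w-]*)\s*=\s*(.*)$/);
    if (kv && section !== '') {
      entries.push({ key: `${section}.${kv[1].toLowerCase()}`, value: kv[2] });
    }
  }
  return entries;
}

// Keys whose value git runs as a program. The chain in the write-up relies on
// core.sshCommand; extend the set for your own deployment.
const COMMAND_KEYS = new Set(['core.sshcommand']);

function findCommandOverrides(configText: string): GitConfigEntry[] {
  return parseGitConfig(configText).filter((e) => COMMAND_KEYS.has(e.key));
}

// Environment to pass through simpleGit(...).env(). Git gives an explicit
// GIT_SSH_COMMAND precedence over core.sshCommand from any config file, so a
// tainted .git/config can no longer pick the program used for ssh.
function hardenedGitEnv(): Record<string, string> {
  return { GIT_TERMINAL_PROMPT: '0', GIT_SSH_COMMAND: 'ssh' };
}

// Constructed sample of a tainted repo config (placeholder path, no payload).
const CONSTRUCTED_TAINTED_CONFIG = `[core]
    repositoryformatversion = 0
    sshCommand = /path/to/untrusted-script
[remote "origin"]
    url = git@example.invalid:org/repo.git
`;
```

Running findCommandOverrides over a repository's .git/config before the node calls fetch, pull or push gives a cheap detection signal; pinning GIT_SSH_COMMAND is the mitigation that removes the trust in that file altogether.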
Vulnerability fix

The fix adds a new configuration item named blockFilePatterns.
This setting is part of the global security configuration, which means every node that reads or writes files (ReadFile, WriteFile, Execute Command and so on) is forced to check the target path against this blocklist before executing. Whether the attacker tries to read .git/config or write .git/hooks/pre-push, the regular expression matches; on a match the system throws an error or refuses the operation, breaking the chain.
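As an added illustration in TypeScript, not n8n's own implementation of blockFilePatterns, here is what such a pre-access path check looks like when it normalizes the path before matching; the pattern list, function names and sample paths are assumptions made for this example.

```typescript
import * as path from 'path';

// Added example, not n8n's implementation: a path blocklist in the spirit of
// the blockFilePatterns fix described above. The pattern list and names used
// here are constructed; the real project's may differ.
const DEFAULT_BLOCK_PATTERNS: RegExp[] = [
  // a path segment that is exactly ".git", so ".gitignore" is still allowed
  /(^|\/)\.git(\/|$)/,
];

// Resolve the path first so "../" tricks cannot dodge a textual match, then
// return the first matching pattern, or null when the path is allowed.
// Caveat: path.resolve does not follow symlinks; a production check should
// realpath the nearest existing ancestor before matching.
function matchBlockedPattern(
  candidate: string,
  patterns: RegExp[] = DEFAULT_BLOCK_PATTERNS,
): RegExp | null {
  const normalized = path.resolve(candidate).split(path.sep).join('/');
  for (const pattern of patterns) {
    if (pattern.test(normalized)) return pattern;
  }
  return null;
}

// Gate for a file read/write node: refuse the operation instead of touching
// a blocked path, and hand back the normalized path on success.
function assertPathAllowed(candidate: string, patterns?: RegExp[]): string {
  const hit = matchBlockedPattern(candidate, patterns);
  if (hit !== null) {
    throw new Error(`Access to ${candidate} is blocked by pattern ${hit}`);
  }
  return path.resolve(candidate);
}

// Constructed paths covering the two targets named in the write-up plus a
// traversal variant and two paths that must stay allowed.
const SAMPLE_VERDICTS = {
  config: matchBlockedPattern('/tmp/repository/.git/config') !== null, // true
  hook: matchBlockedPattern('/tmp/repository/.git/hooks/pre-push') !== null, // true
  traversal: matchBlockedPattern('/tmp/repository/src/../.git/config') !== null, // true
  readme: matchBlockedPattern('/tmp/repository/README.md') !== null, // false
  gitignore: matchBlockedPattern('/tmp/repository/.gitignore') !== null, // false
};
```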