fix(core): Stronger allowed path enforcement for read/write Node

[mfsiega]

Summary

Related Linear tickets, Github issues, and Community forum posts

Review / Merge checklist

• PR title and summary are descriptive. (conventions)
• Docs updated or follow-up ticket created.
• Tests included.
• PR Labeled with release/backport (if the PR is an urgent fix that needs to be backported)

[cubic-dev-ai]

1 issue found across 2 files

Prompt for AI agents (all issues)

Check if these issues are valid — if so, understand the root cause of each and fix them.


<file name="packages/core/src/execution-engine/node-execution-context/utils/file-system-helper-functions.ts">

<violation number="1" location="packages/core/src/execution-engine/node-execution-context/utils/file-system-helper-functions.ts:133">
P1: File handle resource leak: If `fileHandle.stat()` throws or the identity check fails, the opened file handle is never closed. Unlike `writeContentToFile` which uses try/finally, this function lacks cleanup for the error path. Add `await fileHandle.close()` before throwing or wrap in try/catch.</violation>
</file>

_{Reply to cubic to teach it or ask questions. Re-run a review with @cubic-dev-ai review this PR}

[cubic-dev-ai]

P1: File handle resource leak: If fileHandle.stat() throws or the identity check fails, the opened file handle is never closed. Unlike writeContentToFile which uses try/finally, this function lacks cleanup for the error path. Add await fileHandle.close() before throwing or wrap in try/catch.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At packages/core/src/execution-engine/node-execution-context/utils/file-system-helper-functions.ts, line 133:

<comment>File handle resource leak: If `fileHandle.stat()` throws or the identity check fails, the opened file handle is never closed. Unlike `writeContentToFile` which uses try/finally, this function lacks cleanup for the error path. Add `await fileHandle.close()` before throwing or wrap in try/catch.</comment>

<file context>
@@ -108,34 +112,59 @@ export const getFileSystemHelperFunctions = (node: INode): FileSystemHelperFunct
+		// Verify that the handle we&#39;ve opened is the same as the path we checked earlier.
+		// This ensures nothing has changed between checking and reading.
+		const fileHandleIdentity = await fileHandle.stat();
+		if (
+			fileHandleIdentity.dev !== pathIdentity.dev ||
+			fileHandleIdentity.ino !== pathIdentity.ino
</file context>

[codecov]

❌ 3 Tests Failed:

Tests completed	Failed	Passed	Skipped
16398	3	16395	0

View the top 3 failed test(s) by shortest run time

Test Write Binary File Node nodes/WriteBinaryFile/test/WriteBinaryFile.workflow.json

Stack Traces | 0.174s run time

Error: Custom message:
  Equality failed for ".../WriteBinaryFile/test/WriteBinaryFile.workflow.json" at node "Write Binary File"

expect(received).toEqual(expected) // deep equality

- Expected  - 17
+ Received  +  1

  Array [
-   Array [
-     Object {
-       "binary": Object {
-         "data": Object {
-           "data": ".../AABEIAB8AOwMBEgACEQEDEQH/xAAfAAABBQEBAQEBAQAAAAAAAAAAAQIDBAUGBwgJCgv/xAC1EAACAQMDAgQDBQUEBAAAAX0BAgMABBEFEiExQQYTUWEHInEUMoGRoQgjQrHBFVLR8CQzYnKCCQoWFxgZGiUmJygpKjQ1Njc4OTpDREVGR0hJSlNUVVZXWFlaY2RlZmdoaWpzdHV2d3h5eoOEhYaHiImKkpOUlZaXmJmaoqOkpaanqKmqsrO0tba3uLm6wsPExcbHyMnK0tPU1dbX2Nna4eLj5OXm5+jp6vHy8/T19vf4+fr/xAAfAQADAQEBAQEBAQEBAAAAAAAAAQIDBAUGBwgJCgv/xAC1EQACAQIEBAMEBwUEBAABAncAAQIDEQQFITEGEkFRB2FxEyIygQgUQpGhscEJIzNS8BVictEKFiQ04SXxFxgZGiYnKCkqNTY3ODk6Q0RFRkdISUpTVFVWV1hZWmNkZWZnaGlqc3R1dnd4eXqCg4SFhoeIiYqSk5SVlpeYmZqio6Slpqeoqaqys7S1tre4ubrCw8TFxsfIycrS09TV1tfY2dri4+Tl5ufo6ery8/T19vf4+.../2gAMAwEAAhEDEQA/AOgqgrXF2zNHJ5aKcD3oNPZ23di/VKG82bkuTh1OMgdaAdOSLtZ6G5ut0iSeWoOAKAdO27NCqUN8oQrcHDqccDrQDpyRNPdRwEKcsx7CobIebPLORwThc0inGMF724jagNpxG4OOM1dIDAgjIPBpkqUOxnR2pmh85pW3nJB9KkNi4yqTssZ6rSNXNX0ehHFfusYDLuI7+tXY4I40ChQcdzQRKcL7Fb7PcQO32cqUY5we1XqZPtH11KsFoFDGYK7sckkZxVqgTnJlEQXMBZYGUoTkZ7VeoH7RvcqwWaIh80K7k5JIq1QJzkyhbMtvdSxMdqnlc1amgjmx5i5I70inNSVpFdrmaWRltkBVerHvUW57B2AUNGxyOaC+VW9xXLVrcGbcjrtkXqKZZxvveeTAL9APSgiooq1ty3RTMj//2Q==",
-           "fileExtension": "jpg",
-           "fileName": "image.jpg",
-           "fileSize": "1.04 kB",
-           "fileType": "image",
-           "mimeType": "image/jpeg",
-         },
-       },
-       "json": Object {
-         "fileName": ".../tmp/n8n-IbbnbC/image-written.jpg",
-       },
-     },
-   ],
+   null,
  ]
    at .../core/nodes-testing/node-test-harness.ts:346:28
    at Array.forEach (<anonymous>)
    at NodeTestHarness.assertOutput (.../core/nodes-testing/node-test-harness.ts:308:18)
    at Object.<anonymous> (.../core/nodes-testing/node-test-harness.ts:85:9)

Test Crypto Node nodes/Crypto/test/CryptoTest.workflow

Stack Traces | 0.27s run time

Error: Data for node "Crypto Hash Binary Data" is missing!
    at .../core/nodes-testing/node-test-harness.ts:260:11
    at Array.map (<anonymous>)
    at NodeTestHarness.getResultNodeData (.../core/nodes-testing/node-test-harness.ts:250:48)
    at NodeTestHarness.assertOutput (.../core/nodes-testing/node-test-harness.ts:307:31)
    at Object.<anonymous> (.../core/nodes-testing/node-test-harness.ts:85:9)

Test ReadWriteFile Node nodes/Files/ReadWriteFile/test/ReadWriteFile.workflow.json

Stack Traces | 0.398s run time

Error: Custom message:
  Equality failed for ".../ReadWriteFile/test/ReadWriteFile.workflow.json" at node "Write to Disk"

expect(received).toEqual(expected) // deep equality

- Expected  - 21
+ Received  +  1

  Array [
-   Array [
-     Object {
-       "binary": Object {
-         "data": Object {
-           "data": ".../AABEIAB8AOwMBEgACEQEDEQH/xAAfAAABBQEBAQEBAQAAAAAAAAAAAQIDBAUGBwgJCgv/xAC1EAACAQMDAgQDBQUEBAAAAX0BAgMABBEFEiExQQYTUWEHInEUMoGRoQgjQrHBFVLR8CQzYnKCCQoWFxgZGiUmJygpKjQ1Njc4OTpDREVGR0hJSlNUVVZXWFlaY2RlZmdoaWpzdHV2d3h5eoOEhYaHiImKkpOUlZaXmJmaoqOkpaanqKmqsrO0tba3uLm6wsPExcbHyMnK0tPU1dbX2Nna4eLj5OXm5+jp6vHy8/T19vf4+fr/xAAfAQADAQEBAQEBAQEBAAAAAAAAAQIDBAUGBwgJCgv/xAC1EQACAQIEBAMEBwUEBAABAncAAQIDEQQFITEGEkFRB2FxEyIygQgUQpGhscEJIzNS8BVictEKFiQ04SXxFxgZGiYnKCkqNTY3ODk6Q0RFRkdISUpTVFVWV1hZWmNkZWZnaGlqc3R1dnd4eXqCg4SFhoeIiYqSk5SVlpeYmZqio6Slpqeoqaqys7S1tre4ubrCw8TFxsfIycrS09TV1tfY2dri4+Tl5ufo6ery8/T19vf4+.../2gAMAwEAAhEDEQA/AOgqgrXF2zNHJ5aKcD3oNPZ23di/VKG82bkuTh1OMgdaAdOSLtZ6G5ut0iSeWoOAKAdO27NCqUN8oQrcHDqccDrQDpyRNPdRwEKcsx7CobIebPLORwThc0inGMF724jagNpxG4OOM1dIDAgjIPBpkqUOxnR2pmh85pW3nJB9KkNi4yqTssZ6rSNXNX0ehHFfusYDLuI7+tXY4I40ChQcdzQRKcL7Fb7PcQO32cqUY5we1XqZPtH11KsFoFDGYK7sckkZxVqgTnJlEQXMBZYGUoTkZ7VeoH7RvcqwWaIh80K7k5JIq1QJzkyhbMtvdSxMdqnlc1amgjmx5i5I70inNSVpFdrmaWRltkBVerHvUW57B2AUNGxyOaC+VW9xXLVrcGbcjrtkXqKZZxvveeTAL9APSgiooq1ty3RTMj//2Q==",
-           "fileExtension": "jpg",
-           "fileName": "image.jpg",
-           "fileSize": "1.04 kB",
-           "fileType": "image",
-           "mimeType": "image/jpeg",
-         },
-       },
-       "json": Object {
-         "fileExtension": "jpg",
-         "fileName": ".../tmp/n8n-8MtOrx/image-written.jpg",
-         "fileSize": "1.04 kB",
-         "fileType": "image",
-         "mimeType": "image/jpeg",
-       },
-     },
-   ],
+   null,
  ]
    at .../core/nodes-testing/node-test-harness.ts:346:28
    at Array.forEach (<anonymous>)
    at NodeTestHarness.assertOutput (.../core/nodes-testing/node-test-harness.ts:308:18)
    at Object.<anonymous> (.../core/nodes-testing/node-test-harness.ts:85:9)

To view more test analytics, go to the Test Analytics Dashboard
_{📋 Got 3 mins? Take this short survey to help us improve Test Analytics.}

[blacksmith-sh]

Found 5 test failures on Blacksmith runners:

Failures

Test	View Logs
Test Crypto Node/Test Crypto Node nodes/Crypto/test/CryptoTest.workflow	View Logs
Test ReadWriteFile Node/Test ReadWriteFile Node nodes/Files/ReadWriteFile/test/ ReadWriteFile.workflow.json	View Logs
Test Write Binary File Node/Test Write Binary File Node nodes/WriteBinaryFile/test/ WriteBinaryFile.workflow.json	View Logs
tests/e2e/ai/langchain-vectorstores.spec.ts/ Langchain Integration @capability:proxy › Advanced Workflow Features › should render ru nItems for sub-nodes and allow switching between them	View Logs
tests/e2e/workflows/executions/list.spec.ts/ Executions Filter › should keep popover open when selecting from dropdown inside it	View Logs

[blacksmith-sh]

Found 3 test failures on Blacksmith runners:

Failures

Test	View Logs
Test Crypto Node/Test Crypto Node nodes/Crypto/test/CryptoTest.workflow	View Logs
Test ReadWriteFile Node/Test ReadWriteFile Node nodes/Files/ReadWriteFile/test/ ReadWriteFile.workflow.json	View Logs
Test Write Binary File Node/Test Write Binary File Node nodes/WriteBinaryFile/test/ WriteBinaryFile.workflow.json	View Logs

[currents-bot]

❌

E2E Tests: n8n tests failed after 9m 32.9s

🟢 570 · 🔴 2 · ⚪️ 26 · 🟣 4

View Run Details

Run Details

• Project: n8n

• Groups: 2

• Framework: Playwright

• Run Status: Failed

• Commit: dc955f9

• Spec files: 135

• Overall tests: 629

• Duration: 9m 32.9s

• Parallelization: 15

Failed Spec Files

Spec File	Failures
tests/e2e/ai/langchain-vectorstores.spec.ts	1
tests/e2e/workflows/executions/list.spec.ts	1

Groups

GroupId	Results	Spec Files Progress
multi-main:e2e	🟢 513 · 🔴 2 · ⚪️ 26 · 🟣 4	121 / 126
multi-main:e2e:isolated	🟢 57 · 🔴 0 · ⚪️ 0	9 / 9

---

This message was posted automatically by currents.dev | Integration Settings