prevent fs write helper from re-resolving

mfsiega · mfsiega · commit 2e752b41ea2b · 2025-12-05T16:59:51.000+01:00
diff --git a/packages/core/src/execution-engine/node-execution-context/utils/__tests__/file-system-helper-functions.test.ts b/packages/core/src/execution-engine/node-execution-context/utils/__tests__/file-system-helper-functions.test.ts
@@ -1,7 +1,7 @@
 import { SecurityConfig } from '@n8n/config';
 import { Container } from '@n8n/di';
 import type { INode } from 'n8n-workflow';
-import { createReadStream } from 'node:fs';
+import { constants, createReadStream } from 'node:fs';
 import { access as fsAccess, realpath as fsRealpath } from 'node:fs/promises';
 import { join } from 'node:path';
 
@@ -304,7 +304,7 @@ describe('getFileSystemHelperFunctions', () => {
 				helperFunctions.writeContentToFile(
 					await helperFunctions.resolvePath(instanceSettings.n8nFolder + '/test.txt'),
 					'content',
-					'w',
+					constants.O_WRONLY | constants.O_CREAT | constants.O_TRUNC,
 				),
 			).rejects.toThrow('not writable');
 		});
diff --git a/packages/core/src/execution-engine/node-execution-context/utils/file-system-helper-functions.ts b/packages/core/src/execution-engine/node-execution-context/utils/file-system-helper-functions.ts
@@ -36,7 +36,7 @@ const getAllowedPaths = () => {
 	return allowedPaths;
 };
 
-const resolvePath = async (path: PathLike): Promise<ResolvedFilePath> => {
+async function resolvePath(path: PathLike): Promise<ResolvedFilePath> {
 	try {
 		return (await fsRealpath(path)) as ResolvedFilePath; // apply brand, since we know it's resolved now
 	} catch (error: unknown) {
@@ -45,7 +45,7 @@ const resolvePath = async (path: PathLike): Promise<ResolvedFilePath> => {
 		}
 		throw error;
 	}
-};
+}
 
 function isFilePathBlocked(resolvedFilePath: ResolvedFilePath): boolean {
 	const allowedPaths = getAllowedPaths();
@@ -98,11 +98,10 @@ export const getFileSystemHelperFunctions = (node: INode): FileSystemHelperFunct
 			stream.once('error', (error) => {
 				if ((error as NodeJS.ErrnoException).code === 'ELOOP') {
 					reject(
-						new NodeOperationError(
-							node,
-							`The file "${String(resolvedFilePath)}" could not be opened.`,
-							{ level: 'warning' },
-						),
+						new NodeOperationError(node, error, {
+							level: 'warning',
+							description: 'Symlinks are not allowed.',
+						}),
 					);
 				} else {
 					reject(error);
@@ -126,7 +125,10 @@ export const getFileSystemHelperFunctions = (node: INode): FileSystemHelperFunct
 				},
 			);
 		}
-		return await fsWriteFile(resolvedFilePath, content, { encoding: 'binary', flag });
+		return await fsWriteFile(resolvedFilePath, content, {
+			encoding: 'binary',
+			flag: (flag ?? 0) | constants.O_NOFOLLOW,
+		});
 	},
 	resolvePath,
 	isFilePathBlocked,
diff --git a/packages/nodes-base/nodes/Files/ReadWriteFile/actions/write.operation.ts b/packages/nodes-base/nodes/Files/ReadWriteFile/actions/write.operation.ts
@@ -10,6 +10,7 @@ import type { Readable } from 'stream';
 import { updateDisplayOptions } from '@utils/utilities';
 
 import { errorMapper } from '../helpers/utils';
+import { constants } from 'node:fs';
 
 export const properties: INodeProperties[] = [
 	{
@@ -68,7 +69,9 @@ export async function execute(this: IExecuteFunctions, items: INodeExecutionData
 			const dataPropertyName = this.getNodeParameter('dataPropertyName', itemIndex);
 			fileName = this.getNodeParameter('fileName', itemIndex) as string;
 			const options = this.getNodeParameter('options', itemIndex, {});
-			const flag: string = options.append ? 'a' : 'w';
+			const flag: number = options.append
+				? constants.O_APPEND
+				: constants.O_WRONLY | constants.O_CREAT | constants.O_TRUNC;
 
 			item = items[itemIndex];
 
diff --git a/packages/nodes-base/nodes/WriteBinaryFile/WriteBinaryFile.node.ts b/packages/nodes-base/nodes/WriteBinaryFile/WriteBinaryFile.node.ts
@@ -5,6 +5,7 @@ import type {
 	INodeType,
 	INodeTypeDescription,
 } from 'n8n-workflow';
+import { constants } from 'node:fs';
 import type { Readable } from 'stream';
 
 export class WriteBinaryFile implements INodeType {
@@ -75,7 +76,9 @@ export class WriteBinaryFile implements INodeType {
 
 				const options = this.getNodeParameter('options', 0, {});
 
-				const flag: string = options.append ? 'a' : 'w';
+				const flag: number = options.append
+					? constants.O_APPEND
+					: constants.O_WRONLY | constants.O_CREAT | constants.O_TRUNC;
 
 				item = items[itemIndex];
 
diff --git a/packages/workflow/src/interfaces.ts b/packages/workflow/src/interfaces.ts
@@ -694,7 +694,7 @@ export interface BaseHelperFunctions {
 	returnJsonArray(jsonData: IDataObject | IDataObject[]): INodeExecutionData[];
 }
 
-const __brand = Symbol('brand');
+const __brand = Symbol('resolvedFilePath');
 
 export type ResolvedFilePath = string & {
 	[__brand]: 'ResolvedFilePath';
@@ -708,7 +708,7 @@ export interface FileSystemHelperFunctions {
 	writeContentToFile(
 		path: ResolvedFilePath,
 		content: string | Buffer | Readable,
-		flag?: string,
+		flag?: number,
 	): Promise<void>;
 }
 

Original file line number	Diff line number	Diff line change
`@@ -694,7 +694,7 @@ export interface BaseHelperFunctions {`
`694`	`694`	`returnJsonArray(jsonData: IDataObject \| IDataObject[]): INodeExecutionData[];`
`695`	`695`	`}`
`696`	`696`
`697`		`-const __brand = Symbol('brand');`
	`697`	`+const __brand = Symbol('resolvedFilePath');`
`698`	`698`
`699`	`699`	`export type ResolvedFilePath = string & {`
`700`	`700`	`[__brand]: 'ResolvedFilePath';`
`@@ -708,7 +708,7 @@ export interface FileSystemHelperFunctions {`
`708`	`708`	`writeContentToFile(`
`709`	`709`	`path: ResolvedFilePath,`
`710`	`710`	`content: string \| Buffer \| Readable,`
`711`		`- flag?: string,`
	`711`	`+ flag?: number,`
`712`	`712`	`): Promise<void>;`
`713`	`713`	`}`
`714`	`714`