fix(core): Set default for allowed file access dirs

Author: ivov

packages/@n8n/config/src/configs/security.config.ts

@@ -3,18 +3,19 @@ import { Config, Env } from '../decorators';
 @Config
 export class SecurityConfig {
 	/**
-	 * Which directories to limit n8n's access to. Separate multiple dirs with semicolon `;`.
+	 * Dirs that the `ReadWriteFile` and `ReadBinaryFiles` nodes are allowed to access. Separate multiple dirs with semicolon `;`.
+	 * Set to an empty string to disable restrictions (insecure, not recommended for production).
 	 *
-	 * @example N8N_RESTRICT_FILE_ACCESS_TO=/home/user/.n8n;/home/user/n8n-data
+	 * @example N8N_RESTRICT_FILE_ACCESS_TO=/home/john/my-n8n-files
 	 */
 	@Env('N8N_RESTRICT_FILE_ACCESS_TO')
-	restrictFileAccessTo: string = '';
+	restrictFileAccessTo: string = '~/.n8n-files';
 
 	/**
-	 * Whether to block access to all files at:
-	 * - the ".n8n" directory,
-	 * - the static cache dir at ~/.cache/n8n/public, and
-	 * - user-defined config files.
+	 * Whether to block users from accessing files at dirs internally used by n8n:
+	 * - `~/.n8n`
+	 * - `~/.cache/n8n/public`
+	 * - any dirs specified by `N8N_CONFIG_FILES`, `N8N_CUSTOM_EXTENSIONS`, `N8N_BINARY_DATA_STORAGE_PATH`, `N8N_UM_EMAIL_TEMPLATES_INVITE`, and `UM_EMAIL_TEMPLATES_PWRESET`.
 	 */
 	@Env('N8N_BLOCK_FILE_ACCESS_TO_N8N_FILES')
 	blockFileAccessToN8nFiles: boolean = true;

packages/@n8n/config/test/config.test.ts

@@ -317,7 +317,7 @@ describe('GlobalConfig', () => {
 			cert: '',
 		},
 		security: {
-			restrictFileAccessTo: '',
+			restrictFileAccessTo: '~/.n8n-files',
 			blockFileAccessToN8nFiles: true,
 			daysAbandonedWorkflow: 90,
 			contentSecurityPolicy: '{}',

packages/core/src/execution-engine/node-execution-context/utils/file-system-helper-functions.ts

@@ -1,4 +1,5 @@
 import { isContainedWithin, safeJoinPath } from '@n8n/backend-common';
+import { SecurityConfig } from '@n8n/config';
 import { Container } from '@n8n/di';
 import type { FileSystemHelperFunctions, INode } from 'n8n-workflow';
 import { NodeOperationError } from 'n8n-workflow';
@@ -8,28 +9,29 @@ import {
 	writeFile as fsWriteFile,
 	realpath as fsRealpath,
 } from 'node:fs/promises';
+import { homedir } from 'node:os';
 import { resolve } from 'node:path';
 
 import {
 	BINARY_DATA_STORAGE_PATH,
 	BLOCK_FILE_ACCESS_TO_N8N_FILES,
 	CONFIG_FILES,
 	CUSTOM_EXTENSION_ENV,
-	RESTRICT_FILE_ACCESS_TO,
 	UM_EMAIL_TEMPLATES_INVITE,
 	UM_EMAIL_TEMPLATES_PWRESET,
 } from '@/constants';
 import { InstanceSettings } from '@/instance-settings';
 
 const getAllowedPaths = () => {
-	const restrictFileAccessTo = process.env[RESTRICT_FILE_ACCESS_TO];
-	if (!restrictFileAccessTo) {
-		return [];
-	}
+	const { restrictFileAccessTo } = Container.get(SecurityConfig);
+	if (restrictFileAccessTo === '') return [];
+
 	const allowedPaths = restrictFileAccessTo
 		.split(';')
 		.map((path) => path.trim())
-		.filter((path) => path);
+		.filter((path) => path)
+		.map((path) => (path.startsWith('~') ? path.replace('~', homedir()) : path));
+
 	return allowedPaths;
 };