From 879d204bdbefa064868dd540e66512f5d497fd91 Mon Sep 17 00:00:00 2001
From: RomanDavydchuk <roman.davydchuk@n8n.io>
Date: Wed, 18 Jun 2025 11:48:05 +0300
Subject: [PATCH] fix(Execute Sub-workflow Node): Don't expose the file contens
 when reading the workflow from a file and it's not valid JSON (#16416)

---
 .../ExecuteWorkflow/GenericFunctions.test.ts  | 30 +++++++++++++++++++
 .../ExecuteWorkflow/GenericFunctions.ts       |  4 ++-
 2 files changed, 33 insertions(+), 1 deletion(-)
 create mode 100644 packages/nodes-base/nodes/ExecuteWorkflow/ExecuteWorkflow/GenericFunctions.test.ts

diff --git a/packages/nodes-base/nodes/ExecuteWorkflow/ExecuteWorkflow/GenericFunctions.test.ts b/packages/nodes-base/nodes/ExecuteWorkflow/ExecuteWorkflow/GenericFunctions.test.ts
new file mode 100644
index 00000000000..2cfbfb8429a
--- /dev/null
+++ b/packages/nodes-base/nodes/ExecuteWorkflow/ExecuteWorkflow/GenericFunctions.test.ts
@@ -0,0 +1,30 @@
+import { mockDeep, type DeepMockProxy } from 'jest-mock-extended';
+import type { IExecuteFunctions, ILoadOptionsFunctions, INode } from 'n8n-workflow';
+
+import { getWorkflowInfo } from './GenericFunctions';
+
+jest.mock('fs/promises', () => ({
+	readFile: jest.fn().mockResolvedValue('sensitive data'),
+}));
+
+describe('ExecuteWorkflow node - GenericFunctions', () => {
+	let executeFunctionsMock: DeepMockProxy<ILoadOptionsFunctions | IExecuteFunctions>;
+
+	beforeEach(() => {
+		jest.clearAllMocks();
+		executeFunctionsMock = mockDeep<ILoadOptionsFunctions | IExecuteFunctions>();
+	});
+
+	describe('getWorkflowInfo', () => {
+		it('should throw an error without the file content when source is localFile and the file is not json', async () => {
+			executeFunctionsMock.getNode.mockReturnValue({
+				typeVersion: 1,
+			} as INode);
+			executeFunctionsMock.getNodeParameter.mockReturnValue('path/to/file');
+
+			await expect(getWorkflowInfo.call(executeFunctionsMock, 'localFile', 0)).rejects.toThrow(
+				'The file content is not valid JSON',
+			);
+		});
+	});
+});
diff --git a/packages/nodes-base/nodes/ExecuteWorkflow/ExecuteWorkflow/GenericFunctions.ts b/packages/nodes-base/nodes/ExecuteWorkflow/ExecuteWorkflow/GenericFunctions.ts
index 450a268dfa1..7ce2c867e27 100644
--- a/packages/nodes-base/nodes/ExecuteWorkflow/ExecuteWorkflow/GenericFunctions.ts
+++ b/packages/nodes-base/nodes/ExecuteWorkflow/ExecuteWorkflow/GenericFunctions.ts
@@ -45,7 +45,9 @@ export async function getWorkflowInfo(
 			throw error;
 		}
 
-		workflowInfo.code = jsonParse(workflowJson);
+		workflowInfo.code = jsonParse(workflowJson, {
+			errorMessage: 'The file content is not valid JSON', // pass a custom error message to not expose the file contents
+		});
 	} else if (source === 'parameter') {
 		// Read workflow from parameter
 		const workflowJson = this.getNodeParameter('workflowJson', itemIndex) as string;