Settings directory locked against tool access
Computer-use tools can no longer access or modify the gateway settings directory, preventing self-configuration tampering through filesystem operations or shell commands.
The gateway settings directory is now protected from computer-use tools. Filesystem read, filesystem write, and shell command tools are blocked from accessing ~/.n8n-gateway/ at multiple enforcement layers — permission checks, path resolution, and sandbox configuration. This prevents tools from modifying their own configuration, which could otherwise allow privilege escalation or configuration bypass. The protection also accounts for symlink-based path traversal attempts.
Additionally, shell commands that exit with non-zero status codes are now correctly marked as errors in tool results. Previously, failed shell commands returned success indicators despite abnormal termination.
These changes apply to the n8n computer-use package, hardening the tool execution environment for workflows that involve AI-driven automation.
View Original GitHub Description
Summary
Prevents computer-use tools (filesystem read/write and sandboxed shell) from accessing the gateway settings directory (~/.n8n-gateway/). Adds isProtectedSettingsPath check at the permission layer (GatewaySession.check), the filesystem utility layer (buildFilesystemResource with symlink defense), and the sandbox configuration (denyRead/denyWrite).
Also marks shell commands with non-zero exit codes as isError: true in tool results.
Related Linear tickets, Github issues, and Community forum posts
https://linear.app/n8n/issue/NODE-4815
Review / Merge checklist
- PR title and summary are descriptive. (conventions)
- Docs updated or follow-up ticket created.
- Tests included.
- PR Labeled with
release/backport(if the PR is an urgent fix that needs to be backported) - I have seen this code, I have run this code, and I take responsibility for this code.