fix(providers): inject n8n sessions into custom bodies#9527
fix(providers): inject n8n sessions into custom bodies#9527mldangelo-oai wants to merge 2 commits into
Conversation
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 3f76cdf150
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| } | ||
|
|
||
| const sessionField = this.config.sessionField || 'sessionId'; | ||
| return body[sessionField] === undefined ? { ...body, [sessionField]: sessionId } : body; |
There was a problem hiding this comment.
When a string body template renders/parses to a JSON array or other non-object JSON value and vars.sessionId is set, this helper now treats it as an object because only strings are excluded. The spread then converts arrays into objects like {"0": ..., "sessionId": ...}, corrupting payloads that were previously sent as arrays; injection should be limited to plain object bodies.
Useful? React with 👍 / 👎.
![promptfoo-scanner[bot]](https://avatars.githubusercontent.com/in/2172945?s=60&v=4){kind=small}
There was a problem hiding this comment.
👍 All Clear
I reviewed the n8n provider changes that add a helper to inject a session identifier into request bodies across default and custom body paths. The update centralizes prior logic without expanding capabilities or changing prompt handling semantics. Based on the diff, there are no new LLM security risks such as prompt injection, data exfiltration, secrets-in-prompts, insecure output handling, excessive agency, or jailbreak issues.
Minimum severity threshold: 🟡 Medium | To re-scan after changes, comment @promptfoo-scanner
Learn more
…n-session-field-custom-body-20260529
1 participant
Summary
Root cause
The n8n provider only added
sessionFieldto its default body. Custom object and JSON-object templates silently omitted the supplied session ID unless users manually repeated{{sessionId}}in the template.Validation
npx vitest run test/providers/n8n.test.ts --sequence.shuffle=falsenpm run fnpm run lBase issue
npm run tsccurrently fails on unchangedmainfixtures undertest/providers/anthropic/andtest/providers/claude-agent-sdk.test.tsbecauseoutput_tokens_detailsis not present in the installedUsagetype. This PR does not touch those files or types.