feat: implement security audit fixes - rate limiting and SSRF protection (Issue #265 PR #2)

This commit implements HIGH-02 (Rate Limiting) and HIGH-03 (SSRF Protection) from the security audit, protecting against brute force attacks and Server-Side Request Forgery. Security Enhancements: - Rate limiting: 20 attempts per 15 minutes per IP (configurable) - SSRF protection: Three security modes (strict/moderate/permissive) - DNS rebinding prevention - Cloud metadata blocking in all modes 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2026-02-06 13:33:11 +00:00 · 2025-10-06 15:40:07 +02:00
parent 9a00a99011
commit 06cbb40213
15 changed files with 1041 additions and 13 deletions
--- a/tests/integration/security/rate-limiting.test.ts
+++ b/tests/integration/security/rate-limiting.test.ts
@@ -0,0 +1,142 @@
+import { describe, it, expect, beforeAll, afterAll } from 'vitest';
+import { spawn, ChildProcess } from 'child_process';
+import axios from 'axios';
+
+/**
+ * Integration tests for rate limiting
+ *
+ * SECURITY: These tests verify rate limiting prevents brute force attacks
+ * See: https://github.com/czlonkowski/n8n-mcp/issues/265 (HIGH-02)
+ */
+describe('Integration: Rate Limiting', () => {
+  let serverProcess: ChildProcess;
+  const port = 3001;
+  const authToken = 'test-token-for-rate-limiting-test-32-chars';
+
+  beforeAll(async () => {
+    // Start HTTP server with rate limiting
+    serverProcess = spawn('node', ['dist/http-server-single-session.js'], {
+      env: {
+        ...process.env,
+        MCP_MODE: 'http',
+        PORT: port.toString(),
+        AUTH_TOKEN: authToken,
+        NODE_ENV: 'test',
+        AUTH_RATE_LIMIT_WINDOW: '900000', // 15 minutes
+        AUTH_RATE_LIMIT_MAX: '20', // 20 attempts
+      },
+      stdio: 'pipe',
+    });
+
+    // Wait for server to start
+    await new Promise(resolve => setTimeout(resolve, 3000));
+  }, 15000);
+
+  afterAll(() => {
+    if (serverProcess) {
+      serverProcess.kill();
+    }
+  });
+
+  it('should block after max authentication attempts (sequential requests)', async () => {
+    const baseUrl = `http://localhost:${port}/mcp`;
+
+    // IMPORTANT: Use sequential requests to ensure deterministic order
+    // Parallel requests can cause race conditions with in-memory rate limiter
+    for (let i = 1; i <= 25; i++) {
+      const response = await axios.post(
+        baseUrl,
+        { jsonrpc: '2.0', method: 'initialize', id: i },
+        {
+          headers: { Authorization: 'Bearer wrong-token' },
+          validateStatus: () => true, // Don't throw on error status
+        }
+      );
+
+      if (i <= 20) {
+        // First 20 attempts should be 401 (invalid authentication)
+        expect(response.status).toBe(401);
+        expect(response.data.error.message).toContain('Unauthorized');
+      } else {
+        // Attempts 21+ should be 429 (rate limited)
+        expect(response.status).toBe(429);
+        expect(response.data.error.message).toContain('Too many');
+      }
+    }
+  }, 60000);
+
+  it('should include rate limit headers', async () => {
+    const baseUrl = `http://localhost:${port}/mcp`;
+
+    const response = await axios.post(
+      baseUrl,
+      { jsonrpc: '2.0', method: 'initialize', id: 1 },
+      {
+        headers: { Authorization: 'Bearer wrong-token' },
+        validateStatus: () => true,
+      }
+    );
+
+    // Check for standard rate limit headers
+    expect(response.headers['ratelimit-limit']).toBeDefined();
+    expect(response.headers['ratelimit-remaining']).toBeDefined();
+    expect(response.headers['ratelimit-reset']).toBeDefined();
+  }, 15000);
+
+  it('should accept valid tokens within rate limit', async () => {
+    const baseUrl = `http://localhost:${port}/mcp`;
+
+    const response = await axios.post(
+      baseUrl,
+      {
+        jsonrpc: '2.0',
+        method: 'initialize',
+        params: {
+          protocolVersion: '2024-11-05',
+          capabilities: {},
+          clientInfo: { name: 'test', version: '1.0' },
+        },
+        id: 1,
+      },
+      {
+        headers: { Authorization: `Bearer ${authToken}` },
+      }
+    );
+
+    expect(response.status).toBe(200);
+    expect(response.data.result).toBeDefined();
+  }, 15000);
+
+  it('should return JSON-RPC formatted error on rate limit', async () => {
+    const baseUrl = `http://localhost:${port}/mcp`;
+
+    // Exhaust rate limit
+    for (let i = 0; i < 21; i++) {
+      await axios.post(
+        baseUrl,
+        { jsonrpc: '2.0', method: 'initialize', id: i },
+        {
+          headers: { Authorization: 'Bearer wrong-token' },
+          validateStatus: () => true,
+        }
+      );
+    }
+
+    // Get rate limited response
+    const response = await axios.post(
+      baseUrl,
+      { jsonrpc: '2.0', method: 'initialize', id: 999 },
+      {
+        headers: { Authorization: 'Bearer wrong-token' },
+        validateStatus: () => true,
+      }
+    );
+
+    // Verify JSON-RPC error format
+    expect(response.data).toHaveProperty('jsonrpc', '2.0');
+    expect(response.data).toHaveProperty('error');
+    expect(response.data.error).toHaveProperty('code', -32000);
+    expect(response.data.error).toHaveProperty('message');
+    expect(response.data).toHaveProperty('id', null);
+  }, 60000);
+});