fix: address security issues and improve Docker implementation
Security Fixes: - Add command injection prevention in n8n-mcp wrapper with whitelist validation - Fix race condition in database initialization with proper lock directory creation - Add flock availability check with fallback behavior - Implement comprehensive input sanitization in parse-config.js Improvements: - Add debug logging support to parse-config.js (DEBUG_CONFIG=true) - Improve test cleanup error handling with proper error tracking - Increase integration test timeouts for CI compatibility - Update test assertions to check environment variables instead of processes All critical security vulnerabilities identified by code review have been addressed. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
czlonkowski
@@ -8,7 +8,17 @@
|
||||
|
||||
const fs = require('fs');
|
||||
|
||||
// Debug logging support
|
||||
const DEBUG = process.env.DEBUG_CONFIG === 'true';
|
||||
|
||||
function debugLog(message) {
|
||||
if (DEBUG) {
|
||||
process.stderr.write(`[parse-config] ${message}\n`);
|
||||
}
|
||||
}
|
||||
|
||||
const configPath = process.argv[2] || '/app/config.json';
|
||||
debugLog(`Using config path: ${configPath}`);
|
||||
|
||||
// Dangerous environment variables that should never be set
|
||||
const DANGEROUS_VARS = new Set([
|
||||
@@ -55,6 +65,7 @@ function shellQuote(str) {
|
||||
|
||||
try {
|
||||
if (!fs.existsSync(configPath)) {
|
||||
debugLog(`Config file not found at: ${configPath}`);
|
||||
process.exit(0); // Silent exit if no config file
|
||||
}
|
||||
|
||||
@@ -63,15 +74,19 @@ try {
|
||||
|
||||
try {
|
||||
configContent = fs.readFileSync(configPath, 'utf8');
|
||||
debugLog(`Read config file, size: ${configContent.length} bytes`);
|
||||
} catch (readError) {
|
||||
// Silent exit on read errors
|
||||
debugLog(`Error reading config: ${readError.message}`);
|
||||
process.exit(0);
|
||||
}
|
||||
|
||||
try {
|
||||
config = JSON.parse(configContent);
|
||||
debugLog(`Parsed config with ${Object.keys(config).length} top-level keys`);
|
||||
} catch (parseError) {
|
||||
// Silent exit on invalid JSON
|
||||
debugLog(`Error parsing JSON: ${parseError.message}`);
|
||||
process.exit(0);
|
||||
}
|
||||
|
||||
@@ -95,6 +110,7 @@ try {
|
||||
|
||||
// Skip if sanitization resulted in EMPTY_KEY (indicating invalid key)
|
||||
if (sanitizedKey === 'EMPTY_KEY') {
|
||||
debugLog(`Skipping key '${key}': invalid key name`);
|
||||
continue;
|
||||
}
|
||||
|
||||
@@ -102,6 +118,7 @@ try {
|
||||
|
||||
// Skip if key is too long
|
||||
if (envKey.length > 255) {
|
||||
debugLog(`Skipping key '${envKey}': too long (${envKey.length} chars)`);
|
||||
continue;
|
||||
}
|
||||
|
||||
@@ -149,6 +166,7 @@ try {
|
||||
|
||||
// Skip dangerous variables
|
||||
if (DANGEROUS_VARS.has(key) || key.startsWith('BASH_FUNC_')) {
|
||||
debugLog(`Warning: Ignoring dangerous variable: ${key}`);
|
||||
process.stderr.write(`Warning: Ignoring dangerous variable: ${key}\n`);
|
||||
continue;
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user