fix: address critical security issues in template metadata

- Fix SQL injection vulnerability in template-repository.ts - Use proper parameterization with SQLite concatenation operator - Escape JSON strings correctly for LIKE queries - Prevent malicious SQL through filter parameters - Add input sanitization for OpenAI API calls - Sanitize template names and descriptions before sending to API - Remove control characters and prompt injection patterns - Limit input length to prevent token abuse - Lower temperature to 0.3 for consistent structured outputs - Add comprehensive test coverage - 100+ new tests for metadata functionality - Security-focused tests for SQL injection prevention - Integration tests with real database operations Co-Authored-By: Claude <noreply@anthropic.com>
2026-02-06 05:23:08 +00:00 · 2025-09-15 00:51:41 +02:00
parent 1e586c0b23
commit c18c4e7584
9 changed files with 2257 additions and 21 deletions
--- a/tests/unit/mcp/tools.test.ts
+++ b/tests/unit/mcp/tools.test.ts
@@ -371,8 +371,109 @@ describe('n8nDocumentationToolsFinal', () => {
      });
    });

+    describe('search_templates_by_metadata', () => {
+      const tool = n8nDocumentationToolsFinal.find(t => t.name === 'search_templates_by_metadata');
+
+      it('should exist in the tools array', () => {
+        expect(tool).toBeDefined();
+        expect(tool?.name).toBe('search_templates_by_metadata');
+      });
+
+      it('should have proper description', () => {
+        expect(tool?.description).toContain('Search templates by AI-generated metadata');
+        expect(tool?.description).toContain('category');
+        expect(tool?.description).toContain('complexity');
+      });
+
+      it('should have correct input schema structure', () => {
+        expect(tool?.inputSchema.type).toBe('object');
+        expect(tool?.inputSchema.properties).toBeDefined();
+        expect(tool?.inputSchema.required).toBeUndefined(); // All parameters are optional
+      });
+
+      it('should have category parameter with proper schema', () => {
+        const categoryProp = tool?.inputSchema.properties?.category;
+        expect(categoryProp).toBeDefined();
+        expect(categoryProp.type).toBe('string');
+        expect(categoryProp.description).toContain('category');
+      });
+
+      it('should have complexity parameter with enum values', () => {
+        const complexityProp = tool?.inputSchema.properties?.complexity;
+        expect(complexityProp).toBeDefined();
+        expect(complexityProp.enum).toEqual(['simple', 'medium', 'complex']);
+        expect(complexityProp.description).toContain('complexity');
+      });
+
+      it('should have time-based parameters with numeric constraints', () => {
+        const maxTimeProp = tool?.inputSchema.properties?.maxSetupMinutes;
+        const minTimeProp = tool?.inputSchema.properties?.minSetupMinutes;
+        
+        expect(maxTimeProp).toBeDefined();
+        expect(maxTimeProp.type).toBe('number');
+        expect(maxTimeProp.maximum).toBe(480);
+        expect(maxTimeProp.minimum).toBe(5);
+        
+        expect(minTimeProp).toBeDefined();
+        expect(minTimeProp.type).toBe('number');
+        expect(minTimeProp.maximum).toBe(480);
+        expect(minTimeProp.minimum).toBe(5);
+      });
+
+      it('should have service and audience parameters', () => {
+        const serviceProp = tool?.inputSchema.properties?.requiredService;
+        const audienceProp = tool?.inputSchema.properties?.targetAudience;
+        
+        expect(serviceProp).toBeDefined();
+        expect(serviceProp.type).toBe('string');
+        expect(serviceProp.description).toContain('service');
+        
+        expect(audienceProp).toBeDefined();
+        expect(audienceProp.type).toBe('string');
+        expect(audienceProp.description).toContain('audience');
+      });
+
+      it('should have pagination parameters', () => {
+        const limitProp = tool?.inputSchema.properties?.limit;
+        const offsetProp = tool?.inputSchema.properties?.offset;
+        
+        expect(limitProp).toBeDefined();
+        expect(limitProp.type).toBe('number');
+        expect(limitProp.default).toBe(20);
+        expect(limitProp.maximum).toBe(100);
+        expect(limitProp.minimum).toBe(1);
+        
+        expect(offsetProp).toBeDefined();
+        expect(offsetProp.type).toBe('number');
+        expect(offsetProp.default).toBe(0);
+        expect(offsetProp.minimum).toBe(0);
+      });
+
+      it('should include all expected properties', () => {
+        const properties = Object.keys(tool?.inputSchema.properties || {});
+        const expectedProperties = [
+          'category',
+          'complexity', 
+          'maxSetupMinutes',
+          'minSetupMinutes',
+          'requiredService',
+          'targetAudience',
+          'limit',
+          'offset'
+        ];
+        
+        expectedProperties.forEach(prop => {
+          expect(properties).toContain(prop);
+        });
+      });
+
+      it('should have appropriate additionalProperties setting', () => {
+        expect(tool?.inputSchema.additionalProperties).toBe(false);
+      });
+    });
+
    describe('Enhanced pagination support', () => {
-      const paginatedTools = ['list_node_templates', 'search_templates', 'get_templates_for_task'];
+      const paginatedTools = ['list_node_templates', 'search_templates', 'get_templates_for_task', 'search_templates_by_metadata'];

      paginatedTools.forEach(toolName => {
        describe(toolName, () => {