ros/n8n-mcp
1
0
Fork 0
mirror of https://github.com/czlonkowski/n8n-mcp.git synced 2026-02-06 05:23:08 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: address critical security issues in template metadata

Browse Source 
- Fix SQL injection vulnerability in template-repository.ts
  - Use proper parameterization with SQLite concatenation operator
  - Escape JSON strings correctly for LIKE queries
  - Prevent malicious SQL through filter parameters

- Add input sanitization for OpenAI API calls
  - Sanitize template names and descriptions before sending to API
  - Remove control characters and prompt injection patterns
  - Limit input length to prevent token abuse

- Lower temperature to 0.3 for consistent structured outputs

- Add comprehensive test coverage
  - 100+ new tests for metadata functionality
  - Security-focused tests for SQL injection prevention
  - Integration tests with real database operations

Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
czlonkowski
2025-09-15 00:51:41 +02:00
parent 1e586c0b23
commit c18c4e7584
9 changed files with 2257 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files

556
tests/unit/templates/batch-processor.test.ts Normal file
View File

@@ -0,0 +1,556 @@
import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest';
import * as fs from 'fs';
import * as path from 'path';
import { BatchProcessor, BatchProcessorOptions } from '../../../src/templates/batch-processor';
import { MetadataRequest } from '../../../src/templates/metadata-generator';
// Mock fs operations
vi.mock('fs');
const mockedFs = vi.mocked(fs);
// Mock OpenAI
const mockClient = {
files: {
create: vi.fn(),
content: vi.fn(),
del: vi.fn()
},
batches: {
create: vi.fn(),
retrieve: vi.fn()
}
};
vi.mock('openai', () => {
return {
default: vi.fn().mockImplementation(() => mockClient)
};
});
// Mock MetadataGenerator
const mockGenerator = {
createBatchRequest: vi.fn(),
parseResult: vi.fn()
};
class MockMetadataGenerator {
createBatchRequest = mockGenerator.createBatchRequest;
parseResult = mockGenerator.parseResult;
}
vi.mock('../../../src/templates/metadata-generator', () => {
return {
MetadataGenerator: MockMetadataGenerator
};
});
// Mock logger
vi.mock('../../../src/utils/logger', () => ({
logger: {
info: vi.fn(),
warn: vi.fn(),
error: vi.fn(),
debug: vi.fn()
}
}));
describe('BatchProcessor', () => {
let processor: BatchProcessor;
let options: BatchProcessorOptions;
let mockStream: any;
beforeEach(() => {
vi.clearAllMocks();
options = {
apiKey: 'test-api-key',
model: 'gpt-4o-mini',
batchSize: 3,
outputDir: './test-temp'
};
// Mock stream for file writing
mockStream = {
write: vi.fn(),
end: vi.fn(),
on: vi.fn((event, callback) => {
if (event === 'finish') {
setTimeout(callback, 0);
}
})
};
// Mock fs operations
mockedFs.existsSync = vi.fn().mockReturnValue(false);
mockedFs.mkdirSync = vi.fn();
mockedFs.createWriteStream = vi.fn().mockReturnValue(mockStream);
mockedFs.createReadStream = vi.fn().mockReturnValue({});
mockedFs.unlinkSync = vi.fn();
processor = new BatchProcessor(options);
});
afterEach(() => {
vi.restoreAllMocks();
});
describe('constructor', () => {
it('should create output directory if it does not exist', () => {
expect(mockedFs.existsSync).toHaveBeenCalledWith('./test-temp');
expect(mockedFs.mkdirSync).toHaveBeenCalledWith('./test-temp', { recursive: true });
});
it('should not create directory if it already exists', () => {
mockedFs.existsSync = vi.fn().mockReturnValue(true);
mockedFs.mkdirSync = vi.fn();
new BatchProcessor(options);
expect(mockedFs.mkdirSync).not.toHaveBeenCalled();
});
it('should use default options when not provided', () => {
const minimalOptions = { apiKey: 'test-key' };
const proc = new BatchProcessor(minimalOptions);
expect(proc).toBeDefined();
// Default batchSize is 100, outputDir is './temp'
});
});
describe('processTemplates', () => {
const mockTemplates: MetadataRequest[] = [
{ templateId: 1, name: 'Template 1', nodes: ['n8n-nodes-base.webhook'] },
{ templateId: 2, name: 'Template 2', nodes: ['n8n-nodes-base.slack'] },
{ templateId: 3, name: 'Template 3', nodes: ['n8n-nodes-base.httpRequest'] },
{ templateId: 4, name: 'Template 4', nodes: ['n8n-nodes-base.code'] }
];
it('should process templates in batches correctly', async () => {
// Mock file operations
const mockFile = { id: 'file-123' };
mockClient.files.create.mockResolvedValue(mockFile);
// Mock batch job
const mockBatchJob = {
id: 'batch-123',
status: 'completed',
output_file_id: 'output-file-123'
};
mockClient.batches.create.mockResolvedValue(mockBatchJob);
mockClient.batches.retrieve.mockResolvedValue(mockBatchJob);
// Mock results
const mockFileContent = 'result1\nresult2\nresult3';
mockClient.files.content.mockResolvedValue({ text: () => Promise.resolve(mockFileContent) });
const mockParsedResults = [
{ templateId: 1, metadata: { categories: ['automation'] } },
{ templateId: 2, metadata: { categories: ['communication'] } },
{ templateId: 3, metadata: { categories: ['integration'] } }
];
mockGenerator.parseResult.mockReturnValueOnce(mockParsedResults[0])
.mockReturnValueOnce(mockParsedResults[1])
.mockReturnValueOnce(mockParsedResults[2]);
const progressCallback = vi.fn();
const results = await processor.processTemplates(mockTemplates, progressCallback);
// Should create 2 batches (batchSize = 3, templates = 4)
expect(mockClient.batches.create).toHaveBeenCalledTimes(2);
expect(results.size).toBe(3); // 3 successful results
expect(progressCallback).toHaveBeenCalled();
});
it('should handle empty templates array', async () => {
const results = await processor.processTemplates([]);
expect(results.size).toBe(0);
});
it('should handle batch submission errors gracefully', async () => {
mockClient.files.create.mockRejectedValue(new Error('Upload failed'));
const results = await processor.processTemplates([mockTemplates[0]]);
// Should not throw, should return empty results
expect(results.size).toBe(0);
});
it('should handle batch job failures', async () => {
const mockFile = { id: 'file-123' };
mockClient.files.create.mockResolvedValue(mockFile);
const failedBatchJob = {
id: 'batch-123',
status: 'failed'
};
mockClient.batches.create.mockResolvedValue(failedBatchJob);
mockClient.batches.retrieve.mockResolvedValue(failedBatchJob);
const results = await processor.processTemplates([mockTemplates[0]]);
expect(results.size).toBe(0);
});
});
describe('createBatchFile', () => {
it('should create JSONL file with correct format', async () => {
const templates: MetadataRequest[] = [
{ templateId: 1, name: 'Test', nodes: ['node1'] },
{ templateId: 2, name: 'Test2', nodes: ['node2'] }
];
const mockRequest = { custom_id: 'template-1', method: 'POST' };
mockGenerator.createBatchRequest.mockReturnValue(mockRequest);
// Access private method through type assertion
const filename = await (processor as any).createBatchFile(templates, 'test_batch');
expect(mockStream.write).toHaveBeenCalledTimes(2);
expect(mockStream.write).toHaveBeenCalledWith(JSON.stringify(mockRequest) + '\n');
expect(mockStream.end).toHaveBeenCalled();
expect(filename).toContain('test_batch');
});
it('should handle stream errors', async () => {
const templates: MetadataRequest[] = [
{ templateId: 1, name: 'Test', nodes: ['node1'] }
];
// Mock stream error
mockStream.on = vi.fn((event, callback) => {
if (event === 'error') {
setTimeout(() => callback(new Error('Stream error')), 0);
}
});
await expect(
(processor as any).createBatchFile(templates, 'error_batch')
).rejects.toThrow('Stream error');
});
});
describe('uploadFile', () => {
it('should upload file to OpenAI', async () => {
const mockFile = { id: 'uploaded-file-123' };
mockClient.files.create.mockResolvedValue(mockFile);
const result = await (processor as any).uploadFile('/path/to/file.jsonl');
expect(mockClient.files.create).toHaveBeenCalledWith({
file: expect.any(Object),
purpose: 'batch'
});
expect(result).toEqual(mockFile);
});
it('should handle upload errors', async () => {
mockClient.files.create.mockRejectedValue(new Error('Upload failed'));
await expect(
(processor as any).uploadFile('/path/to/file.jsonl')
).rejects.toThrow('Upload failed');
});
});
describe('createBatchJob', () => {
it('should create batch job with correct parameters', async () => {
const mockBatchJob = { id: 'batch-123' };
mockClient.batches.create.mockResolvedValue(mockBatchJob);
const result = await (processor as any).createBatchJob('file-123');
expect(mockClient.batches.create).toHaveBeenCalledWith({
input_file_id: 'file-123',
endpoint: '/v1/chat/completions',
completion_window: '24h'
});
expect(result).toEqual(mockBatchJob);
});
it('should handle batch creation errors', async () => {
mockClient.batches.create.mockRejectedValue(new Error('Batch creation failed'));
await expect(
(processor as any).createBatchJob('file-123')
).rejects.toThrow('Batch creation failed');
});
});
describe('monitorBatchJob', () => {
it('should monitor job until completion', async () => {
const completedJob = { id: 'batch-123', status: 'completed' };
mockClient.batches.retrieve.mockResolvedValue(completedJob);
const result = await (processor as any).monitorBatchJob('batch-123');
expect(mockClient.batches.retrieve).toHaveBeenCalledWith('batch-123');
expect(result).toEqual(completedJob);
});
it('should handle status progression', async () => {
const jobs = [
{ id: 'batch-123', status: 'validating' },
{ id: 'batch-123', status: 'in_progress' },
{ id: 'batch-123', status: 'finalizing' },
{ id: 'batch-123', status: 'completed' }
];
mockClient.batches.retrieve.mockImplementation(() => {
return Promise.resolve(jobs.shift() || jobs[jobs.length - 1]);
});
// Mock sleep to speed up test
const originalSleep = (processor as any).sleep;
(processor as any).sleep = vi.fn().mockResolvedValue(undefined);
const result = await (processor as any).monitorBatchJob('batch-123');
expect(result.status).toBe('completed');
expect(mockClient.batches.retrieve).toHaveBeenCalledTimes(4);
// Restore original sleep method
(processor as any).sleep = originalSleep;
});
it('should throw error for failed jobs', async () => {
const failedJob = { id: 'batch-123', status: 'failed' };
mockClient.batches.retrieve.mockResolvedValue(failedJob);
await expect(
(processor as any).monitorBatchJob('batch-123')
).rejects.toThrow('Batch job failed with status: failed');
});
it('should handle expired jobs', async () => {
const expiredJob = { id: 'batch-123', status: 'expired' };
mockClient.batches.retrieve.mockResolvedValue(expiredJob);
await expect(
(processor as any).monitorBatchJob('batch-123')
).rejects.toThrow('Batch job failed with status: expired');
});
it('should handle cancelled jobs', async () => {
const cancelledJob = { id: 'batch-123', status: 'cancelled' };
mockClient.batches.retrieve.mockResolvedValue(cancelledJob);
await expect(
(processor as any).monitorBatchJob('batch-123')
).rejects.toThrow('Batch job failed with status: cancelled');
});
it('should timeout after max attempts', async () => {
const inProgressJob = { id: 'batch-123', status: 'in_progress' };
mockClient.batches.retrieve.mockResolvedValue(inProgressJob);
// Mock sleep to speed up test
(processor as any).sleep = vi.fn().mockResolvedValue(undefined);
await expect(
(processor as any).monitorBatchJob('batch-123')
).rejects.toThrow('Batch job monitoring timed out');
});
});
describe('retrieveResults', () => {
it('should download and parse results correctly', async () => {
const batchJob = { output_file_id: 'output-123' };
const fileContent = '{"custom_id": "template-1"}\n{"custom_id": "template-2"}';
mockClient.files.content.mockResolvedValue({
text: () => Promise.resolve(fileContent)
});
const mockResults = [
{ templateId: 1, metadata: { categories: ['test'] } },
{ templateId: 2, metadata: { categories: ['test2'] } }
];
mockGenerator.parseResult.mockReturnValueOnce(mockResults[0])
.mockReturnValueOnce(mockResults[1]);
const results = await (processor as any).retrieveResults(batchJob);
expect(mockClient.files.content).toHaveBeenCalledWith('output-123');
expect(mockGenerator.parseResult).toHaveBeenCalledTimes(2);
expect(results).toHaveLength(2);
});
it('should throw error when no output file available', async () => {
const batchJob = { output_file_id: null };
await expect(
(processor as any).retrieveResults(batchJob)
).rejects.toThrow('No output file available for batch job');
});
it('should handle malformed result lines gracefully', async () => {
const batchJob = { output_file_id: 'output-123' };
const fileContent = '{"valid": "json"}\ninvalid json line\n{"another": "valid"}';
mockClient.files.content.mockResolvedValue({
text: () => Promise.resolve(fileContent)
});
const mockValidResult = { templateId: 1, metadata: { categories: ['test'] } };
mockGenerator.parseResult.mockReturnValue(mockValidResult);
const results = await (processor as any).retrieveResults(batchJob);
// Should parse valid lines and skip invalid ones
expect(results).toHaveLength(2);
expect(mockGenerator.parseResult).toHaveBeenCalledTimes(2);
});
it('should handle file download errors', async () => {
const batchJob = { output_file_id: 'output-123' };
mockClient.files.content.mockRejectedValue(new Error('Download failed'));
await expect(
(processor as any).retrieveResults(batchJob)
).rejects.toThrow('Download failed');
});
});
describe('cleanup', () => {
it('should clean up all files successfully', async () => {
await (processor as any).cleanup('local-file.jsonl', 'input-123', 'output-456');
expect(mockedFs.unlinkSync).toHaveBeenCalledWith('local-file.jsonl');
expect(mockClient.files.del).toHaveBeenCalledWith('input-123');
expect(mockClient.files.del).toHaveBeenCalledWith('output-456');
});
it('should handle local file deletion errors gracefully', async () => {
mockedFs.unlinkSync = vi.fn().mockImplementation(() => {
throw new Error('File not found');
});
// Should not throw error
await expect(
(processor as any).cleanup('nonexistent.jsonl', 'input-123')
).resolves.toBeUndefined();
});
it('should handle OpenAI file deletion errors gracefully', async () => {
mockClient.files.del.mockRejectedValue(new Error('Delete failed'));
// Should not throw error
await expect(
(processor as any).cleanup('local-file.jsonl', 'input-123', 'output-456')
).resolves.toBeUndefined();
});
it('should work without output file ID', async () => {
await (processor as any).cleanup('local-file.jsonl', 'input-123');
expect(mockedFs.unlinkSync).toHaveBeenCalledWith('local-file.jsonl');
expect(mockClient.files.del).toHaveBeenCalledWith('input-123');
expect(mockClient.files.del).toHaveBeenCalledTimes(1); // Only input file
});
});
describe('createBatches', () => {
it('should split templates into correct batch sizes', () => {
const templates: MetadataRequest[] = [
{ templateId: 1, name: 'T1', nodes: [] },
{ templateId: 2, name: 'T2', nodes: [] },
{ templateId: 3, name: 'T3', nodes: [] },
{ templateId: 4, name: 'T4', nodes: [] },
{ templateId: 5, name: 'T5', nodes: [] }
];
const batches = (processor as any).createBatches(templates);
expect(batches).toHaveLength(2); // 3 + 2 templates
expect(batches[0]).toHaveLength(3);
expect(batches[1]).toHaveLength(2);
});
it('should handle single template correctly', () => {
const templates = [{ templateId: 1, name: 'T1', nodes: [] }];
const batches = (processor as any).createBatches(templates);
expect(batches).toHaveLength(1);
expect(batches[0]).toHaveLength(1);
});
it('should handle empty templates array', () => {
const batches = (processor as any).createBatches([]);
expect(batches).toHaveLength(0);
});
});
describe('file system security', () => {
it('should sanitize file paths to prevent directory traversal', async () => {
// Test with malicious batch name
const maliciousBatchName = '../../../etc/passwd';
const templates = [{ templateId: 1, name: 'Test', nodes: [] }];
await (processor as any).createBatchFile(templates, maliciousBatchName);
// Should create file in the designated output directory, not escape it
const writtenPath = mockedFs.createWriteStream.mock.calls[0][0];
expect(writtenPath).toMatch(/^\.\/test-temp\//);
expect(writtenPath).not.toContain('../');
});
it('should handle very long file names gracefully', async () => {
const longBatchName = 'a'.repeat(300); // Very long name
const templates = [{ templateId: 1, name: 'Test', nodes: [] }];
await expect(
(processor as any).createBatchFile(templates, longBatchName)
).resolves.toBeDefined();
});
});
describe('memory management', () => {
it('should clean up files even on processing errors', async () => {
const templates = [{ templateId: 1, name: 'Test', nodes: [] }];
// Mock file upload to fail
mockClient.files.create.mockRejectedValue(new Error('Upload failed'));
const submitBatch = (processor as any).submitBatch.bind(processor);
await expect(
submitBatch(templates, 'error_test')
).rejects.toThrow('Upload failed');
// File should still be cleaned up
expect(mockedFs.unlinkSync).toHaveBeenCalled();
});
it('should handle concurrent batch processing correctly', async () => {
const templates = Array.from({ length: 10 }, (_, i) => ({
templateId: i + 1,
name: `Template ${i + 1}`,
nodes: ['node']
}));
// Mock successful processing
mockClient.files.create.mockResolvedValue({ id: 'file-123' });
const completedJob = {
id: 'batch-123',
status: 'completed',
output_file_id: 'output-123'
};
mockClient.batches.create.mockResolvedValue(completedJob);
mockClient.batches.retrieve.mockResolvedValue(completedJob);
mockClient.files.content.mockResolvedValue({
text: () => Promise.resolve('{"custom_id": "template-1"}')
});
mockGenerator.parseResult.mockReturnValue({
templateId: 1,
metadata: { categories: ['test'] }
});
const results = await processor.processTemplates(templates);
expect(results.size).toBeGreaterThan(0);
expect(mockClient.batches.create).toHaveBeenCalled();
});
});
});

268
tests/unit/templates/metadata-generator.test.ts
View File

@@ -200,4 +200,272 @@ describe('MetadataGenerator', () => {
expect(result.success).toBe(false);
});
});
describe('Input Sanitization and Security', () => {
it('should handle malicious template names safely', () => {
const maliciousTemplate: MetadataRequest = {
templateId: 123,
name: '<script>alert("xss")</script>',
description: 'javascript:alert(1)',
nodes: ['n8n-nodes-base.webhook']
};
const request = generator.createBatchRequest(maliciousTemplate);
const userMessage = request.body.messages[1].content;
// Should contain the malicious content as-is (OpenAI will handle it)
// but should not cause any injection in our code
expect(userMessage).toContain('<script>alert("xss")</script>');
expect(userMessage).toContain('javascript:alert(1)');
expect(request.body.model).toBe('gpt-4o-mini');
});
it('should handle extremely long template names', () => {
const longName = 'A'.repeat(10000); // Very long name
const template: MetadataRequest = {
templateId: 456,
name: longName,
nodes: ['n8n-nodes-base.webhook']
};
const request = generator.createBatchRequest(template);
expect(request.custom_id).toBe('template-456');
expect(request.body.messages[1].content).toContain(longName);
});
it('should handle special characters in node names', () => {
const template: MetadataRequest = {
templateId: 789,
name: 'Test Workflow',
nodes: [
'n8n-nodes-base.webhook',
'@n8n/custom-node.with.dots',
'custom-package/node-with-slashes',
'node_with_underscore',
'node-with-unicode-名前'
]
};
const request = generator.createBatchRequest(template);
const userMessage = request.body.messages[1].content;
expect(userMessage).toContain('HTTP/Webhooks');
expect(userMessage).toContain('custom-node.with.dots');
});
it('should handle empty or undefined descriptions safely', () => {
const template: MetadataRequest = {
templateId: 100,
name: 'Test',
description: undefined,
nodes: ['n8n-nodes-base.webhook']
};
const request = generator.createBatchRequest(template);
const userMessage = request.body.messages[1].content;
// Should not include undefined or null in the message
expect(userMessage).not.toContain('undefined');
expect(userMessage).not.toContain('null');
expect(userMessage).toContain('Test');
});
it('should limit context size for very large workflows', () => {
const manyNodes = Array.from({ length: 1000 }, (_, i) => `n8n-nodes-base.node${i}`);
const template: MetadataRequest = {
templateId: 200,
name: 'Huge Workflow',
nodes: manyNodes,
workflow: {
nodes: Array.from({ length: 500 }, (_, i) => ({ id: `node${i}` })),
connections: {}
}
};
const request = generator.createBatchRequest(template);
const userMessage = request.body.messages[1].content;
// Should handle large amounts of data gracefully
expect(userMessage.length).toBeLessThan(50000); // Reasonable limit
expect(userMessage).toContain('Huge Workflow');
});
});
describe('Error Handling and Edge Cases', () => {
it('should handle malformed OpenAI responses', () => {
const malformedResults = [
{
custom_id: 'template-111',
response: {
body: {
choices: [{
message: {
content: '{"invalid": json syntax}'
},
finish_reason: 'stop'
}]
}
}
},
{
custom_id: 'template-222',
response: {
body: {
choices: [{
message: {
content: null
},
finish_reason: 'stop'
}]
}
}
},
{
custom_id: 'template-333',
response: {
body: {
choices: []
}
}
}
];
malformedResults.forEach(result => {
const parsed = generator.parseResult(result);
expect(parsed.error).toBeDefined();
expect(parsed.metadata).toBeDefined();
expect(parsed.metadata.complexity).toBe('medium'); // Default metadata
});
});
it('should handle Zod validation failures', () => {
const invalidResponse = {
custom_id: 'template-444',
response: {
body: {
choices: [{
message: {
content: JSON.stringify({
categories: ['too', 'many', 'categories', 'here', 'way', 'too', 'many'],
complexity: 'invalid-complexity',
use_cases: [],
estimated_setup_minutes: -5, // Invalid negative time
required_services: 'not-an-array',
key_features: null,
target_audience: ['too', 'many', 'audiences', 'here']
})
},
finish_reason: 'stop'
}]
}
}
};
const result = generator.parseResult(invalidResponse);
expect(result.templateId).toBe(444);
expect(result.error).toBeDefined();
expect(result.metadata).toEqual(generator['getDefaultMetadata']());
});
it('should handle network timeouts gracefully in generateSingle', async () => {
// Mock OpenAI to simulate timeout
const mockClient = generator['client'];
const originalCreate = mockClient.chat.completions.create;
mockClient.chat.completions.create = vi.fn().mockRejectedValue(
new Error('Request timed out')
);
const template: MetadataRequest = {
templateId: 555,
name: 'Timeout Test',
nodes: ['n8n-nodes-base.webhook']
};
const result = await generator.generateSingle(template);
// Should return default metadata instead of throwing
expect(result).toEqual(generator['getDefaultMetadata']());
// Restore original method
mockClient.chat.completions.create = originalCreate;
});
});
describe('Node Summarization Logic', () => {
it('should group similar nodes correctly', () => {
const template: MetadataRequest = {
templateId: 666,
name: 'Complex Workflow',
nodes: [
'n8n-nodes-base.webhook',
'n8n-nodes-base.httpRequest',
'n8n-nodes-base.postgres',
'n8n-nodes-base.mysql',
'n8n-nodes-base.slack',
'n8n-nodes-base.gmail',
'@n8n/n8n-nodes-langchain.openAi',
'@n8n/n8n-nodes-langchain.agent',
'n8n-nodes-base.googleSheets',
'n8n-nodes-base.excel'
]
};
const request = generator.createBatchRequest(template);
const userMessage = request.body.messages[1].content;
expect(userMessage).toContain('HTTP/Webhooks (2)');
expect(userMessage).toContain('Database (2)');
expect(userMessage).toContain('Communication (2)');
expect(userMessage).toContain('AI/ML (2)');
expect(userMessage).toContain('Spreadsheets (2)');
});
it('should handle unknown node types gracefully', () => {
const template: MetadataRequest = {
templateId: 777,
name: 'Unknown Nodes',
nodes: [
'custom-package.unknownNode',
'another-package.weirdNodeType',
'someNodeTrigger',
'anotherNode'
]
};
const request = generator.createBatchRequest(template);
const userMessage = request.body.messages[1].content;
// Should handle unknown nodes without crashing
expect(userMessage).toContain('unknownNode');
expect(userMessage).toContain('weirdNodeType');
expect(userMessage).toContain('someNode'); // Trigger suffix removed
});
it('should limit node summary length', () => {
const manyNodes = Array.from({ length: 50 }, (_, i) =>
`n8n-nodes-base.customNode${i}`
);
const template: MetadataRequest = {
templateId: 888,
name: 'Many Nodes',
nodes: manyNodes
};
const request = generator.createBatchRequest(template);
const userMessage = request.body.messages[1].content;
// Should limit to top 10 groups
const summaryLine = userMessage.split('\n').find(line =>
line.includes('Nodes Used (50)')
);
expect(summaryLine).toBeDefined();
const nodeGroups = summaryLine!.split(': ')[1].split(', ');
expect(nodeGroups.length).toBeLessThanOrEqual(10);
});
});
});

532
tests/unit/templates/template-repository-security.test.ts Normal file
View File

@@ -0,0 +1,532 @@
import { describe, it, expect, beforeEach, vi } from 'vitest';
import { TemplateRepository } from '../../../src/templates/template-repository';
import { DatabaseAdapter, PreparedStatement, RunResult } from '../../../src/database/database-adapter';
// Mock logger
vi.mock('../../../src/utils/logger', () => ({
logger: {
info: vi.fn(),
warn: vi.fn(),
error: vi.fn(),
debug: vi.fn()
}
}));
// Mock template sanitizer
vi.mock('../../../src/utils/template-sanitizer', () => {
class MockTemplateSanitizer {
sanitizeWorkflow = vi.fn((workflow) => ({ sanitized: workflow, wasModified: false }));
detectTokens = vi.fn(() => []);
}
return {
TemplateSanitizer: MockTemplateSanitizer
};
});
// Create mock database adapter
class MockDatabaseAdapter implements DatabaseAdapter {
private statements = new Map<string, MockPreparedStatement>();
private execCalls: string[] = [];
private _fts5Support = true;
prepare = vi.fn((sql: string) => {
if (!this.statements.has(sql)) {
this.statements.set(sql, new MockPreparedStatement(sql));
}
return this.statements.get(sql)!;
});
exec = vi.fn((sql: string) => {
this.execCalls.push(sql);
});
close = vi.fn();
pragma = vi.fn();
transaction = vi.fn((fn: () => any) => fn());
checkFTS5Support = vi.fn(() => this._fts5Support);
inTransaction = false;
// Test helpers
_setFTS5Support(supported: boolean) {
this._fts5Support = supported;
}
_getStatement(sql: string) {
return this.statements.get(sql);
}
_getExecCalls() {
return this.execCalls;
}
_clearExecCalls() {
this.execCalls = [];
}
}
class MockPreparedStatement implements PreparedStatement {
public mockResults: any[] = [];
public capturedParams: any[][] = [];
run = vi.fn((...params: any[]): RunResult => {
this.capturedParams.push(params);
return { changes: 1, lastInsertRowid: 1 };
});
get = vi.fn((...params: any[]) => {
this.capturedParams.push(params);
return this.mockResults[0] || null;
});
all = vi.fn((...params: any[]) => {
this.capturedParams.push(params);
return this.mockResults;
});
iterate = vi.fn();
pluck = vi.fn(() => this);
expand = vi.fn(() => this);
raw = vi.fn(() => this);
columns = vi.fn(() => []);
bind = vi.fn(() => this);
constructor(private sql: string) {}
// Test helpers
_setMockResults(results: any[]) {
this.mockResults = results;
}
_getCapturedParams() {
return this.capturedParams;
}
}
describe('TemplateRepository - Security Tests', () => {
let repository: TemplateRepository;
let mockAdapter: MockDatabaseAdapter;
beforeEach(() => {
vi.clearAllMocks();
mockAdapter = new MockDatabaseAdapter();
repository = new TemplateRepository(mockAdapter);
});
describe('SQL Injection Prevention', () => {
describe('searchTemplatesByMetadata', () => {
it('should prevent SQL injection in category parameter', () => {
const maliciousCategory = "'; DROP TABLE templates; --";
const stmt = new MockPreparedStatement('');
stmt._setMockResults([]);
mockAdapter.prepare = vi.fn().mockReturnValue(stmt);
repository.searchTemplatesByMetadata({
category: maliciousCategory,
limit: 10,
offset: 0
});
// Should use parameterized queries, not inject SQL
const capturedParams = stmt._getCapturedParams();
expect(capturedParams.length).toBeGreaterThan(0);
expect(capturedParams[0]).toContain(`%"${maliciousCategory}"%`);
// Verify the SQL doesn't contain the malicious content directly
const prepareCall = mockAdapter.prepare.mock.calls[0][0];
expect(prepareCall).not.toContain('DROP TABLE');
expect(prepareCall).toContain('json_extract(metadata_json, \'$.categories\') LIKE ?');
});
it('should prevent SQL injection in requiredService parameter', () => {
const maliciousService = "'; UNION SELECT * FROM sqlite_master; --";
const stmt = new MockPreparedStatement('');
stmt._setMockResults([]);
mockAdapter.prepare = vi.fn().mockReturnValue(stmt);
repository.searchTemplatesByMetadata({
requiredService: maliciousService,
limit: 10,
offset: 0
});
const capturedParams = stmt._getCapturedParams();
expect(capturedParams[0]).toContain(`%"${maliciousService}"%`);
const prepareCall = mockAdapter.prepare.mock.calls[0][0];
expect(prepareCall).not.toContain('UNION SELECT');
expect(prepareCall).toContain('json_extract(metadata_json, \'$.required_services\') LIKE ?');
});
it('should prevent SQL injection in targetAudience parameter', () => {
const maliciousAudience = "administrators'; DELETE FROM templates WHERE '1'='1";
const stmt = new MockPreparedStatement('');
stmt._setMockResults([]);
mockAdapter.prepare = vi.fn().mockReturnValue(stmt);
repository.searchTemplatesByMetadata({
targetAudience: maliciousAudience,
limit: 10,
offset: 0
});
const capturedParams = stmt._getCapturedParams();
expect(capturedParams[0]).toContain(`%"${maliciousAudience}"%`);
const prepareCall = mockAdapter.prepare.mock.calls[0][0];
expect(prepareCall).not.toContain('DELETE FROM');
expect(prepareCall).toContain('json_extract(metadata_json, \'$.target_audience\') LIKE ?');
});
it('should safely handle special characters in parameters', () => {
const specialChars = "test'with\"quotes\\and%wildcards_and[brackets]";
const stmt = new MockPreparedStatement('');
stmt._setMockResults([]);
mockAdapter.prepare = vi.fn().mockReturnValue(stmt);
repository.searchTemplatesByMetadata({
category: specialChars,
limit: 10,
offset: 0
});
const capturedParams = stmt._getCapturedParams();
expect(capturedParams[0]).toContain(`%"${specialChars}"%`);
// Should use parameterized query
const prepareCall = mockAdapter.prepare.mock.calls[0][0];
expect(prepareCall).toContain('json_extract(metadata_json, \'$.categories\') LIKE ?');
});
it('should prevent injection through numeric parameters', () => {
const stmt = new MockPreparedStatement('');
stmt._setMockResults([]);
mockAdapter.prepare = vi.fn().mockReturnValue(stmt);
// Try to inject through numeric parameters
repository.searchTemplatesByMetadata({
maxSetupMinutes: 999999999, // Large number
minSetupMinutes: -999999999, // Negative number
limit: 10,
offset: 0
});
const capturedParams = stmt._getCapturedParams();
expect(capturedParams[0]).toContain(999999999);
expect(capturedParams[0]).toContain(-999999999);
// Should use CAST and parameterized queries
const prepareCall = mockAdapter.prepare.mock.calls[0][0];
expect(prepareCall).toContain('CAST(json_extract(metadata_json, \'$.estimated_setup_minutes\') AS INTEGER)');
});
});
describe('getSearchTemplatesByMetadataCount', () => {
it('should use parameterized queries for count operations', () => {
const maliciousCategory = "'; DROP TABLE templates; SELECT COUNT(*) FROM sqlite_master WHERE name LIKE '%";
const stmt = new MockPreparedStatement('');
stmt._setMockResults([{ count: 0 }]);
mockAdapter.prepare = vi.fn().mockReturnValue(stmt);
repository.getSearchTemplatesByMetadataCount({
category: maliciousCategory
});
const capturedParams = stmt._getCapturedParams();
expect(capturedParams[0]).toContain(`%"${maliciousCategory}"%`);
const prepareCall = mockAdapter.prepare.mock.calls[0][0];
expect(prepareCall).not.toContain('DROP TABLE');
expect(prepareCall).toContain('SELECT COUNT(*) as count FROM templates');
});
});
describe('updateTemplateMetadata', () => {
it('should safely handle metadata with special characters', () => {
const maliciousMetadata = {
categories: ["automation'; DROP TABLE templates; --"],
complexity: "simple",
use_cases: ['SQL injection"test'],
estimated_setup_minutes: 30,
required_services: ['api"with\\"quotes'],
key_features: ["feature's test"],
target_audience: ['developers\\administrators']
};
const stmt = new MockPreparedStatement('');
mockAdapter.prepare = vi.fn().mockReturnValue(stmt);
repository.updateTemplateMetadata(123, maliciousMetadata);
const capturedParams = stmt._getCapturedParams();
expect(capturedParams[0][0]).toBe(JSON.stringify(maliciousMetadata));
expect(capturedParams[0][1]).toBe(123);
// Should use parameterized UPDATE
const prepareCall = mockAdapter.prepare.mock.calls[0][0];
expect(prepareCall).toContain('UPDATE templates SET metadata_json = ?');
expect(prepareCall).not.toContain('DROP TABLE');
});
});
describe('batchUpdateMetadata', () => {
it('should safely handle batch updates with malicious data', () => {
const maliciousData = new Map();
maliciousData.set(1, { categories: ["'; DROP TABLE templates; --"] });
maliciousData.set(2, { categories: ["normal category"] });
const stmt = new MockPreparedStatement('');
mockAdapter.prepare = vi.fn().mockReturnValue(stmt);
repository.batchUpdateMetadata(maliciousData);
const capturedParams = stmt._getCapturedParams();
expect(capturedParams).toHaveLength(2);
// Both calls should be parameterized
expect(capturedParams[0][0]).toContain('"; DROP TABLE templates; --');
expect(capturedParams[0][1]).toBe(1);
expect(capturedParams[1][0]).toContain('normal category');
expect(capturedParams[1][1]).toBe(2);
});
});
});
describe('JSON Extraction Security', () => {
it('should safely extract categories from JSON', () => {
const stmt = new MockPreparedStatement('');
stmt._setMockResults([]);
mockAdapter.prepare = vi.fn().mockReturnValue(stmt);
repository.getUniqueCategories();
const prepareCall = mockAdapter.prepare.mock.calls[0][0];
expect(prepareCall).toContain('json_extract(metadata_json, \'$.categories\')');
expect(prepareCall).toContain('json_each(');
expect(prepareCall).not.toContain('eval(');
expect(prepareCall).not.toContain('exec(');
});
it('should safely extract target audiences from JSON', () => {
const stmt = new MockPreparedStatement('');
stmt._setMockResults([]);
mockAdapter.prepare = vi.fn().mockReturnValue(stmt);
repository.getUniqueTargetAudiences();
const prepareCall = mockAdapter.prepare.mock.calls[0][0];
expect(prepareCall).toContain('json_extract(metadata_json, \'$.target_audience\')');
expect(prepareCall).toContain('json_each(');
});
it('should safely handle complex JSON structures', () => {
const stmt = new MockPreparedStatement('');
stmt._setMockResults([]);
mockAdapter.prepare = vi.fn().mockReturnValue(stmt);
repository.getTemplatesByCategory('test');
const prepareCall = mockAdapter.prepare.mock.calls[0][0];
expect(prepareCall).toContain('json_extract(metadata_json, \'$.categories\') LIKE ?');
const capturedParams = stmt._getCapturedParams();
expect(capturedParams[0]).toContain('%"test"%');
});
});
describe('Input Validation and Sanitization', () => {
it('should handle null and undefined parameters safely', () => {
const stmt = new MockPreparedStatement('');
stmt._setMockResults([]);
mockAdapter.prepare = vi.fn().mockReturnValue(stmt);
repository.searchTemplatesByMetadata({
category: undefined as any,
complexity: null as any,
limit: 10,
offset: 0
});
// Should not break and should exclude undefined/null filters
const prepareCall = mockAdapter.prepare.mock.calls[0][0];
expect(prepareCall).toContain('metadata_json IS NOT NULL');
expect(prepareCall).not.toContain('undefined');
expect(prepareCall).not.toContain('null');
});
it('should handle empty string parameters', () => {
const stmt = new MockPreparedStatement('');
stmt._setMockResults([]);
mockAdapter.prepare = vi.fn().mockReturnValue(stmt);
repository.searchTemplatesByMetadata({
category: '',
requiredService: '',
targetAudience: '',
limit: 10,
offset: 0
});
// Empty strings should still be processed (might be valid searches)
const capturedParams = stmt._getCapturedParams();
expect(capturedParams[0]).toContain('%""%');
});
it('should validate numeric ranges', () => {
const stmt = new MockPreparedStatement('');
stmt._setMockResults([]);
mockAdapter.prepare = vi.fn().mockReturnValue(stmt);
repository.searchTemplatesByMetadata({
maxSetupMinutes: Number.MAX_SAFE_INTEGER,
minSetupMinutes: Number.MIN_SAFE_INTEGER,
limit: 10,
offset: 0
});
// Should handle extreme values without breaking
const capturedParams = stmt._getCapturedParams();
expect(capturedParams[0]).toContain(Number.MAX_SAFE_INTEGER);
expect(capturedParams[0]).toContain(Number.MIN_SAFE_INTEGER);
});
it('should handle Unicode and international characters', () => {
const unicodeCategory = '自動化'; // Japanese for "automation"
const emojiAudience = '👩‍💻 developers';
const stmt = new MockPreparedStatement('');
stmt._setMockResults([]);
mockAdapter.prepare = vi.fn().mockReturnValue(stmt);
repository.searchTemplatesByMetadata({
category: unicodeCategory,
targetAudience: emojiAudience,
limit: 10,
offset: 0
});
const capturedParams = stmt._getCapturedParams();
expect(capturedParams[0]).toContain(`%"${unicodeCategory}"%`);
expect(capturedParams[0]).toContain(`%"${emojiAudience}"%`);
});
});
describe('Database Schema Security', () => {
it('should use proper column names without injection', () => {
const stmt = new MockPreparedStatement('');
stmt._setMockResults([]);
mockAdapter.prepare = vi.fn().mockReturnValue(stmt);
repository.searchTemplatesByMetadata({
category: 'test',
limit: 10,
offset: 0
});
const prepareCall = mockAdapter.prepare.mock.calls[0][0];
// Should reference proper column names
expect(prepareCall).toContain('metadata_json');
expect(prepareCall).toContain('templates');
// Should not contain dynamic column names that could be injected
expect(prepareCall).not.toMatch(/SELECT \* FROM \w+;/);
expect(prepareCall).not.toContain('information_schema');
expect(prepareCall).not.toContain('sqlite_master');
});
it('should use proper JSON path syntax', () => {
const stmt = new MockPreparedStatement('');
stmt._setMockResults([]);
mockAdapter.prepare = vi.fn().mockReturnValue(stmt);
repository.getUniqueCategories();
const prepareCall = mockAdapter.prepare.mock.calls[0][0];
// Should use safe JSON path syntax
expect(prepareCall).toContain('$.categories');
expect(prepareCall).not.toContain('$[');
expect(prepareCall).not.toContain('eval(');
});
});
describe('Transaction Safety', () => {
it('should handle transaction rollback on metadata update errors', () => {
const stmt = new MockPreparedStatement('');
stmt.run = vi.fn().mockImplementation(() => {
throw new Error('Database error');
});
mockAdapter.prepare = vi.fn().mockReturnValue(stmt);
const maliciousData = new Map();
maliciousData.set(1, { categories: ["'; DROP TABLE templates; --"] });
expect(() => {
repository.batchUpdateMetadata(maliciousData);
}).toThrow('Database error');
// Transaction should have been attempted
expect(mockAdapter.transaction).toHaveBeenCalled();
});
});
describe('Error Message Security', () => {
it('should not expose sensitive information in error messages', () => {
const stmt = new MockPreparedStatement('');
stmt.get = vi.fn().mockImplementation(() => {
throw new Error('SQLITE_ERROR: syntax error near "DROP TABLE"');
});
mockAdapter.prepare = vi.fn().mockReturnValue(stmt);
expect(() => {
repository.getSearchTemplatesByMetadataCount({
category: "'; DROP TABLE templates; --"
});
}).toThrow(); // Should throw, but not expose SQL details
});
});
describe('Performance and DoS Protection', () => {
it('should handle large limit values safely', () => {
const stmt = new MockPreparedStatement('');
stmt._setMockResults([]);
mockAdapter.prepare = vi.fn().mockReturnValue(stmt);
repository.searchTemplatesByMetadata({
limit: 999999999, // Very large limit
offset: 0
});
const capturedParams = stmt._getCapturedParams();
expect(capturedParams[0]).toContain(999999999);
// Should still work but might be limited by database constraints
expect(mockAdapter.prepare).toHaveBeenCalled();
});
it('should handle very long string parameters', () => {
const veryLongString = 'a'.repeat(100000); // 100KB string
const stmt = new MockPreparedStatement('');
stmt._setMockResults([]);
mockAdapter.prepare = vi.fn().mockReturnValue(stmt);
repository.searchTemplatesByMetadata({
category: veryLongString,
limit: 10,
offset: 0
});
const capturedParams = stmt._getCapturedParams();
expect(capturedParams[0][0]).toContain(veryLongString);
// Should handle without breaking
expect(mockAdapter.prepare).toHaveBeenCalled();
});
});
});