feat: enhance template sanitization and prevent secret leaks

- Add Airtable PAT and GitHub token patterns to template sanitizer
- Add batch error files to .gitignore (may contain API tokens)
- Document sanitization requirement in MEMORY_TEMPLATE_UPDATE.md
- Prevents accidental secret commits during template updates

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
czlonkowski
2025-09-30 10:57:14 +02:00
parent 2057f98e76
commit d862f4961d
3 changed files with 16 additions and 0 deletions

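--- a/.gitignore
+++ b/.gitignore
@@ -89,6 +89,10 @@ docker-compose.override.yml
 temp/
 tmp/
+# Batch processing error files (may contain API tokens from templates)
+docs/batch_*.jsonl
+**/batch_*_error.jsonl
 # Database files
 # Database files - nodes.db is now tracked directly
 # data/*.db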
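Review bot: The new ignore rules do not affect files that are already tracked, so any `docs/batch_*.jsonl` or `batch_*_error.jsonl` that was committed before this change stays in the index and keeps being pushed. Those need `git rm --cached <file>` to untrack, and if such a file ever held a live token the token should be treated as exposed and rotated, because it remains in history regardless of the ignore rule. A short comment next to the rule, such as `# NOTE: already-tracked batch files must be removed with git rm --cached`, would save the next contributor from assuming the rule is retroactive.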


@@ -130,10 +130,16 @@ sqlite3 data/nodes.db "SELECT COUNT(*) FROM templates"
# 4. Generate AI metadata for new templates (optional, requires OPENAI_API_KEY) # 4. Generate AI metadata for new templates (optional, requires OPENAI_API_KEY)
npm run fetch:templates -- --metadata-only npm run fetch:templates -- --metadata-only
# 5. IMPORTANT: Sanitize templates before pushing database
npm run build
npm run sanitize:templates
``` ```
Templates are independent of n8n version - they're just workflow JSON data. Templates are independent of n8n version - they're just workflow JSON data.
**CRITICAL**: Always run `npm run sanitize:templates` before pushing the database to remove API tokens from template workflows.
**Note**: New templates fetched via `--update` mode will NOT have AI-generated metadata by default. You need to run `--metadata-only` separately to generate metadata for templates that don't have it yet. **Note**: New templates fetched via `--update` mode will NOT have AI-generated metadata by default. You need to run `--metadata-only` separately to generate metadata for templates that don't have it yet.
## Troubleshooting ## Troubleshooting


@@ -19,11 +19,17 @@ export const defaultSanitizerConfig: SanitizerConfig = {
tokenPatterns: [ tokenPatterns: [
/apify_api_[A-Za-z0-9]+/g, /apify_api_[A-Za-z0-9]+/g,
/sk-[A-Za-z0-9]+/g, // OpenAI tokens /sk-[A-Za-z0-9]+/g, // OpenAI tokens
/pat[A-Za-z0-9_]{40,}/g, // Airtable Personal Access Tokens
/ghp_[A-Za-z0-9]{36,}/g, // GitHub Personal Access Tokens
/gho_[A-Za-z0-9]{36,}/g, // GitHub OAuth tokens
/Bearer\s+[A-Za-z0-9\-._~+\/]+=*/g // Generic bearer tokens /Bearer\s+[A-Za-z0-9\-._~+\/]+=*/g // Generic bearer tokens
], ],
replacements: new Map([ replacements: new Map([
['apify_api_', 'apify_api_YOUR_TOKEN_HERE'], ['apify_api_', 'apify_api_YOUR_TOKEN_HERE'],
['sk-', 'sk-YOUR_OPENAI_KEY_HERE'], ['sk-', 'sk-YOUR_OPENAI_KEY_HERE'],
['pat', 'patYOUR_AIRTABLE_TOKEN_HERE'],
['ghp_', 'ghp_YOUR_GITHUB_TOKEN_HERE'],
['gho_', 'gho_YOUR_GITHUB_TOKEN_HERE'],
['Bearer ', 'Bearer YOUR_TOKEN_HERE'] ['Bearer ', 'Bearer YOUR_TOKEN_HERE']
]) ])
}; };
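Review bot: The Airtable pattern on the `/pat[A-Za-z0-9_]{40,}/g` line most likely never matches a real token: Airtable personal access tokens are, to my knowledge, `pat` followed by 14 alphanumerics, a literal `.`, then 64 hex characters, and since `.` is outside the character class the run stops after 14 characters and fails the `{40,}` quantifier. A closer pattern would be `/\bpat[A-Za-z0-9]{14}\.[a-f0-9]{64}/g`; the `\b` also stops the bare `pat` prefix from firing inside longer identifiers or base64 fragments that happen to contain it, which would otherwise be rewritten to `patYOUR_AIRTABLE_TOKEN_HERE`. GitHub coverage stops at `ghp_`/`gho_`, while the same family includes `ghu_`, `ghs_`, `ghr_` and fine-grained `github_pat_…` tokens, which `/gh[pousr]_[A-Za-z0-9]{36,}/g` and `/github_pat_[A-Za-z0-9_]{22,}/g` would catch, each needing a matching `replacements` entry. How a match is looked up in the `replacements` map is not visible in this hunk, so confirm that a longer or anchored regex still resolves to its placeholder; `defaultSanitizerConfig` itself opens above the hunk.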