czlonkowski | 217825c6e1
feat: implement Phase 2 security fixes (partial - HIGH-01, HIGH-04, HIGH-08, MEDIUM-02, MEDIUM-05)
Implements 5 of 8 security fixes from Issue #265 Phase 2:

✅ COMPLETED:

- **MEDIUM-05: Dependency Audit Documentation**
  - Added Security & Dependencies section to README.md
  - Documents that n8n package vulnerabilities are upstream responsibilities
  - Explains our direct dependencies are kept up to date
  - Provides security update workflow

- **HIGH-01: SQL Injection ESLint Safeguards**
  - Installed ESLint with TypeScript support
  - Created eslint.config.js with no-restricted-syntax rule
  - Blocks template literals in db.exec() calls
  - Added JSDoc @security comments to 8 existing db.exec() calls
  - All static SQL statements documented and safe

- **MEDIUM-02: Input Length Limits**
  - Reduced express.json() body size from 10mb to 1mb
  - Added URL length validation middleware (2048 char limit)
  - Returns HTTP 414 for oversized URLs
  - Logs input_validation_failure events

- **HIGH-08: Security Headers**
  - Installed helmet package
  - Configured comprehensive CSP, Referrer-Policy, HSTS, Permissions-Policy
  - Disabled x-powered-by header
  - All security headers now present on responses

- **HIGH-04: Error Sanitization Consistency**
  - Updated Express global error handler
  - Now uses sanitizeErrorForClient() method
  - Ensures no stack traces or internal details leak in any mode
  - Production-safe error responses

⏳ REMAINING (to be completed):

- HIGH-06: CORS production validation
- HIGH-05: Multi-tenant shared mode safety check
- MEDIUM-04: Audit logging event field verification

Files modified:

- README.md (new Security & Dependencies section)
- package.json, package-lock.json (eslint, helmet dependencies)
- eslint.config.js (new ESLint flat config)
- src/http-server-single-session.ts (security headers, input limits, error handler)
- src/templates/template-repository.ts (JSDoc security comments)
- src/scripts/fetch-templates.ts (JSDoc security comments)

Part of Issue #265 security audit remediation.

Next: Complete remaining 3 fixes, add tests, version bump to 2.16.4.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
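The URL length guard described under MEDIUM-02, as an added example that is not the project's own code: an Express-style middleware that rejects URLs over 2048 characters with HTTP 414 and emits an input_validation_failure event. The logEvent sink, the request/response stand-ins and the runGuard helper are constructed here so the behaviour can be exercised offline; the project's actual middleware may differ.

```javascript
// Added example, not the project's code. Mirrors the MEDIUM-02 URL length limit:
// requests whose URL exceeds the limit get HTTP 414 and an input_validation_failure event.
const MAX_URL_LENGTH = 2048;

// Factory so the limit and the log sink are injectable (both assumptions of this example).
function createUrlLengthGuard({ maxLength = MAX_URL_LENGTH, logEvent = () => {} } = {}) {
  return function urlLengthGuard(req, res, next) {
    // Express exposes the full original path+query on originalUrl; fall back to url.
    const url = req.originalUrl ?? req.url ?? '';
    if (url.length <= maxLength) {
      return next();
    }
    // Record the event without echoing the oversized URL itself, so the log cannot
    // be padded or poisoned by whatever the client sent.
    logEvent({
      event: 'input_validation_failure',
      reason: 'url_too_long',
      urlLength: url.length,
      maxLength,
      ip: req.ip,
    });
    // 414 is the status for a URI the server refuses to process on length grounds.
    res.status(414).json({ error: 'Request-URI Too Long' });
  };
}

// Minimal stand-in for an Express response object, enough to observe status and body.
function makeResponse() {
  const res = { statusCode: 200, body: undefined };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (payload) => { res.body = payload; return res; };
  return res;
}

// Runs the guard against one constructed request and reports what happened.
function runGuard(url, options = {}) {
  const events = [];
  const guard = createUrlLengthGuard({ ...options, logEvent: (e) => events.push(e) });
  const res = makeResponse();
  let nextCalled = false;
  guard({ originalUrl: url, ip: '127.0.0.1' }, res, () => { nextCalled = true; });
  return { nextCalled, status: res.statusCode, body: res.body, events };
}
```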
2025-10-06 19:41:35 +02:00