ros/n8n-mcp
1
0
Fork 0
mirror of https://github.com/czlonkowski/n8n-mcp.git synced 2026-02-06 05:23:08 +00:00
Code Issues Packages Projects Releases Wiki Activity
798 Commits 50 Branches 138 Tags
79ef853e8c84d5a6f7a2bf744a7e016ce6dd7a05
Commit Graph

4 Commits

Author SHA1 Message Date
czlonkowski
a94ff0586c security: improve path validation and git command safety 
Enhance input validation for documentation fetcher constructor and replace
shell command execution with safer alternatives using argument arrays.

Changes:
- Add comprehensive path validation with sanitization
- Replace execSync with spawnSync using argument arrays
- Add HTTPS-only validation for repository URLs
- Extend security test coverage

Version: 2.18.6 → 2.18.7

Thanks to @ErbaZZ for responsible disclosure.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
 2025-10-11 17:05:16 +02:00
czlonkowski
b106550520 security: fix CRITICAL timing attack and command injection vulnerabilities (Issue #265) 
This commit addresses 2 critical security vulnerabilities identified in the
security audit.

## CRITICAL-02: Timing Attack Vulnerability (CVSS 8.5)

**Problem:** Non-constant-time string comparison in authentication allowed
timing attacks to discover tokens character-by-character through statistical
timing analysis (estimated 24-48 hours to compromise).

**Fix:** Implemented crypto.timingSafeEqual for all token comparisons

**Changes:**
- Added AuthManager.timingSafeCompare() constant-time comparison utility
- Fixed src/utils/auth.ts:27 - validateToken method
- Fixed src/http-server-single-session.ts:1087 - Single-session HTTP auth
- Fixed src/http-server.ts:315 - Fixed HTTP server auth
- Added 11 unit tests with timing variance analysis (<10% variance proven)

## CRITICAL-01: Command Injection Vulnerability (CVSS 8.8)

**Problem:** User-controlled nodeType parameter injected into shell commands
via execSync, allowing remote code execution, data exfiltration, and network
scanning.

**Fix:** Eliminated all shell execution, replaced with Node.js fs APIs

**Changes:**
- Replaced execSync() with fs.readdir() in enhanced-documentation-fetcher.ts
- Added multi-layer input sanitization: /[^a-zA-Z0-9._-]/g
- Added directory traversal protection (blocks .., /, relative paths)
- Added path.basename() for additional safety
- Added final path verification (ensures result within expected directory)
- Added 9 integration tests covering all attack vectors

## Test Results

All Tests Passing:
- Unit tests: 11/11  (timing-safe comparison)
- Integration tests: 9/9  (command injection prevention)
- Timing variance: <10%  (proves constant-time)
- All existing tests:  (no regressions)

## Breaking Changes

None - All changes are backward compatible.

## References

- Security Audit: Issue #265
- Implementation Plan: docs/local/security-implementation-plan-issue-265.md
- Audit Analysis: docs/local/security-audit-analysis-issue-265.md

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
 2025-10-06 14:09:06 +02:00
czlonkowski
b50025081a mostly working 2025-06-09 17:23:00 +02:00
czlonkowski
3d7fdeba02 feat: Complete overhaul to enhanced documentation-only MCP server 
- Removed all workflow execution capabilities per user requirements
- Implemented enhanced documentation extraction with operations and API mappings
- Fixed credential code extraction for all nodes
- Fixed package info extraction (name and version)
- Enhanced operations parser to handle n8n markdown format
- Fixed documentation search to prioritize app nodes over trigger nodes
- Comprehensive test coverage for Slack node extraction
- All node information now includes:
  - Complete operations list (42 for Slack)
  - API method mappings with documentation URLs
  - Source code and credential definitions
  - Package metadata
  - Related resources and templates

🤖 Generated with Claude Code

Co-Authored-By: Claude <noreply@anthropic.com>
 2025-06-08 11:07:51 +00:00