n8n-mcp/eslint.config.js
czlonkowski 217825c6e1 feat: implement Phase 2 security fixes (partial - HIGH-01, HIGH-04, HIGH-08, MEDIUM-02, MEDIUM-05)
Implements 5 of 8 security fixes from Issue #265 Phase 2:

COMPLETED:

- **MEDIUM-05: Dependency Audit Documentation**
  - Added Security & Dependencies section to README.md
  - Documents that n8n package vulnerabilities are upstream responsibilities
  - Explains our direct dependencies are kept up to date
  - Provides security update workflow

- **HIGH-01: SQL Injection ESLint Safeguards**
  - Installed ESLint with TypeScript support
  - Created eslint.config.js with no-restricted-syntax rule
  - Blocks template literals in db.exec() calls
  - Added JSDoc @security comments to 8 existing db.exec() calls
  - All static SQL statements documented and safe

- **MEDIUM-02: Input Length Limits**
  - Reduced express.json() body size from 10mb to 1mb
  - Added URL length validation middleware (2048 char limit)
  - Returns HTTP 414 for oversized URLs
  - Logs input_validation_failure events

- **HIGH-08: Security Headers**
  - Installed helmet package
  - Configured comprehensive CSP, Referrer-Policy, HSTS, Permissions-Policy
  - Disabled x-powered-by header
  - All security headers now present on responses

- **HIGH-04: Error Sanitization Consistency**
  - Updated Express global error handler
  - Now uses sanitizeErrorForClient() method
  - Ensures no stack traces or internal details leak in any mode
  - Production-safe error responses

REMAINING (to be completed):
- HIGH-06: CORS production validation
- HIGH-05: Multi-tenant shared mode safety check
- MEDIUM-04: Audit logging event field verification

Files modified:
- README.md (new Security & Dependencies section)
- package.json, package-lock.json (eslint, helmet dependencies)
- eslint.config.js (new ESLint flat config)
- src/http-server-single-session.ts (security headers, input limits, error handler)
- src/templates/template-repository.ts (JSDoc security comments)
- src/scripts/fetch-templates.ts (JSDoc security comments)

Part of Issue #265 security audit remediation.
Next: Complete remaining 3 fixes, add tests, version bump to 2.16.4.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-10-06 19:41:35 +02:00


// ESLint flat config (HIGH-01): lints the TypeScript sources with the
// @typescript-eslint parser and blocks template literals inside db.exec() calls.
import tseslint from '@typescript-eslint/eslint-plugin';
import tsparser from '@typescript-eslint/parser';

export default [
  {
    files: ['src/**/*.ts'],
    languageOptions: {
      parser: tsparser,
      parserOptions: {
        ecmaVersion: 2020,
        sourceType: 'module',
        project: './tsconfig.json'
      }
    },
    plugins: {
      '@typescript-eslint': tseslint
    },
    rules: {
      // Descendant selector: any TemplateLiteral nested inside a call whose
      // callee is `<something>.exec(...)`. Plain string literals are not matched.
      'no-restricted-syntax': [
        'error',
        {
          selector: 'CallExpression[callee.property.name="exec"] TemplateLiteral',
          message: 'SECURITY: Template literals in db.exec() can lead to SQL injection. Use parameterized queries with db.prepare().all() instead. See: https://github.com/czlonkowski/n8n-mcp/issues/265 (HIGH-01)'
        }
      ]
    }
  }
];
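As an added example that is not code from the n8n-mcp project, the following re-implements in plain JavaScript what the `no-restricted-syntax` selector above matches, over hand-constructed ESTree fragments so it runs without a parser, and shows the rule's coverage gaps: a `${}`-free template literal is still flagged, while string concatenation passed to `db.exec()` is not caught even though it is just as injectable. The builders, `walk`, `findViolations` and `samples` are assumed names, and the samples are constructed, not taken from the repository.

```javascript
// Added example (not from n8n-mcp): evaluates the ESLint selector
// 'CallExpression[callee.property.name="exec"] TemplateLiteral' over constructed ESTree fragments.

const id = (name) => ({ type: 'Identifier', name });
const str = (value) => ({ type: 'Literal', value });
const call = (obj, prop, args) => ({
  type: 'CallExpression', arguments: args,
  callee: { type: 'MemberExpression', object: obj, property: id(prop) },
});
const tpl = (parts, exprs) => ({
  type: 'TemplateLiteral', expressions: exprs,
  quasis: parts.map((raw) => ({ type: 'TemplateElement', value: { raw } })),
});
const concat = (left, right) => ({ type: 'BinaryExpression', operator: '+', left, right });

// Depth-first walk over every node (any object carrying a string `type`) in an ESTree tree.
function* walk(node) {
  yield node;
  for (const value of Object.values(node))
    for (const child of Array.isArray(value) ? value : [value])
      if (child && typeof child.type === 'string') yield* walk(child);
}

// The descendant selector: every TemplateLiteral anywhere inside a call whose
// callee is `<anything>.exec(...)`. It keys on the property name only, so the
// receiver does not have to be `db`.
function findViolations(ast) {
  const hits = [];
  for (const node of walk(ast)) {
    if (node.type !== 'CallExpression' || node.callee.type !== 'MemberExpression') continue;
    if (node.callee.property.name !== 'exec') continue;
    for (const inner of walk(node))
      if (inner !== node && inner.type === 'TemplateLiteral') hits.push(inner);
  }
  return hits;
}

// Constructed samples; each comment shows the source the AST stands for.
const samples = {
  // db.exec(`DELETE FROM t WHERE id = ${userId}`)        -> flagged (the injection shape)
  templateExec: call(id('db'), 'exec', [tpl(['DELETE FROM t WHERE id = ', ''], [id('userId')])]),
  // db.exec(`CREATE TABLE t (id INTEGER)`)               -> also flagged: the rule is purely syntactic
  staticTemplateExec: call(id('db'), 'exec', [tpl(['CREATE TABLE t (id INTEGER)'], [])]),
  // db.exec('DELETE FROM t WHERE id = ' + userId)        -> NOT flagged, yet still injectable
  concatExec: call(id('db'), 'exec', [concat(str('DELETE FROM t WHERE id = '), id('userId'))]),
  // db.prepare('DELETE FROM t WHERE id = ?').run(userId) -> NOT flagged: the parameterized form
  preparedRun: call(call(id('db'), 'prepare', [str('DELETE FROM t WHERE id = ?')]), 'run', [id('userId')]),
};
```

Because the selector is syntactic, a code review (or a second rule matching `BinaryExpression` arguments to `exec`) is still needed to cover concatenated queries.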