Security Fixes: - Add command injection prevention in n8n-mcp wrapper with whitelist validation - Fix race condition in database initialization with proper lock directory creation - Add flock availability check with fallback behavior - Implement comprehensive input sanitization in parse-config.js Improvements: - Add debug logging support to parse-config.js (DEBUG_CONFIG=true) - Improve test cleanup error handling with proper error tracking - Increase integration test timeouts for CI compatibility - Update test assertions to check environment variables instead of processes All critical security vulnerabilities identified by code review have been addressed. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
#!/bin/sh
# n8n-mcp wrapper script for Docker
# Transforms "n8n-mcp serve" to proper start command
# Validate arguments to prevent command injection
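# validate_args ARG...
#
# Allow-list check for the arguments supplied after "serve".
# Arguments: any number of command-line words.
# Outputs:   on the first word that is not on the list, two diagnostic
#            lines on stderr.
# Returns:   0 when every word is accepted; otherwise the whole script
#            exits with status 1 (exit, not return).
#
# Diagnostics use printf '%s\n' rather than echo: the rejected word is
# caller-controlled, and echo in some /bin/sh implementations expands
# backslash sequences, which would let that word write extra lines or
# control characters into the error stream.
validate_args() {
  for arg in "$@"; do
    case "$arg" in
      '')
        # Empty words are tolerated and skipped.
        continue
        ;;
      --port=* | --host=* | --verbose | --quiet | --help | -h | --version | -v)
        # On the allow-list - extend this pattern list as needed.
        # Only the option name is matched; whatever follows '=' in
        # --port= / --host= is accepted here without inspection.
        ;;
      *)
        # Anything else is rejected.
        printf '%s\n' "Error: Invalid argument: $arg" >&2
        printf '%s\n' "Allowed arguments: --port=<port>, --host=<host>, --verbose, --quiet, --help, --version" >&2
        exit 1
        ;;
    esac
  done
}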
# Entry point. "serve" is rewritten into an HTTP-mode start; every other
# invocation is handed to the Node entry point as given.
if [ "$1" = "serve" ]; then
  # HTTP mode is selected through the environment of the Node process.
  export MCP_MODE="http"
  shift # drop "serve" so only its options remain in "$@"

  # Only this path is checked against the allow-list; validate_args
  # terminates the script with status 1 on the first rejected word.
  validate_args "$@"
fi

# Arguments are forwarded as separate words ("$@"), never re-parsed by a
# shell. For non-serve commands they reach node without validation, which
# keeps other subcommands flexible - the allow-list above does not
# constrain them.
exec node /app/dist/mcp/index.js "$@"