* ✨ Implement security audit * ⚡ Use logger * 🧪 Fix test * ⚡ Switch logger with stdout * 🎨 Set new logo * ⚡ Fill out Public API schema * ✏️ Fix typo * ⚡ Break dependency cycle * ⚡ Add security settings values * 🧪 Test security settings * ⚡ Add publicly accessible instance warning * ⚡ Add metric to CLI command * ✏️ Fix typo * 🔥 Remove unneeded path alias * 📘 Add type import * 🔥 Remove inferrable output type * ⚡ Set description at correct level * ⚡ Rename constant for consistency * ⚡ Sort URLs * ⚡ Rename local var * ⚡ Shorten name * ✏️ Improve phrasing * ⚡ Improve naming * ⚡ Fix casing * ✏️ Add docline * ✏️ Relocate comment * ⚡ Add singular/plurals * 🔥 Remove unneeded await * ✏️ Improve test description * ⚡ Optimize with sets * ⚡ Adjust post master merge * ✏️ Improve naming * ⚡ Adjust in spy * 🧪 Fix outdated instance test * 🧪 Make diagnostics check consistent * ⚡ Refactor `getAllExistingCreds` * ⚡ Create helper `getNodeTypes` * 🐛 Fix `InternalHooksManager` call * 🚚 Rename `execution` to `nodes` risk * ⚡ Add options to CLI command * ⚡ Make days configurable * :revert: Undo changes to `BaseCommand` * ⚡ Improve CLI command UX * ⚡ Change no-report return value Empty array to trigger empty state on FE. * ⚡ Add empty check to `reportInstanceRisk` * 🧪 Extend Jest `expect` * 📘 Augment `jest.Matchers` * 🧪 Set extend as setup file * 🔧 Override lint rule for `.d.ts` * ⚡ Use new matcher * ⚡ Update check * 📘 Improve typings * ⚡ Adjust instance risk check * ✏️ Rename `execution` → `nodes` in Public API schema * ✏️ Add clarifying comment * ✏️ Fix typo * ⚡ Validate categories in CLI command * ✏️ Improve naming * ✏️ Make audit reference consistent * 📘 Fix typing * ⚡ Use `finally` in CLI command
import { v4 as uuid } from 'uuid';
import * as Db from '@/Db';
import { audit } from '@/audit';
import { INSTANCE_REPORT, WEBHOOK_VALIDATOR_NODE_TYPES } from '@/audit/constants';
import {
getRiskSection,
saveManualTriggerWorkflow,
MOCK_09990_N8N_VERSION,
simulateOutdatedInstanceOnce,
simulateUpToDateInstance,
} from './utils';
import * as testDb from '../shared/testDb';
import { toReportTitle } from '@/audit/utils';
import config from '@/config';
// Name of the test database created in beforeAll; passed to testDb.truncate()
// and testDb.terminate() in the hooks below.
let testDbName = '';
// Create the test database once per file and make the instance look up to date
// (see simulateUpToDateInstance in ./utils) so the outdated-instance check stays
// quiet unless a test opts in.
beforeAll(async () => {
	({ testDbName } = await testDb.init());
	simulateUpToDateInstance();
});
// Tests that save workflows must not see each other's rows: empty the
// Workflow table before every test.
beforeEach(() => testDb.truncate(['Workflow'], testDbName));
// Drop the test database created in beforeAll.
afterAll(() => testDb.terminate(testDbName));
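test('should report webhook lacking authentication', async () => {
	const targetNodeId = uuid();

	// One webhook node with no `authentication` parameter and no outgoing
	// connections: nothing protects the endpoint, so the audit must flag it.
	const details = {
		name: 'My Test Workflow',
		active: true,
		nodeTypes: {},
		connections: {},
		nodes: [
			{
				parameters: {
					path: uuid(),
					options: {},
				},
				id: targetNodeId,
				name: 'Webhook',
				type: 'n8n-nodes-base.webhook',
				typeVersion: 1,
				position: [0, 0] as [number, number],
				webhookId: uuid(),
			},
		],
	};

	await Db.collections.Workflow.save(details);

	const testAudit = await audit(['instance']);

	const section = getRiskSection(
		testAudit,
		INSTANCE_REPORT.RISK,
		INSTANCE_REPORT.SECTIONS.UNPROTECTED_WEBHOOKS,
	);

	// Throw instead of calling Jest's `fail()`: `fail` is not defined under the
	// jest-circus runner, and a thrown Error both stops the test with the
	// intended message and narrows `section.location` for the checks below.
	if (!section.location) {
		throw new Error('Expected section to have locations');
	}

	// Exactly the saved webhook node is reported, identified by its node ID.
	expect(section.location).toHaveLength(1);
	expect(section.location[0].nodeId).toBe(targetNodeId);
});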
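test('should not report webhooks having basic or header auth', async () => {
	// One workflow per auth type, each with a webhook node whose
	// `authentication` parameter is set. Neither should be flagged.
	// The callback already returns a promise, so it needs no `async`.
	const promises = ['basicAuth', 'headerAuth'].map((authType) => {
		const details = {
			name: 'My Test Workflow',
			active: true,
			nodeTypes: {},
			connections: {},
			nodes: [
				{
					parameters: {
						path: uuid(),
						authentication: authType,
						options: {},
					},
					id: uuid(),
					name: 'Webhook',
					type: 'n8n-nodes-base.webhook',
					typeVersion: 1,
					position: [0, 0] as [number, number],
					webhookId: uuid(),
				},
			],
		};

		return Db.collections.Workflow.save(details);
	});

	await Promise.all(promises);

	const testAudit = await audit(['instance']);

	const report = testAudit?.[toReportTitle('instance')];

	// Throw instead of calling Jest's `fail()`: `fail` is not defined under the
	// jest-circus runner, and a thrown Error both stops the test with the
	// intended message and narrows `report` for the loop below.
	if (!report) {
		throw new Error('Expected test audit to have instance risk report');
	}

	// The instance report may contain other sections; only the
	// unprotected-webhooks section must be absent.
	for (const section of report.sections) {
		expect(section.title).not.toBe(INSTANCE_REPORT.SECTIONS.UNPROTECTED_WEBHOOKS);
	}
});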
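test('should not report webhooks validated by direct children', async () => {
	// One workflow per validator node type: an unauthenticated webhook whose
	// only `main` connection leads straight into a node from
	// WEBHOOK_VALIDATOR_NODE_TYPES. The audit treats that child as the
	// authentication step, so none of these may be flagged.
	// The callback already returns a promise, so it needs no `async`.
	const promises = [...WEBHOOK_VALIDATOR_NODE_TYPES].map((nodeType) => {
		const details = {
			name: 'My Test Workflow',
			active: true,
			nodeTypes: {},
			nodes: [
				{
					parameters: {
						path: uuid(),
						options: {},
					},
					id: uuid(),
					name: 'Webhook',
					type: 'n8n-nodes-base.webhook',
					typeVersion: 1,
					position: [0, 0] as [number, number],
					webhookId: uuid(),
				},
				{
					id: uuid(),
					name: 'My Node',
					type: nodeType,
					typeVersion: 1,
					position: [0, 0] as [number, number],
				},
			],
			connections: {
				Webhook: {
					main: [
						[
							{
								node: 'My Node',
								type: 'main',
								index: 0,
							},
						],
					],
				},
			},
		};

		return Db.collections.Workflow.save(details);
	});

	await Promise.all(promises);

	const testAudit = await audit(['instance']);

	const report = testAudit?.[toReportTitle('instance')];

	// Throw instead of calling Jest's `fail()`: `fail` is not defined under the
	// jest-circus runner, and a thrown Error both stops the test with the
	// intended message and narrows `report` for the loop below.
	if (!report) {
		throw new Error('Expected test audit to have instance risk report');
	}

	// Other sections may be present; only the unprotected-webhooks one must be absent.
	for (const section of report.sections) {
		expect(section.title).not.toBe(INSTANCE_REPORT.SECTIONS.UNPROTECTED_WEBHOOKS);
	}
});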
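test('should not report non-webhook node', async () => {
	// A workflow whose trigger is a manual trigger, not a webhook (helper in
	// ./utils); there is no HTTP endpoint for the check to flag.
	await saveManualTriggerWorkflow();

	const testAudit = await audit(['instance']);

	const report = testAudit?.[toReportTitle('instance')];

	// Throw instead of calling Jest's `fail()`: `fail` is not defined under the
	// jest-circus runner, and a thrown Error both stops the test with the
	// intended message and narrows `report` for the loop below.
	if (!report) {
		throw new Error('Expected test audit to have instance risk report');
	}

	// Other sections may be present; only the unprotected-webhooks one must be absent.
	for (const section of report.sections) {
		expect(section.title).not.toBe(INSTANCE_REPORT.SECTIONS.UNPROTECTED_WEBHOOKS);
	}
});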
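test('should report outdated instance when outdated', async () => {
	// Override the up-to-date simulation from beforeAll for this one audit
	// (helper in ./utils; its name suggests it applies to the next check only).
	simulateOutdatedInstanceOnce();

	const testAudit = await audit(['instance']);

	const section = getRiskSection(
		testAudit,
		INSTANCE_REPORT.RISK,
		INSTANCE_REPORT.SECTIONS.OUTDATED_INSTANCE,
	);

	// Throw instead of calling Jest's `fail()`: `fail` is not defined under the
	// jest-circus runner, and a thrown Error both stops the test with the
	// intended message and narrows `section.nextVersions` for the checks below.
	if (!section.nextVersions) {
		throw new Error('Expected section to have next versions');
	}

	// The outdated simulation yields a single newer version, MOCK_09990_N8N_VERSION.
	expect(section.nextVersions).toHaveLength(1);
	expect(section.nextVersions[0].name).toBe(MOCK_09990_N8N_VERSION.name);
});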
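test('should not report outdated instance when up to date', async () => {
	// Relies on beforeAll's simulateUpToDateInstance(); no per-test setup needed.
	const testAudit = await audit(['instance']);

	const report = testAudit?.[toReportTitle('instance')];

	// Throw instead of calling Jest's `fail()`: `fail` is not defined under the
	// jest-circus runner, and a thrown Error both stops the test with the
	// intended message and narrows `report` for the loop below.
	if (!report) {
		throw new Error('Expected test audit to have instance risk report');
	}

	// Other sections may be present; only the outdated-instance one must be absent.
	for (const section of report.sections) {
		expect(section.title).not.toBe(INSTANCE_REPORT.SECTIONS.OUTDATED_INSTANCE);
	}
});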
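test('should report security settings', async () => {
	// `diagnostics.enabled` is process-wide config. Remember the current value
	// and restore it in `finally`, otherwise the override leaks into every test
	// that runs after this one in the same worker.
	const previousDiagnosticsEnabled = config.get('diagnostics.enabled');
	config.set('diagnostics.enabled', true);

	try {
		const testAudit = await audit(['instance']);

		const section = getRiskSection(
			testAudit,
			INSTANCE_REPORT.RISK,
			INSTANCE_REPORT.SECTIONS.SECURITY_SETTINGS,
		);

		// toMatchObject checks only the listed keys, so extra settings in the
		// report do not break this test. `diagnosticsEnabled` reflects the
		// override above; the other values are whatever the test config holds.
		expect(section.settings).toMatchObject({
			features: {
				communityPackagesEnabled: true,
				versionNotificationsEnabled: true,
				templatesEnabled: true,
				publicApiEnabled: false,
				userManagementEnabled: true,
			},
			auth: {
				authExcludeEndpoints: 'none',
				basicAuthActive: false,
				jwtAuthActive: false,
			},
			nodes: { nodesExclude: 'none', nodesInclude: 'none' },
			telemetry: { diagnosticsEnabled: true },
		});
	} finally {
		config.set('diagnostics.enabled', previousDiagnosticsEnabled);
	}
});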