
feat(core): Security audit #5034

Merged
merged 64 commits into from
Jan 5, 2023

Conversation

@ivov (Contributor) commented Dec 27, 2022

This PR adds functionality to generate a security audit, with five reports:

  • credentials risk report
    • Credentials not used in any workflow
    • Credentials not used in any active workflow
    • Credentials not used in recently executed workflows
  • database risk report
    • Expressions in "Execute Query" fields in SQL nodes
    • Expressions in "Query Parameters" fields in SQL nodes
    • Unused "Query Parameters" fields in SQL nodes
  • filesystem risk report
    • Nodes that interact with the filesystem
  • nodes risk report
    • Official risky nodes
    • Community nodes
    • Custom nodes
  • instance risk report
    • Unprotected webhooks in instance
    • Outdated instance
    • Security settings (omitted on cloud)

Each report contains a title, description, recommendation and, depending on the report, a location (flagged node or credential), settings (instance security settings) or details (for custom and community nodes).

Functionality exposed via:

  • CLI command: ./packages/cli/bin/n8n audit
  • Public API: POST /audit (owner only)
  • n8n node: audit:generate operation

Spec:

  • None, loosely based on RFC.

Out of scope, to cover in future if useful:

  • Community nodes not used in recently executed workflows
  • Community node installed despite being in n8n's denylist
  • Custom nodes not used in recently executed workflows
  • Expressions suspected of attempting RCE
  • "Execute Query" fields suspected of attempting SQL injection
  • Nodes and creds whose config disables SSL
  • Settings for NODE_FUNCTION_ALLOW_BUILTIN and NODE_FUNCTION_ALLOW_EXTERNAL
  • Report in other formats like HTML

@ivov ivov marked this pull request as draft December 27, 2022 09:29
@n8n-assistant bot added labels core (Enhancement outside /nodes-base and /editor-ui), n8n team (Authored by the n8n team), node/improvement (New feature or request) Dec 27, 2022
@ivov ivov requested review from krynble and netroy January 5, 2023 09:45
@ivov ivov removed the request for review from krynble January 5, 2023 11:59
@ivov ivov merged commit d548161 into master Jan 5, 2023
@ivov ivov deleted the security-audit branch January 5, 2023 12:28
@n8n-assistant bot added the Upcoming Release (Will be part of the upcoming release) label Jan 5, 2023
@janober (Member) commented Jan 5, 2023

Got released with n8n@0.210.0
