perf(core): Lazyload security audit reporters (#7696)

Also converting to service. Followup to https://github.com/n8n-io/n8n/pull/7663
2025-12-20 03:12:15 +00:00 · 2023-11-13 11:50:43 +01:00
parent a08fca51d9
commit b2ca050031
24 changed files with 779 additions and 718 deletions
--- a/packages/cli/test/integration/security-audit/InstanceRiskReporter.test.ts
+++ b/packages/cli/test/integration/security-audit/InstanceRiskReporter.test.ts
@@ -0,0 +1,261 @@
+import { v4 as uuid } from 'uuid';
+import { SecurityAuditService } from '@/security-audit/SecurityAudit.service';
+import { INSTANCE_REPORT, WEBHOOK_VALIDATOR_NODE_TYPES } from '@/security-audit/constants';
+import {
+	getRiskSection,
+	saveManualTriggerWorkflow,
+	MOCK_09990_N8N_VERSION,
+	simulateOutdatedInstanceOnce,
+	simulateUpToDateInstance,
+} from './utils';
+import * as testDb from '../shared/testDb';
+import { toReportTitle } from '@/security-audit/utils';
+import config from '@/config';
+import { generateNanoId } from '@db/utils/generators';
+import { WorkflowRepository } from '@db/repositories/workflow.repository';
+import Container from 'typedi';
+
+let securityAuditService: SecurityAuditService;
+
+beforeAll(async () => {
+	await testDb.init();
+
+	securityAuditService = new SecurityAuditService(Container.get(WorkflowRepository));
+
+	simulateUpToDateInstance();
+});
+
+beforeEach(async () => {
+	await testDb.truncate(['Workflow']);
+});
+
+afterAll(async () => {
+	await testDb.terminate();
+});
+
+test('should report webhook lacking authentication', async () => {
+	const targetNodeId = uuid();
+
+	const details = {
+		id: generateNanoId(),
+		name: 'My Test Workflow',
+		active: true,
+		nodeTypes: {},
+		connections: {},
+		nodes: [
+			{
+				parameters: {
+					path: uuid(),
+					options: {},
+				},
+				id: targetNodeId,
+				name: 'Webhook',
+				type: 'n8n-nodes-base.webhook',
+				typeVersion: 1,
+				position: [0, 0] as [number, number],
+				webhookId: uuid(),
+			},
+		],
+	};
+
+	await Container.get(WorkflowRepository).save(details);
+
+	const testAudit = await securityAuditService.run(['instance']);
+
+	const section = getRiskSection(
+		testAudit,
+		INSTANCE_REPORT.RISK,
+		INSTANCE_REPORT.SECTIONS.UNPROTECTED_WEBHOOKS,
+	);
+
+	if (!section.location) {
+		fail('Expected section to have locations');
+	}
+
+	expect(section.location).toHaveLength(1);
+
+	expect(section.location[0].nodeId).toBe(targetNodeId);
+});
+
+test('should not report webhooks having basic or header auth', async () => {
+	const promises = ['basicAuth', 'headerAuth'].map(async (authType) => {
+		const details = {
+			id: generateNanoId(),
+			name: 'My Test Workflow',
+			active: true,
+			nodeTypes: {},
+			connections: {},
+			nodes: [
+				{
+					parameters: {
+						path: uuid(),
+						authentication: authType,
+						options: {},
+					},
+					id: uuid(),
+					name: 'Webhook',
+					type: 'n8n-nodes-base.webhook',
+					typeVersion: 1,
+					position: [0, 0] as [number, number],
+					webhookId: uuid(),
+				},
+			],
+		};
+
+		return Container.get(WorkflowRepository).save(details);
+	});
+
+	await Promise.all(promises);
+
+	const testAudit = await securityAuditService.run(['instance']);
+
+	if (Array.isArray(testAudit)) fail('Audit is empty');
+
+	const report = testAudit[toReportTitle('instance')];
+
+	if (!report) {
+		fail('Expected test audit to have instance risk report');
+	}
+
+	for (const section of report.sections) {
+		expect(section.title).not.toBe(INSTANCE_REPORT.SECTIONS.UNPROTECTED_WEBHOOKS);
+	}
+});
+
+test('should not report webhooks validated by direct children', async () => {
+	const promises = [...WEBHOOK_VALIDATOR_NODE_TYPES].map(async (nodeType) => {
+		const details = {
+			id: generateNanoId(),
+			name: 'My Test Workflow',
+			active: true,
+			nodeTypes: {},
+			nodes: [
+				{
+					parameters: {
+						path: uuid(),
+						options: {},
+					},
+					id: uuid(),
+					name: 'Webhook',
+					type: 'n8n-nodes-base.webhook',
+					typeVersion: 1,
+					position: [0, 0] as [number, number],
+					webhookId: uuid(),
+				},
+				{
+					id: uuid(),
+					name: 'My Node',
+					type: nodeType,
+					typeVersion: 1,
+					position: [0, 0] as [number, number],
+				},
+			],
+			connections: {
+				Webhook: {
+					main: [
+						[
+							{
+								node: 'My Node',
+								type: 'main',
+								index: 0,
+							},
+						],
+					],
+				},
+			},
+		};
+
+		return Container.get(WorkflowRepository).save(details);
+	});
+
+	await Promise.all(promises);
+
+	const testAudit = await securityAuditService.run(['instance']);
+	if (Array.isArray(testAudit)) fail('audit is empty');
+
+	const report = testAudit[toReportTitle('instance')];
+	if (!report) {
+		fail('Expected test audit to have instance risk report');
+	}
+
+	for (const section of report.sections) {
+		expect(section.title).not.toBe(INSTANCE_REPORT.SECTIONS.UNPROTECTED_WEBHOOKS);
+	}
+});
+
+test('should not report non-webhook node', async () => {
+	await saveManualTriggerWorkflow();
+
+	const testAudit = await securityAuditService.run(['instance']);
+	if (Array.isArray(testAudit)) fail('audit is empty');
+
+	const report = testAudit[toReportTitle('instance')];
+
+	if (!report) {
+		fail('Expected test audit to have instance risk report');
+	}
+
+	for (const section of report.sections) {
+		expect(section.title).not.toBe(INSTANCE_REPORT.SECTIONS.UNPROTECTED_WEBHOOKS);
+	}
+});
+
+test('should report outdated instance when outdated', async () => {
+	simulateOutdatedInstanceOnce();
+
+	const testAudit = await securityAuditService.run(['instance']);
+
+	const section = getRiskSection(
+		testAudit,
+		INSTANCE_REPORT.RISK,
+		INSTANCE_REPORT.SECTIONS.OUTDATED_INSTANCE,
+	);
+
+	if (!section.nextVersions) {
+		fail('Expected section to have next versions');
+	}
+
+	expect(section.nextVersions).toHaveLength(1);
+
+	expect(section.nextVersions[0].name).toBe(MOCK_09990_N8N_VERSION.name);
+});
+
+test('should not report outdated instance when up to date', async () => {
+	const testAudit = await securityAuditService.run(['instance']);
+	if (Array.isArray(testAudit)) fail('audit is empty');
+
+	const report = testAudit[toReportTitle('instance')];
+	if (!report) {
+		fail('Expected test audit to have instance risk report');
+	}
+
+	for (const section of report.sections) {
+		expect(section.title).not.toBe(INSTANCE_REPORT.SECTIONS.OUTDATED_INSTANCE);
+	}
+});
+
+test('should report security settings', async () => {
+	config.set('diagnostics.enabled', true);
+
+	const testAudit = await securityAuditService.run(['instance']);
+
+	const section = getRiskSection(
+		testAudit,
+		INSTANCE_REPORT.RISK,
+		INSTANCE_REPORT.SECTIONS.SECURITY_SETTINGS,
+	);
+
+	expect(section.settings).toMatchObject({
+		features: {
+			communityPackagesEnabled: true,
+			versionNotificationsEnabled: true,
+			templatesEnabled: true,
+			publicApiEnabled: false,
+		},
+		auth: {
+			authExcludeEndpoints: 'none',
+		},
+		nodes: { nodesExclude: 'none', nodesInclude: 'none' },
+		telemetry: { diagnosticsEnabled: true },
+	});
+});