n8n-security-testing
Compare original and translation side by side
🇺🇸
Original
English🇨🇳
Translation
Chinesen8n Security Testing
n8n 安全性测试
<default_to_action>
When testing n8n security:
- SCAN for credential exposure in workflows
- VERIFY encryption of sensitive data
- TEST OAuth token handling
- CHECK for insecure data transmission
- VALIDATE input sanitization
Quick Security Checklist:
- No credentials in workflow JSON
- No credentials in execution logs
- OAuth tokens properly encrypted
- API keys not in version control
- Webhook authentication enabled
- Input data sanitized
Critical Success Factors:
- Scan all workflow exports
- Test credential rotation
- Verify encryption at rest
- Check audit logging </default_to_action>
<default_to_action>
测试n8n安全性时:
- 扫描工作流中的凭证暴露情况
- 验证敏感数据的加密状态
- 测试OAuth令牌处理流程
- 检查是否存在不安全的数据传输
- 验证输入数据清理机制
快速安全检查清单:
- 工作流JSON中无凭证信息
- 执行日志中无凭证信息
- OAuth令牌已正确加密
- API密钥未纳入版本控制
- Webhook身份验证已启用
- 输入数据已完成清理
关键成功因素:
- 扫描所有工作流导出文件
- 测试凭证轮换流程
- 验证静态数据加密
- 检查审计日志 </default_to_action>
Quick Reference Card
快速参考卡片
Security Risk Areas
安全风险领域
| Area | Risk Level | Testing Focus |
|---|---|---|
| Credential Storage | Critical | Encryption, exposure |
| Webhook Security | High | Authentication, validation |
| Expression Injection | High | Input sanitization |
| Data Leakage | Medium | Logging, error messages |
| OAuth Flows | Medium | Token handling, refresh |
| 领域 | 风险等级 | 测试重点 |
|---|---|---|
| 凭证存储 | 极高 | 加密、暴露情况 |
| Webhook安全 | 高 | 身份验证、有效性验证 |
| 表达式注入 | 高 | 输入数据清理 |
| 数据泄露 | 中 | 日志记录、错误信息 |
| OAuth流程 | 中 | 令牌处理、刷新机制 |
Credential Types
凭证类型
| Type | Exposure Risk | Rotation |
|---|---|---|
| API Keys | High if exposed | Manual |
| OAuth Tokens | Medium (short-lived) | Automatic |
| Passwords | Critical | Manual |
| Webhooks | Medium | Generate new |
| 类型 | 暴露风险 | 轮换方式 |
|---|---|---|
| API密钥 | 暴露后风险极高 | 手动轮换 |
| OAuth令牌 | 中等(短期有效) | 自动轮换 |
| 密码 | 极高 | 手动轮换 |
| Webhook | 中等 | 生成新凭证 |
Credential Security Testing
凭证安全测试
Scan for Exposed Credentials
扫描暴露的凭证
typescript
// Scan workflow JSON for credential exposure
async function scanForExposedCredentials(workflowId: string): Promise<CredentialScanResult> {
const workflow = await getWorkflow(workflowId);
const workflowJson = JSON.stringify(workflow, null, 2);
const sensitivePatterns = [
// API Keys
{ name: 'Generic API Key', pattern: /api[_-]?key["\s:=]+["']?([a-zA-Z0-9_-]{20,})["']?/gi },
{ name: 'AWS Access Key', pattern: /AKIA[0-9A-Z]{16}/g },
{ name: 'AWS Secret Key', pattern: /[a-zA-Z0-9/+=]{40}/g },
// Tokens
{ name: 'Bearer Token', pattern: /bearer\s+[a-zA-Z0-9_-]{20,}/gi },
{ name: 'JWT Token', pattern: /eyJ[a-zA-Z0-9_-]*\.eyJ[a-zA-Z0-9_-]*\.[a-zA-Z0-9_-]*/g },
{ name: 'Slack Token', pattern: /xox[baprs]-[0-9]{10,13}-[0-9]{10,13}-[a-zA-Z0-9]{24}/g },
// Passwords
{ name: 'Password Field', pattern: /"password":\s*"[^"]+"/gi },
{ name: 'Secret Field', pattern: /"secret":\s*"[^"]+"/gi },
// OAuth
{ name: 'Client Secret', pattern: /client[_-]?secret["\s:=]+["']?([a-zA-Z0-9_-]{20,})["']?/gi },
{ name: 'Refresh Token', pattern: /refresh[_-]?token["\s:=]+["']?([a-zA-Z0-9_-]{20,})["']?/gi }
];
const findings: CredentialFinding[] = [];
for (const pattern of sensitivePatterns) {
const matches = workflowJson.match(pattern.pattern);
if (matches) {
for (const match of matches) {
findings.push({
type: pattern.name,
location: findLocationInWorkflow(workflow, match),
severity: 'CRITICAL',
recommendation: `Remove ${pattern.name} from workflow. Use n8n credentials instead.`
});
}
}
}
return {
workflowId,
scanned: true,
findingsCount: findings.length,
findings,
secure: findings.length === 0
};
}typescript
// Scan workflow JSON for credential exposure
async function scanForExposedCredentials(workflowId: string): Promise<CredentialScanResult> {
const workflow = await getWorkflow(workflowId);
const workflowJson = JSON.stringify(workflow, null, 2);
const sensitivePatterns = [
// API Keys
{ name: 'Generic API Key', pattern: /api[_-]?key["\s:=]+["']?([a-zA-Z0-9_-]{20,})["']?/gi },
{ name: 'AWS Access Key', pattern: /AKIA[0-9A-Z]{16}/g },
{ name: 'AWS Secret Key', pattern: /[a-zA-Z0-9/+=]{40}/g },
// Tokens
{ name: 'Bearer Token', pattern: /bearer\s+[a-zA-Z0-9_-]{20,}/gi },
{ name: 'JWT Token', pattern: /eyJ[a-zA-Z0-9_-]*\.eyJ[a-zA-Z0-9_-]*\.[a-zA-Z0-9_-]*/g },
{ name: 'Slack Token', pattern: /xox[baprs]-[0-9]{10,13}-[0-9]{10,13}-[a-zA-Z0-9]{24}/g },
// Passwords
{ name: 'Password Field', pattern: /"password":\s*"[^"]+"/gi },
{ name: 'Secret Field', pattern: /"secret":\s*"[^"]+"/gi },
// OAuth
{ name: 'Client Secret', pattern: /client[_-]?secret["\s:=]+["']?([a-zA-Z0-9_-]{20,})["']?/gi },
{ name: 'Refresh Token', pattern: /refresh[_-]?token["\s:=]+["']?([a-zA-Z0-9_-]{20,})["']?/gi }
];
const findings: CredentialFinding[] = [];
for (const pattern of sensitivePatterns) {
const matches = workflowJson.match(pattern.pattern);
if (matches) {
for (const match of matches) {
findings.push({
type: pattern.name,
location: findLocationInWorkflow(workflow, match),
severity: 'CRITICAL',
recommendation: `Remove ${pattern.name} from workflow. Use n8n credentials instead.`
});
}
}
}
return {
workflowId,
scanned: true,
findingsCount: findings.length,
findings,
secure: findings.length === 0
};
}Verify Credential Encryption
验证凭证加密
typescript
// Verify credentials are encrypted at rest
async function verifyCredentialEncryption(credentialId: string): Promise<EncryptionResult> {
// Get credential metadata (not the actual credential)
const credential = await getCredentialMetadata(credentialId);
// Check if credential data is encrypted
const encryptionChecks = {
// Check if stored data looks encrypted (not plain text)
isEncrypted: !isPlainText(credential.data),
// Check encryption algorithm
algorithm: credential.encryptionAlgorithm || 'unknown',
// Check key derivation
keyDerivation: credential.keyDerivation || 'unknown',
// Check if using instance encryption key
instanceEncryption: credential.useInstanceKey || false
};
return {
credentialId,
credentialName: credential.name,
credentialType: credential.type,
encryption: encryptionChecks,
secure: encryptionChecks.isEncrypted && encryptionChecks.algorithm !== 'unknown',
recommendations: generateEncryptionRecommendations(encryptionChecks)
};
}
// Check if data appears to be plain text
function isPlainText(data: string): boolean {
// Plain text credentials often have recognizable patterns
const plainTextPatterns = [
/^[a-zA-Z0-9_-]+$/, // Simple alphanumeric
/^sk-[a-zA-Z0-9]+$/, // API key format
/^Bearer\s/, // Bearer token
];
return plainTextPatterns.some(p => p.test(data));
}typescript
// Verify credentials are encrypted at rest
async function verifyCredentialEncryption(credentialId: string): Promise<EncryptionResult> {
// Get credential metadata (not the actual credential)
const credential = await getCredentialMetadata(credentialId);
// Check if credential data is encrypted
const encryptionChecks = {
// Check if stored data looks encrypted (not plain text)
isEncrypted: !isPlainText(credential.data),
// Check encryption algorithm
algorithm: credential.encryptionAlgorithm || 'unknown',
// Check key derivation
keyDerivation: credential.keyDerivation || 'unknown',
// Check if using instance encryption key
instanceEncryption: credential.useInstanceKey || false
};
return {
credentialId,
credentialName: credential.name,
credentialType: credential.type,
encryption: encryptionChecks,
secure: encryptionChecks.isEncrypted && encryptionChecks.algorithm !== 'unknown',
recommendations: generateEncryptionRecommendations(encryptionChecks)
};
}
// Check if data appears to be plain text
function isPlainText(data: string): boolean {
// Plain text credentials often have recognizable patterns
const plainTextPatterns = [
/^[a-zA-Z0-9_-]+$/, // Simple alphanumeric
/^sk-[a-zA-Z0-9]+$/, // API key format
/^Bearer\s/, // Bearer token
];
return plainTextPatterns.some(p => p.test(data));
}Test Credential Rotation
测试凭证轮换
typescript
// Test credential rotation process
async function testCredentialRotation(credentialId: string): Promise<RotationTestResult> {
const credential = await getCredentialMetadata(credentialId);
const rotationTests = {
// Check if credential has rotation metadata
hasRotationSchedule: !!credential.rotationSchedule,
lastRotated: credential.lastRotatedAt,
rotationDue: isRotationDue(credential),
// Test OAuth token refresh
oauthRefresh: credential.type.includes('oauth')
? await testOAuthRefresh(credentialId)
: null,
// Check credential age
credentialAge: calculateAge(credential.createdAt),
isStale: calculateAge(credential.createdAt) > 90 // 90 days
};
return {
credentialId,
rotationTests,
recommendations: generateRotationRecommendations(rotationTests)
};
}
// Test OAuth token refresh
async function testOAuthRefresh(credentialId: string): Promise<OAuthRefreshResult> {
try {
// Trigger refresh
const refreshed = await refreshCredential(credentialId);
return {
success: true,
newExpiry: refreshed.expiresAt,
refreshedAt: new Date()
};
} catch (error) {
return {
success: false,
error: error.message,
recommendation: 'Re-authorize OAuth connection'
};
}
}typescript
// Test credential rotation process
async function testCredentialRotation(credentialId: string): Promise<RotationTestResult> {
const credential = await getCredentialMetadata(credentialId);
const rotationTests = {
// Check if credential has rotation metadata
hasRotationSchedule: !!credential.rotationSchedule,
lastRotated: credential.lastRotatedAt,
rotationDue: isRotationDue(credential),
// Test OAuth token refresh
oauthRefresh: credential.type.includes('oauth')
? await testOAuthRefresh(credentialId)
: null,
// Check credential age
credentialAge: calculateAge(credential.createdAt),
isStale: calculateAge(credential.createdAt) > 90 // 90 days
};
return {
credentialId,
rotationTests,
recommendations: generateRotationRecommendations(rotationTests)
};
}
// Test OAuth token refresh
async function testOAuthRefresh(credentialId: string): Promise<OAuthRefreshResult> {
try {
// Trigger refresh
const refreshed = await refreshCredential(credentialId);
return {
success: true,
newExpiry: refreshed.expiresAt,
refreshedAt: new Date()
};
} catch (error) {
return {
success: false,
error: error.message,
recommendation: 'Re-authorize OAuth connection'
};
}
}Webhook Security Testing
Webhook安全测试
Authentication Testing
身份验证测试
typescript
// Test webhook authentication enforcement
async function testWebhookAuthentication(webhookUrl: string): Promise<WebhookAuthResult> {
const authTests = [
// No authentication
{
name: 'No Auth',
headers: {},
expectedStatus: 401
},
// Invalid Basic Auth
{
name: 'Invalid Basic Auth',
headers: { 'Authorization': 'Basic aW52YWxpZDppbnZhbGlk' },
expectedStatus: 401
},
// Invalid Bearer Token
{
name: 'Invalid Bearer',
headers: { 'Authorization': 'Bearer invalid-token-12345' },
expectedStatus: 401
},
// Invalid Header Auth
{
name: 'Invalid Header Auth',
headers: { 'X-API-Key': 'invalid-key' },
expectedStatus: 401
}
];
const results: AuthTestResult[] = [];
for (const test of authTests) {
const response = await fetch(webhookUrl, {
method: 'POST',
headers: {
'Content-Type': 'application/json',
...test.headers
},
body: '{}'
});
results.push({
test: test.name,
status: response.status,
passed: response.status === test.expectedStatus,
actualStatus: response.status,
expectedStatus: test.expectedStatus
});
}
// Check if webhook has ANY auth
const noAuthResponse = results.find(r => r.test === 'No Auth');
const webhookHasAuth = noAuthResponse?.status === 401;
return {
webhookUrl,
hasAuthentication: webhookHasAuth,
testResults: results,
allTestsPassed: results.every(r => r.passed),
recommendation: !webhookHasAuth
? 'CRITICAL: Enable authentication on webhook'
: null
};
}typescript
// Test webhook authentication enforcement
async function testWebhookAuthentication(webhookUrl: string): Promise<WebhookAuthResult> {
const authTests = [
// No authentication
{
name: 'No Auth',
headers: {},
expectedStatus: 401
},
// Invalid Basic Auth
{
name: 'Invalid Basic Auth',
headers: { 'Authorization': 'Basic aW52YWxpZDppbnZhbGlk' },
expectedStatus: 401
},
// Invalid Bearer Token
{
name: 'Invalid Bearer',
headers: { 'Authorization': 'Bearer invalid-token-12345' },
expectedStatus: 401
},
// Invalid Header Auth
{
name: 'Invalid Header Auth',
headers: { 'X-API-Key': 'invalid-key' },
expectedStatus: 401
}
];
const results: AuthTestResult[] = [];
for (const test of authTests) {
const response = await fetch(webhookUrl, {
method: 'POST',
headers: {
'Content-Type': 'application/json',
...test.headers
},
body: '{}'
});
results.push({
test: test.name,
status: response.status,
passed: response.status === test.expectedStatus,
actualStatus: response.status,
expectedStatus: test.expectedStatus
});
}
// Check if webhook has ANY auth
const noAuthResponse = results.find(r => r.test === 'No Auth');
const webhookHasAuth = noAuthResponse?.status === 401;
return {
webhookUrl,
hasAuthentication: webhookHasAuth,
testResults: results,
allTestsPassed: results.every(r => r.passed),
recommendation: !webhookHasAuth
? 'CRITICAL: Enable authentication on webhook'
: null
};
}Input Validation Testing
输入验证测试
typescript
// Test webhook input validation
async function testWebhookInputValidation(webhookUrl: string): Promise<InputValidationResult> {
const maliciousPayloads = [
// XSS attempts
{
name: 'XSS Script Tag',
payload: { text: '<script>alert("xss")</script>' },
check: 'sanitized'
},
{
name: 'XSS Event Handler',
payload: { text: '<img onerror="alert(1)" src="x">' },
check: 'sanitized'
},
// SQL Injection
{
name: 'SQL Injection',
payload: { id: "1; DROP TABLE users; --" },
check: 'escaped'
},
// Command Injection
{
name: 'Command Injection',
payload: { filename: '; rm -rf /' },
check: 'rejected'
},
// Path Traversal
{
name: 'Path Traversal',
payload: { path: '../../../etc/passwd' },
check: 'rejected'
},
// JSON Injection
{
name: 'JSON Injection',
payload: { data: '{"admin": true}' },
check: 'escaped'
},
// Oversized payload
{
name: 'Oversized Payload',
payload: { data: 'x'.repeat(10000000) }, // 10MB
check: 'rejected'
}
];
const results: ValidationTestResult[] = [];
for (const test of maliciousPayloads) {
try {
const response = await fetch(webhookUrl, {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify(test.payload)
});
const responseBody = await response.text();
results.push({
test: test.name,
status: response.status,
handled: response.status !== 500, // Not a server error
sanitized: !responseBody.includes(test.payload.text || test.payload.data),
recommendation: response.status === 500
? `Input not handled safely: ${test.name}`
: null
});
} catch (error) {
results.push({
test: test.name,
handled: false,
error: error.message
});
}
}
return {
webhookUrl,
testsRun: maliciousPayloads.length,
passed: results.filter(r => r.handled).length,
failed: results.filter(r => !r.handled).length,
results,
secure: results.every(r => r.handled)
};
}typescript
// Test webhook input validation
async function testWebhookInputValidation(webhookUrl: string): Promise<InputValidationResult> {
const maliciousPayloads = [
// XSS attempts
{
name: 'XSS Script Tag',
payload: { text: '<script>alert("xss")</script>' },
check: 'sanitized'
},
{
name: 'XSS Event Handler',
payload: { text: '<img onerror="alert(1)" src="x">' },
check: 'sanitized'
},
// SQL Injection
{
name: 'SQL Injection',
payload: { id: "1; DROP TABLE users; --" },
check: 'escaped'
},
// Command Injection
{
name: 'Command Injection',
payload: { filename: '; rm -rf /' },
check: 'rejected'
},
// Path Traversal
{
name: 'Path Traversal',
payload: { path: '../../../etc/passwd' },
check: 'rejected'
},
// JSON Injection
{
name: 'JSON Injection',
payload: { data: '{"admin": true}' },
check: 'escaped'
},
// Oversized payload
{
name: 'Oversized Payload',
payload: { data: 'x'.repeat(10000000) }, // 10MB
check: 'rejected'
}
];
const results: ValidationTestResult[] = [];
for (const test of maliciousPayloads) {
try {
const response = await fetch(webhookUrl, {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify(test.payload)
});
const responseBody = await response.text();
results.push({
test: test.name,
status: response.status,
handled: response.status !== 500, // Not a server error
sanitized: !responseBody.includes(test.payload.text || test.payload.data),
recommendation: response.status === 500
? `Input not handled safely: ${test.name}`
: null
});
} catch (error) {
results.push({
test: test.name,
handled: false,
error: error.message
});
}
}
return {
webhookUrl,
testsRun: maliciousPayloads.length,
passed: results.filter(r => r.handled).length,
failed: results.filter(r => !r.handled).length,
results,
secure: results.every(r => r.handled)
};
}Expression Security Testing
表达式安全测试
Detect Dangerous Expressions
检测危险表达式
typescript
// Scan expressions for security vulnerabilities
async function scanExpressionsForSecurity(workflowId: string): Promise<ExpressionSecurityResult> {
const workflow = await getWorkflow(workflowId);
const expressions = extractExpressions(workflow);
const dangerousPatterns = [
// Code execution
{ name: 'eval()', pattern: /eval\s*\(/g, severity: 'CRITICAL' },
{ name: 'Function()', pattern: /new\s+Function\s*\(/g, severity: 'CRITICAL' },
{ name: 'setTimeout string', pattern: /setTimeout\s*\(\s*["'`]/g, severity: 'HIGH' },
{ name: 'setInterval string', pattern: /setInterval\s*\(\s*["'`]/g, severity: 'HIGH' },
// File system access
{ name: 'require()', pattern: /require\s*\(/g, severity: 'HIGH' },
{ name: 'import()', pattern: /import\s*\(/g, severity: 'HIGH' },
{ name: 'fs access', pattern: /\bfs\./g, severity: 'HIGH' },
// Process/child execution
{ name: 'child_process', pattern: /child_process/g, severity: 'CRITICAL' },
{ name: 'process.', pattern: /process\./g, severity: 'MEDIUM' },
{ name: 'exec()', pattern: /exec\s*\(/g, severity: 'CRITICAL' },
{ name: 'spawn()', pattern: /spawn\s*\(/g, severity: 'CRITICAL' },
// Network access
{ name: 'fetch()', pattern: /fetch\s*\(/g, severity: 'MEDIUM' },
{ name: 'XMLHttpRequest', pattern: /XMLHttpRequest/g, severity: 'MEDIUM' },
// Prototype pollution
{ name: '__proto__', pattern: /__proto__/g, severity: 'HIGH' },
{ name: 'constructor.prototype', pattern: /constructor\.prototype/g, severity: 'HIGH' }
];
const findings: SecurityFinding[] = [];
for (const expr of expressions) {
for (const pattern of dangerousPatterns) {
if (pattern.pattern.test(expr.expression)) {
findings.push({
node: expr.nodeName,
parameter: expr.parameter,
expression: expr.expression,
pattern: pattern.name,
severity: pattern.severity,
recommendation: `Remove ${pattern.name} from expression. Use safer alternatives.`
});
}
}
}
return {
workflowId,
expressionsScanned: expressions.length,
findings,
secure: findings.length === 0,
criticalIssues: findings.filter(f => f.severity === 'CRITICAL').length,
highIssues: findings.filter(f => f.severity === 'HIGH').length
};
}typescript
// Scan expressions for security vulnerabilities
async function scanExpressionsForSecurity(workflowId: string): Promise<ExpressionSecurityResult> {
const workflow = await getWorkflow(workflowId);
const expressions = extractExpressions(workflow);
const dangerousPatterns = [
// Code execution
{ name: 'eval()', pattern: /eval\s*\(/g, severity: 'CRITICAL' },
{ name: 'Function()', pattern: /new\s+Function\s*\(/g, severity: 'CRITICAL' },
{ name: 'setTimeout string', pattern: /setTimeout\s*\(\s*["'`]/g, severity: 'HIGH' },
{ name: 'setInterval string', pattern: /setInterval\s*\(\s*["'`]/g, severity: 'HIGH' },
// File system access
{ name: 'require()', pattern: /require\s*\(/g, severity: 'HIGH' },
{ name: 'import()', pattern: /import\s*\(/g, severity: 'HIGH' },
{ name: 'fs access', pattern: /\bfs\./g, severity: 'HIGH' },
// Process/child execution
{ name: 'child_process', pattern: /child_process/g, severity: 'CRITICAL' },
{ name: 'process.', pattern: /process\./g, severity: 'MEDIUM' },
{ name: 'exec()', pattern: /exec\s*\(/g, severity: 'CRITICAL' },
{ name: 'spawn()', pattern: /spawn\s*\(/g, severity: 'CRITICAL' },
// Network access
{ name: 'fetch()', pattern: /fetch\s*\(/g, severity: 'MEDIUM' },
{ name: 'XMLHttpRequest', pattern: /XMLHttpRequest/g, severity: 'MEDIUM' },
// Prototype pollution
{ name: '__proto__', pattern: /__proto__/g, severity: 'HIGH' },
{ name: 'constructor.prototype', pattern: /constructor\.prototype/g, severity: 'HIGH' }
];
const findings: SecurityFinding[] = [];
for (const expr of expressions) {
for (const pattern of dangerousPatterns) {
if (pattern.pattern.test(expr.expression)) {
findings.push({
node: expr.nodeName,
parameter: expr.parameter,
expression: expr.expression,
pattern: pattern.name,
severity: pattern.severity,
recommendation: `Remove ${pattern.name} from expression. Use safer alternatives.`
});
}
}
}
return {
workflowId,
expressionsScanned: expressions.length,
findings,
secure: findings.length === 0,
criticalIssues: findings.filter(f => f.severity === 'CRITICAL').length,
highIssues: findings.filter(f => f.severity === 'HIGH').length
};
}Data Leakage Testing
数据泄露测试
Scan Execution Logs
扫描执行日志
typescript
// Scan execution logs for credential leakage
async function scanExecutionLogs(workflowId: string, executionCount: number = 10): Promise<LogScanResult> {
const executions = await getRecentExecutions(workflowId, executionCount);
const findings: LogFinding[] = [];
const sensitivePatterns = [
{ name: 'Password', pattern: /password["\s:=]+["']?[^"'\s]+["']?/gi },
{ name: 'API Key', pattern: /api[_-]?key["\s:=]+["']?[^"'\s]{20,}["']?/gi },
{ name: 'Token', pattern: /token["\s:=]+["']?[a-zA-Z0-9_-]{20,}["']?/gi },
{ name: 'Secret', pattern: /secret["\s:=]+["']?[^"'\s]+["']?/gi },
{ name: 'Authorization Header', pattern: /authorization["\s:]+["']?(bearer|basic)\s+[^"'\s]+["']?/gi }
];
for (const execution of executions) {
const logString = JSON.stringify(execution.data, null, 2);
for (const pattern of sensitivePatterns) {
const matches = logString.match(pattern.pattern);
if (matches) {
findings.push({
executionId: execution.id,
type: pattern.name,
matchCount: matches.length,
severity: 'HIGH',
recommendation: `Mask ${pattern.name} in logs`
});
}
}
}
return {
workflowId,
executionsScanned: executions.length,
findings,
secure: findings.length === 0,
recommendation: findings.length > 0
? 'Enable credential masking in n8n settings'
: null
};
}typescript
// Scan execution logs for credential leakage
async function scanExecutionLogs(workflowId: string, executionCount: number = 10): Promise<LogScanResult> {
const executions = await getRecentExecutions(workflowId, executionCount);
const findings: LogFinding[] = [];
const sensitivePatterns = [
{ name: 'Password', pattern: /password["\s:=]+["']?[^"'\s]+["']?/gi },
{ name: 'API Key', pattern: /api[_-]?key["\s:=]+["']?[^"'\s]{20,}["']?/gi },
{ name: 'Token', pattern: /token["\s:=]+["']?[a-zA-Z0-9_-]{20,}["']?/gi },
{ name: 'Secret', pattern: /secret["\s:=]+["']?[^"'\s]+["']?/gi },
{ name: 'Authorization Header', pattern: /authorization["\s:]+["']?(bearer|basic)\s+[^"'\s]+["']?/gi }
];
for (const execution of executions) {
const logString = JSON.stringify(execution.data, null, 2);
for (const pattern of sensitivePatterns) {
const matches = logString.match(pattern.pattern);
if (matches) {
findings.push({
executionId: execution.id,
type: pattern.name,
matchCount: matches.length,
severity: 'HIGH',
recommendation: `Mask ${pattern.name} in logs`
});
}
}
}
return {
workflowId,
executionsScanned: executions.length,
findings,
secure: findings.length === 0,
recommendation: findings.length > 0
? 'Enable credential masking in n8n settings'
: null
};
}Check Error Message Exposure
检查错误信息暴露
typescript
// Check if error messages expose sensitive information
async function checkErrorMessageSecurity(workflowId: string): Promise<ErrorMessageResult> {
// Trigger intentional errors
const errorScenarios = [
{ name: 'Invalid credentials', inject: { credentials: null } },
{ name: 'Invalid endpoint', inject: { url: 'https://invalid' } },
{ name: 'Database error', inject: { query: 'INVALID SQL' } }
];
const findings: ErrorFinding[] = [];
for (const scenario of errorScenarios) {
try {
await executeWithError(workflowId, scenario.inject);
} catch (error) {
const errorMessage = error.message;
// Check for sensitive data in error
const sensitiveData = [
{ name: 'Connection string', pattern: /mongodb:\/\/[^@]+@/i },
{ name: 'Password in URL', pattern: /:\/\/[^:]+:[^@]+@/i },
{ name: 'Full file path', pattern: /\/(?:home|Users|var)\/[^\s]+/i },
{ name: 'Stack trace', pattern: /at\s+\w+\s+\([^)]+\)/i },
{ name: 'Internal IP', pattern: /\b(?:10|172\.(?:1[6-9]|2[0-9]|3[01])|192\.168)\.\d+\.\d+\b/i }
];
for (const check of sensitiveData) {
if (check.pattern.test(errorMessage)) {
findings.push({
scenario: scenario.name,
exposedData: check.name,
severity: 'MEDIUM',
recommendation: `Sanitize ${check.name} from error messages`
});
}
}
}
}
return {
workflowId,
scenariosTested: errorScenarios.length,
findings,
secure: findings.length === 0
};
}typescript
// Check if error messages expose sensitive information
async function checkErrorMessageSecurity(workflowId: string): Promise<ErrorMessageResult> {
// Trigger intentional errors
const errorScenarios = [
{ name: 'Invalid credentials', inject: { credentials: null } },
{ name: 'Invalid endpoint', inject: { url: 'https://invalid' } },
{ name: 'Database error', inject: { query: 'INVALID SQL' } }
];
const findings: ErrorFinding[] = [];
for (const scenario of errorScenarios) {
try {
await executeWithError(workflowId, scenario.inject);
} catch (error) {
const errorMessage = error.message;
// Check for sensitive data in error
const sensitiveData = [
{ name: 'Connection string', pattern: /mongodb:\/\/[^@]+@/i },
{ name: 'Password in URL', pattern: /:\/\/[^:]+:[^@]+@/i },
{ name: 'Full file path', pattern: /\/(?:home|Users|var)\/[^\s]+/i },
{ name: 'Stack trace', pattern: /at\s+\w+\s+\([^)]+\)/i },
{ name: 'Internal IP', pattern: /\b(?:10|172\.(?:1[6-9]|2[0-9]|3[01])|192\.168)\.\d+\.\d+\b/i }
];
for (const check of sensitiveData) {
if (check.pattern.test(errorMessage)) {
findings.push({
scenario: scenario.name,
exposedData: check.name,
severity: 'MEDIUM',
recommendation: `Sanitize ${check.name} from error messages`
});
}
}
}
}
return {
workflowId,
scenariosTested: errorScenarios.length,
findings,
secure: findings.length === 0
};
}Security Report Template
安全报告模板
markdown
undefinedmarkdown
undefinedn8n Security Audit Report
n8n 安全审计报告
Summary
摘要
| Category | Status | Findings |
|---|---|---|
| Credential Security | PASS/FAIL | X issues |
| Webhook Security | PASS/FAIL | X issues |
| Expression Security | PASS/FAIL | X issues |
| Data Leakage | PASS/FAIL | X issues |
| 类别 | 状态 | 发现问题数 |
|---|---|---|
| 凭证安全 | 通过/未通过 | X个问题 |
| Webhook安全 | 通过/未通过 | X个问题 |
| 表达式安全 | 通过/未通过 | X个问题 |
| 数据泄露 | 通过/未通过 | X个问题 |
Critical Findings
严重问题
CRIT-001: API Key Exposed in Workflow
CRIT-001: 工作流中暴露API密钥
- Location: HTTP Request node, URL parameter
- Impact: Credential theft, unauthorized access
- Fix: Move to n8n credentials store
- 位置: HTTP请求节点,URL参数
- 影响: 凭证被盗、未授权访问
- 修复方案: 迁移至n8n凭证存储
CRIT-002: eval() in Expression
CRIT-002: 表达式中使用eval()
- Location: Set node, custom field
- Impact: Remote code execution
- Fix: Remove eval, use explicit logic
- 位置: 设置节点,自定义字段
- 影响: 远程代码执行
- 修复方案: 移除eval,使用显式逻辑
Recommendations
建议
- Enable webhook authentication - All public webhooks
- Rotate exposed credentials - Immediately
- Enable log masking - For all credentials
- Regular security scans - Weekly automated scans
- 启用Webhook身份验证 - 所有公共Webhook
- 轮换暴露的凭证 - 立即执行
- 启用日志掩码 - 针对所有凭证
- 定期安全扫描 - 每周自动扫描
Compliance Status
合规状态
- OWASP Top 10: X/10 addressed
- SOC 2: Partially compliant
- GDPR: Review data handling
---- OWASP Top 10:已覆盖X/10项
- SOC 2:部分合规
- GDPR:需审核数据处理流程
---Related Skills
相关技能
- n8n-workflow-testing-fundamentals
- n8n-integration-testing-patterns
- compliance-testing
- n8n-workflow-testing-fundamentals
- n8n-integration-testing-patterns
- compliance-testing
Remember
注意事项
n8n handles sensitive credentials for 400+ integrations. Security testing requires:
- Credential exposure scanning
- Encryption verification
- Webhook authentication testing
- Expression security analysis
- Data leakage detection
Critical practices: Never expose credentials in workflow JSON. Enable webhook authentication. Mask sensitive data in logs. Rotate credentials regularly. Scan expressions for dangerous functions.
n8n为400+集成处理敏感凭证。安全测试需包含:
- 凭证暴露扫描
- 加密验证
- Webhook身份验证测试
- 表达式安全分析
- 数据泄露检测
关键实践: 切勿在工作流JSON中暴露凭证。启用Webhook身份验证。在日志中掩码敏感数据。定期轮换凭证。扫描表达式中的危险函数。