Open
Conversation
tomi
changed the title
Codecov Report❌ Patch coverage is
📢 Thoughts on this report? Let us know! |
This comment has been minimized.
This comment has been minimized.
tomi
force-pushed
the
cat-2383-implement-ssrfprotectionconfig-with-environment-variable
branch
from
58aaabf to
97736fb
Compare
![aikido-pr-checks[bot]](https://avatars.githubusercontent.com/in/898896?s=60&v=4){kind=small}
![cubic-dev-ai[bot]](https://avatars.githubusercontent.com/in/1082092?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
cubic analysis
No issues found across 4 files
Linked issue analysis
Linked issue: CAT-2383: Implement SsrfProtectionConfig with environment variable parsing
| Status | Acceptance criteria | Notes |
|---|---|---|
| ✅ | Config class parses all environment variables with correct defaults | Config fields declared with @env and sensible defaults |
| ✅ | 'default' keyword expands to the full set of blocked ranges | sanitize() sets resolvedBlockedIpRanges to default list |
| Comma-separated values are correctly parsed into arrays | Blocked list parsing implemented; allowed fields rely on decorator/runtime | |
| Invalid values are handled gracefully (log warning, use defaults) | Tests expect warn + fallback, but class has no explicit warn/parsing code | |
| Configuration is loaded once at startup | Added to GlobalConfig @nested but no explicit 'load once at startup' code shown | |
| ✅ | All configuration paths have positive and negative test cases | Unit tests cover defaults, positive overrides and invalid cases |
| ✅ | N8N_SSRF_PROTECTION_ENABLED env var (boolean) with default false | enabled property declared with @env and default false |
| ✅ | N8N_SSRF_BLOCKED_IP_RANGES env var (string) with default 'default' | blockedIpRanges default set to 'default' in config |
| N8N_SSRF_ALLOWED_IP_RANGES env var parsed (default empty -> array) | Type and tests present but no explicit parse code shown in class | |
| N8N_SSRF_ALLOWED_HOSTNAMES env var parsed (default empty -> array) | Typed and tested, parsing appears delegated to framework | |
| N8N_SSRF_DNS_CACHE_MAX_TTL_SECONDS numeric env with default 300 and invalid fallback | Field present and tests for override/fallback; parsing/warn not explicit | |
| N8N_SSRF_DNS_CACHE_MAX_SIZE numeric env with default 1024*1024 and invalid fallback | Field present and tests for override/fallback; parsing/warn not explicit | |
| ✅ | Default blocked ranges include RFC1918, loopback, link-local, IPv6 unique local, reserved ranges | SSRF_DEFAULT_BLOCKED_IP_RANGES constant lists all required CIDRs |
| ✅ | Export SsrfProtectionConfig and SSRF_DEFAULT_BLOCKED_IP_RANGES from package index | Index file exports both symbols |
| ✅ | Wire SsrfProtectionConfig into GlobalConfig as ssrfProtection | GlobalConfig includes @nested ssrfProtection property |
| ✅ | Unit tests for environment parsing, defaults, comma-separated parsing and invalid values | Test file covers defaults, parsing, trimming, numeric overrides and invalids |
| ✅ | GlobalConfig tests updated to include ssrfProtection defaults | GlobalConfig test default config now contains ssrfProtection section |
Architecture diagram
sequenceDiagram
participant OS as Process Environment
participant DI as DI Container
participant SSRF as SsrfProtectionConfig
participant Node as HTTP Request Node
participant DNS as DNS Cache / Resolver
Note over OS, SSRF: Initialization Phase
DI->>SSRF: NEW: Instantiate via @Config
SSRF->>OS: Read N8N_SSRF_* variables
OS-->>SSRF: Enabled status, CIDR ranges, DNS settings
SSRF->>SSRF: NEW: sanitize()
alt N8N_SSRF_BLOCKED_IP_RANGES is 'default'
SSRF->>SSRF: Load SSRF_DEFAULT_BLOCKED_IP_RANGES
else custom CIDR string
SSRF->>SSRF: Split and trim CSV into resolvedBlockedIpRanges
end
Note over SSRF, DNS: Runtime Request Flow (Implied Consumer)
Node->>SSRF: Check if enabled
SSRF-->>Node: return true/false
opt SSRF Protection Enabled
Node->>SSRF: NEW: Get allowedHostnames & allowedIpRanges
Node->>SSRF: NEW: Get resolvedBlockedIpRanges
Node->>DNS: NEW: Resolve hostname with SSRF constraints
DNS->>DNS: Apply dnsCacheMaxTtlSeconds & dnsCacheMaxSize
alt IP in resolvedBlockedIpRanges AND NOT in allowedIpRanges
Node->>Node: Block request (SSRF Violation)
else IP is allowed or not blocked
Node->>Node: Proceed with HTTP request
end
end
Note over SSRF: Defaults to false, blocks RFC1918/Local by default
Bundle ReportBundle size has no change ✅ Affected Assets, Files, and Routes:view changes for bundle: editor-ui-esmAssets Changed:
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
SsrfProtectionConfigto@n8n/configand wire it intoGlobalConfigasssrfProtection.SsrfProtectionConfigandSSRF_DEFAULT_BLOCKED_IP_RANGESfrom the config package index.Related Linear tickets, Github issues, and Community forum posts
Review / Merge checklist
release/backport(if the PR is an urgent fix that needs to be backported)