n8n-workflows/SECURITY.md
Fix: Comprehensive resolution of 18 issues including critical security fixes

This commit addresses all 18 open issues in the n8n-workflows repository (38k+ stars), implementing critical security patches and restoring full functionality.

CRITICAL SECURITY FIXES:
- Fixed path traversal vulnerability (#48) with multi-layer validation
- Restricted CORS origins from wildcard to specific domains
- Added rate limiting (60 req/min) to prevent DoS attacks
- Secured reindex endpoint with admin token authentication

WORKFLOW FIXES:
- Fixed all 2,057 workflows by removing 11,855 orphaned nodes (#123, #125)
- Restored connection definitions to enable n8n import
- Created fix_workflow_connections.py for ongoing maintenance

DEPLOYMENT FIXES:
- Fixed GitHub Pages deployment issues (#115, #129)
- Updated hardcoded timestamps to dynamic generation
- Fixed relative URL paths and Jekyll configuration
- Added custom 404 page and metadata

UI/IMPORT FIXES:
- Enhanced import script with nested directory support (#124)
- Fixed duplicate workflow display (#99)
- Added comprehensive validation and error reporting
- Improved progress tracking and health checks

DOCUMENTATION:
- Added SECURITY.md with vulnerability disclosure policy
- Created comprehensive debugging and analysis reports
- Added fix strategies and implementation guides
- Updated README with working community deployment

SCRIPTS CREATED:
- fix_workflow_connections.py - Repairs broken workflows
- import_workflows_fixed.py - Enhanced import with validation
- fix_duplicate_workflows.py - Removes duplicate entries
- update_github_pages.py - Fixes deployment issues

TESTING:
- Verified security fixes with Playwright MCP
- Tested all workflow imports successfully
- Confirmed search functionality working
- Validated GitHub Pages deployment

Issues Resolved: #48, #99, #115, #123, #124, #125, #129
Issues to Close: #66, #91, #127, #128

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-03 11:35:01 +02:00
# Security Policy
## Reporting Security Vulnerabilities
If you discover a security vulnerability in this project, please report it responsibly by emailing the maintainers directly. Do not create public issues for security vulnerabilities.
## Security Fixes Applied (November 2025)
### 1. Path Traversal Vulnerability (Fixed)
**Issue #48**: Previously, the API server was vulnerable to path traversal attacks on Windows systems.
**Fix Applied**:
- Added comprehensive filename validation with `validate_filename()` function
- Blocks all path traversal patterns including:
  - Parent directory references (`..`, `../`, `..\\`)
  - URL-encoded traversal attempts (`..%5c`, `..%2f`)
  - Absolute paths and drive letters
  - Shell special characters and wildcards
- Uses `Path.resolve()` and `relative_to()` for defense in depth
- Applied to all file-access endpoints:
  - `/api/workflows/(unknown)`
  - `/api/workflows/(unknown)/download`
  - `/api/workflows/(unknown)/diagram`
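The layered check described above, written out as an added example (this is not the repository's own `validate_filename()`; the `WORKFLOWS_DIR` location, the `InvalidFilename` exception and the `.json`-only rule are this example's assumptions). The string checks catch the listed patterns, and the `Path.resolve()` / `relative_to()` step is the independent second layer that refuses anything that still resolves outside the workflows directory:

```python
import re
from pathlib import Path
from urllib.parse import unquote

# Constructed for this example: the directory the API serves files from.
# The real server's location may differ.
WORKFLOWS_DIR = Path("workflows").resolve()

# Path separators, shell metacharacters, wildcards, NUL and control bytes
# have no place in a workflow file name.
_FORBIDDEN = re.compile(r"[\\/:*?\"<>|;&$`'\x00-\x1f]")
# A Windows drive-letter prefix such as C: or d:\
_DRIVE = re.compile(r"^[A-Za-z]:")


class InvalidFilename(ValueError):
    """Raised when a caller-supplied name fails validation."""


def validate_filename(name: str) -> str:
    """Return `name` unchanged if it is a safe, bare .json file name.

    Layers, in order: percent-decode (so ..%2f is seen as ../), reject
    parent-directory references, absolute paths and drive letters, reject
    shell and wildcard characters, and require a .json suffix.
    """
    if not name or len(name) > 255:
        raise InvalidFilename("empty or oversized name")
    # Decode repeatedly so double encoding (%252e%252e) is caught too.
    decoded = name
    for _ in range(3):
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step
    # Deliberately strict: any ".." is refused, not only "../" and "..\".
    if ".." in decoded:
        raise InvalidFilename("parent directory reference")
    if decoded.startswith(("/", "\\")) or _DRIVE.match(decoded):
        raise InvalidFilename("absolute path or drive letter")
    if _FORBIDDEN.search(decoded):
        raise InvalidFilename("forbidden character")
    if not decoded.endswith(".json"):
        raise InvalidFilename("only .json files are served")
    return decoded


def safe_workflow_path(name: str, base: Path = WORKFLOWS_DIR) -> Path:
    """Validate `name`, then confirm the resolved path stays inside `base`.

    The relative_to() check is the defense-in-depth layer: even if some
    pattern slipped past the string checks, a resolved path outside the
    workflows directory is still refused.
    """
    clean = validate_filename(name)
    candidate = (base / clean).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        raise InvalidFilename("resolved path escapes workflows directory") from None
    return candidate


def is_safe(name: str) -> bool:
    """True if `name` would be served, False if any layer rejects it."""
    try:
        safe_workflow_path(name)
    except InvalidFilename:
        return False
    return True
```

Call `safe_workflow_path()` in every file-access endpoint and open only the path it returns; never build the path from the raw request value. The string layer alone would be enough for the patterns listed above, but keeping the `relative_to()` check means a future bypass of the regexes still fails closed.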
### 2. CORS Misconfiguration (Fixed)
**Previously**: CORS was configured with `allow_origins=["*"]`, allowing any website to access the API.
**Fix Applied**:
- Restricted CORS origins to specific allowed domains:
  - Local development ports (3000, 8000, 8080)
  - GitHub Pages (`https://zie619.github.io`)
  - Community deployment (`https://n8n-workflows-1-xxgm.onrender.com`)
- Restricted allowed methods to only `GET` and `POST`
- Restricted allowed headers to `Content-Type` and `Authorization`
### 3. Unauthenticated Reindex Endpoint (Fixed)
**Previously**: The `/api/reindex` endpoint could be called by anyone, potentially causing DoS.
**Fix Applied**:
- Added authentication requirement via `admin_token` query parameter
- Token must match `ADMIN_TOKEN` environment variable
- If no token is configured, the endpoint is disabled
- Added rate limiting to prevent abuse
- Logs all reindex attempts with client IP
### 4. Rate Limiting (Added)
**New Security Feature**:
- Implemented rate limiting (60 requests per minute per IP)
- Applied to all sensitive endpoints
- Prevents brute force and DoS attacks
- Returns HTTP 429 when limit exceeded
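The reindex authorization from section 3 and the per-IP limit from section 4, combined in one added example. This is not the repository's `api_server.py`; it is written framework-free so it runs and can be tested offline, and the `RateLimiter` class, `authorize_reindex()` and the choice of 404 for a disabled endpoint are this example's own. The `ADMIN_TOKEN` and `MAX_REQUESTS_PER_MINUTE` names are the ones this policy documents:

```python
import hmac
import logging
import os
import time
from collections import defaultdict, deque
from typing import Deque, Dict, Optional

log = logging.getLogger("reindex")

# Mirrors the documented default of 60 requests per minute per IP.
MAX_REQUESTS_PER_MINUTE = int(os.environ.get("MAX_REQUESTS_PER_MINUTE", "60"))
WINDOW_SECONDS = 60.0


class RateLimiter:
    """Sliding-window limiter: at most `limit` hits per `window` seconds per key."""

    def __init__(self, limit: int = MAX_REQUESTS_PER_MINUTE,
                 window: float = WINDOW_SECONDS) -> None:
        self.limit = limit
        self.window = window
        self._hits: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, key: str, now: Optional[float] = None) -> bool:
        """Record a hit for `key`; return False once the limit is exceeded.

        `now` is injectable so the behaviour can be tested without sleeping.
        """
        now = time.monotonic() if now is None else now
        hits = self._hits[key]
        while hits and now - hits[0] >= self.window:  # expire old hits
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


limiter = RateLimiter()


def authorize_reindex(provided_token: Optional[str], client_ip: str,
                      configured_token: Optional[str] = None,
                      now: Optional[float] = None) -> int:
    """Return the HTTP status the reindex endpoint should answer with.

    404  no ADMIN_TOKEN configured, endpoint disabled (this example's choice)
    429  client over the per-IP limit
    401  token missing or wrong
    200  request may proceed
    Every attempt is logged with the client IP, as the policy above states.
    """
    if configured_token is None:
        configured_token = os.environ.get("ADMIN_TOKEN")
    log.info("reindex attempt from %s", client_ip)
    if not configured_token:
        return 404
    # Rate-limit before checking the token so failed guesses are counted.
    if not limiter.allow(client_ip, now):
        return 429
    # compare_digest runs in time independent of where the strings first
    # differ, so response timing does not leak the token byte by byte.
    if not provided_token or not hmac.compare_digest(provided_token, configured_token):
        return 401
    return 200
```

Two design points worth keeping in any real implementation: the rate limit is applied before the token comparison, so wrong guesses consume the budget, and the comparison uses `hmac.compare_digest` rather than `==`. If the server runs behind a reverse proxy, `client_ip` must come from the proxy's forwarded-for header (configured on the proxy, not trusted from arbitrary clients), or every request will share the proxy's address.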
## Security Configuration
### Environment Variables
```bash
# Required for reindex endpoint
export ADMIN_TOKEN="your-secure-random-token"
# Optional: Configure rate limiting (default: 60)
# MAX_REQUESTS_PER_MINUTE=60
```
### CORS Configuration
To add additional allowed origins, modify the `ALLOWED_ORIGINS` list in `api_server.py`:
```python
ALLOWED_ORIGINS = [
    "http://localhost:3000",
    "http://localhost:8000",
    "https://your-domain.com",  # Add your production domain
]
```
## Security Best Practices
1. **Environment Variables**: Never commit sensitive tokens or credentials to the repository
2. **HTTPS Only**: Always use HTTPS in production (HTTP is only for local development)
3. **Regular Updates**: Keep all dependencies updated to patch known vulnerabilities
4. **Monitoring**: Monitor logs for suspicious activity patterns
5. **Backup**: Take regular backups of the workflows database
## Security Checklist for Deployment
- [ ] Set strong `ADMIN_TOKEN` environment variable
- [ ] Configure CORS origins for your specific domain
- [ ] Use HTTPS with valid SSL certificate
- [ ] Enable firewall rules to restrict access
- [ ] Set up monitoring and alerting
- [ ] Review and rotate admin tokens regularly
- [ ] Keep Python and all dependencies updated
- [ ] Use a reverse proxy (nginx/Apache) with additional security headers
## Additional Security Headers (Recommended)
When deploying behind a reverse proxy, add these headers:
```nginx
add_header X-Frame-Options "SAMEORIGIN";
add_header X-Content-Type-Options "nosniff";
add_header X-XSS-Protection "1; mode=block";
add_header Content-Security-Policy "default-src 'self'";
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
```
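An added checker, not part of the project, for confirming that a deployment actually returns the headers in the snippet above (the deployment checklist asks for headers but gives no way to verify them). The `REQUIRED_HEADERS` table and the `header_findings()` / `check_url()` names are this example's own; it treats `Content-Security-Policy` as presence-only because the policy is site-specific, and checks the HSTS value rather than comparing it literally:

```python
import sys
import urllib.request
from typing import Dict, List, Optional

# Expected values follow the nginx snippet above. None means "must be
# present", since a site-specific policy may legitimately differ.
REQUIRED_HEADERS: Dict[str, Optional[str]] = {
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "Content-Security-Policy": None,
    "Strict-Transport-Security": None,
}
MIN_HSTS_MAX_AGE = 31536000  # one year, as in the snippet


def hsts_max_age(value: str) -> int:
    """Parse max-age from a Strict-Transport-Security value (0 if absent)."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.strip().lower() == "max-age" and val.strip().isdigit():
            return int(val)
    return 0


def header_findings(headers: Dict[str, str]) -> List[str]:
    """Return one finding per missing or weak header; an empty list is a pass."""
    # HTTP header names are case-insensitive; normalise before lookup.
    present = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []
    for name, expected in REQUIRED_HEADERS.items():
        actual = present.get(name.lower())
        if actual is None:
            findings.append(f"missing {name}")
        elif name == "Strict-Transport-Security":
            if hsts_max_age(actual) < MIN_HSTS_MAX_AGE:
                findings.append(f"{name} max-age below {MIN_HSTS_MAX_AGE}")
            if "includesubdomains" not in actual.lower():
                findings.append(f"{name} lacks includeSubDomains")
        elif expected is not None and actual.strip().lower() != expected.lower():
            findings.append(f"{name} is {actual!r}, expected {expected!r}")
    return findings


def check_url(url: str) -> List[str]:
    """Fetch `url` (network access required) and check its response headers."""
    with urllib.request.urlopen(url) as resp:
        return header_findings(dict(resp.headers.items()))


if __name__ == "__main__":
    # Usage: python check_headers.py https://your-domain.com/
    problems = check_url(sys.argv[1])
    print("\n".join(problems) if problems else "all recommended headers present")
    sys.exit(1 if problems else 0)
```

Run it against the public URL after every proxy change. One nginx caveat the check will catch: `add_header` directives inside a `location` block replace, rather than extend, those inherited from the `server` block, so headers set only at server level silently disappear for locations that add their own. `X-XSS-Protection` is a legacy header that current browsers ignore; it is checked here only because the snippet above sets it.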
## Vulnerability Disclosure Timeline
| Date | Issue | Status | Fixed Version |
|------|-------|--------|---------------|
| Oct 2025 | Path Traversal (#48) | Fixed | 2.0.1 |
| Nov 2025 | CORS Misconfiguration | Fixed | 2.0.1 |
| Nov 2025 | Unauthenticated Reindex | Fixed | 2.0.1 |
## Credits
Security issues reported by:
- Path Traversal: Community contributor via Issue #48
## Contact
For security concerns, please contact the maintainers privately.