@n8n/eslint-plugin-community-nodes 0.2.0

package/src/rules/credential-password-field.test.ts

@@ -0,0 +1,231 @@
+import { RuleTester } from '@typescript-eslint/rule-tester';
+import { CredentialPasswordFieldRule } from './credential-password-field.js';
+
+const ruleTester = new RuleTester();
+
+function createCredentialCode(properties: string[]): string {
+	return `
+import type { ICredentialType, INodeProperties } from 'n8n-workflow';
+
+export class TestCredential implements ICredentialType {
+	name = 'testApi';
+	displayName = 'Test API';
+
+	properties: INodeProperties[] = [
+${properties.map((prop) => `\t\t${prop}`).join(',\n')},
+	];
+}`;
+}
+
+function createProperty(
+	displayName: string,
+	name: string,
+	options: { password?: boolean; emptyTypeOptions?: boolean } = {},
+): string {
+	let typeOptionsStr = '';
+	if (options.emptyTypeOptions) {
+		typeOptionsStr = '\n\t\t\ttypeOptions: {},';
+	} else if (options.password !== undefined) {
+		typeOptionsStr = `\n\t\t\ttypeOptions: { password: ${options.password} },`;
+	}
+
+	return `{
+			displayName: '${displayName}',
+			name: '${name}',
+			type: 'string',
+			default: '',${typeOptionsStr}
+		}`;
+}
+
+function createOAuth2CredentialCode(hasPasswordProtection: boolean = true): string {
+	const passwordOptions = hasPasswordProtection ? '\n\t\t\ttypeOptions: { password: true },' : '';
+
+	return `
+import type { ICredentialType, INodeProperties } from 'n8n-workflow';
+
+export class GithubOAuth2Api implements ICredentialType {
+	name = 'githubOAuth2Api';
+	extends = ['oAuth2Api'];
+	displayName = 'GitHub OAuth2 API';
+
+	properties: INodeProperties[] = [
+		{
+			displayName: 'Access Token URL',
+			name: 'accessTokenUrl',
+			type: 'hidden',
+			default: 'https://github.com/login/oauth/access_token',
+		},
+		{
+			displayName: 'Client Secret',
+			name: 'clientSecret',
+			type: 'string',
+			default: '',${passwordOptions}
+		},
+	];
+}`;
+}
+
+// Helper function to create a regular (non-credential) class
+function createRegularClass(): string {
+	return `
+export class RegularClass {
+	properties = [
+		{
+			name: 'password',
+			type: 'string',
+		},
+	];
+}`;
+}
+
+ruleTester.run('credential-password-field', CredentialPasswordFieldRule, {
+	valid: [
+		{
+			name: 'correct usage with password field having typeOptions.password = true',
+			code: createCredentialCode([createProperty('API Key', 'apiKey', { password: true })]),
+		},
+		{
+			name: 'field name is not sensitive',
+			code: createCredentialCode([createProperty('Base URL', 'baseUrl')]),
+		},
+		{
+			name: 'multiple sensitive fields with correct typeOptions',
+			code: createCredentialCode([
+				createProperty('Password', 'password', { password: true }),
+				createProperty('Secret Token', 'secretToken', { password: true }),
+			]),
+		},
+		{
+			name: 'class does not implement ICredentialType',
+			code: createRegularClass(),
+		},
+		{
+			name: 'OAuth2 credential with URL fields and proper client secret protection',
+			code: createOAuth2CredentialCode(true),
+		},
+		{
+			name: 'public key fields should not be flagged as sensitive',
+			code: createCredentialCode([
+				createProperty('Public Key', 'publicKey'),
+				createProperty('Client ID', 'clientId'),
+			]),
+		},
+		{
+			name: 'certificates should be flagged as sensitive (when properly configured)',
+			code: createCredentialCode([
+				createProperty('Certificate', 'certificate', { password: true }),
+				createProperty('CA Certificate', 'caCert', { password: true }),
+				createProperty('Client Certificate', 'clientCert', { password: true }),
+			]),
+		},
+		{
+			name: 'URL fields containing sensitive keywords should not be flagged',
+			code: createCredentialCode([
+				createProperty('Token URL', 'tokenUrl'),
+				createProperty('Authorization URL', 'authorizationUrl'),
+				createProperty('Access Token URL', 'accessTokenUrl'),
+			]),
+		},
+		{
+			name: 'ID fields containing sensitive keywords should not be flagged',
+			code: createCredentialCode([
+				createProperty('Access Key ID', 'accessKeyId'),
+				createProperty('Key ID', 'keyId'),
+				createProperty('User ID', 'userId'),
+			]),
+		},
+		{
+			name: 'file path and name fields should not be flagged',
+			code: createCredentialCode([
+				createProperty('Key File Path', 'keyPath'),
+				createProperty('Key File Name', 'keyFile'),
+				createProperty('Certificate Path', 'keyName'),
+			]),
+		},
+		{
+			name: 'should flag actual sensitive fields while ignoring false positives',
+			code: createCredentialCode([
+				createProperty('Private Key', 'privateKey', { password: true }),
+				createProperty('Public Key', 'publicKey'), // Should not be flagged
+				createProperty('Secret Token', 'secretToken', { password: true }),
+				createProperty('Client ID', 'clientId'), // Should not be flagged
+			]),
+		},
+	],
+	invalid: [
+		{
+			name: 'password field missing typeOptions.password = true',
+			code: createCredentialCode([createProperty('Password', 'password')]),
+			errors: [{ messageId: 'missingPasswordOption', data: { fieldName: 'password' } }],
+			output: createCredentialCode([createProperty('Password', 'password', { password: true })]),
+		},
+		{
+			name: 'API key field missing typeOptions.password = true',
+			code: createCredentialCode([createProperty('API Key', 'apiKey')]),
+			errors: [{ messageId: 'missingPasswordOption', data: { fieldName: 'apiKey' } }],
+			output: createCredentialCode([createProperty('API Key', 'apiKey', { password: true })]),
+		},
+		{
+			name: 'secret field missing typeOptions.password = true',
+			code: createCredentialCode([createProperty('Client Secret', 'clientSecret')]),
+			errors: [{ messageId: 'missingPasswordOption', data: { fieldName: 'clientSecret' } }],
+			output: createCredentialCode([
+				createProperty('Client Secret', 'clientSecret', { password: true }),
+			]),
+		},
+		{
+			name: 'multiple invalid fields',
+			code: createCredentialCode([
+				createProperty('Password', 'password'),
+				createProperty('Username', 'username'),
+				createProperty('Access Token', 'accessToken'),
+			]),
+			errors: [
+				{ messageId: 'missingPasswordOption', data: { fieldName: 'password' } },
+				{ messageId: 'missingPasswordOption', data: { fieldName: 'accessToken' } },
+			],
+			output: createCredentialCode([
+				createProperty('Password', 'password', { password: true }),
+				createProperty('Username', 'username'),
+				createProperty('Access Token', 'accessToken', { password: true }),
+			]),
+		},
+		{
+			name: 'field has typeOptions but password is false',
+			code: createCredentialCode([createProperty('API Key', 'apiKey', { password: false })]),
+			errors: [{ messageId: 'missingPasswordOption', data: { fieldName: 'apiKey' } }],
+			output: createCredentialCode([createProperty('API Key', 'apiKey', { password: true })]),
+		},
+		{
+			name: 'OAuth2 credential with missing password protection for clientSecret',
+			code: createOAuth2CredentialCode(false),
+			errors: [{ messageId: 'missingPasswordOption', data: { fieldName: 'clientSecret' } }],
+			output: createOAuth2CredentialCode(true),
+		},
+		{
+			name: 'field has empty typeOptions object',
+			code: createCredentialCode([
+				createProperty('Access Token', 'accessToken', { emptyTypeOptions: true }),
+			]),
+			errors: [{ messageId: 'missingPasswordOption', data: { fieldName: 'accessToken' } }],
+			output: createCredentialCode([
+				createProperty('Access Token', 'accessToken', { password: true }),
+			]),
+		},
+		{
+			name: 'certificate fields should require password protection',
+			code: createCredentialCode([
+				createProperty('Certificate', 'certificate'),
+				createProperty('Client Certificate', 'clientCert'),
+			]),
+			errors: [
+				{ messageId: 'missingPasswordOption', data: { fieldName: 'certificate' } },
+				{ messageId: 'missingPasswordOption', data: { fieldName: 'clientCert' } },
+			],
+			output: createCredentialCode([
+				createProperty('Certificate', 'certificate', { password: true }),
+				createProperty('Client Certificate', 'clientCert', { password: true }),
+			]),
+		},
+	],
+});

package/src/rules/credential-password-field.ts

@@ -0,0 +1,123 @@
+import { ESLintUtils } from '@typescript-eslint/utils';
+import {
+	isCredentialTypeClass,
+	findClassProperty,
+	findObjectProperty,
+	getStringLiteralValue,
+	getBooleanLiteralValue,
+} from '../utils/index.js';
+
+const SENSITIVE_PATTERNS = [
+	'password',
+	'secret',
+	'token',
+	'cert',
+	'passphrase',
+	'apikey',
+	'secretkey',
+	'privatekey',
+	'authkey',
+];
+
+const NON_SENSITIVE_PATTERNS = ['url', 'pub', 'id'];
+
+function isSensitiveFieldName(name: string): boolean {
+	const lowerName = name.toLowerCase();
+
+	if (NON_SENSITIVE_PATTERNS.some((pattern) => lowerName.includes(pattern))) {
+		return false;
+	}
+
+	return SENSITIVE_PATTERNS.some((pattern) => lowerName.includes(pattern));
+}
+
+function hasPasswordTypeOption(element: any): boolean {
+	const typeOptionsProperty = findObjectProperty(element, 'typeOptions');
+
+	if (typeOptionsProperty?.value?.type !== 'ObjectExpression') {
+		return false;
+	}
+
+	const passwordProperty = findObjectProperty(typeOptionsProperty.value, 'password');
+	const passwordValue = passwordProperty ? getBooleanLiteralValue(passwordProperty.value) : null;
+
+	return passwordValue === true;
+}
+
+function createPasswordFix(element: any, typeOptionsProperty: any) {
+	return function (fixer: any) {
+		if (typeOptionsProperty?.value?.type === 'ObjectExpression') {
+			const passwordProperty = findObjectProperty(typeOptionsProperty.value, 'password');
+
+			if (passwordProperty) {
+				return fixer.replaceText(passwordProperty.value, 'true');
+			}
+
+			if (typeOptionsProperty.value.properties.length > 0) {
+				const lastProperty =
+					typeOptionsProperty.value.properties[typeOptionsProperty.value.properties.length - 1];
+				return lastProperty ? fixer.insertTextAfter(lastProperty, ', password: true') : null;
+			} else {
+				const openBrace = typeOptionsProperty.value.range![0] + 1;
+				return fixer.insertTextAfterRange([openBrace, openBrace], ' password: true ');
+			}
+		}
+
+		const lastProperty = element.properties[element.properties.length - 1];
+		return fixer.insertTextAfter(lastProperty, ',\n\t\t\ttypeOptions: { password: true }');
+	};
+}
+
+export const CredentialPasswordFieldRule = ESLintUtils.RuleCreator.withoutDocs({
+	meta: {
+		type: 'problem',
+		docs: {
+			description: 'Ensure credential fields with sensitive names have typeOptions.password = true',
+		},
+		messages: {
+			missingPasswordOption:
+				"Field '{{ fieldName }}' appears to be a sensitive field but is missing 'typeOptions: { password: true }'",
+		},
+		fixable: 'code',
+		schema: [],
+	},
+	defaultOptions: [],
+	create(context) {
+		return {
+			ClassDeclaration(node) {
+				if (!isCredentialTypeClass(node)) {
+					return;
+				}
+
+				const propertiesProperty = findClassProperty(node, 'properties');
+				if (!propertiesProperty?.value || propertiesProperty.value.type !== 'ArrayExpression') {
+					return;
+				}
+
+				for (const element of propertiesProperty.value.elements) {
+					if (element?.type !== 'ObjectExpression') {
+						continue;
+					}
+
+					const nameProperty = findObjectProperty(element, 'name');
+					const fieldName = nameProperty ? getStringLiteralValue(nameProperty.value) : null;
+
+					if (!fieldName || !isSensitiveFieldName(fieldName)) {
+						continue;
+					}
+
+					if (!hasPasswordTypeOption(element)) {
+						const typeOptionsProperty = findObjectProperty(element, 'typeOptions');
+
+						context.report({
+							node: element,
+							messageId: 'missingPasswordOption',
+							data: { fieldName },
+							fix: createPasswordFix(element, typeOptionsProperty),
+						});
+					}
+				}
+			},
+		};
+	},
+});

package/src/rules/credential-test-required.test.ts

@@ -0,0 +1,147 @@
+import { RuleTester } from '@typescript-eslint/rule-tester';
+import { CredentialTestRequiredRule } from './credential-test-required.js';
+
+const ruleTester = new RuleTester();
+
+// Helper function to create credential class code
+function createCredentialCode(options: {
+	name?: string;
+	displayName?: string;
+	hasTest?: boolean;
+	extends?: string[];
+	extraProperties?: string;
+}): string {
+	const {
+		name = 'myApi',
+		displayName = 'My API',
+		hasTest = false,
+		extends: extendsArray,
+		extraProperties = '',
+	} = options;
+
+	const imports = hasTest
+		? `import type { ICredentialTestRequest, ICredentialType, INodeProperties } from 'n8n-workflow';`
+		: `import type { ICredentialType, INodeProperties } from 'n8n-workflow';`;
+
+	const extendsStr = extendsArray ? `\n\textends = ${JSON.stringify(extendsArray)};` : '';
+
+	const testProperty = hasTest
+		? `\n\n\ttest: ICredentialTestRequest = {\n\t\trequest: {\n\t\t\tbaseURL: 'https://api.example.com',\n\t\t\turl: '/test',\n\t\t},\n\t};`
+		: '';
+
+	return `
+${imports}
+
+export class ${name.charAt(0).toUpperCase() + name.slice(1)} implements ICredentialType {
+	name = '${name}';${extendsStr}
+	displayName = '${displayName}';
+	properties: INodeProperties[] = [];${testProperty}${extraProperties}
+}`;
+}
+
+function createNonCredentialClass(className: string = 'SomeOtherClass'): string {
+	return `
+export class ${className} {
+	name = 'notACredential';
+}`;
+}
+
+function createNodeCode(options: {
+	name?: string;
+	displayName?: string;
+	credentials?: Array<string | { name: string; testedBy?: string }>;
+	extendsClass?: string;
+}): string {
+	const { name = 'myNode', displayName = 'My Node', credentials = [], extendsClass } = options;
+
+	const credentialsArray = credentials
+		.map((cred) => {
+			if (typeof cred === 'string') {
+				return `'${cred}'`;
+			}
+			const testedByStr = cred.testedBy ? `, testedBy: '${cred.testedBy}'` : '';
+			return `{ name: '${cred.name}'${testedByStr} }`;
+		})
+		.join(', ');
+
+	const classDeclaration = extendsClass
+		? `export class ${name.charAt(0).toUpperCase() + name.slice(1)} extends ${extendsClass}`
+		: `export class ${name.charAt(0).toUpperCase() + name.slice(1)} implements INodeType`;
+
+	const descriptionProperty = extendsClass
+		? `description = {` // Extending classes might not need full INodeTypeDescription
+		: `description: INodeTypeDescription = {`;
+
+	return `
+import type { INodeType, INodeTypeDescription } from 'n8n-workflow';
+
+${classDeclaration} {
+	${descriptionProperty}
+		displayName: '${displayName}',
+		name: '${name}',
+		group: ['transform'],
+		version: 1,
+		description: 'A test node',
+		defaults: {
+			name: '${displayName}',
+		},
+		inputs: ['main'],
+		outputs: ['main'],
+		credentials: [${credentialsArray}],
+		properties: [],
+	};
+
+	execute() {
+		return Promise.resolve([]);
+	}
+}`;
+}
+
+ruleTester.run('credential-test-required', CredentialTestRequiredRule, {
+	valid: [
+		{
+			name: 'credential class with test property',
+			filename: 'MyApi.credentials.ts',
+			code: createCredentialCode({ hasTest: true }),
+		},
+		{
+			name: 'credential class extending oAuth2Api (exempt)',
+			filename: 'MyOAuth2Api.credentials.ts',
+			code: createCredentialCode({
+				name: 'myOAuth2Api',
+				displayName: 'My OAuth2 API',
+				extends: ['oAuth2Api'],
+			}),
+		},
+		{
+			name: 'non-credential class ignored',
+			filename: 'MyApi.credentials.ts',
+			code: createNonCredentialClass(),
+		},
+		{
+			name: 'non-credential file ignored',
+			filename: 'regular-file.ts',
+			code: createCredentialCode({}),
+		},
+	],
+	invalid: [
+		{
+			name: 'credential class missing test property and no testedBy in package',
+			filename: 'MyApi.credentials.ts',
+			code: createCredentialCode({}),
+			errors: [{ messageId: 'missingCredentialTest', data: { className: 'MyApi' } }],
+		},
+		{
+			name: 'credential class with extends but not oAuth2Api and no testedBy in package',
+			filename: 'MyApi.credentials.ts',
+			code: createCredentialCode({ extends: ['someOtherApi'] }),
+			errors: [{ messageId: 'missingCredentialTest', data: { className: 'MyApi' } }],
+		},
+		{
+			name: 'credential class with empty extends array and no testedBy in package',
+			filename: 'MyApi.credentials.ts',
+			code: createCredentialCode({ extends: [] }),
+			errors: [{ messageId: 'missingCredentialTest', data: { className: 'MyApi' } }],
+		},
+	],
+});

package/src/rules/credential-test-required.ts

@@ -0,0 +1,99 @@
+import { ESLintUtils } from '@typescript-eslint/utils';
+import {
+	isCredentialTypeClass,
+	findClassProperty,
+	hasArrayLiteralValue,
+	isFileType,
+	getStringLiteralValue,
+	findPackageJson,
+	areAllCredentialUsagesTestedByNodes,
+} from '../utils/index.js';
+import { dirname } from 'node:path';
+
+export const CredentialTestRequiredRule = ESLintUtils.RuleCreator.withoutDocs({
+	meta: {
+		type: 'problem',
+		docs: {
+			description: 'Ensure credentials have a credential test',
+		},
+		messages: {
+			missingCredentialTest:
+				'Credential class "{{ className }}" must have a test property or be tested by a node via testedBy',
+		},
+		schema: [],
+	},
+	defaultOptions: [],
+	create(context) {
+		if (!isFileType(context.filename, '.credentials.ts')) {
+			return {};
+		}
+
+		let packageDir: string | null = null;
+
+		const getPackageDir = (): string | null => {
+			if (packageDir !== null) {
+				return packageDir;
+			}
+
+			const packageJsonPath = findPackageJson(context.filename);
+			if (!packageJsonPath) {
+				packageDir = '';
+				return packageDir;
+			}
+
+			packageDir = dirname(packageJsonPath);
+			return packageDir;
+		};
+
+		return {
+			ClassDeclaration(node) {
+				if (!isCredentialTypeClass(node)) {
+					return;
+				}
+
+				const extendsProperty = findClassProperty(node, 'extends');
+				if (extendsProperty && hasArrayLiteralValue(extendsProperty, 'oAuth2Api')) {
+					return;
+				}
+
+				const testProperty = findClassProperty(node, 'test');
+				if (testProperty) {
+					return;
+				}
+
+				const nameProperty = findClassProperty(node, 'name');
+				if (!nameProperty) {
+					return;
+				}
+
+				const credentialName = getStringLiteralValue(nameProperty.value);
+				if (!credentialName) {
+					return;
+				}
+
+				const pkgDir = getPackageDir();
+				if (!pkgDir) {
+					context.report({
+						node,
+						messageId: 'missingCredentialTest',
+						data: {
+							className: node.id?.name || 'Unknown',
+						},
+					});
+					return;
+				}
+
+				const allUsagesTestedByNodes = areAllCredentialUsagesTestedByNodes(credentialName, pkgDir);
+				if (!allUsagesTestedByNodes) {
+					context.report({
+						node,
+						messageId: 'missingCredentialTest',
+						data: {
+							className: node.id?.name || 'Unknown',
+						},
+					});
+				}
+			},
+		};
+	},
+});