@n8n/eslint-plugin-community-nodes 0.2.0

package/src/rules/icon-validation.test.ts

@@ -0,0 +1,196 @@
+import { RuleTester } from '@typescript-eslint/rule-tester';
+import { IconValidationRule } from './icon-validation.js';
+import { vi } from 'vitest';
+import * as fs from 'node:fs';
+
+const ruleTester = new RuleTester();
+
+vi.mock('node:fs', () => ({
+	existsSync: vi.fn(),
+}));
+
+const mockExistsSync = vi.mocked(fs.existsSync);
+
+function setupMockFileSystem() {
+	mockExistsSync.mockImplementation((path: fs.PathLike) => {
+		const pathStr = path.toString();
+		return (
+			pathStr.includes('TestNode.svg') ||
+			pathStr.includes('ValidIcon.svg') ||
+			pathStr.includes('ValidIcon.dark.svg') ||
+			pathStr.includes('SameIcon.svg') ||
+			pathStr.includes('NotSvg.png')
+		);
+	});
+}
+
+setupMockFileSystem();
+
+const nodeFilePath = '/tmp/TestNode.node.ts';
+const credentialFilePath = '/tmp/TestCredential.credentials.ts';
+
+function createNodeCode(
+	icon?: string | { light: string; dark: string },
+	includeTypeImport: boolean = false,
+): string {
+	const typeImport = includeTypeImport
+		? `import type { INodeType, INodeTypeDescription } from 'n8n-workflow';`
+		: `import type { INodeType } from 'n8n-workflow';`;
+
+	const typeAnnotation = includeTypeImport ? `: INodeTypeDescription` : '';
+
+	let iconProperty = '';
+	if (icon) {
+		if (typeof icon === 'string') {
+			iconProperty = `icon: '${icon}',`;
+		} else {
+			iconProperty = `icon: {
+			light: '${icon.light}',
+			dark: '${icon.dark}'
+		},`;
+		}
+	}
+
+	return `
+${typeImport}
+
+export class TestNode implements INodeType {
+	description${typeAnnotation} = {
+		displayName: 'Test Node',
+		name: 'testNode',
+		${iconProperty}
+		group: ['input'],
+		version: 1,
+		description: 'A test node',
+		defaults: {
+			name: 'Test Node',
+		},
+		inputs: ['main'],
+		outputs: ['main'],
+		properties: [],
+	};
+}`;
+}
+
+function createCredentialCode(icon?: string | { light: string; dark: string }): string {
+	let iconProperty = '';
+	if (icon) {
+		if (typeof icon === 'string') {
+			iconProperty = `icon = '${icon}';`;
+		} else {
+			iconProperty = `icon = {
+		light: '${icon.light}',
+		dark: '${icon.dark}'
+	};`;
+		}
+	}
+
+	return `
+import type { ICredentialType, INodeProperties } from 'n8n-workflow';
+
+export class TestCredential implements ICredentialType {
+	name = 'testApi';
+	displayName = 'Test API';
+	${iconProperty}
+	properties: INodeProperties[] = [];
+}`;
+}
+
+// Helper function to create non-node class
+function createNonNodeClass(icon: string): string {
+	return `
+export class NotANode {
+	icon = '${icon}';
+}`;
+}
+
+ruleTester.run('icon-validation', IconValidationRule, {
+	valid: [
+		{
+			name: 'non-node class ignored',
+			filename: nodeFilePath,
+			code: createNonNodeClass('file:nonexistent.png'),
+		},
+		{
+			name: 'non-node file ignored',
+			filename: '/tmp/regular-file.ts',
+			code: createNodeCode('file:nonexistent.svg'),
+		},
+		{
+			name: 'node with valid string icon in description',
+			filename: nodeFilePath,
+			code: createNodeCode('file:icons/TestNode.svg', true),
+		},
+		{
+			name: 'node with valid light/dark icons in description',
+			filename: nodeFilePath,
+			code: createNodeCode(
+				{
+					light: 'file:icons/ValidIcon.svg',
+					dark: 'file:icons/ValidIcon.dark.svg',
+				},
+				true,
+			),
+		},
+		{
+			name: 'credential with valid string icon',
+			filename: credentialFilePath,
+			code: createCredentialCode('file:icons/TestNode.svg'),
+		},
+		{
+			name: 'credential with valid light/dark icons',
+			filename: credentialFilePath,
+			code: createCredentialCode({
+				light: 'file:icons/ValidIcon.svg',
+				dark: 'file:icons/ValidIcon.dark.svg',
+			}),
+		},
+	],
+	invalid: [
+		{
+			name: 'node missing icon property in description',
+			filename: nodeFilePath,
+			code: createNodeCode(undefined, true),
+			errors: [{ messageId: 'missingIcon' }],
+		},
+		{
+			name: 'icon file does not exist in description',
+			filename: nodeFilePath,
+			code: createNodeCode('file:icons/NonExistent.svg', true),
+			errors: [{ messageId: 'iconFileNotFound', data: { iconPath: 'icons/NonExistent.svg' } }],
+		},
+		{
+			name: 'light and dark icons are the same file in description',
+			filename: nodeFilePath,
+			code: createNodeCode(
+				{
+					light: 'file:icons/SameIcon.svg',
+					dark: 'file:icons/SameIcon.svg',
+				},
+				true,
+			),
+			errors: [{ messageId: 'lightDarkSame', data: { iconPath: 'icons/SameIcon.svg' } }],
+		},
+		{
+			name: 'credential missing icon property',
+			filename: credentialFilePath,
+			code: createCredentialCode(),
+			errors: [{ messageId: 'missingIcon' }],
+		},
+		{
+			name: 'credential icon file does not exist',
+			filename: credentialFilePath,
+			code: createCredentialCode('file:icons/NonExistent.svg'),
+			errors: [{ messageId: 'iconFileNotFound', data: { iconPath: 'icons/NonExistent.svg' } }],
+		},
+		{
+			name: 'credential light and dark icons are the same file',
+			filename: credentialFilePath,
+			code: createCredentialCode({
+				light: 'file:icons/SameIcon.svg',
+				dark: 'file:icons/SameIcon.svg',
+			}),
+			errors: [{ messageId: 'lightDarkSame', data: { iconPath: 'icons/SameIcon.svg' } }],
+		},
+	],
+});

package/src/rules/icon-validation.ts

@@ -0,0 +1,158 @@
+import { ESLintUtils, TSESTree } from '@typescript-eslint/utils';
+import { dirname } from 'node:path';
+import {
+	isNodeTypeClass,
+	isCredentialTypeClass,
+	findClassProperty,
+	findObjectProperty,
+	getStringLiteralValue,
+	validateIconPath,
+	isFileType,
+} from '../utils/index.js';
+
+export const IconValidationRule = ESLintUtils.RuleCreator.withoutDocs({
+	meta: {
+		type: 'problem',
+		docs: {
+			description:
+				'Validate node and credential icon files exist, are SVG format, and light/dark icons are different',
+		},
+		messages: {
+			iconFileNotFound: 'Icon file "{{ iconPath }}" does not exist',
+			iconNotSvg: 'Icon file "{{ iconPath }}" must be an SVG file (end with .svg)',
+			lightDarkSame: 'Light and dark icons cannot be the same file. Both point to "{{ iconPath }}"',
+			invalidIconPath: 'Icon path "{{ iconPath }}" must use file: protocol and be a string',
+			missingIcon: 'Node/Credential class must have an icon property defined',
+		},
+		schema: [],
+	},
+	defaultOptions: [],
+	create(context) {
+		if (
+			!isFileType(context.filename, '.node.ts') &&
+			!isFileType(context.filename, '.credentials.ts')
+		) {
+			return {};
+		}
+
+		const validateIcon = (iconPath: string | null, node: TSESTree.Node): boolean => {
+			if (!iconPath) {
+				context.report({
+					node,
+					messageId: 'invalidIconPath',
+					data: { iconPath: iconPath || '' },
+				});
+				return false;
+			}
+
+			const currentDir = dirname(context.filename);
+			const validation = validateIconPath(iconPath, currentDir);
+
+			if (!validation.isFile) {
+				context.report({
+					node,
+					messageId: 'invalidIconPath',
+					data: { iconPath },
+				});
+				return false;
+			}
+
+			if (!validation.isSvg) {
+				const relativePath = iconPath.replace(/^file:/, '');
+				context.report({
+					node,
+					messageId: 'iconNotSvg',
+					data: { iconPath: relativePath },
+				});
+				return false;
+			}
+
+			if (!validation.exists) {
+				const relativePath = iconPath.replace(/^file:/, '');
+				context.report({
+					node,
+					messageId: 'iconFileNotFound',
+					data: { iconPath: relativePath },
+				});
+				return false;
+			}
+
+			return true;
+		};
+
+		const validateIconValue = (iconValue: TSESTree.Node) => {
+			if (iconValue.type === 'Literal') {
+				const iconPath = getStringLiteralValue(iconValue);
+				validateIcon(iconPath, iconValue);
+			} else if (iconValue.type === 'ObjectExpression') {
+				const lightProperty = findObjectProperty(iconValue, 'light');
+				const darkProperty = findObjectProperty(iconValue, 'dark');
+
+				const lightPath = lightProperty ? getStringLiteralValue(lightProperty.value) : null;
+				const darkPath = darkProperty ? getStringLiteralValue(darkProperty.value) : null;
+
+				if (lightProperty) {
+					validateIcon(lightPath, lightProperty.value);
+				}
+				if (darkProperty) {
+					validateIcon(darkPath, darkProperty.value);
+				}
+
+				if (lightPath && darkPath && lightPath === darkPath && lightProperty) {
+					context.report({
+						node: lightProperty.value,
+						messageId: 'lightDarkSame',
+						data: { iconPath: lightPath.replace(/^file:/, '') },
+					});
+				}
+			}
+		};
+
+		return {
+			ClassDeclaration(node) {
+				const isNodeClass = isNodeTypeClass(node);
+				const isCredentialClass = isCredentialTypeClass(node);
+
+				if (!isNodeClass && !isCredentialClass) {
+					return;
+				}
+
+				if (isNodeClass) {
+					const descriptionProperty = findClassProperty(node, 'description');
+					if (
+						!descriptionProperty?.value ||
+						descriptionProperty.value.type !== 'ObjectExpression'
+					) {
+						context.report({
+							node,
+							messageId: 'missingIcon',
+						});
+						return;
+					}
+
+					const iconProperty = findObjectProperty(descriptionProperty.value, 'icon');
+					if (!iconProperty) {
+						context.report({
+							node,
+							messageId: 'missingIcon',
+						});
+						return;
+					}
+
+					validateIconValue(iconProperty.value);
+				} else if (isCredentialClass) {
+					const iconProperty = findClassProperty(node, 'icon');
+					if (!iconProperty?.value) {
+						context.report({
+							node,
+							messageId: 'missingIcon',
+						});
+						return;
+					}
+
+					validateIconValue(iconProperty.value);
+				}
+			},
+		};
+	},
+});

package/src/rules/index.ts

@@ -0,0 +1,24 @@
+import type { AnyRuleModule } from '@typescript-eslint/utils/ts-eslint';
+import { NoRestrictedGlobalsRule } from './no-restricted-globals.js';
+import { NoRestrictedImportsRule } from './no-restricted-imports.js';
+import { CredentialPasswordFieldRule } from './credential-password-field.js';
+import { NoDeprecatedWorkflowFunctionsRule } from './no-deprecated-workflow-functions.js';
+import { NodeUsableAsToolRule } from './node-usable-as-tool.js';
+import { PackageNameConventionRule } from './package-name-convention.js';
+import { CredentialTestRequiredRule } from './credential-test-required.js';
+import { NoCredentialReuseRule } from './no-credential-reuse.js';
+import { IconValidationRule } from './icon-validation.js';
+import { ResourceOperationPatternRule } from './resource-operation-pattern.js';
+
+export const rules = {
+	'no-restricted-globals': NoRestrictedGlobalsRule,
+	'no-restricted-imports': NoRestrictedImportsRule,
+	'credential-password-field': CredentialPasswordFieldRule,
+	'no-deprecated-workflow-functions': NoDeprecatedWorkflowFunctionsRule,
+	'node-usable-as-tool': NodeUsableAsToolRule,
+	'package-name-convention': PackageNameConventionRule,
+	'credential-test-required': CredentialTestRequiredRule,
+	'no-credential-reuse': NoCredentialReuseRule,
+	'icon-validation': IconValidationRule,
+	'resource-operation-pattern': ResourceOperationPatternRule,
+} satisfies Record<string, AnyRuleModule>;

package/src/rules/no-credential-reuse.test.ts

@@ -0,0 +1,226 @@
+import { RuleTester } from '@typescript-eslint/rule-tester';
+import { NoCredentialReuseRule } from './no-credential-reuse.js';
+import { vi } from 'vitest';
+import * as fs from 'node:fs';
+
+const ruleTester = new RuleTester();
+
+// Mock fs functions
+vi.mock('node:fs', () => ({
+	readFileSync: vi.fn(),
+	existsSync: vi.fn(),
+}));
+
+const mockReadFileSync = vi.mocked(fs.readFileSync);
+const mockExistsSync = vi.mocked(fs.existsSync);
+
+const nodeFilePath = '/tmp/TestNode.node.ts';
+
+function createCredentialClass(name: string, displayName: string): string {
+	return `
+		import type { ICredentialType, INodeProperties } from 'n8n-workflow';
+
+		export class ${name.charAt(0).toUpperCase() + name.slice(1)} implements ICredentialType {
+			name = '${name}';
+			displayName = '${displayName}';
+			properties: INodeProperties[] = [];
+		}
+	`;
+}
+
+function createNodeCode(
+	credentials: (string | { name: string; required?: boolean })[] = [],
+): string {
+	const credentialsArray =
+		credentials.length > 0
+			? credentials
+					.map((cred) => {
+						if (typeof cred === 'string') {
+							return `'${cred}'`;
+						} else {
+							const required =
+								cred.required !== undefined ? `,\n\t\t\t\trequired: ${cred.required}` : '';
+							return `{\n\t\t\t\tname: '${cred.name}'${required},\n\t\t\t}`;
+						}
+					})
+					.join(',\n\t\t\t')
+			: '';
+
+	const credentialsProperty =
+		credentials.length > 0 ? `credentials: [\n\t\t\t${credentialsArray}\n\t\t],` : '';
+
+	return `
+import type { INodeType, INodeTypeDescription } from 'n8n-workflow';
+
+export class TestNode implements INodeType {
+	description: INodeTypeDescription = {
+		displayName: 'Test Node',
+		name: 'testNode',
+		group: ['output'],
+		version: 1,
+		inputs: ['main'],
+		outputs: ['main'],
+		${credentialsProperty}
+		properties: [],
+	};
+}`;
+}
+
+// Helper function to create non-node class
+function createNonNodeClass(): string {
+	return `
+export class RegularClass {
+	credentials = [
+		{ name: 'ExternalApi', required: true }
+	];
+}`;
+}
+
+// Helper function to create non-INodeType class
+function createNonINodeTypeClass(): string {
+	return `
+export class NotANode {
+	description = {
+		displayName: 'Not A Node',
+		credentials: [
+			{ name: 'ExternalApi', required: true }
+		]
+	};
+}`;
+}
+
+function setupMockFileSystem() {
+	const packageJson = {
+		name: 'test-package',
+		n8n: {
+			credentials: [
+				'dist/credentials/MyApi.credentials.js',
+				'dist/credentials/AnotherApi.credentials.js',
+			],
+		},
+	};
+
+	const myApiCredential = createCredentialClass('myApiCredential', 'My API');
+	const anotherApiCredential = createCredentialClass('anotherApiCredential', 'Another API');
+
+	mockExistsSync.mockImplementation((path: fs.PathLike) => {
+		const pathStr = path.toString();
+		return (
+			pathStr.includes('package.json') ||
+			pathStr.includes('MyApi.credentials.ts') ||
+			pathStr.includes('AnotherApi.credentials.ts')
+		);
+	});
+
+	mockReadFileSync.mockImplementation((path: any): string => {
+		const pathStr = path.toString();
+		if (pathStr.includes('package.json')) {
+			return JSON.stringify(packageJson, null, 2);
+		}
+		if (pathStr.includes('MyApi.credentials.ts')) {
+			return myApiCredential;
+		}
+		if (pathStr.includes('AnotherApi.credentials.ts')) {
+			return anotherApiCredential;
+		}
+		throw new Error(`File not found: ${pathStr}`);
+	});
+}
+
+setupMockFileSystem();
+
+ruleTester.run('no-credential-reuse', NoCredentialReuseRule, {
+	valid: [
+		{
+			name: 'node using allowed credential (object form) from same package',
+			filename: nodeFilePath,
+			code: createNodeCode([{ name: 'myApiCredential', required: true }]),
+		},
+		{
+			name: 'node using allowed credential (string form) from same package',
+			filename: nodeFilePath,
+			code: createNodeCode(['myApiCredential']),
+		},
+		{
+			name: 'node using multiple allowed credentials (mixed forms)',
+			filename: nodeFilePath,
+			code: createNodeCode(['myApiCredential', { name: 'anotherApiCredential', required: false }]),
+		},
+		{
+			name: 'node without credentials array',
+			filename: nodeFilePath,
+			code: createNodeCode(),
+		},
+		{
+			name: 'non-node file ignored',
+			filename: '/tmp/regular-file.ts',
+			code: createNonNodeClass(),
+		},
+		{
+			name: 'non-INodeType class ignored',
+			filename: nodeFilePath,
+			code: createNonINodeTypeClass(),
+		},
+	],
+	invalid: [
+		{
+			name: 'SECURITY: node using credential not in package (object form)',
+			filename: nodeFilePath,
+			code: createNodeCode([{ name: 'ExternalApi', required: true }]),
+			errors: [
+				{
+					messageId: 'credentialNotInPackage',
+					data: { credentialName: 'ExternalApi' },
+				},
+			],
+		},
+		{
+			name: 'SECURITY: node using credential not in package (string form)',
+			filename: nodeFilePath,
+			code: createNodeCode(['ExternalApi']),
+			errors: [
+				{
+					messageId: 'credentialNotInPackage',
+					data: { credentialName: 'ExternalApi' },
+				},
+			],
+		},
+		{
+			name: 'SECURITY: node using mix of allowed and disallowed credentials (mixed forms)',
+			filename: nodeFilePath,
+			code: createNodeCode([
+				'myApiCredential',
+				{ name: 'ExternalApi', required: true },
+				'AnotherExternalApi',
+			]),
+			errors: [
+				{
+					messageId: 'credentialNotInPackage',
+					data: { credentialName: 'ExternalApi' },
+				},
+				{
+					messageId: 'credentialNotInPackage',
+					data: { credentialName: 'AnotherExternalApi' },
+				},
+			],
+		},
+		{
+			name: 'node using multiple disallowed credentials',
+			filename: nodeFilePath,
+			code: createNodeCode([
+				{ name: 'ExternalApi1', required: true },
+				{ name: 'ExternalApi2', required: false },
+			]),
+			errors: [
+				{
+					messageId: 'credentialNotInPackage',
+					data: { credentialName: 'ExternalApi1' },
+				},
+				{
+					messageId: 'credentialNotInPackage',
+					data: { credentialName: 'ExternalApi2' },
+				},
+			],
+		},
+	],
+});

package/src/rules/no-credential-reuse.ts

@@ -0,0 +1,81 @@
+import { ESLintUtils } from '@typescript-eslint/utils';
+import {
+	isNodeTypeClass,
+	findClassProperty,
+	findArrayLiteralProperty,
+	extractCredentialNameFromArray,
+	findPackageJson,
+	readPackageJsonCredentials,
+	isFileType,
+} from '../utils/index.js';
+
+export const NoCredentialReuseRule = ESLintUtils.RuleCreator.withoutDocs({
+	meta: {
+		type: 'problem',
+		docs: {
+			description:
+				'Prevent credential re-use security issues by ensuring nodes only reference credentials from the same package',
+		},
+		messages: {
+			credentialNotInPackage:
+				'SECURITY: Node references credential "{{ credentialName }}" which is not defined in this package. This creates a security risk as it attempts to reuse credentials from other packages. Nodes can only use credentials from the same package as listed in package.json n8n.credentials field.',
+		},
+		schema: [],
+	},
+	defaultOptions: [],
+	create(context) {
+		if (!isFileType(context.filename, '.node.ts')) {
+			return {};
+		}
+
+		let packageCredentials: Set<string> | null = null;
+
+		const loadPackageCredentials = (): Set<string> => {
+			if (packageCredentials !== null) {
+				return packageCredentials;
+			}
+
+			const packageJsonPath = findPackageJson(context.filename);
+			if (!packageJsonPath) {
+				packageCredentials = new Set();
+				return packageCredentials;
+			}
+
+			packageCredentials = readPackageJsonCredentials(packageJsonPath);
+			return packageCredentials;
+		};
+
+		return {
+			ClassDeclaration(node) {
+				if (!isNodeTypeClass(node)) {
+					return;
+				}
+
+				const descriptionProperty = findClassProperty(node, 'description');
+				if (!descriptionProperty?.value || descriptionProperty.value.type !== 'ObjectExpression') {
+					return;
+				}
+
+				const credentialsArray = findArrayLiteralProperty(descriptionProperty.value, 'credentials');
+				if (!credentialsArray) {
+					return;
+				}
+
+				const allowedCredentials = loadPackageCredentials();
+
+				credentialsArray.elements.forEach((element) => {
+					const credentialInfo = extractCredentialNameFromArray(element);
+					if (credentialInfo && !allowedCredentials.has(credentialInfo.name)) {
+						context.report({
+							node: credentialInfo.node,
+							messageId: 'credentialNotInPackage',
+							data: {
+								credentialName: credentialInfo.name,
+							},
+						});
+					}
+				});
+			},
+		};
+	},
+});