@n8n/eslint-plugin-community-nodes 0.3.0 → 0.5.0

package/src/utils/file-utils.ts

@@ -1,6 +1,9 @@
-import { readFileSync, existsSync } from 'node:fs';
-import { join, dirname, parse as parsePath } from 'node:path';
-import { parse, simpleTraverse, TSESTree } from '@typescript-eslint/typescript-estree';
+import type { TSESTree } from '@typescript-eslint/typescript-estree';
+import { parse, simpleTraverse, AST_NODE_TYPES } from '@typescript-eslint/typescript-estree';
+import { readFileSync, existsSync, readdirSync } from 'node:fs';
+import * as path from 'node:path';
+import { dirname, parse as parsePath } from 'node:path';
+
 import {
 	isCredentialTypeClass,
 	isNodeTypeClass,
@@ -8,14 +11,49 @@ import {
 	getStringLiteralValue,
 	findArrayLiteralProperty,
 	extractCredentialInfoFromArray,
+	findSimilarStrings,
 } from './ast-utils.js';
 
+/**
+ * Checks if the given childPath is contained within the parentPath. Resolves
+ * the paths before comparing them, so that relative paths are also supported.
+ */
+export function isContainedWithin(parentPath: string, childPath: string): boolean {
+	parentPath = path.resolve(parentPath);
+	childPath = path.resolve(childPath);
+
+	if (parentPath === childPath) {
+		return true;
+	}
+
+	return childPath.startsWith(parentPath + path.sep);
+}
+
+/**
+ * Joins the given paths to the parentPath, ensuring that the resulting path
+ * is still contained within the parentPath. If not, it throws an error to
+ * prevent path traversal vulnerabilities.
+ *
+ * @throws {UnexpectedError} If the resulting path is not contained within the parentPath.
+ */
+export function safeJoinPath(parentPath: string, ...paths: string[]): string {
+	const candidate = path.join(parentPath, ...paths);
+
+	if (!isContainedWithin(parentPath, candidate)) {
+		throw new Error(
+			`Path traversal detected, refusing to join paths: ${parentPath} and ${JSON.stringify(paths)}`,
+		);
+	}
+
+	return candidate;
+}
+
 export function findPackageJson(startPath: string): string | null {
-	let currentDir = startPath;
+	let currentDir = path.dirname(startPath);
 
 	while (parsePath(currentDir).dir !== parsePath(currentDir).root) {
-		const testPath = join(currentDir, 'package.json');
-		if (existsSync(testPath)) {
+		const testPath = safeJoinPath(currentDir, 'package.json');
+		if (fileExistsWithCaseSync(testPath)) {
 			return testPath;
 		}
 
@@ -25,10 +63,24 @@ export function findPackageJson(startPath: string): string | null {
 	return null;
 }
 
-function readPackageJsonN8n(packageJsonPath: string): any {
+interface PackageJsonN8n {
+	credentials?: string[];
+	nodes?: string[];
+	[key: string]: unknown;
+}
+
+function isValidPackageJson(obj: unknown): obj is { n8n?: PackageJsonN8n } {
+	return typeof obj === 'object' && obj !== null;
+}
+
+function readPackageJsonN8n(packageJsonPath: string): PackageJsonN8n {
 	try {
-		const packageJson = JSON.parse(readFileSync(packageJsonPath, 'utf8'));
-		return packageJson.n8n || {};
+		const content = readFileSync(packageJsonPath, 'utf8');
+		const parsed: unknown = JSON.parse(content);
+		if (isValidPackageJson(parsed)) {
+			return parsed.n8n ?? {};
+		}
+		return {};
 	} catch {
 		return {};
 	}
@@ -40,7 +92,7 @@ function resolveN8nFilePaths(packageJsonPath: string, filePaths: string[]): stri
 
 	for (const filePath of filePaths) {
 		const sourcePath = filePath.replace(/^dist\//, '').replace(/\.js$/, '.ts');
-		const fullSourcePath = join(packageDir, sourcePath);
+		const fullSourcePath = safeJoinPath(packageDir, sourcePath);
 
 		if (existsSync(fullSourcePath)) {
 			resolvedFiles.push(fullSourcePath);
@@ -52,7 +104,7 @@ function resolveN8nFilePaths(packageJsonPath: string, filePaths: string[]): stri
 
 export function readPackageJsonCredentials(packageJsonPath: string): Set<string> {
 	const n8nConfig = readPackageJsonN8n(packageJsonPath);
-	const credentialPaths = n8nConfig.credentials || [];
+	const credentialPaths = n8nConfig.credentials ?? [];
 	const credentialFiles = resolveN8nFilePaths(packageJsonPath, credentialPaths);
 	const credentialNames: string[] = [];
 
@@ -82,7 +134,7 @@ export function extractCredentialNameFromFile(credentialFilePath: string): strin
 
 		simpleTraverse(ast, {
 			enter(node: TSESTree.Node) {
-				if (node.type === 'ClassDeclaration' && isCredentialTypeClass(node)) {
+				if (node.type === AST_NODE_TYPES.ClassDeclaration && isCredentialTypeClass(node)) {
 					const nameProperty = findClassProperty(node, 'name');
 					if (nameProperty) {
 						const nameValue = getStringLiteralValue(nameProperty.value);
@@ -112,8 +164,9 @@ export function validateIconPath(
 	const isFile = iconPath.startsWith('file:');
 	const relativePath = iconPath.replace(/^file:/, '');
 	const isSvg = relativePath.endsWith('.svg');
-	const fullPath = join(baseDir, relativePath);
-	const exists = existsSync(fullPath);
+	// Should not use safeJoinPath here because iconPath can be outside of the node class folder
+	const fullPath = path.join(baseDir, relativePath);
+	const exists = fileExistsWithCaseSync(fullPath);
 
 	return {
 		isValid: isFile && isSvg && exists,
@@ -125,7 +178,7 @@ export function validateIconPath(
 
 export function readPackageJsonNodes(packageJsonPath: string): string[] {
 	const n8nConfig = readPackageJsonN8n(packageJsonPath);
-	const nodePaths = n8nConfig.nodes || [];
+	const nodePaths = n8nConfig.nodes ?? [];
 	return resolveN8nFilePaths(packageJsonPath, nodePaths);
 }
 
@@ -133,7 +186,7 @@ export function areAllCredentialUsagesTestedByNodes(
 	credentialName: string,
 	packageDir: string,
 ): boolean {
-	const packageJsonPath = join(packageDir, 'package.json');
+	const packageJsonPath = safeJoinPath(packageDir, 'package.json');
 	if (!existsSync(packageJsonPath)) {
 		return false;
 	}
@@ -167,11 +220,11 @@ function checkCredentialUsageInFile(
 
 		simpleTraverse(ast, {
 			enter(node: TSESTree.Node) {
-				if (node.type === 'ClassDeclaration' && isNodeTypeClass(node)) {
+				if (node.type === AST_NODE_TYPES.ClassDeclaration && isNodeTypeClass(node)) {
 					const descriptionProperty = findClassProperty(node, 'description');
 					if (
 						!descriptionProperty?.value ||
-						descriptionProperty.value.type !== 'ObjectExpression'
+						descriptionProperty.value.type !== AST_NODE_TYPES.ObjectExpression
 					) {
 						return;
 					}
@@ -202,3 +255,40 @@ function checkCredentialUsageInFile(
 		return { hasUsage: false, allTestedBy: true };
 	}
 }
+
+function fileExistsWithCaseSync(filePath: string): boolean {
+	try {
+		const dir = path.dirname(filePath);
+		const file = path.basename(filePath);
+		const files = new Set(readdirSync(dir));
+
+		return files.has(file);
+	} catch {
+		return false;
+	}
+}
+
+export function findSimilarSvgFiles(targetPath: string, baseDir: string): string[] {
+	try {
+		const targetFileName = path.basename(targetPath, path.extname(targetPath));
+		const targetDir = path.dirname(targetPath);
+		// Should not use safeJoinPath here because iconPath can be outside of the node class folder
+		const searchDir = path.join(baseDir, targetDir);
+
+		if (!existsSync(searchDir)) {
+			return [];
+		}
+
+		const files = readdirSync(searchDir);
+		const svgFileNames = files
+			.filter((file) => file.endsWith('.svg'))
+			.map((file) => path.basename(file, '.svg'));
+
+		const candidateNames = new Set(svgFileNames);
+		const similarNames = findSimilarStrings(targetFileName, candidateNames);
+
+		return similarNames.map((name) => path.join(targetDir, `${name}.svg`));
+	} catch {
+		return [];
+	}
+}

package/src/utils/index.ts

@@ -1,2 +1,3 @@
 export * from './ast-utils.js';
 export * from './file-utils.js';
+export * from './rule-creator.js';

package/src/utils/rule-creator.ts

@@ -0,0 +1,6 @@
+import { ESLintUtils } from '@typescript-eslint/utils';
+
+const REPO_URL = 'https://github.com/n8n-io/n8n';
+const DOCS_PATH = 'blob/master/packages/@n8n/eslint-plugin-community-nodes/docs/rules';
+
+export const createRule = ESLintUtils.RuleCreator((name) => `${REPO_URL}/${DOCS_PATH}/${name}.md`);

package/tsconfig.build.json

@@ -0,0 +1,4 @@
+{
+	"extends": "./tsconfig.json",
+	"exclude": ["**/*.test.ts", "**/*.spec.ts"]
+}

package/tsconfig.eslint.json

@@ -0,0 +1,5 @@
+{
+	"extends": "./tsconfig.json",
+	"include": ["src/**/*.ts"],
+	"exclude": []
+}

package/tsconfig.json

@@ -6,6 +6,5 @@
 		"outDir": "dist",
 		"types": ["vitest/globals"]
 	},
-	"include": ["src/**/*.ts"],
-	"exclude": ["**/*.test.ts"]
+	"include": ["src/**/*.ts"]
 }