@n8n/scan-community-package 0.2.0 → 0.4.0

package/package.json

@@ -1,20 +1,21 @@
 {
   "name": "@n8n/scan-community-package",
-  "version": "0.2.0",
+  "version": "0.4.0",
   "description": "Static code analyser for n8n community packages",
   "license": "SEE LICENSE IN LICENSE.md",
   "bin": "scanner/cli.mjs",
   "files": [
     "scanner",
-    "LICENSE.md",
-    "LICENSE_EE.md"
+    "LICENSE_EE.md",
+    "LICENSE.md"
   ],
   "dependencies": {
     "eslint": "9.29.0",
     "fast-glob": "3.2.12",
-    "axios": "1.8.3",
+    "axios": "1.12.0",
     "semver": "^7.5.4",
-    "tmp": "0.2.4"
+    "tmp": "0.2.4",
+    "@n8n/eslint-plugin-community-nodes": "0.2.0"
   },
   "homepage": "https://n8n.io",
   "author": {

package/scanner/cli.mjs

@@ -2,13 +2,11 @@
 
 const args = process.argv.slice(2);
 if (args.length < 1) {
-	console.error(
-		"Usage: npx @n8n/scan-community-package <package-name>[@version]",
-	);
+	console.error('Usage: npx @n8n/scan-community-package <package-name>[@version]');
 	process.exit(1);
 }
 
-import { resolvePackage, analyzePackageByName } from "./scanner.mjs";
+import { resolvePackage, analyzePackageByName } from './scanner.mjs';
 
 const packageSpec = args[0];
 const { packageName, version } = resolvePackage(packageSpec);
@@ -16,21 +14,17 @@ try {
 	const result = await analyzePackageByName(packageName, version);
 
 	if (result.passed) {
-		console.log(
-			`✅ Package ${packageName}@${result.version} has passed all security checks`,
-		);
+		console.log(`✅ Package ${packageName}@${result.version} has passed all security checks`);
 	} else {
-		console.log(
-			`❌ Package ${packageName}@${result.version} has failed security checks`,
-		);
+		console.log(`❌ Package ${packageName}@${result.version} has failed security checks`);
 		console.log(`Reason: ${result.message}`);
 
 		if (result.details) {
-			console.log("\nDetails:");
+			console.log('\nDetails:');
 			console.log(result.details);
 		}
 	}
 } catch (error) {
-	console.error("Analysis failed:", error);
+	console.error('Analysis failed:', error);
 	process.exit(1);
 }

package/scanner/scanner.mjs

@@ -1,29 +1,32 @@
 #!/usr/bin/env node
 
-import fs from "fs";
-import path from "path";
-import { ESLint } from "eslint";
-import { execSync } from "child_process";
-import tmp from "tmp";
-import semver from "semver";
-import axios from "axios";
-import glob from "fast-glob";
-import { fileURLToPath } from "url";
-import { defineConfig } from "eslint/config";
-
-import plugin from "./eslint-plugin.mjs";
+import fs from 'fs';
+import path from 'path';
+import { ESLint } from 'eslint';
+import { spawnSync } from 'child_process';
+import tmp from 'tmp';
+import semver from 'semver';
+import axios from 'axios';
+import glob from 'fast-glob';
+import { fileURLToPath } from 'url';
+import { defineConfig } from 'eslint/config';
 
 const { stdout } = process;
 const __dirname = path.dirname(fileURLToPath(import.meta.url));
 const TEMP_DIR = tmp.dirSync({ unsafeCleanup: true }).name;
-const registry = "https://registry.npmjs.org/";
+const registry = 'https://registry.npmjs.org/';
 
 export const resolvePackage = (packageSpec) => {
+	// Validate input to prevent command injection
+	if (!/^[a-zA-Z0-9@/_.-]+$/.test(packageSpec)) {
+		throw new Error('Invalid package specification');
+	}
+
 	let packageName, version;
-	if (packageSpec.startsWith("@")) {
-		if (packageSpec.includes("@", 1)) {
+	if (packageSpec.startsWith('@')) {
+		if (packageSpec.includes('@', 1)) {
 			// Handle scoped packages with versions
-			const lastAtIndex = packageSpec.lastIndexOf("@");
+			const lastAtIndex = packageSpec.lastIndexOf('@');
 			return {
 				packageName: packageSpec.substring(0, lastAtIndex),
 				version: packageSpec.substring(lastAtIndex + 1),
@@ -34,27 +37,39 @@ export const resolvePackage = (packageSpec) => {
 		}
 	}
 	// Handle regular packages
-	const parts = packageSpec.split("@");
+	const parts = packageSpec.split('@');
 	return { packageName: parts[0], version: parts[1] || null };
 };
 
 const downloadAndExtractPackage = async (packageName, version) => {
 	try {
-		// Download the tarball
-		execSync(`npm -q pack ${packageName}@${version}`, { cwd: TEMP_DIR });
-		const tarballName = fs
-			.readdirSync(TEMP_DIR)
-			.find((file) => file.endsWith(".tgz"));
+		// Download the tarball using safe arguments
+		const npmResult = spawnSync('npm', ['-q', 'pack', `${packageName}@${version}`], {
+			cwd: TEMP_DIR,
+			stdio: 'pipe',
+		});
+		if (npmResult.status !== 0) {
+			throw new Error(`npm pack failed: ${npmResult.stderr?.toString()}`);
+		}
+		const tarballName = fs.readdirSync(TEMP_DIR).find((file) => file.endsWith('.tgz'));
 		if (!tarballName) {
-			throw new Error("Tarball not found");
+			throw new Error('Tarball not found');
 		}
 
 		// Unpack the tarball
 		const packageDir = path.join(TEMP_DIR, `${packageName}-${version}`);
 		fs.mkdirSync(packageDir, { recursive: true });
-		execSync(`tar -xzf ${tarballName} -C ${packageDir} --strip-components=1`, {
-			cwd: TEMP_DIR,
-		});
+		const tarResult = spawnSync(
+			'tar',
+			['-xzf', tarballName, '-C', packageDir, '--strip-components=1'],
+			{
+				cwd: TEMP_DIR,
+				stdio: 'pipe',
+			},
+		);
+		if (tarResult.status !== 0) {
+			throw new Error(`tar extraction failed: ${tarResult.stderr?.toString()}`);
+		}
 		fs.unlinkSync(path.join(TEMP_DIR, tarballName));
 
 		return packageDir;
@@ -65,50 +80,34 @@ const downloadAndExtractPackage = async (packageName, version) => {
 };
 
 const analyzePackage = async (packageDir) => {
-	const { default: eslintPlugin } = await import("./eslint-plugin.mjs");
+	const { n8nCommunityNodesPlugin } = await import('@n8n/eslint-plugin-community-nodes');
 	const eslint = new ESLint({
 		cwd: packageDir,
 		allowInlineConfig: false,
 		overrideConfigFile: true,
-		overrideConfig: defineConfig([
-			{
-				plugins: {
-					"n8n-community-packages": plugin,
-				},
-				rules: {
-					"n8n-community-packages/no-restricted-globals": "error",
-					"n8n-community-packages/no-restricted-imports": "error",
-				},
-				languageOptions: {
-					parserOptions: {
-						ecmaVersion: 2022,
-						sourceType: "commonjs",
-					},
-				},
-			},
-		]),
+		overrideConfig: defineConfig(n8nCommunityNodesPlugin.configs.recommended),
 	});
 
 	try {
-		const jsFiles = glob.sync("**/*.js", {
+		const jsFiles = glob.sync('**/*.js', {
 			cwd: packageDir,
 			absolute: true,
-			ignore: ["node_modules/**"],
+			ignore: ['node_modules/**'],
 		});
 
 		if (jsFiles.length === 0) {
-			return { passed: true, message: "No JavaScript files found to analyze" };
+			return { passed: true, message: 'No JavaScript files found to analyze' };
 		}
 
 		const results = await eslint.lintFiles(jsFiles);
 		const violations = results.filter((result) => result.errorCount > 0);
 
 		if (violations.length > 0) {
-			const formatter = await eslint.loadFormatter("stylish");
+			const formatter = await eslint.loadFormatter('stylish');
 			const formattedResults = await formatter.format(results);
 			return {
 				passed: false,
-				message: "ESLint violations found",
+				message: 'ESLint violations found',
 				details: formattedResults,
 			};
 		}
@@ -142,21 +141,18 @@ export const analyzePackageByName = async (packageName, version) => {
 		// If no version specified, get the latest
 		if (!exactVersion) {
 			const { data } = await axios.get(`${registry}/${packageName}`);
-			exactVersion = data["dist-tags"].latest;
+			exactVersion = data['dist-tags'].latest;
 		}
 
 		const label = `${packageName}@${exactVersion}`;
 
 		stdout.write(`Downloading ${label}...`);
-		const packageDir = await downloadAndExtractPackage(
-			packageName,
-			exactVersion,
-		);
-		if (stdout.TTY){
+		const packageDir = await downloadAndExtractPackage(packageName, exactVersion);
+		if (stdout.TTY) {
 			stdout.clearLine(0);
 			stdout.cursorTo(0);
 		}
-			stdout.write(`✅ Downloaded ${label} \n`);
+		stdout.write(`✅ Downloaded ${label} \n`);
 
 		stdout.write(`Analyzing ${label}...`);
 		const analysisResult = await analyzePackage(packageDir);

package/scanner/eslint-plugin.mjs

@@ -1,89 +0,0 @@
-const restrictedGlobals = [
-	"clearInterval",
-	"clearTimeout",
-	"global",
-	"process",
-	"setInterval",
-	"setTimeout",
-];
-
-const allowedModules = [
-	"n8n-workflow",
-	"lodash",
-	"moment",
-	"p-limit",
-	"luxon",
-	"zod",
-	"crypto",
-	"node:crypto"
-];
-
-const isModuleAllowed = (modulePath) => {
-	// Allow relative paths
-	if (modulePath.startsWith("./") || modulePath.startsWith("../")) return true;
-
-	// Extract module name from imports that might contain additional path
-	const moduleName = modulePath.startsWith("@")
-		? modulePath.split("/").slice(0, 2).join("/")
-		: modulePath.split("/")[0];
-	return allowedModules.includes(moduleName);
-};
-
-/** @type {import('@types/eslint').ESLint.Plugin} */
-const plugin = {
-	rules: {
-		"no-restricted-globals": {
-			create(context) {
-				return {
-					Identifier(node) {
-						if (
-							restrictedGlobals.includes(node.name) &&
-							(!node.parent ||
-								node.parent.type !== "MemberExpression" ||
-								node.parent.object === node)
-						) {
-							context.report({
-								node,
-								message: `Use of restricted global '${node.name}' is not allowed`,
-							});
-						}
-					},
-				};
-			},
-		},
-
-		"no-restricted-imports": {
-			create(context) {
-				return {
-					ImportDeclaration(node) {
-						const modulePath = node.source.value;
-						if (!isModuleAllowed(modulePath)) {
-							context.report({
-								node,
-								message: `Import of '${modulePath}' is not allowed.`,
-							});
-						}
-					},
-
-					CallExpression(node) {
-						if (
-							node.callee.name === "require" &&
-							node.arguments.length > 0 &&
-							node.arguments[0].type === "Literal"
-						) {
-							const modulePath = node.arguments[0].value;
-							if (!isModuleAllowed(modulePath)) {
-								context.report({
-									node,
-									message: `Require of '${modulePath}' is not allowed.`,
-								});
-							}
-						}
-					},
-				};
-			},
-		},
-	},
-};
-
-export default plugin;