github · n8n-mcpHEAD

File mounts an HTTP route that handles MCP `tools/list` (Express / Fastify / FastAPI / Flask) but the route — and the router it sits behind — has no auth middleware applied. An anonymous client can enumerate every tool the server exposes, scope the attack surface, and (if `tools/call` shares the route) invoke them. Apply auth at the route or router level: Express `passport.authenticate(...)` / a `requireAuth`-style middleware, FastAPI `Depends(get_current_user)` or `Depends(verify_jwt)`, Flask

/**

 * N8N MCP Engine - Clean interface for service integration

 *

 * This class provides a simple API for integrating the n8n-MCP server

 * into larger services. The wrapping service handles authentication,

 * multi-tenancy, rate limiting, etc.

 */

import { Request, Response } from 'express';

import { SingleSessionHTTPServer } from './http-server-single-session';

import { logger } from './utils/logger';

import { InstanceContext } from './types/instance-context';

import { SessionState } from './

`.env` file contains a credential-like variable name (API_KEY / TOKEN / SECRET / PASSWORD / PRIVATE_KEY / BEARER) assigned to what looks like a real value. `.env` files ship inside `git archive`, `docker build` contexts, and install tarballs — any secret here leaks downstream (MCP Top-10 R9). Replace the value with a placeholder, rename the file to `.env.example`, and load the real value from a secret manager at runtime. If the credential was already committed, revoke it now (it is still in git

# Copy to .env and fill in values

# Required for HTTP mode

AUTH_TOKEN=

# Server configuration

PORT=3000

HTTP_PORT=80

HTTPS_PORT=443

`.env` file contains a credential-like variable name (API_KEY / TOKEN / SECRET / PASSWORD / PRIVATE_KEY / BEARER) assigned to what looks like a real value. `.env` files ship inside `git archive`, `docker build` contexts, and install tarballs — any secret here leaks downstream (MCP Top-10 R9). Replace the value with a placeholder, rename the file to `.env.example`, and load the real value from a secret manager at runtime. If the credential was already committed, revoke it now (it is still in git

# === API Configuration for Mocking ===

# Mock API endpoints

N8N_API_URL=http://localhost:3001/mock-api

N8N_API_KEY=test-api-key-12345

N8N_WEBHOOK_BASE_URL=http://localhost:3001/webhook

N8N_WEBHOOK_TEST_URL=http://localhost:3001/webhook-test

`.env` file contains a credential-like variable name (API_KEY / TOKEN / SECRET / PASSWORD / PRIVATE_KEY / BEARER) assigned to what looks like a real value. `.env` files ship inside `git archive`, `docker build` contexts, and install tarballs — any secret here leaks downstream (MCP Top-10 R9). Replace the value with a placeholder, rename the file to `.env.example`, and load the real value from a secret manager at runtime. If the credential was already committed, revoke it now (it is still in git

CORS_ORIGIN=http://localhost:3000,http://localhost:5678

# === Authentication ===

AUTH_TOKEN=test-auth-token

MCP_AUTH_TOKEN=test-mcp-auth-token

# === Logging Configuration ===

`.env` file contains a credential-like variable name (API_KEY / TOKEN / SECRET / PASSWORD / PRIVATE_KEY / BEARER) assigned to what looks like a real value. `.env` files ship inside `git archive`, `docker build` contexts, and install tarballs — any secret here leaks downstream (MCP Top-10 R9). Replace the value with a placeholder, rename the file to `.env.example`, and load the real value from a secret manager at runtime. If the credential was already committed, revoke it now (it is still in git

# === Authentication ===

AUTH_TOKEN=test-auth-token

MCP_AUTH_TOKEN=test-mcp-auth-token

# === Logging Configuration ===

# Set to 'debug' for verbose test output

Dockerfile never sets a non-root `USER` directive, so the CMD runs as root by default. Any RCE or library-level vulnerability exploited inside this container gets full privileges (MCP Top-10 R3). Add `USER <non-root>` before CMD / ENTRYPOINT in the final stage — e.g. `USER 1000`, `USER nobody`, or `USER nonroot` on distroless.

# Quick test Dockerfile using pre-built files

FROM node:22-alpine

WORKDIR /app

# Copy only the essentials

COPY package*.json ./

COPY dist ./dist

COPY data ./data

COPY docker/docker-entrypoint.sh /usr/local/bin/

COPY .env.example ./

# Install only runtime dependencies

RUN npm install --production @modelcontextprotocol/sdk better-sqlite3 express dotenv

# Make entrypoint executable

RUN chmod +x /usr/local/bin/docker-entrypoint.sh

# Set environment

ENV IS_DOCKER=true

ENV MCP_MODE=stdio

ENTRYPO

User-controlled value printed to terminal without ANSI escape sanitization. Malicious input can inject cursor-control sequences, rewrite earlier output, or hide shell commands from the operator.

}

  // Test http call query

  console.log('\n2. Testing "http call" query (was not finding HTTP Request easily):');

  const httpCallResult = await server.executeTool('search_nodes', { query: 'http call', limit: 10 });

  const httpCallFirst = httpCallResult.results[0];

  if (httpCallFirst.nodeType === 'nodes-base.httpRequest') {

User-controlled value printed to terminal without ANSI escape sanitization. Malicious input can inject cursor-control sequences, rewrite earlier output, or hide shell commands from the operator.

console.log('Input Data Result:');

console.log('- Has input data:', !!inputDataResult.nodes?.['HTTP Request']?.data?.input);

console.log('- Has output data:', !!inputDataResult.nodes?.['HTTP Request']?.data?.output);

console.log('\n✅ Can include input data for debugging\n');

/**

 * Test 9: itemsLimit Validation

User-controlled value printed to terminal without ANSI escape sanitization. Malicious input can inject cursor-control sequences, rewrite earlier output, or hide shell commands from the operator.

console.log('=====================================\n');

  // Test webhook query that was problematic

  console.log('1. Testing "webhook" query (was returning service-specific webhooks first):');

  const webhookResult = await server.executeTool('search_nodes', { query: 'webhook', limit: 10 });

  const webhookFirst = webhookResult.results[0];

  if (webhookFirst.nodeType === 'nodes-base.webhook') {

User-controlled value printed to terminal without ANSI escape sanitization. Malicious input can inject cursor-control sequences, rewrite earlier output, or hide shell commands from the operator.

}

  };

  console.log('Sending event:', testEvent);

  const { data, error } = await supabase

    .from('telemetry_events')

User-controlled value printed to terminal without ANSI escape sanitization. Malicious input can inject cursor-control sequences, rewrite earlier output, or hide shell commands from the operator.

console.log('\n✅ Successfully seeded', totalInserted, 'canonical AI tool examples');

    console.log('\nExamples are now available via:');

    console.log('  • search_nodes({query: "HTTP Request Tool", includeExamples: true})');

    console.log('  • get_node_essentials({nodeType: "nodes-langchain.toolCode", includeExamples: true})');

  } catch (error) {

User-controlled value printed to terminal without ANSI escape sanitization. Malicious input can inject cursor-control sequences, rewrite earlier output, or hide shell commands from the operator.

queue.forEach((event, i) => {

    console.log(`\n   Event ${i + 1}:`);

    console.log(`   - Type: ${event.event}`);

    console.log(`   - Properties:`, JSON.stringify(event.properties, null, 6));

  });

  // Flush to database

User-controlled value printed to terminal without ANSI escape sanitization. Malicious input can inject cursor-control sequences, rewrite earlier output, or hide shell commands from the operator.

for (const test of tests) {

    console.log(`\n${test.description}`);

    console.log(`Query: "${test.query}" (Mode: ${test.mode || 'OR'})`);

    console.log('-'.repeat(40));

    try {

User-controlled value printed to terminal without ANSI escape sanitization. Malicious input can inject cursor-control sequences, rewrite earlier output, or hide shell commands from the operator.

console.log(JSON.stringify(response));

        } else {

          // Wrap non-JSON-RPC responses

          console.log(JSON.stringify({

            jsonrpc: '2.0',

            id: request.id || null,

            error: {

              code: -32603,

              message: 'Internal error',

              data: response

            }

          }));

        }

      } catch (err) {

        console.log(JSON.stringify({

User-controlled value printed to terminal without ANSI escape sanitization. Malicious input can inject cursor-control sequences, rewrite earlier output, or hide shell commands from the operator.

await telemetry.flush();

  console.log('\n7. Done! Check Supabase for error events with "error" field.');

  console.log('   Query: SELECT * FROM telemetry_events WHERE event = \'error_occurred\' ORDER BY created_at DESC LIMIT 5;');

}

testErrorTracking().catch(console.error);

User-controlled value printed to terminal without ANSI escape sanitization. Malicious input can inject cursor-control sequences, rewrite earlier output, or hide shell commands from the operator.

});

console.log('Input Data Result:');

console.log('- Has input data:', !!inputDataResult.nodes?.['HTTP Request']?.data?.input);

console.log('- Has output data:', !!inputDataResult.nodes?.['HTTP Request']?.data?.output);

console.log('\n✅ Can include input data for debugging\n');

Silent error swallowing detected. An except clause that does pass or ... discards the exception with no log, no metric, and no trace. This blinds incident response and hides real failures.

### Fixed

- **`n8n_create_workflow` / `n8n_update_full_workflow` failures from JSON-stringified array parameters (Issue #611, reported by @Mte90).** VS Code + GitHub Copilot and some other MCP clients serialize array/object tool arguments as JSON strings rather than native JSON types. This reliably affected workflows with 3+ nodes or complex nested parameters (e.g. `__rl` resource-locator objects, filter conditions), producing the error `"nodes must be an array, got string"` while 1-2 node payl

Silent error swallowing detected. An except clause that does pass or ... discards the exception with no log, no metric, and no trace. This blinds incident response and hides real failures.

packagePath = testPath;

              break;

            }

          } catch {}

        }

        if (packagePath) break;

Silent error swallowing detected. An except clause that does pass or ... discards the exception with no log, no metric, and no trace. This blinds incident response and hides real failures.

// Cleanup on error

      try {

        fs.unlinkSync(inputFile);

      } catch {}

      throw error;

    }

  }

Silent error swallowing detected. An except clause that does pass or ... discards the exception with no log, no metric, and no trace. This blinds incident response and hides real failures.

await fs.access(fullPath);

                    packagePath = fullPath;

                    break;

                  } catch {}

                }

              }

            } else {

Silent error swallowing detected. An except clause that does pass or ... discards the exception with no log, no metric, and no trace. This blinds incident response and hides real failures.

// Cleanup on error

      try {

        fs.unlinkSync(inputFile);

      } catch {}

      throw error;

    }

  }