fix(core): Prevent bots from scanning the application (no-changelog) (#7066)

N8N-6878
2023-09-01 13:54:35 +02:00
parent a693b29134
commit 2432dcc661
4 changed files with 22 additions and 6 deletions
--- a/packages/cli/package.json
+++ b/packages/cli/package.json
@@ -142,6 +142,7 @@
    "infisical-node": "^1.3.0",
    "inquirer": "^7.0.1",
    "ioredis": "^5.2.4",
+    "isbot": "^3.6.13",
    "json-diff": "^1.0.6",
    "jsonschema": "^1.4.1",
    "jsonwebtoken": "^9.0.0",
--- a/packages/cli/src/AbstractServer.ts
+++ b/packages/cli/src/AbstractServer.ts
@@ -3,6 +3,9 @@ import { readFile } from 'fs/promises';
 import type { Server } from 'http';
 import express from 'express';
 import compression from 'compression';
+import isbot from 'isbot';
+import { jsonParse, LoggerProxy as Logger } from 'n8n-workflow';
+
 import config from '@/config';
 import { N8N_VERSION, inDevelopment, inTest } from '@/constants';
 import { ActiveWorkflowRunner } from '@/ActiveWorkflowRunner';
@@ -16,7 +19,6 @@ import { TestWebhooks } from '@/TestWebhooks';
 import { WaitingWebhooks } from '@/WaitingWebhooks';
 import { webhookRequestHandler } from '@/WebhookHelpers';
 import { RedisService } from '@/services/redis.service';
-import { jsonParse } from 'n8n-workflow';
 import { eventBus } from './eventbus';
 import type { AbstractEventMessageOptions } from './eventbus/EventMessageClasses/AbstractEventMessageOptions';
 import { getEventMessageObjectByType } from './eventbus/EventMessageClasses/Helpers';
@@ -270,6 +272,16 @@ export abstract class AbstractServer {
 			);
 		}

+		// Block bots from scanning the application
+		const checkIfBot = isbot.spawn(['bot']);
+		this.app.use((req, res, next) => {
+			const userAgent = req.headers['user-agent'];
+			if (!userAgent || checkIfBot(userAgent)) {
+				Logger.info(`Blocked ${req.method} ${req.url} for "${userAgent}"`);
+				res.status(204).end();
+			} else next();
+		});
+
 		if (inDevelopment) {
 			this.setupDevMiddlewares();
 		}