github-mirror/n8n
1
0
Fork 0
mirror of https://github.com/n8n-io/n8n.git synced 2026-06-04 10:39:23 +02:00
Code Issues Actions 14 Packages Projects Releases Wiki Activity Graph

test(core): Make CBC wrong-key decryption tests deterministic (#31471)

Browse Source 
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
Matsu 2026-06-03 11:47:55 +03:00 committed by GitHub
parent d7b759dfb4
commit a3f663d1c2
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 21 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
packages/core/src/encryption/__tests__/cipher.test.ts
View File

@ -10,6 +10,17 @@ describe('Cipher', () => {
mockInstance(InstanceSettings, { encryptionKey: 'test_key' });
const cipher = Container.get(Cipher);
// Decrypts CBC ciphertext with the given key, normalizing a padding-validation
// throw into a sentinel. Used to assert wrong-key decryption never recovers the
// original plaintext without relying on the flaky ~255/256 chance that CBC throws.
const decryptWithCbcKey = (ciphertext: string, key: string): string => {
try {
return cipher.decryptWithKey(ciphertext, key, 'aes-256-cbc');
} catch {
return '\0__decryption-threw__';
}
};
describe('encrypt', () => {
it('should encrypt strings', () => {
const encrypted = cipher.encrypt('random-string');
@ -52,9 +63,12 @@ describe('Cipher', () => {
expect(cipher.decryptWithKey(encrypted, 'test_key', 'aes-256-cbc')).toEqual('random-string');
});
it('should fail to decrypt with a non-instance key', () => {
it('should not recover the plaintext with a non-instance key', () => {
const encrypted = cipher.encryptWithInstanceKey('random-string');
expect(() => cipher.decryptWithKey(encrypted, 'some-other-key', 'aes-256-cbc')).toThrow();
// Unauthenticated CBC cannot reliably detect a wrong key: decryption
// either throws on padding validation or yields garbage, but it must
// never return the original plaintext.
expect(decryptWithCbcKey(encrypted, 'some-other-key')).not.toEqual('random-string');
});
});
@ -85,9 +99,12 @@ describe('Cipher', () => {
expect(first).not.toEqual(second);
});
it('should fail to decrypt with a different key', () => {
it('should not recover the plaintext with a different key', () => {
const encrypted = cipher.encryptWithKey('random-string', 'key-a', 'aes-256-cbc');
expect(() => cipher.decryptWithKey(encrypted, 'key-b', 'aes-256-cbc')).toThrow();
// Unauthenticated CBC cannot reliably detect a wrong key: decryption
// either throws on padding validation or yields garbage, but it must
// never return the original plaintext.
expect(decryptWithCbcKey(encrypted, 'key-b')).not.toEqual('random-string');
});
it('should be interoperable with legacy encrypt when given the same key', () => {