@aborruso/ckan-mcp-server 0.4.105 → 0.4.106
- package/LOG.md +7 -0
- package/dist/index.js +7 -2
- package/package.json +1 -1
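--- a/package/LOG.md
+++ b/package/LOG.md
@@ -1,5 +1,12 @@
 # LOG
 
+## 2026-05-31
+
+### v0.4.106
+
+- Security fix (GHSA-g84h-j7jj-x32p): block `ip6-localhost` and `ip6-loopback` SSRF bypass — hostname aliases present in `/etc/hosts` on Linux that resolve to `::1` but bypassed the existing SSRF filter (GHSA-3xm7-qw7j-qc8v); replaced single `localhost` check with a blocked-hostname `Set`; 2 new unit tests added
+- Reported by: hibrian827
+
 ## 2026-05-25
 
 ### v0.4.105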
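--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -656,7 +656,12 @@ function validateServerUrl(serverUrl) {
 throw new Error(`Disallowed protocol "${parsed.protocol}". Only http and https are allowed.`);
 }
 const hostname = parsed.hostname.toLowerCase();
-
+const BLOCKED_HOSTNAMES = /* @__PURE__ */ new Set([
+"localhost",
+"ip6-localhost",
+"ip6-loopback"
+]);
+if (BLOCKED_HOSTNAMES.has(hostname)) {
 throw new Error(`Access to "${hostname}" is not allowed.`);
 }
 const ipv4 = hostname.match(/^(\d+)\.(\d+)\.(\d+)\.(\d+)$/);
@@ -5514,7 +5519,7 @@ var registerAllPrompts = (server) => {
 function createServer() {
 return new McpServer({
 name: "ckan-mcp-server",
-version: "0.4.
+version: "0.4.106"
 });
 }
 function registerAll(server) {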
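Review bot: The `BLOCKED_HOSTNAMES.has(hostname)` check in validateServerUrl compares the literal name only, so a name that is not on the list but that the resolver maps to a loopback address is still accepted, which is the same gap the two added aliases fell through before this release. The rest of validateServerUrl lies outside this hunk; if it does not already resolve the host and reject loopback, link-local and private results before the request is made, that check should be added, with the request then sent to the validated address, otherwise the list will keep needing entries. Normalising the name before the lookup would also make the comparison less brittle, e.g. `const hostname = parsed.hostname.toLowerCase().replace(/\.$/, "");`. As a style point, the set is rebuilt on every call and can be declared once at module scope; the `/* @__PURE__ */` annotation suggests this file is bundler output, so both changes belong in the source module it is built from.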
package/package.json