npm - @aborruso/ckan-mcp-server - Versions diffs - 0.4.106 → 0.4.108 - Mend

@aborruso/ckan-mcp-server 0.4.106 → 0.4.108

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/LOG.md CHANGED Viewed

@@ -1,5 +1,20 @@
 # LOG
+## 2026-06-22
+### v0.4.108
+- Security fix (GHSA-798p-78g2-v556): close DNS-name SSRF bypass — `validateServerUrl` only checked the hostname string, so a name resolving to an internal IP (e.g. `lvh.me` → `127.0.0.1`, `*.nip.io` → cloud IMDS) bypassed the guard. Added DNS resolution + validation of every resolved IP, with connection pinning via a custom `lookup` agent (closes DNS-rebinding and redirect-to-internal) on the Node/axios path; pre-resolution check on the fetch-based `sparql_query` (HTTPS-only). Extracted `isBlockedIp` shared by literal and resolved-IP guards. `maxRedirects: 5` on CKAN requests.
+- Hardening: the network-exposed HTTP transport now refuses to start without `CKAN_ALLOWED_DOMAINS` (default-deny), unless explicitly opted out with `CKAN_HTTP_ALLOW_ALL=true` (logs a warning). stdio stays open. Cloudflare Worker unaffected (CF sandbox already blocks internal addresses).
+- 11 new tests (isBlockedIp, SSRF-safe lookup, allowlist gate, DNS-bypass on sparql). Verified end-to-end against a real HTTP deployment.
+- Reported by: EchoSkorJjj
+## 2026-06-18
+### v0.4.107
+- `ckan_package_show`: surface DCAT-AP fields already returned by package_show but previously hidden in markdown output — Rights Holder (`holder_name` via readDcatExtra), Publisher (`publisher_name`), Update Frequency (`frequency`), Language (`language`), Access Rights (`access_rights`). Each printed only when present; no new tools or API calls. `conforms_to` deliberately excluded (renders as raw JSON). Verified on dati.gov.it (DCAT-AP-IT) and open.canada.ca (no regression).
 ## 2026-05-31
 ### v0.4.106

package/README.md CHANGED Viewed

@@ -13,6 +13,8 @@ This MCP server removes that barrier. Once connected, your AI assistant can sear
 **This is possible because of open standards and open source.** CKAN exposes a public API. Metadata follows [DCAT](https://www.w3.org/TR/vocab-dcat/), an open W3C standard. Both are free to use and maintained by open communities. This server stands on that foundation.
+> **Adopted by AgID** — This project has been [reused by AgID](https://github.com/agID/ckan-mcp-server), Italy's Agency for Digital Italy, as part of its effort to make public open data more accessible, immediate, and easier to consult through AI.
 ---
 ## Quick Start

package/dist/index.js CHANGED Viewed

@@ -645,6 +645,28 @@ async function decodePossiblyCompressed(data, headers) {
     return text;
   }
 }
+function isBlockedIp(ip) {
+  const v = ip.toLowerCase().trim();
+  if (v.includes(":")) {
+    if (v === "::1" || v === "::") return true;
+    if (v.startsWith("fc") || v.startsWith("fd")) return true;
+    if (v.startsWith("fe80")) return true;
+    if (v.startsWith("::ffff:")) return true;
+    return false;
+  }
+  const m = v.match(/^(\d+)\.(\d+)\.(\d+)\.(\d+)$/);
+  if (!m) return false;
+  const o1 = Number(m[1]);
+  const o2 = Number(m[2]);
+  return o1 === 0 || // 0.0.0.0/8
+  o1 === 10 || // 10.0.0.0/8 private
+  o1 === 127 || // 127.0.0.0/8 loopback
+  o1 === 100 && o2 >= 64 && o2 <= 127 || // 100.64.0.0/10 shared
+  o1 === 169 && o2 === 254 || // 169.254.0.0/16 link-local / cloud metadata
+  o1 === 172 && o2 >= 16 && o2 <= 31 || // 172.16.0.0/12 private
+  o1 === 192 && o2 === 168 || // 192.168.0.0/16 private
+  o1 === 255;
+}
 function validateServerUrl(serverUrl) {
   let parsed;
   try {
@@ -664,33 +686,11 @@ function validateServerUrl(serverUrl) {
   if (BLOCKED_HOSTNAMES.has(hostname)) {
     throw new Error(`Access to "${hostname}" is not allowed.`);
   }
-  const ipv4 = hostname.match(/^(\d+)\.(\d+)\.(\d+)\.(\d+)$/);
-  if (ipv4) {
-    const [o1, o2] = ipv4.slice(1).map(Number);
-    const blocked = o1 === 0 || // 0.0.0.0/8
-    o1 === 10 || // 10.0.0.0/8 private
-    o1 === 127 || // 127.0.0.0/8 loopback
-    o1 === 100 && o2 >= 64 && o2 <= 127 || // 100.64.0.0/10 shared
-    o1 === 169 && o2 === 254 || // 169.254.0.0/16 link-local / AWS metadata
-    o1 === 172 && o2 >= 16 && o2 <= 31 || // 172.16.0.0/12 private
-    o1 === 192 && o2 === 168 || // 192.168.0.0/16 private
-    o1 === 255;
-    if (blocked) {
-      throw new Error(`Access to private/internal IP addresses is not allowed.`);
-    }
-  }
-  if (hostname.startsWith("[")) {
-    const ipv6 = hostname.slice(1, -1);
-    const lower = ipv6.toLowerCase();
-    const blockedIpv6 = lower === "::1" || // loopback
-    lower === "::" || // unspecified
-    lower.startsWith("fc") || // fc00::/7 unique local
-    lower.startsWith("fd") || // fd00::/8 unique local
-    lower.startsWith("fe80") || // fe80::/10 link-local
-    lower.startsWith("::ffff:");
-    if (blockedIpv6) {
-      throw new Error(`Access to private/internal IPv6 addresses is not allowed.`);
-    }
+  if (/^\d+\.\d+\.\d+\.\d+$/.test(hostname) && isBlockedIp(hostname)) {
+    throw new Error(`Access to private/internal IP addresses is not allowed.`);
+  }
+  if (hostname.startsWith("[") && isBlockedIp(hostname.slice(1, -1))) {
+    throw new Error(`Access to private/internal IPv6 addresses is not allowed.`);
   }
   const rawAllowed = typeof process !== "undefined" ? process.env.CKAN_ALLOWED_DOMAINS ?? "" : "";
   const allowedDomains = rawAllowed.split(",").map((s) => s.trim()).filter(Boolean);
@@ -698,6 +698,90 @@ function validateServerUrl(serverUrl) {
     throw new Error(`Domain "${hostname}" is not in the allowed list (CKAN_ALLOWED_DOMAINS).`);
   }
 }
+function assertHttpAllowlistConfigured() {
+  const raw = typeof process !== "undefined" ? process.env.CKAN_ALLOWED_DOMAINS ?? "" : "";
+  const domains = raw.split(",").map((s) => s.trim()).filter(Boolean);
+  if (domains.length > 0) return;
+  if (typeof process !== "undefined" && process.env.CKAN_HTTP_ALLOW_ALL === "true") {
+    console.error(
+      "[SECURITY WARNING] HTTP transport is running WITHOUT a domain allowlist (CKAN_HTTP_ALLOW_ALL=true). Any client can drive requests to arbitrary hosts. Set CKAN_ALLOWED_DOMAINS to restrict which CKAN hosts can be queried."
+    );
+    return;
+  }
+  throw new Error(
+    'Refusing to start HTTP transport without a domain allowlist.\nSet CKAN_ALLOWED_DOMAINS="portal1.org,portal2.gov" to restrict which hosts can be queried,\nor set CKAN_HTTP_ALLOW_ALL=true to explicitly run without restriction (NOT recommended when network-exposed).'
+  );
+}
+function createSsrfSafeLookup(dnsModule) {
+  return function ssrfSafeLookup(hostname, options, callback) {
+    if (typeof options === "function") {
+      callback = options;
+      options = {};
+    }
+    const family = options && typeof options === "object" ? options.family : void 0;
+    dnsModule.lookup(hostname, { all: true, family: family || 0 }, (err, addresses) => {
+      if (err) {
+        callback(err);
+        return;
+      }
+      const list = Array.isArray(addresses) ? addresses : [addresses];
+      for (const a of list) {
+        if (isBlockedIp(a.address)) {
+          callback(new Error(
+            `Access to private/internal IP addresses is not allowed ("${hostname}" resolves to ${a.address}).`
+          ));
+          return;
+        }
+      }
+      if (options && options.all) {
+        callback(null, list);
+        return;
+      }
+      callback(null, list[0].address, list[0].family);
+    });
+  };
+}
+var _safeAgents = null;
+function getSafeAgents() {
+  if (!_safeAgents) {
+    _safeAgents = (async () => {
+      try {
+        const dnsMod = await import("node:dns");
+        const httpMod = await import("node:http");
+        const httpsMod = await import("node:https");
+        const lookup = createSsrfSafeLookup(dnsMod);
+        return {
+          httpAgent: new httpMod.Agent({ lookup }),
+          httpsAgent: new httpsMod.Agent({ lookup })
+        };
+      } catch {
+        return null;
+      }
+    })();
+  }
+  return _safeAgents;
+}
+var _dnsResolver = null;
+async function assertHostnameResolvesSafe(hostname) {
+  let addresses;
+  try {
+    if (_dnsResolver) {
+      addresses = await _dnsResolver(hostname);
+    } else {
+      const dnsMod = await import("node:dns");
+      addresses = await dnsMod.promises.lookup(hostname, { all: true });
+    }
+  } catch {
+    return;
+  }
+  for (const a of addresses) {
+    if (isBlockedIp(a.address)) {
+      throw new Error(
+        `Access to private/internal IP addresses is not allowed ("${hostname}" resolves to ${a.address}).`
+      );
+    }
+  }
+}
 function auditLog(serverUrl, action, params, cacheHit) {
   if (typeof process === "undefined" || !process.versions?.node) return;
   const entry = {
@@ -755,10 +839,13 @@ async function makeCkanRequest(serverUrl, action, params = {}, opts = {}) {
   try {
     let decodedData;
     if (isNode) {
+      const safeAgents = await getSafeAgents();
       const response = await axios.get(url, {
         params,
         timeout: 3e4,
         responseType: "arraybuffer",
+        maxRedirects: 5,
+        ...safeAgents ? { httpAgent: safeAgents.httpAgent, httpsAgent: safeAgents.httpsAgent } : {},
         headers: {
           Accept: "application/json, text/plain, */*",
           "Accept-Language": "en-US,en;q=0.9,it;q=0.8",
@@ -1230,7 +1317,24 @@ var formatPackageShowMarkdown = (result, serverUrl) => {
   if (result.modified) markdown += `- **Modified (Content)**: ${formatDate(result.modified)}
 `;
   markdown += `- **Metadata Modified (Record)**: ${formatDate(result.metadata_modified)}
+`;
+  const holderName = readDcatExtra(result, "holder_name");
+  if (holderName) markdown += `- **Rights Holder (dct:rightsHolder)**: ${holderName}
+`;
+  const publisherName = readDcatExtra(result, "publisher_name");
+  if (publisherName) markdown += `- **Publisher (dct:publisher)**: ${publisherName}
+`;
+  const dcatField = (key) => typeof result[key] === "string" ? result[key] : "";
+  const frequency = dcatField("frequency");
+  if (frequency) markdown += `- **Update Frequency (dct:accrualPeriodicity)**: ${frequency}
+`;
+  const language = dcatField("language");
+  if (language) markdown += `- **Language (dct:language)**: ${language}
+`;
+  const accessRights = dcatField("access_rights");
+  if (accessRights) markdown += `- **Access Rights (dct:accessRights)**: ${accessRights}
+`;
+  markdown += `
 `;
   if (result.organization) {
     markdown += `## Organization
@@ -4622,6 +4726,7 @@ async function querySparqlEndpoint(endpointUrl, query) {
   if (url.protocol !== "https:") {
     throw new Error("Only HTTPS endpoints are allowed");
   }
+  await assertHostnameResolvesSafe(url.hostname);
   const sparqlConfig = getSparqlConfig(endpointUrl);
   const method = sparqlConfig?.method ?? "POST";
   const commonHeaders = {
@@ -5519,7 +5624,7 @@ var registerAllPrompts = (server) => {
 function createServer() {
   return new McpServer({
     name: "ckan-mcp-server",
-    version: "0.4.106"
+    version: "0.4.108"
   });
 }
 function registerAll(server) {
@@ -5550,6 +5655,7 @@ async function runStdio(server) {
 import express from "express";
 import { StreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/streamableHttp.js";
 async function runHTTP() {
+  assertHttpAllowlistConfigured();
   const app = express();
   app.use(express.json());
   app.get("/.well-known/oauth-authorization-server", (_req, res) => {