@aborruso/ckan-mcp-server 0.4.84 → 0.4.85

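--- a/package/LOG.md
+++ b/package/LOG.md
@@ -1,5 +1,9 @@
  # LOG
 
+ ## 2026-03-16
+
+ - security(`tools/sparql.ts`): apply `validateServerUrl()` to `sparql_query` — blocks SSRF via private IPs (gap from GHSA-3xm7-qw7j-qc8v); 1 new test
+
  ## 2026-03-15
 
  - security(`utils/http.ts`): add `validateServerUrl()` — blocks SSRF via private/loopback IPs, link-local, and non-HTTP/S protocols; 15 new tests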
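--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -4217,6 +4217,7 @@ function injectLimit(query, limit) {
  LIMIT ${limit}`;
  }
  async function querySparqlEndpoint(endpointUrl, query) {
+ validateServerUrl(endpointUrl);
  const url = new URL(endpointUrl);
  if (url.protocol !== "https:") {
  throw new Error("Only HTTPS endpoints are allowed");
@@ -5121,7 +5122,7 @@ var registerAllPrompts = (server2) => {
  function createServer() {
  return new McpServer({
  name: "ckan-mcp-server",
- version: "0.4.84"
+ version: "0.4.85"
  });
  }
  function registerAll(server2) {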
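Review bot: The added `validateServerUrl(endpointUrl);` at the top of `querySparqlEndpoint` is a bare call inside an async function: it is not awaited and its return value is dropped, so it only gates the request if the helper throws synchronously. The helper's body is outside this diff; if it is synchronous, a comment such as `// throws synchronously on private/loopback/link-local or non-HTTP(S) targets` would make that contract explicit, and if it returns a promise the line should read `await validateServerUrl(endpointUrl);`. The check also runs on the URL string before any request is made, so the request options further down (the function continues past the hunk) should be confirmed not to follow redirects to hosts that were never validated.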