@aiwerk/mcp-bridge 2.5.0 → 2.5.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +8 -5
- package/package.json +1 -1
package/README.md
CHANGED
|
@@ -268,7 +268,7 @@ Per-server control over how results are passed to the agent:
|
|
|
268
268
|
|-------|----------|
|
|
269
269
|
| `trusted` (default) | Results pass through as-is |
|
|
270
270
|
| `untrusted` | Results tagged with `_trust: "untrusted"` metadata |
|
|
271
|
-
| `sanitize` | HTML tags stripped, prompt injection patterns removed |
|
|
271
|
+
| `sanitize` | HTML tags stripped, known prompt injection patterns removed (**best-effort** — see note below) |
|
|
272
272
|
|
|
273
273
|
#### Tool Filter
|
|
274
274
|
|
|
@@ -531,16 +531,19 @@ const result = await router.dispatch("todoist", "call", "find-tasks", { query: "
|
|
|
531
531
|
|
|
532
532
|
## Security Limitations
|
|
533
533
|
|
|
534
|
-
The built-in security layer (trust levels, tool filters, result sanitization) provides **baseline protection** for common threats:
|
|
534
|
+
The built-in security layer (trust levels, tool filters, result sanitization) provides **best-effort baseline protection** for common threats:
|
|
535
535
|
|
|
536
|
-
- Prompt injection patterns (known strings)
|
|
537
|
-
- Oversized responses
|
|
538
|
-
- Unauthorized tool access
|
|
536
|
+
- Prompt injection patterns (known strings — regex-based)
|
|
537
|
+
- Oversized responses (JSON-aware truncation)
|
|
538
|
+
- Unauthorized tool access (tool deny/allow lists)
|
|
539
|
+
|
|
540
|
+
> ⚠️ **`trust: "sanitize"` is NOT a security boundary.** It catches common/known injection patterns but is trivially bypassable via Unicode homoglyphs, zero-width characters, base64 encoding, or multi-step injection chains. Treat it as defense-in-depth, not a sole protection layer.
|
|
539
541
|
|
|
540
542
|
**What it does NOT cover:**
|
|
541
543
|
- Unicode obfuscation / homoglyph attacks
|
|
542
544
|
- Sophisticated multi-step injection chains
|
|
543
545
|
- Content-level PII detection
|
|
546
|
+
- Base64 or otherwise encoded payloads
|
|
544
547
|
|
|
545
548
|
For production deployments with high security requirements, consider adding an external content filtering layer (e.g., guardrails, PII redaction service) between the bridge and your application.
|
|
546
549
|
|