@bitwarden/mcp-server 2025.10.2 → 2025.10.3

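--- a/package/README.md
+++ b/package/README.md
@@ -170,13 +170,14 @@ Any MCP-compatible client can connect to this server via stdio transport. Refer
 
  ### Environment Variables
 
- | Variable | Required For | Description | Default |
- | ------------------ | -------------- | ------------------------------------ | -------------------------------- |
- | `BW_SESSION` | CLI operations | Session token from `bw unlock --raw` | - |
- | `BW_CLIENT_ID` | API operations | Organization API client ID | - |
- | `BW_CLIENT_SECRET` | API operations | Organization API client secret | - |
- | `BW_API_BASE_URL` | API operations | Bitwarden API base URL | `https://api.bitwarden.com` |
- | `BW_IDENTITY_URL` | API operations | OAuth2 identity server URL | `https://identity.bitwarden.com` |
+ | Variable | Required For | Description | Default |
+ | ------------------------ | --------------- | ------------------------------------------------ | ---------------------------------- |
+ | `BW_SESSION` | CLI operations | Session token from `bw unlock --raw` | - |
+ | `BW_CLIENT_ID` | API operations | Organization API client ID | - |
+ | `BW_CLIENT_SECRET` | API operations | Organization API client secret | - |
+ | `BW_API_BASE_URL` | API operations | Bitwarden API base URL | `https://api.bitwarden.com` |
+ | `BW_IDENTITY_URL` | API operations | OAuth2 identity server URL | `https://identity.bitwarden.com` |
+ | `BW_ALLOWED_DIRECTORIES` | File operations | Comma-separated list of allowed file directories | `os.tmpdir() + '/bitwarden-files'` |
 
  **Note:** For self-hosted Bitwarden instances, set `BW_API_BASE_URL` and `BW_IDENTITY_URL` to your server URLs.
 
@@ -297,7 +298,7 @@ export DEBUG=bitwarden:*
  export NODE_ENV=development
  ```
 
- ## Security considerations
+ ## Security Considerations
 
  - **Never commit** sensitive credentials (`BW_SESSION`, `BW_CLIENT_ID`, `BW_CLIENT_SECRET`)
  - **Use environment variables** for all sensitive configuration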
package/dist/index.js CHANGED
@@ -24,7 +24,7 @@ import { handleListOrgCollections, handleGetOrgCollection, handleUpdateOrgCollec
24
24
  async function runServer() {
25
25
  const server = new Server({
26
26
  name: 'Bitwarden MCP Server',
27
- version: '2025.10.2',
27
+ version: '2025.10.3',
28
28
  }, {
29
29
  capabilities: {
30
30
  tools: {},
@@ -60,5 +60,11 @@ export declare const organizationApiTools: {
60
60
  _meta?: {
61
61
  [x: string]: unknown;
62
62
  } | undefined;
63
+ icons?: {
64
+ [x: string]: unknown;
65
+ src: string;
66
+ mimeType?: string | undefined;
67
+ sizes?: string[] | undefined;
68
+ }[] | undefined;
63
69
  }[];
64
70
  //# sourceMappingURL=api.d.ts.map
@@ -1 +1 @@
1
- {"version":3,"file":"api.d.ts","sourceRoot":"","sources":["../../src/tools/api.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,oCAAoC,CAAC;AAG/D,eAAO,MAAM,sBAAsB,EAAE,IAQpC,CAAC;AAEF,eAAO,MAAM,oBAAoB,EAAE,IAalC,CAAC;AAEF,eAAO,MAAM,uBAAuB,EAAE,IAkDrC,CAAC;AAEF,eAAO,MAAM,uBAAuB,EAAE,IAarC,CAAC;AAGF,eAAO,MAAM,kBAAkB,EAAE,IAQhC,CAAC;AAEF,eAAO,MAAM,gBAAgB,EAAE,IAa9B,CAAC;AAEF,eAAO,MAAM,mBAAmB,EAAE,IA8EjC,CAAC;AAEF,eAAO,MAAM,mBAAmB,EAAE,IA6EjC,CAAC;AAEF,eAAO,MAAM,mBAAmB,EAAE,IAajC,CAAC;AAGF,eAAO,MAAM,iBAAiB,EAAE,IAQ/B,CAAC;AAEF,eAAO,MAAM,eAAe,EAAE,IAc7B,CAAC;AAEF,eAAO,MAAM,kBAAkB,EAAE,IA6ChC,CAAC;AAEF,eAAO,MAAM,kBAAkB,EAAE,IA+ChC,CAAC;AAEF,eAAO,MAAM,kBAAkB,EAAE,IAahC,CAAC;AAEF,eAAO,MAAM,sBAAsB,EAAE,IAcpC,CAAC;AAEF,eAAO,MAAM,sBAAsB,EAAE,IAcpC,CAAC;AAEF,eAAO,MAAM,yBAAyB,EAAE,IAsBvC,CAAC;AAEF,eAAO,MAAM,qBAAqB,EAAE,IAcnC,CAAC;AAEF,eAAO,MAAM,yBAAyB,EAAE,IAoBvC,CAAC;AAGF,eAAO,MAAM,mBAAmB,EAAE,IAQjC,CAAC;AAEF,eAAO,MAAM,gBAAgB,EAAE,IAgB9B,CAAC;AAEF,eAAO,MAAM,mBAAmB,EAAE,IAwBjC,CAAC;AAGF,eAAO,MAAM,gBAAgB,EAAE,IAyC9B,CAAC;AAGF,eAAO,MAAM,sBAAsB,EAAE,IAQpC,CAAC;AAEF,eAAO,MAAM,yBAAyB,EAAE,IAkDvC,CAAC;AAEF,eAAO,MAAM,2BAA2B,EAAE,IA0EzC,CAAC;AAGF,eAAO,MAAM,oBAAoB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkChC,CAAC"}
1
+ {"version":3,"file":"api.d.ts","sourceRoot":"","sources":["../../src/tools/api.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,oCAAoC,CAAC;AAG/D,eAAO,MAAM,sBAAsB,EAAE,IAQpC,CAAC;AAEF,eAAO,MAAM,oBAAoB,EAAE,IAalC,CAAC;AAEF,eAAO,MAAM,uBAAuB,EAAE,IAkDrC,CAAC;AAEF,eAAO,MAAM,uBAAuB,EAAE,IAarC,CAAC;AAGF,eAAO,MAAM,kBAAkB,EAAE,IAQhC,CAAC;AAEF,eAAO,MAAM,gBAAgB,EAAE,IAa9B,CAAC;AAEF,eAAO,MAAM,mBAAmB,EAAE,IA8EjC,CAAC;AAEF,eAAO,MAAM,mBAAmB,EAAE,IA6EjC,CAAC;AAEF,eAAO,MAAM,mBAAmB,EAAE,IAajC,CAAC;AAGF,eAAO,MAAM,iBAAiB,EAAE,IAQ/B,CAAC;AAEF,eAAO,MAAM,eAAe,EAAE,IAc7B,CAAC;AAEF,eAAO,MAAM,kBAAkB,EAAE,IA6ChC,CAAC;AAEF,eAAO,MAAM,kBAAkB,EAAE,IA+ChC,CAAC;AAEF,eAAO,MAAM,kBAAkB,EAAE,IAahC,CAAC;AAEF,eAAO,MAAM,sBAAsB,EAAE,IAcpC,CAAC;AAEF,eAAO,MAAM,sBAAsB,EAAE,IAcpC,CAAC;AAEF,eAAO,MAAM,yBAAyB,EAAE,IAsBvC,CAAC;AAEF,eAAO,MAAM,qBAAqB,EAAE,IAcnC,CAAC;AAEF,eAAO,MAAM,yBAAyB,EAAE,IAoBvC,CAAC;AAGF,eAAO,MAAM,mBAAmB,EAAE,IAQjC,CAAC;AAEF,eAAO,MAAM,gBAAgB,EAAE,IAgB9B,CAAC;AAEF,eAAO,MAAM,mBAAmB,EAAE,IAwBjC,CAAC;AAGF,eAAO,MAAM,gBAAgB,EAAE,IAyC9B,CAAC;AAGF,eAAO,MAAM,sBAAsB,EAAE,IAQpC,CAAC;AAEF,eAAO,MAAM,yBAAyB,EAAE,IAkDvC,CAAC;AAEF,eAAO,MAAM,2BAA2B,EAAE,IA0EzC,CAAC;AAGF,eAAO,MAAM,oBAAoB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkChC,CAAC"}
@@ -64,5 +64,11 @@ export declare const cliTools: {
64
64
  _meta?: {
65
65
  [x: string]: unknown;
66
66
  } | undefined;
67
+ icons?: {
68
+ [x: string]: unknown;
69
+ src: string;
70
+ mimeType?: string | undefined;
71
+ sizes?: string[] | undefined;
72
+ }[] | undefined;
67
73
  }[];
68
74
  //# sourceMappingURL=cli.d.ts.map
@@ -1 +1 @@
1
- {"version":3,"file":"cli.d.ts","sourceRoot":"","sources":["../../src/tools/cli.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,oCAAoC,CAAC;AAE/D,eAAO,MAAM,QAAQ,EAAE,IAOtB,CAAC;AAEF,eAAO,MAAM,QAAQ,EAAE,IAOtB,CAAC;AAEF,eAAO,MAAM,UAAU,EAAE,IAOxB,CAAC;AAEF,eAAO,MAAM,QAAQ,EAAE,IAkDtB,CAAC;AAEF,eAAO,MAAM,OAAO,EAAE,IA8CrB,CAAC;AAEF,eAAO,MAAM,YAAY,EAAE,IA8C1B,CAAC;AAEF,eAAO,MAAM,cAAc,EAAE,IA2L5B,CAAC;AAEF,eAAO,MAAM,gBAAgB,EAAE,IAa9B,CAAC;AAEF,eAAO,MAAM,YAAY,EAAE,IAuL1B,CAAC;AAEF,eAAO,MAAM,cAAc,EAAE,IAiB5B,CAAC;AAEF,eAAO,MAAM,UAAU,EAAE,IAsBxB,CAAC;AAEF,eAAO,MAAM,WAAW,EAAE,IAkBzB,CAAC;AAEF,eAAO,MAAM,uBAAuB,EAAE,IA2CrC,CAAC;AAEF,eAAO,MAAM,qBAAqB,EAAE,IA+CnC,CAAC;AAEF,eAAO,MAAM,uBAAuB,EAAE,IAwBrC,CAAC;AAEF,eAAO,MAAM,QAAQ,EAAE,IA0BtB,CAAC;AAEF,eAAO,MAAM,sBAAsB,EAAE,IAapC,CAAC;AAEF,eAAO,MAAM,yBAAyB,EAAE,IAiBvC,CAAC;AAEF,eAAO,MAAM,4BAA4B,EAAE,IAa1C,CAAC;AAEF,eAAO,MAAM,sBAAsB,EAAE,IAiBpC,CAAC;AAEF,eAAO,MAAM,yBAAyB,EAAE,IAavC,CAAC;AAEF,eAAO,MAAM,WAAW,EAAE,IAkBzB,CAAC;AAEF,eAAO,MAAM,kBAAkB,EAAE,IAyChC,CAAC;AAEF,eAAO,MAAM,kBAAkB,EAAE,IAqChC,CAAC;AAEF,eAAO,MAAM,YAAY,EAAE,IAO1B,CAAC;AAEF,eAAO,MAAM,WAAW,EAAE,IAazB,CAAC;AAEF,eAAO,MAAM,YAAY,EAAE,IAyC1B,CAAC;AAEF,eAAO,MAAM,cAAc,EAAE,IAa5B,CAAC;AAEF,eAAO,MAAM,sBAAsB,EAAE,IAapC,CAAC;AAEF,eAAO,MAAM,oBAAoB,EAAE,IAiBlC,CAAC;AAGF,eAAO,MAAM,QAAQ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA+BpB,CAAC"}
1
+ {"version":3,"file":"cli.d.ts","sourceRoot":"","sources":["../../src/tools/cli.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,oCAAoC,CAAC;AAE/D,eAAO,MAAM,QAAQ,EAAE,IAOtB,CAAC;AAEF,eAAO,MAAM,QAAQ,EAAE,IAOtB,CAAC;AAEF,eAAO,MAAM,UAAU,EAAE,IAOxB,CAAC;AAEF,eAAO,MAAM,QAAQ,EAAE,IAkDtB,CAAC;AAEF,eAAO,MAAM,OAAO,EAAE,IA8CrB,CAAC;AAEF,eAAO,MAAM,YAAY,EAAE,IA8C1B,CAAC;AAEF,eAAO,MAAM,cAAc,EAAE,IA2L5B,CAAC;AAEF,eAAO,MAAM,gBAAgB,EAAE,IAa9B,CAAC;AAEF,eAAO,MAAM,YAAY,EAAE,IAuL1B,CAAC;AAEF,eAAO,MAAM,cAAc,EAAE,IAiB5B,CAAC;AAEF,eAAO,MAAM,UAAU,EAAE,IAsBxB,CAAC;AAEF,eAAO,MAAM,WAAW,EAAE,IAkBzB,CAAC;AAEF,eAAO,MAAM,uBAAuB,EAAE,IA2CrC,CAAC;AAEF,eAAO,MAAM,qBAAqB,EAAE,IA+CnC,CAAC;AAEF,eAAO,MAAM,uBAAuB,EAAE,IAwBrC,CAAC;AAEF,eAAO,MAAM,QAAQ,EAAE,IA0BtB,CAAC;AAEF,eAAO,MAAM,sBAAsB,EAAE,IAapC,CAAC;AAEF,eAAO,MAAM,yBAAyB,EAAE,IAiBvC,CAAC;AAEF,eAAO,MAAM,4BAA4B,EAAE,IAa1C,CAAC;AAEF,eAAO,MAAM,sBAAsB,EAAE,IAiBpC,CAAC;AAEF,eAAO,MAAM,yBAAyB,EAAE,IAavC,CAAC;AAEF,eAAO,MAAM,WAAW,EAAE,IAkBzB,CAAC;AAEF,eAAO,MAAM,kBAAkB,EAAE,IAyChC,CAAC;AAEF,eAAO,MAAM,kBAAkB,EAAE,IAqChC,CAAC;AAEF,eAAO,MAAM,YAAY,EAAE,IAO1B,CAAC;AAEF,eAAO,MAAM,WAAW,EAAE,IAazB,CAAC;AAEF,eAAO,MAAM,YAAY,EAAE,IAyC1B,CAAC;AAEF,eAAO,MAAM,cAAc,EAAE,IAa5B,CAAC;AAEF,eAAO,MAAM,sBAAsB,EAAE,IAapC,CAAC;AAEF,eAAO,MAAM,oBAAoB,EAAE,IAiBlC,CAAC;AAGF,eAAO,MAAM,QAAQ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA+BpB,CAAC"}
package/dist/utils/api.js CHANGED
@@ -62,7 +62,7 @@ export async function buildSafeApiRequest(endpoint, method, data) {
62
62
  headers: {
63
63
  Authorization: `Bearer ${token}`,
64
64
  'Content-Type': 'application/json',
65
- 'User-Agent': 'Bitwarden-MCP-Server/2025.10.2',
65
+ 'User-Agent': 'Bitwarden-MCP-Server/2025.10.3',
66
66
  },
67
67
  };
68
68
  if (sanitizedData && (upperMethod === 'POST' || upperMethod === 'PUT')) {
@@ -29,7 +29,20 @@ export declare function validateApiEndpoint(endpoint: string): boolean;
29
29
  export declare function sanitizeApiParameters(params: unknown): unknown;
30
30
  /**
31
31
  * Validates file paths to prevent path traversal attacks
32
- * Checks for common path traversal patterns and suspicious characters
32
+ * Uses allowlist-based validation with comprehensive security checks
33
+ *
34
+ * Security measures:
35
+ * - URL decoding (iterative to handle double encoding)
36
+ * - Unicode normalization (NFC form)
37
+ * - Path resolution to canonical form
38
+ * - Allowlist-based directory validation
39
+ * - Protection against all known bypass techniques
40
+ *
41
+ * Configuration:
42
+ * Set BW_ALLOWED_DIRECTORIES environment variable to a comma-separated list
43
+ * of allowed directories. If not set, defaults to system temp directory.
44
+ *
45
+ * Example: BW_ALLOWED_DIRECTORIES=/tmp/bitwarden,/home/user/downloads
33
46
  */
34
47
  export declare function validateFilePath(filePath: string): boolean;
35
48
  //# sourceMappingURL=security.d.ts.map
@@ -1 +1 @@
1
- {"version":3,"file":"security.d.ts","sourceRoot":"","sources":["../../src/utils/security.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH;;GAEG;AACH,wBAAgB,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAsBnD;AAED;;;GAGG;AACH,wBAAgB,iBAAiB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAgBxD;AAED;;;GAGG;AACH,wBAAgB,gBAAgB,CAC9B,WAAW,EAAE,MAAM,EACnB,UAAU,GAAE,SAAS,MAAM,EAAO,GACjC,SAAS,CAAC,MAAM,EAAE,GAAG,MAAM,EAAE,CAAC,CAWhC;AAED;;GAEG;AACH,wBAAgB,uBAAuB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAkChE;AAED;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAqC7D;AAED;;GAEG;AACH,wBAAgB,qBAAqB,CAAC,MAAM,EAAE,OAAO,GAAG,OAAO,CAyB9D;AAED;;;GAGG;AACH,wBAAgB,gBAAgB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CA+B1D"}
1
+ {"version":3,"file":"security.d.ts","sourceRoot":"","sources":["../../src/utils/security.ts"],"names":[],"mappings":"AAAA;;GAEG;AAKH;;GAEG;AACH,wBAAgB,aAAa,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAsBnD;AAED;;;GAGG;AACH,wBAAgB,iBAAiB,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAgBxD;AAED;;;GAGG;AACH,wBAAgB,gBAAgB,CAC9B,WAAW,EAAE,MAAM,EACnB,UAAU,GAAE,SAAS,MAAM,EAAO,GACjC,SAAS,CAAC,MAAM,EAAE,GAAG,MAAM,EAAE,CAAC,CAWhC;AAED;;GAEG;AACH,wBAAgB,uBAAuB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAkChE;AAED;;GAEG;AACH,wBAAgB,mBAAmB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAqC7D;AAED;;GAEG;AACH,wBAAgB,qBAAqB,CAAC,MAAM,EAAE,OAAO,GAAG,OAAO,CAyB9D;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,gBAAgB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CA0H1D"}
@@ -1,6 +1,8 @@
1
1
  /**
2
2
  * Security utilities for input sanitization and validation
3
3
  */
4
+ import path from 'path';
5
+ import os from 'os';
4
6
  /**
5
7
  * Sanitizes a string to prevent command injection by removing dangerous characters
6
8
  */
@@ -150,33 +152,126 @@ export function sanitizeApiParameters(params) {
150
152
  }
151
153
  /**
152
154
  * Validates file paths to prevent path traversal attacks
153
- * Checks for common path traversal patterns and suspicious characters
155
+ * Uses allowlist-based validation with comprehensive security checks
156
+ *
157
+ * Security measures:
158
+ * - URL decoding (iterative to handle double encoding)
159
+ * - Unicode normalization (NFC form)
160
+ * - Path resolution to canonical form
161
+ * - Allowlist-based directory validation
162
+ * - Protection against all known bypass techniques
163
+ *
164
+ * Configuration:
165
+ * Set BW_ALLOWED_DIRECTORIES environment variable to a comma-separated list
166
+ * of allowed directories. If not set, defaults to system temp directory.
167
+ *
168
+ * Example: BW_ALLOWED_DIRECTORIES=/tmp/bitwarden,/home/user/downloads
154
169
  */
155
170
  export function validateFilePath(filePath) {
156
171
  if (typeof filePath !== 'string' || filePath.length === 0) {
157
172
  return false;
158
173
  }
159
- // Reject paths with null bytes
160
- if (filePath.includes('\0')) {
161
- return false;
162
- }
163
- // Reject paths with path traversal sequences
164
- const dangerousPatterns = [
165
- /\.\.\//, // ../
166
- /\.\.\\/, // ..\
167
- /\.\.$/, // .. at end
168
- /^\.\.$/, // exactly ..
169
- /\/\.\./, // /..
170
- /\\\.\./, // \..
171
- ];
172
- if (dangerousPatterns.some((pattern) => pattern.test(filePath))) {
173
- return false;
174
+ try {
175
+ // Step 1: Reject null bytes immediately
176
+ if (filePath.includes('\0')) {
177
+ return false;
178
+ }
179
+ // Step 2: Reject URL protocols (file://, http://, etc.)
180
+ // But allow Windows drive letters (C:, D:, etc.) which are single letters
181
+ if (/^[a-zA-Z][a-zA-Z0-9+.-]+:/.test(filePath) &&
182
+ !/^[a-zA-Z]:[\\/]/.test(filePath)) {
183
+ return false;
184
+ }
185
+ // Step 3: Reject UNC paths (both \\ and single \ at start on Windows)
186
+ if (filePath.startsWith('\\\\') || /^\\[^\\]/.test(filePath)) {
187
+ return false;
188
+ }
189
+ // Step 4: Iterative URL decoding to handle double/triple encoding
190
+ let decodedPath = filePath;
191
+ let previousPath = '';
192
+ let iterations = 0;
193
+ const maxIterations = 5; // Prevent infinite loops
194
+ while (decodedPath !== previousPath && iterations < maxIterations) {
195
+ previousPath = decodedPath;
196
+ try {
197
+ decodedPath = decodeURIComponent(decodedPath);
198
+ }
199
+ catch {
200
+ // Invalid encoding, reject
201
+ return false;
202
+ }
203
+ iterations++;
204
+ }
205
+ // Step 5: Unicode normalization to canonical form (NFC)
206
+ // This converts fullwidth characters and other Unicode variants to standard form
207
+ const normalizedPath = decodedPath.normalize('NFC');
208
+ // Step 6: Check for dangerous patterns after decoding/normalization
209
+ // This catches encoded traversal sequences like %2e%2e%2f
210
+ const dangerousPatterns = [
211
+ /\.\.\//, // ../
212
+ /\.\.\\/, // ..\
213
+ /\.\.$/, // .. at end
214
+ /^\.\.$/, // exactly ..
215
+ /\/\.\./, // /..
216
+ /\\\.\./, // \..
217
+ /\.\s+\./, // . . (spaces between dots)
218
+ ];
219
+ if (dangerousPatterns.some((pattern) => pattern.test(normalizedPath))) {
220
+ return false;
221
+ }
222
+ // Step 7: Check for Unicode lookalikes and alternative slashes
223
+ // Reject fullwidth characters and alternative slash characters
224
+ const unicodeLookalikes = [
225
+ '\uFF0E', // FULLWIDTH FULL STOP (.)
226
+ '\u2215', // DIVISION SLASH (∕)
227
+ '\u2216', // SET MINUS (∖)
228
+ '\u2044', // FRACTION SLASH (⁄)
229
+ '\u29F8', // BIG SOLIDUS (⧸)
230
+ '\uFF0F', // FULLWIDTH SOLIDUS (/)
231
+ '\uFF3C', // FULLWIDTH REVERSE SOLIDUS (\)
232
+ ];
233
+ if (unicodeLookalikes.some((char) => normalizedPath.includes(char))) {
234
+ return false;
235
+ }
236
+ // Step 8: Resolve to absolute canonical path
237
+ const resolvedPath = path.resolve(normalizedPath);
238
+ // Step 9: Get allowed directories from environment variable
239
+ const allowedDirsEnv = process.env['BW_ALLOWED_DIRECTORIES'];
240
+ let allowedDirectories;
241
+ if (allowedDirsEnv && allowedDirsEnv.trim()) {
242
+ // Parse comma-separated list and resolve each to absolute path
243
+ allowedDirectories = allowedDirsEnv
244
+ .split(',')
245
+ .map((dir) => dir.trim())
246
+ .filter((dir) => dir.length > 0)
247
+ .map((dir) => path.resolve(dir));
248
+ }
249
+ else {
250
+ // Default to system temp directory if no whitelist configured
251
+ const defaultDir = path.join(os.tmpdir(), 'bitwarden-files');
252
+ allowedDirectories = [defaultDir];
253
+ }
254
+ // Step 10: Verify resolved path starts with one of the allowed directories
255
+ const isAllowed = allowedDirectories.some((allowedDir) => {
256
+ // Ensure both paths end with separator for accurate comparison
257
+ const normalizedAllowedDir = allowedDir.endsWith(path.sep)
258
+ ? allowedDir
259
+ : allowedDir + path.sep;
260
+ const normalizedResolvedPath = resolvedPath + path.sep;
261
+ // On Windows, paths are case-insensitive
262
+ const isWindows = process.platform === 'win32';
263
+ if (isWindows) {
264
+ return normalizedResolvedPath
265
+ .toLowerCase()
266
+ .startsWith(normalizedAllowedDir.toLowerCase());
267
+ }
268
+ return normalizedResolvedPath.startsWith(normalizedAllowedDir);
269
+ });
270
+ return isAllowed;
174
271
  }
175
- // Reject UNC paths (network shares like \\server\share)
176
- // Allow both Unix absolute paths (/path/to/file) and Windows absolute paths (C:\path\to\file)
177
- if (filePath.startsWith('\\\\')) {
272
+ catch {
273
+ // Any error in validation should result in rejection
178
274
  return false;
179
275
  }
180
- return true;
181
276
  }
182
277
  //# sourceMappingURL=security.js.map
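Review bot: In `validateFilePath`, Step 8 uses `path.resolve(normalizedPath)`, which is purely lexical and does not follow symlinks, so a symlink that lives inside an allowed directory still passes the Step 10 prefix check while pointing elsewhere; the docstring's "Path resolution to canonical form" and "Protection against all known bypass techniques" overstate what the code does. Consider comparing real paths, e.g. `const resolvedPath = fs.realpathSync(path.resolve(normalizedPath));` with each allowed directory resolved the same way (this needs an `fs` import, and for a path that does not exist yet the parent directory would have to be resolved instead), which matters most for the shared default under `os.tmpdir()`. The function validates the decoded and normalized string but returns only a boolean, so callers (not visible in this diff) presumably hand the raw `filePath` to the filesystem; having the call site use the resolved path would keep the checked path and the used path identical. The Step 5 comment is also inaccurate: NFC does not fold fullwidth characters (that is NFKC), and it is the explicit Step 7 list that rejects them, so I would reword it to `// Step 5: Unicode normalization (NFC); compatibility lookalikes are rejected in Step 7`.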
@@ -1 +1 @@
1
- {"version":3,"file":"security.js","sourceRoot":"","sources":["../../src/utils/security.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH;;GAEG;AACH,MAAM,UAAU,aAAa,CAAC,KAAa;IACzC,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC9B,MAAM,IAAI,SAAS,CAAC,wBAAwB,CAAC,CAAC;IAChD,CAAC;IAED,OAAO,CACL,KAAK;QACH,oBAAoB;SACnB,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC;QACnB,0CAA0C;SACzC,OAAO,CAAC,qBAAqB,EAAE,EAAE,CAAC;QACnC,iDAAiD;SAChD,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC;QACpB,uCAAuC;SACtC,OAAO,CAAC,SAAS,EAAE,EAAE,CAAC;QACvB,wBAAwB;SACvB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;QACpB,2BAA2B;SAC1B,OAAO,CAAC,MAAM,EAAE,GAAG,CAAC;QACrB,kBAAkB;SACjB,IAAI,EAAE,CACV,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,iBAAiB,CAAC,KAAa;IAC7C,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC9B,OAAO,KAAK,CAAC;IACf,CAAC;IAED,oCAAoC;IACpC,IAAI,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QACzB,OAAO,KAAK,CAAC;IACf,CAAC;IAED,mDAAmD;IACnD,IAAI,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;QACzB,OAAO,KAAK,CAAC;IACf,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,gBAAgB,CAC9B,WAAmB,EACnB,aAAgC,EAAE;IAElC,MAAM,aAAa,GAAG,aAAa,CAAC,WAAW,CAAC,CAAC;IAEjD,0BAA0B;IAC1B,KAAK,MAAM,KAAK,IAAI,UAAU,EAAE,CAAC;QAC/B,IAAI,CAAC,iBAAiB,CAAC,KAAK,CAAC,EAAE,CAAC;YAC9B,MAAM,IAAI,KAAK,CAAC,+BAA+B,KAAK,EAAE,CAAC,CAAC;QAC1D,CAAC;IACH,CAAC;IAED,OAAO,CAAC,aAAa,EAAE,GAAG,UAAU,CAAU,CAAC;AACjD,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,uBAAuB,CAAC,OAAe;IACrD,MAAM,eAAe,GAAG;QACtB,MAAM;QACN,MAAM;QACN,QAAQ;QACR,MAAM;QACN,KAAK;QACL,UAAU;QACV,QAAQ;QACR,MAAM;QACN,QAAQ;QACR,SAAS;QACT,MAAM;QACN,iBAAiB;QACjB,MAAM;QACN,SAAS;QACT,QAAQ;QACR,QAAQ;QACR,OAAO;QACP,QAAQ;QACR,OAAO;QACP,QAAQ;KACA,CAAC;IAEX,MAAM,KAAK,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;IAE1C,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,OAAO,KAAK,CAAC;IACf,CAAC;IAED,MAAM,WAAW,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;IAC7B,OAAO,eAAe,CAAC,QAAQ,CAC7B,WAA+C,CAChD,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,mBAAmB,CAAC,QAAgB;IAClD,IAAI,OAAO,QAAQ,KAAK,QAAQ,EAAE,CAAC;QACjC,OAAO,KAAK,CAAC;IACf,CAAC;IAED,yDAAyD;IACzD,MAAM,eAAe,GAAG;QACtB,kBAAkB;QAClB,
yBAAyB,EAAE,mCAAmC;QAC9D,wCAAwC,EAAE,mBAAmB;QAE7D,cAAc;QACd,qBAAqB,EAAE,4BAA4B;QACnD,oCAAoC,EAAE,mBAAmB;QACzD,+CAA+C,EAAE,2BAA2B;QAC5E,8CAA8C,EAAE,yBAAyB;QAEzE,aAAa;QACb,oBAAoB,EAAE,4BAA4B;QAClD,mCAAmC,EAAE,mBAAmB;QACxD,+CAA+C,EAAE,2BAA2B;QAE5E,eAAe;QACf,sBAAsB,EAAE,aAAa;QACrC,2BAA2B,EAAE,yCAAyC;QAEtE,aAAa;QACb,oBAAoB,EAAE,oBAAoB;QAC1C,wBAAwB,EAAE,4BAA4B;QAEtD,2BAA2B;QAC3B,wCAAwC,EAAE,uCAAuC;QACjF,0BAA0B;QAC1B,kCAAkC,EAAE,mCAAmC;KAC/D,CAAC;IAEX,OAAO,eAAe,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC;AACnE,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,qBAAqB,CAAC,MAAe;IACnD,IAAI,MAAM,KAAK,IAAI,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;QAC5C,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,IAAI,OAAO,MAAM,KAAK,QAAQ,EAAE,CAAC;QAC/B,uDAAuD;QACvD,OAAO,MAAM,CAAC,OAAO,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC;IACxC,CAAC;IAED,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QAC1B,OAAO,MAAM,CAAC,GAAG,CAAC,qBAAqB,CAAC,CAAC;IAC3C,CAAC;IAED,IAAI,OAAO,MAAM,KAAK,QAAQ,EAAE,CAAC;QAC/B,MAAM,SAAS,GAA4B,EAAE,CAAC;QAC9C,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;YAClD,gCAAgC;YAChC,MAAM,YAAY,GAAG,GAAG,CAAC,OAAO,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC;YACjD,SAAS,CAAC,YAAY,CAAC,GAAG,qBAAqB,CAAC,KAAK,CAAC,CAAC;QACzD,CAAC;QACD,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,gBAAgB,CAAC,QAAgB;IAC/C,IAAI,OAAO,QAAQ,KAAK,QAAQ,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC1D,OAAO,KAAK,CAAC;IACf,CAAC;IAED,+BAA+B;IAC/B,IAAI,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QAC5B,OAAO,KAAK,CAAC;IACf,CAAC;IAED,6CAA6C;IAC7C,MAAM,iBAAiB,GAAG;QACxB,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,MAAM;QAChB,OAAO,EAAE,YAAY;QACrB,QAAQ,EAAE,aAAa;QACvB,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,MAAM;KACjB,CAAC;IAEF,IAAI,iBAAiB,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,EAAE,CAAC;QAChE,OAAO,KAAK,CAAC;IACf,CAAC;IAED,wDAAwD;IACxD,8FAA8F;IAC9F,IAAI,QAAQ,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;QAChC,OAAO,KAAK,CAAC;IACf,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC"}
1
+ {"version":3,"file":"security.js","sourceRoot":"","sources":["../../src/utils/security.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,IAAI,MAAM,MAAM,CAAC;AACxB,OAAO,EAAE,MAAM,IAAI,CAAC;AAEpB;;GAEG;AACH,MAAM,UAAU,aAAa,CAAC,KAAa;IACzC,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC9B,MAAM,IAAI,SAAS,CAAC,wBAAwB,CAAC,CAAC;IAChD,CAAC;IAED,OAAO,CACL,KAAK;QACH,oBAAoB;SACnB,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC;QACnB,0CAA0C;SACzC,OAAO,CAAC,qBAAqB,EAAE,EAAE,CAAC;QACnC,iDAAiD;SAChD,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC;QACpB,uCAAuC;SACtC,OAAO,CAAC,SAAS,EAAE,EAAE,CAAC;QACvB,wBAAwB;SACvB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;QACpB,2BAA2B;SAC1B,OAAO,CAAC,MAAM,EAAE,GAAG,CAAC;QACrB,kBAAkB;SACjB,IAAI,EAAE,CACV,CAAC;AACJ,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,iBAAiB,CAAC,KAAa;IAC7C,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QAC9B,OAAO,KAAK,CAAC;IACf,CAAC;IAED,oCAAoC;IACpC,IAAI,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;QACzB,OAAO,KAAK,CAAC;IACf,CAAC;IAED,mDAAmD;IACnD,IAAI,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;QACzB,OAAO,KAAK,CAAC;IACf,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,gBAAgB,CAC9B,WAAmB,EACnB,aAAgC,EAAE;IAElC,MAAM,aAAa,GAAG,aAAa,CAAC,WAAW,CAAC,CAAC;IAEjD,0BAA0B;IAC1B,KAAK,MAAM,KAAK,IAAI,UAAU,EAAE,CAAC;QAC/B,IAAI,CAAC,iBAAiB,CAAC,KAAK,CAAC,EAAE,CAAC;YAC9B,MAAM,IAAI,KAAK,CAAC,+BAA+B,KAAK,EAAE,CAAC,CAAC;QAC1D,CAAC;IACH,CAAC;IAED,OAAO,CAAC,aAAa,EAAE,GAAG,UAAU,CAAU,CAAC;AACjD,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,uBAAuB,CAAC,OAAe;IACrD,MAAM,eAAe,GAAG;QACtB,MAAM;QACN,MAAM;QACN,QAAQ;QACR,MAAM;QACN,KAAK;QACL,UAAU;QACV,QAAQ;QACR,MAAM;QACN,QAAQ;QACR,SAAS;QACT,MAAM;QACN,iBAAiB;QACjB,MAAM;QACN,SAAS;QACT,QAAQ;QACR,QAAQ;QACR,OAAO;QACP,QAAQ;QACR,OAAO;QACP,QAAQ;KACA,CAAC;IAEX,MAAM,KAAK,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;IAE1C,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,OAAO,KAAK,CAAC;IACf,CAAC;IAED,MAAM,WAAW,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;IAC7B,OAAO,eAAe,CAAC,QAAQ,CAC7B,WAA+C,CAChD,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,mBAAmB,CAAC,QAAgB;IAClD,IAAI,OAAO,QAAQ,KAAK,QAAQ,EAAE,CAAC;QACjC,OAAO,KAAK,CAAC;
IACf,CAAC;IAED,yDAAyD;IACzD,MAAM,eAAe,GAAG;QACtB,kBAAkB;QAClB,yBAAyB,EAAE,mCAAmC;QAC9D,wCAAwC,EAAE,mBAAmB;QAE7D,cAAc;QACd,qBAAqB,EAAE,4BAA4B;QACnD,oCAAoC,EAAE,mBAAmB;QACzD,+CAA+C,EAAE,2BAA2B;QAC5E,8CAA8C,EAAE,yBAAyB;QAEzE,aAAa;QACb,oBAAoB,EAAE,4BAA4B;QAClD,mCAAmC,EAAE,mBAAmB;QACxD,+CAA+C,EAAE,2BAA2B;QAE5E,eAAe;QACf,sBAAsB,EAAE,aAAa;QACrC,2BAA2B,EAAE,yCAAyC;QAEtE,aAAa;QACb,oBAAoB,EAAE,oBAAoB;QAC1C,wBAAwB,EAAE,4BAA4B;QAEtD,2BAA2B;QAC3B,wCAAwC,EAAE,uCAAuC;QACjF,0BAA0B;QAC1B,kCAAkC,EAAE,mCAAmC;KAC/D,CAAC;IAEX,OAAO,eAAe,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC;AACnE,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,qBAAqB,CAAC,MAAe;IACnD,IAAI,MAAM,KAAK,IAAI,IAAI,MAAM,KAAK,SAAS,EAAE,CAAC;QAC5C,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,IAAI,OAAO,MAAM,KAAK,QAAQ,EAAE,CAAC;QAC/B,uDAAuD;QACvD,OAAO,MAAM,CAAC,OAAO,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC;IACxC,CAAC;IAED,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QAC1B,OAAO,MAAM,CAAC,GAAG,CAAC,qBAAqB,CAAC,CAAC;IAC3C,CAAC;IAED,IAAI,OAAO,MAAM,KAAK,QAAQ,EAAE,CAAC;QAC/B,MAAM,SAAS,GAA4B,EAAE,CAAC;QAC9C,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;YAClD,gCAAgC;YAChC,MAAM,YAAY,GAAG,GAAG,CAAC,OAAO,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC;YACjD,SAAS,CAAC,YAAY,CAAC,GAAG,qBAAqB,CAAC,KAAK,CAAC,CAAC;QACzD,CAAC;QACD,OAAO,SAAS,CAAC;IACnB,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,UAAU,gBAAgB,CAAC,QAAgB;IAC/C,IAAI,OAAO,QAAQ,KAAK,QAAQ,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC1D,OAAO,KAAK,CAAC;IACf,CAAC;IAED,IAAI,CAAC;QACH,wCAAwC;QACxC,IAAI,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC5B,OAAO,KAAK,CAAC;QACf,CAAC;QAED,wDAAwD;QACxD,0EAA0E;QAC1E,IACE,2BAA2B,CAAC,IAAI,CAAC,QAAQ,CAAC;YAC1C,CAAC,iBAAiB,CAAC,IAAI,CAAC,QAAQ,CAAC,EACjC,CAAC;YACD,OAAO,KAAK,CAAC;QACf,CAAC;QAED,sEAAsE;QACtE,IAAI,QAAQ,CAAC,UAAU,CAAC,MAAM,CAAC,IAAI,UAAU,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC7D,OAAO,KAAK,CAAC;QACf,CAAC;QAED,kEAAkE;QAClE,IAAI,WAAW,GAAG,QAAQ,CAAC;QAC3B,IAAI,YAAY,GAAG,EAAE,CAAC;QACtB,IAAI,UAAU,GAAG,CAAC,CAAC;QACn
B,MAAM,aAAa,GAAG,CAAC,CAAC,CAAC,yBAAyB;QAElD,OAAO,WAAW,KAAK,YAAY,IAAI,UAAU,GAAG,aAAa,EAAE,CAAC;YAClE,YAAY,GAAG,WAAW,CAAC;YAC3B,IAAI,CAAC;gBACH,WAAW,GAAG,kBAAkB,CAAC,WAAW,CAAC,CAAC;YAChD,CAAC;YAAC,MAAM,CAAC;gBACP,2BAA2B;gBAC3B,OAAO,KAAK,CAAC;YACf,CAAC;YACD,UAAU,EAAE,CAAC;QACf,CAAC;QAED,wDAAwD;QACxD,iFAAiF;QACjF,MAAM,cAAc,GAAG,WAAW,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;QAEpD,oEAAoE;QACpE,0DAA0D;QAC1D,MAAM,iBAAiB,GAAG;YACxB,QAAQ,EAAE,MAAM;YAChB,QAAQ,EAAE,MAAM;YAChB,OAAO,EAAE,YAAY;YACrB,QAAQ,EAAE,aAAa;YACvB,QAAQ,EAAE,MAAM;YAChB,QAAQ,EAAE,MAAM;YAChB,SAAS,EAAE,4BAA4B;SACxC,CAAC;QAEF,IAAI,iBAAiB,CAAC,IAAI,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC,EAAE,CAAC;YACtE,OAAO,KAAK,CAAC;QACf,CAAC;QAED,+DAA+D;QAC/D,+DAA+D;QAC/D,MAAM,iBAAiB,GAAG;YACxB,QAAQ,EAAE,0BAA0B;YACpC,QAAQ,EAAE,qBAAqB;YAC/B,QAAQ,EAAE,gBAAgB;YAC1B,QAAQ,EAAE,qBAAqB;YAC/B,QAAQ,EAAE,kBAAkB;YAC5B,QAAQ,EAAE,wBAAwB;YAClC,QAAQ,EAAE,gCAAgC;SAC3C,CAAC;QAEF,IAAI,iBAAiB,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,cAAc,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC;YACpE,OAAO,KAAK,CAAC;QACf,CAAC;QAED,6CAA6C;QAC7C,MAAM,YAAY,GAAG,IAAI,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC;QAElD,4DAA4D;QAC5D,MAAM,cAAc,GAAG,OAAO,CAAC,GAAG,CAAC,wBAAwB,CAAC,CAAC;QAE7D,IAAI,kBAA4B,CAAC;QACjC,IAAI,cAAc,IAAI,cAAc,CAAC,IAAI,EAAE,EAAE,CAAC;YAC5C,+DAA+D;YAC/D,kBAAkB,GAAG,cAAc;iBAChC,KAAK,CAAC,GAAG,CAAC;iBACV,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;iBACxB,MAAM,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC;iBAC/B,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC;QACrC,CAAC;aAAM,CAAC;YACN,8DAA8D;YAC9D,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,iBAAiB,CAAC,CAAC;YAC7D,kBAAkB,GAAG,CAAC,UAAU,CAAC,CAAC;QACpC,CAAC;QAED,2EAA2E;QAC3E,MAAM,SAAS,GAAG,kBAAkB,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE,EAAE;YACvD,+DAA+D;YAC/D,MAAM,oBAAoB,GAAG,UAAU,CAAC,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC;gBACxD,CAAC,CAAC,UAAU;gBACZ,CAAC,CAAC,UAAU,GAAG,IAAI,CAAC,GAAG,CAAC;YAC1B,MAAM,sBAAsB,GAAG,YAAY,GAAG,IAAI,CAAC,GAAG,CAAC;YAEvD,yCAA
yC;YACzC,MAAM,SAAS,GAAG,OAAO,CAAC,QAAQ,KAAK,OAAO,CAAC;YAC/C,IAAI,SAAS,EAAE,CAAC;gBACd,OAAO,sBAAsB;qBAC1B,WAAW,EAAE;qBACb,UAAU,CAAC,oBAAoB,CAAC,WAAW,EAAE,CAAC,CAAC;YACpD,CAAC;YAED,OAAO,sBAAsB,CAAC,UAAU,CAAC,oBAAoB,CAAC,CAAC;QACjE,CAAC,CAAC,CAAC;QAEH,OAAO,SAAS,CAAC;IACnB,CAAC;IAAC,MAAM,CAAC;QACP,qDAAqD;QACrD,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC"}
package/package.json CHANGED
@@ -1,7 +1,7 @@
1
1
  {
2
2
  "type": "module",
3
3
  "name": "@bitwarden/mcp-server",
4
- "version": "2025.10.2",
4
+ "version": "2025.10.3",
5
5
  "description": "Bitwarden MCP Server",
6
6
  "repository": {
7
7
  "type": "git",
@@ -14,26 +14,26 @@
14
14
  },
15
15
  "homepage": "https://bitwarden.com",
16
16
  "dependencies": {
17
- "@modelcontextprotocol/sdk": "1.17.2",
17
+ "@modelcontextprotocol/sdk": "1.19.1",
18
18
  "shx": "0.4.0",
19
- "zod": "4.0.15"
19
+ "zod": "4.1.11"
20
20
  },
21
21
  "devDependencies": {
22
- "@eslint/js": "9.32.0",
23
- "@jest/globals": "30.0.5",
24
- "@modelcontextprotocol/inspector": "0.16.6",
22
+ "@eslint/js": "9.37.0",
23
+ "@jest/globals": "30.2.0",
24
+ "@modelcontextprotocol/inspector": "0.17.0",
25
25
  "@types/jest": "30.0.0",
26
- "@types/node": "22.17.0",
27
- "eslint": "9.32.0",
28
- "globals": "16.3.0",
26
+ "@types/node": "22.18.8",
27
+ "eslint": "9.37.0",
28
+ "globals": "16.4.0",
29
29
  "husky": "9.1.7",
30
- "jest": "30.0.5",
30
+ "jest": "30.2.0",
31
31
  "jest-junit": "16.0.0",
32
- "lint-staged": "16.1.5",
32
+ "lint-staged": "16.2.3",
33
33
  "prettier": "3.6.2",
34
- "ts-jest": "29.4.1",
35
- "typescript": "5.9.2",
36
- "typescript-eslint": "8.39.0"
34
+ "ts-jest": "29.4.4",
35
+ "typescript": "5.9.3",
36
+ "typescript-eslint": "8.45.0"
37
37
  },
38
38
  "bin": {
39
39
  "mcp-server-bitwarden": "dist/index.js"