npm - @boringstudio_org/gitea-mcp - Versions diffs - 1.4.1 → 1.7.1 - Mend

@boringstudio_org/gitea-mcp 1.4.1 → 1.7.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/.gitea/workflows/release.yaml +7 -1
package/.versionrc +3 -0
package/CHANGELOG.md +18 -0
package/README.md +5 -0
package/index.js +55 -3
package/package.json +1 -1
package/.gitea/workflows/publish.yaml +0 -27

package/.gitea/workflows/release.yaml CHANGED Viewed

@@ -1,4 +1,4 @@
-name: Release
+name: Release and Publish
 on:
   push:
@@ -25,6 +25,7 @@ jobs:
         uses: actions/setup-node@v4
         with:
           node-version: '24'
+          registry-url: 'https://registry.npmjs.org'
       - name: Configure Git
         run: |
@@ -41,3 +42,8 @@ jobs:
         run: git push --follow-tags origin main
         env:
           GITHUB_TOKEN: ${{ secrets.RELEASE_TOKEN }}
+      - name: Publish to NPM
+        run: npm publish
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

package/.versionrc ADDED Viewed

@@ -0,0 +1,3 @@
+{
+  "releaseCommitMessageFormat": "chore(release): {{currentTag}} [skip ci]"
+}

package/CHANGELOG.md CHANGED Viewed

@@ -2,6 +2,24 @@
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
+### [1.7.1](https://git.boringstudio.by/BoringStudio/mcp-gitea/compare/v1.7.0...v1.7.1) (2026-01-15)
+## [1.7.0](https://git.boringstudio.by/BoringStudio/mcp-gitea/compare/v1.6.1...v1.7.0) (2026-01-15)
+### Features
+* update readme with security details ([#7](https://git.boringstudio.by/BoringStudio/mcp-gitea/issues/7)) ([9c719bb](https://git.boringstudio.by/BoringStudio/mcp-gitea/commit/9c719bbf6f4e46bcba98f3656f899c9e11fd1e5e))
+### [1.6.1](https://git.boringstudio.by/BoringStudio/mcp-gitea/compare/v1.6.0...v1.6.1) (2026-01-15)
+## [1.6.0](https://git.boringstudio.by/BoringStudio/mcp-gitea/compare/v1.4.1...v1.6.0) (2026-01-15)
+### Features
+* enhance security and optimization ([#5](https://git.boringstudio.by/BoringStudio/mcp-gitea/issues/5)) ([f9f7055](https://git.boringstudio.by/BoringStudio/mcp-gitea/commit/f9f70556240482149ac245357f23f1160e873e5c))
 ### 1.4.1 (2026-01-14)
 ### [1.3.6](https://git.boringstudio.by/BoringStudio/mcp-gitea-proxy/compare/v1.3.5...v1.3.6) (2026-01-14)

package/README.md CHANGED Viewed

@@ -12,6 +12,11 @@ This package is designed to be used as a standalone server or imported by a gate
 *   **Analysis:** Analyze issues with AI prompts.
 *   **Shell:** Execute safe git commands in WSL (`run_safe_shell`).
+## 🔒 Security
+*   **Allowed Paths:** Restricted via `MCP_ALLOWED_PATHS` environment variable.
+*   **Git Safety:** Only whitelisted git subcommands are allowed. Global flags are blocked.
 ## 📦 Installation
 ```bash

package/index.js CHANGED Viewed

@@ -14,7 +14,7 @@ dotenv.config({ path: path.join(process.cwd(), ".env"), quiet: true });
 export async function runGiteaServer() {
     const server = new McpServer({
         name: "gitea-proxy-agent",
-        version: "1.6.0",
+        version: "1.5.0",
     });
     const GITEA_TOKEN = process.env.GITEA_TOKEN;
@@ -57,6 +57,24 @@ export async function runGiteaServer() {
         }
     }
+    // Cache for labels: key="owner/repo", value={ timestamp, data }
+    const labelCache = new Map();
+    const CACHE_TTL = 5 * 60 * 1000; // 5 minutes
+    async function getRepoLabels(owner, repo) {
+        const key = `${owner}/${repo}`;
+        const now = Date.now();
+        const cached = labelCache.get(key);
+        if (cached && (now - cached.timestamp < CACHE_TTL)) {
+            return cached.data;
+        }
+        const labels = await giteaApi("GET", `/repos/${owner}/${repo}/labels`);
+        labelCache.set(key, { timestamp: now, data: labels });
+        return labels;
+    }
     // --- RESOURCES ---
     server.resource(
         "issues-list",
@@ -116,6 +134,23 @@ export async function runGiteaServer() {
     );
     // --- TOOLS ---
+    // Security: Allowed paths for run_safe_shell
+    const ALLOWED_PATHS = (process.env.MCP_ALLOWED_PATHS || process.cwd()).split(',').map(p => path.resolve(p.trim()));
+    function isPathAllowed(targetPath) {
+        const resolved = path.resolve(targetPath);
+        return ALLOWED_PATHS.some(allowed => resolved.startsWith(allowed));
+    }
+    // Security: Allowed git subcommands
+    const ALLOWED_GIT_COMMANDS = [
+        'status', 'add', 'commit', 'push', 'pull', 'diff', 'log', 'show',
+        'checkout', 'branch', 'merge', 'remote', 'fetch', 'clone', 'init',
+        'ls-files', 'ls-tree', 'rev-parse', 'clean', 'restore', 'rm', 'mv',
+        'reset', 'stash', 'grep'
+    ];
     server.tool(
         "run_safe_shell",
         "Execute a safe shell command (git only) in a specific directory",
@@ -129,6 +164,23 @@ export async function runGiteaServer() {
                 return { content: [{ type: "text", text: "Error: Only 'git' commands are allowed." }], isError: true };
             }
+            if (!isPathAllowed(cwd)) {
+                return { content: [{ type: "text", text: `Error: Access denied. Path '${cwd}' is not within allowed directories.` }], isError: true };
+            }
+            if (!args || args.length === 0) {
+                return { content: [{ type: "text", text: "Error: No git subcommand provided." }], isError: true };
+            }
+            const subcommand = args[0];
+            if (subcommand.startsWith('-')) {
+                return { content: [{ type: "text", text: "Error: Global git flags are not allowed. Start with a subcommand." }], isError: true };
+            }
+            if (!ALLOWED_GIT_COMMANDS.includes(subcommand)) {
+                return { content: [{ type: "text", text: `Error: Git subcommand '${subcommand}' is not allowed.` }], isError: true };
+            }
             return new Promise((resolve) => {
                 const child = spawn(command, args, {
                     cwd: cwd,
@@ -267,7 +319,7 @@ export async function runGiteaServer() {
           repo: z.string()
         },
         async ({ owner, repo }) => {
-            const labels = await giteaApi("GET", `/repos/${owner}/${repo}/labels`);
+            const labels = await getRepoLabels(owner, repo);
             const formatted = labels.map(l => `${l.name} (ID: ${l.id})`).join("\n");
             return { content: [{ type: "text", text: formatted || "No labels found." }] };
         }
@@ -323,7 +375,7 @@ body: z.string().optional()
             if (body) payload.body = body;
             if (labels) {
-                const repoLabels = await giteaApi("GET", `/repos/${owner}/${repo}/labels`);
+                const repoLabels = await getRepoLabels(owner, repo);
                 const labelIds = labels.map(name => {
                     const found = repoLabels.find(l => l.name === name);
                     if (!found) throw new Error(`Label '${name}' not found in repository.`);

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@boringstudio_org/gitea-mcp",
-  "version": "1.4.1",
+  "version": "1.7.1",
   "description": "A Gitea MCP Server for interacting with repositories, issues, and more.",
   "type": "module",
   "main": "index.js",

package/.gitea/workflows/publish.yaml DELETED Viewed

@@ -1,27 +0,0 @@
-name: Publish to NPM
-on:
-  push:
-    tags:
-      - 'v*'
-jobs:
-  publish:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-      - name: Setup Node.js
-        uses: actions/setup-node@v4
-        with:
-          node-version: '24'
-          registry-url: 'https://registry.npmjs.org'
-      - name: Install dependencies
-        run: npm ci
-      - name: Publish
-        run: npm publish
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}