npm - @bryan-thompson/inspector-assessment-server - Versions diffs - 1.17.1 → 1.18.0 - Mend

@bryan-thompson/inspector-assessment-server 1.17.1 → 1.18.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/build/index.js +27 -0
package/package.json +2 -1

package/build/index.js CHANGED Viewed

@@ -1,5 +1,6 @@
 #!/usr/bin/env node
 import cors from "cors";
+import rateLimit from "express-rate-limit";
 import { parseArgs } from "node:util";
 import { parse as shellParseArgs } from "shell-quote";
 import nodeFetch, { Headers as NodeHeaders } from "node-fetch";
@@ -134,6 +135,32 @@ const updateHeadersInPlace = (currentHeaders, newHeaders) => {
 };
 const app = express();
 app.use(cors());
+// [SECURITY-ENHANCEMENT] - triepod-ai fork: Rate limiting to prevent DoS attacks
+const limiter = rateLimit({
+    windowMs: 15 * 60 * 1000, // 15 minutes
+    max: 100, // Limit each IP to 100 requests per windowMs
+    message: {
+        error: "Too many requests",
+        message: "Please try again later",
+    },
+    standardHeaders: true,
+    legacyHeaders: false,
+});
+// Apply rate limiting to all MCP endpoints
+app.use("/mcp", limiter);
+app.use("/sse", limiter);
+app.use("/stdio", limiter);
+app.use("/message", limiter);
+// [SECURITY-ENHANCEMENT] - triepod-ai fork: Global body size limits to prevent memory exhaustion
+app.use(express.json({ limit: "10mb" }));
+app.use(express.urlencoded({ limit: "10mb", extended: true }));
+// [SECURITY-ENHANCEMENT] - triepod-ai fork: Content Security Policy headers
+app.use((req, res, next) => {
+    res.setHeader("Content-Security-Policy", "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self' ws: wss:; frame-ancestors 'none'");
+    res.setHeader("X-Content-Type-Options", "nosniff");
+    res.setHeader("X-Frame-Options", "DENY");
+    next();
+});
 app.use((req, res, next) => {
     res.header("Access-Control-Expose-Headers", "mcp-session-id");
     next();

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@bryan-thompson/inspector-assessment-server",
-  "version": "1.17.1",
+  "version": "1.18.0",
   "description": "Server-side application for the Enhanced MCP Inspector with assessment capabilities",
   "license": "MIT",
   "author": "Bryan Thompson <bryan@triepod.ai>",
@@ -41,6 +41,7 @@
     "@modelcontextprotocol/sdk": "^1.24.3",
     "cors": "^2.8.5",
     "express": "^5.1.0",
+    "express-rate-limit": "^8.2.1",
     "shell-quote": "^1.8.3",
     "spawn-rx": "^5.1.2",
     "ws": "^8.18.0",