npm - @bryan-thompson/inspector-assessment-server - Versions diffs - 1.32.2 → 1.32.4 - Mend

@bryan-thompson/inspector-assessment-server 1.32.2 → 1.32.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/build/__tests__/routes.test.js +25 -0
package/build/index.js +26 -3
package/package.json +1 -1

package/build/__tests__/routes.test.js CHANGED Viewed

@@ -103,6 +103,31 @@ describe("POST /assessment/save", () => {
         expect(response.status).toBe(200);
         expect(response.body.path).toContain("unknown");
     });
+    it("should return 400 when assessment is not an object", async () => {
+        const response = await request(app)
+            .post("/assessment/save")
+            .set("x-mcp-proxy-auth", `Bearer ${sessionToken}`)
+            .send({ serverName: "test", assessment: "not-an-object" });
+        expect(response.status).toBe(400);
+        expect(response.body.success).toBe(false);
+    });
+    it("should return 400 when assessment is an array", async () => {
+        const response = await request(app)
+            .post("/assessment/save")
+            .set("x-mcp-proxy-auth", `Bearer ${sessionToken}`)
+            .send({ serverName: "test", assessment: [1, 2, 3] });
+        expect(response.status).toBe(400);
+        expect(response.body.success).toBe(false);
+    });
+    it("should return 400 when serverName exceeds max length", async () => {
+        const longName = "a".repeat(300);
+        const response = await request(app)
+            .post("/assessment/save")
+            .set("x-mcp-proxy-auth", `Bearer ${sessionToken}`)
+            .send({ serverName: longName, assessment: {} });
+        expect(response.status).toBe(400);
+        expect(response.body.success).toBe(false);
+    });
     it("should require authentication", async () => {
         const response = await request(app)
             .post("/assessment/save")

package/build/index.js CHANGED Viewed

@@ -18,7 +18,13 @@ import { findActualExecutable } from "spawn-rx";
 import mcpProxy from "./mcpProxy.js";
 import { is401Error, getHttpHeaders, updateHeadersInPlace } from "./helpers.js";
 import { randomUUID, randomBytes, timingSafeEqual } from "node:crypto";
+import { z } from "zod";
 const DEFAULT_MCP_PROXY_LISTEN_PORT = "6277";
+// Schema for /assessment/save endpoint validation (Issue #87)
+const AssessmentSaveSchema = z.object({
+    serverName: z.string().min(1).max(255).optional().default("unknown"),
+    assessment: z.object({}).passthrough(), // Must be object, allow any properties
+});
 const defaultEnvironment = {
     ...getDefaultEnvironment(),
     ...(process.env.MCP_ENV_VARS ? JSON.parse(process.env.MCP_ENV_VARS) : {}),
@@ -542,15 +548,32 @@ app.get("/health", (req, res) => {
 app.post("/assessment/save", originValidationMiddleware, authMiddleware, express.json({ limit: "10mb" }), // Allow large JSON payloads
 async (req, res) => {
     try {
-        const { serverName, assessment } = req.body;
-        const sanitizedName = (serverName || "unknown").replace(/[^a-zA-Z0-9-_]/g, "_");
+        // Validate request body (Issue #87)
+        const parseResult = AssessmentSaveSchema.safeParse(req.body);
+        if (!parseResult.success) {
+            return res.status(400).json({
+                success: false,
+                error: "Invalid request structure",
+                details: parseResult.error.format(),
+            });
+        }
+        const { serverName, assessment } = parseResult.data;
+        // Check assessment size (10MB limit)
+        const jsonStr = JSON.stringify(assessment, null, 2);
+        if (jsonStr.length > 10 * 1024 * 1024) {
+            return res.status(413).json({
+                success: false,
+                error: "Assessment too large (max 10MB)",
+            });
+        }
+        const sanitizedName = serverName.replace(/[^a-zA-Z0-9-_]/g, "_");
         const filename = `/tmp/inspector-assessment-${sanitizedName}.json`;
         // Delete old file if exists (cleanup)
         if (fs.existsSync(filename)) {
             fs.unlinkSync(filename);
         }
         // Save new assessment
-        fs.writeFileSync(filename, JSON.stringify(assessment, null, 2));
+        fs.writeFileSync(filename, jsonStr);
         res.json({
             success: true,
             path: filename,

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@bryan-thompson/inspector-assessment-server",
-  "version": "1.32.2",
+  "version": "1.32.4",
   "description": "Server-side application for the Enhanced MCP Inspector with assessment capabilities",
   "license": "MIT",
   "author": "Bryan Thompson <bryan@triepod.ai>",