@bryan-thompson/inspector-assessment 1.15.2 → 1.16.0

package/cli/build/assess-full.js

@@ -252,6 +252,10 @@ function buildConfig(options) {
             portability: true,
             externalAPIScanner: !!options.sourceCodePath,
             temporal: !options.skipTemporal, // Enable by default with --full, skip with --skip-temporal
+            // New capability assessors - always enabled in full mode
+            resources: true,
+            prompts: true,
+            crossCapability: true,
         };
     }
     // Temporal/rug pull detection configuration
@@ -304,6 +308,61 @@ async function runFullAssessment(options) {
     if (!options.jsonOnly) {
         console.log(`🔧 Found ${tools.length} tool${tools.length !== 1 ? "s" : ""}`);
     }
+    // Fetch resources for new capability assessments
+    let resources = [];
+    let resourceTemplates = [];
+    try {
+        const resourcesResponse = await client.listResources();
+        resources = (resourcesResponse.resources || []).map((r) => ({
+            uri: r.uri,
+            name: r.name,
+            description: r.description,
+            mimeType: r.mimeType,
+        }));
+        // resourceTemplates may be typed as unknown in some SDK versions
+        const templates = resourcesResponse.resourceTemplates;
+        if (templates) {
+            resourceTemplates = templates.map((rt) => ({
+                uriTemplate: rt.uriTemplate,
+                name: rt.name,
+                description: rt.description,
+                mimeType: rt.mimeType,
+            }));
+        }
+        if (!options.jsonOnly &&
+            (resources.length > 0 || resourceTemplates.length > 0)) {
+            console.log(`📦 Found ${resources.length} resource(s) and ${resourceTemplates.length} resource template(s)`);
+        }
+    }
+    catch {
+        // Server may not support resources - that's okay
+        if (!options.jsonOnly) {
+            console.log("📦 Resources not supported by server");
+        }
+    }
+    // Fetch prompts for new capability assessments
+    let prompts = [];
+    try {
+        const promptsResponse = await client.listPrompts();
+        prompts = (promptsResponse.prompts || []).map((p) => ({
+            name: p.name,
+            description: p.description,
+            arguments: p.arguments?.map((a) => ({
+                name: a.name,
+                description: a.description,
+                required: a.required,
+            })),
+        }));
+        if (!options.jsonOnly && prompts.length > 0) {
+            console.log(`💬 Found ${prompts.length} prompt(s)`);
+        }
+    }
+    catch {
+        // Server may not support prompts - that's okay
+        if (!options.jsonOnly) {
+            console.log("💬 Prompts not supported by server");
+        }
+    }
     // State management for resumable assessments
     const stateManager = new AssessmentStateManager(options.serverName);
     if (stateManager.exists() && !options.noResume) {
@@ -398,6 +457,32 @@ async function runFullAssessment(options) {
             console.log(`📁 Loaded source files from: ${options.sourceCodePath}`);
         }
     }
+    // Create readResource wrapper for ResourceAssessor
+    const readResource = async (uri) => {
+        const response = await client.readResource({ uri });
+        // Extract text content from response
+        if (response.contents && response.contents.length > 0) {
+            const content = response.contents[0];
+            if ("text" in content && content.text) {
+                return content.text;
+            }
+            if ("blob" in content && content.blob) {
+                // Return base64 blob as string
+                return content.blob;
+            }
+        }
+        return "";
+    };
+    // Create getPrompt wrapper for PromptAssessor
+    const getPrompt = async (name, args) => {
+        const response = await client.getPrompt({ name, arguments: args });
+        return {
+            messages: (response.messages || []).map((m) => ({
+                role: m.role,
+                content: typeof m.content === "string" ? m.content : JSON.stringify(m.content),
+            })),
+        };
+    };
     const context = {
         serverName: options.serverName,
         tools,
@@ -405,6 +490,12 @@ async function runFullAssessment(options) {
         config,
         sourceCodePath: options.sourceCodePath,
         ...sourceFiles,
+        // New capability assessment data
+        resources,
+        resourceTemplates,
+        prompts,
+        readResource,
+        getPrompt,
     };
     if (!options.jsonOnly) {
         console.log(`\n🏃 Running assessment with ${Object.keys(config.assessmentCategories || {}).length} modules...`);

package/cli/build/assess-security.js

@@ -12,6 +12,74 @@
 import * as fs from "fs";
 import * as path from "path";
 import * as os from "os";
+import { execSync } from "child_process";
+/**
+ * Validate that a command is safe to execute
+ * - Must be an absolute path or resolvable via PATH
+ * - Must not contain shell metacharacters
+ */
+function validateCommand(command) {
+    // Check for shell metacharacters that could indicate injection
+    const dangerousChars = /[;&|`$(){}[\]<>!\\]/;
+    if (dangerousChars.test(command)) {
+        throw new Error(`Invalid command: contains shell metacharacters: ${command}`);
+    }
+    // Verify the command exists and is executable
+    try {
+        // Use 'which' on Unix-like systems, 'where' on Windows
+        const whichCmd = process.platform === "win32" ? "where" : "which";
+        execSync(`${whichCmd} "${command}"`, { stdio: "pipe" });
+    }
+    catch {
+        // Check if it's an absolute path that exists
+        if (path.isAbsolute(command) && fs.existsSync(command)) {
+            try {
+                fs.accessSync(command, fs.constants.X_OK);
+                return; // Command exists and is executable
+            }
+            catch {
+                throw new Error(`Command not executable: ${command}`);
+            }
+        }
+        throw new Error(`Command not found: ${command}`);
+    }
+}
+/**
+ * Validate environment variables from config
+ * - Keys must be valid env var names (alphanumeric + underscore)
+ * - Values should not contain null bytes
+ */
+function validateEnvVars(env) {
+    if (!env)
+        return {};
+    const validatedEnv = {};
+    const validKeyPattern = /^[a-zA-Z_][a-zA-Z0-9_]*$/;
+    for (const [key, value] of Object.entries(env)) {
+        // Validate key format
+        if (!validKeyPattern.test(key)) {
+            console.warn(`Skipping invalid environment variable name: ${key} (must match [a-zA-Z_][a-zA-Z0-9_]*)`);
+            continue;
+        }
+        // Check for null bytes in value (could truncate strings)
+        if (typeof value === "string" && value.includes("\0")) {
+            console.warn(`Skipping environment variable with null byte: ${key}`);
+            continue;
+        }
+        validatedEnv[key] = String(value);
+    }
+    return validatedEnv;
+}
+/**
+ * Safely parse JSON with error handling
+ */
+function safeJsonParse(content, filePath) {
+    try {
+        return JSON.parse(content);
+    }
+    catch (error) {
+        throw new Error(`Failed to parse JSON from ${filePath}: ${error instanceof Error ? error.message : String(error)}`);
+    }
+}
 import { Client } from "@modelcontextprotocol/sdk/client/index.js";
 import { StdioClientTransport } from "@modelcontextprotocol/sdk/client/stdio.js";
 import { SSEClientTransport } from "@modelcontextprotocol/sdk/client/sse.js";
@@ -31,34 +99,46 @@ function loadServerConfig(serverName, configPath) {
     for (const tryPath of possiblePaths) {
         if (!fs.existsSync(tryPath))
             continue;
-        const config = JSON.parse(fs.readFileSync(tryPath, "utf-8"));
-        if (config.mcpServers && config.mcpServers[serverName]) {
-            const serverConfig = config.mcpServers[serverName];
-            return {
-                transport: "stdio",
-                command: serverConfig.command,
-                args: serverConfig.args || [],
-                env: serverConfig.env || {},
-            };
-        }
-        if (config.url ||
-            config.transport === "http" ||
-            config.transport === "sse") {
-            if (!config.url) {
-                throw new Error(`Invalid server config: transport is '${config.transport}' but 'url' is missing`);
+        const rawConfig = safeJsonParse(fs.readFileSync(tryPath, "utf-8"), tryPath);
+        // Type guard: check if it's a Claude Desktop config with mcpServers
+        if (rawConfig &&
+            typeof rawConfig === "object" &&
+            "mcpServers" in rawConfig) {
+            const desktopConfig = rawConfig;
+            const serverConfig = desktopConfig.mcpServers?.[serverName];
+            if (serverConfig) {
+                return {
+                    transport: "stdio",
+                    command: serverConfig.command,
+                    args: serverConfig.args || [],
+                    env: serverConfig.env || {},
+                };
             }
-            return {
-                transport: config.transport || "http",
-                url: config.url,
-            };
         }
-        if (config.command) {
-            return {
-                transport: "stdio",
-                command: config.command,
-                args: config.args || [],
-                env: config.env || {},
-            };
+        // Type guard: check if it's a direct config file
+        if (rawConfig && typeof rawConfig === "object") {
+            const directConfig = rawConfig;
+            // Check for HTTP/SSE transport
+            if (directConfig.url ||
+                directConfig.transport === "http" ||
+                directConfig.transport === "sse") {
+                if (!directConfig.url) {
+                    throw new Error(`Invalid server config: transport is '${directConfig.transport}' but 'url' is missing`);
+                }
+                return {
+                    transport: directConfig.transport || "http",
+                    url: directConfig.url,
+                };
+            }
+            // Check for stdio transport
+            if (directConfig.command) {
+                return {
+                    transport: "stdio",
+                    command: directConfig.command,
+                    args: directConfig.args || [],
+                    env: directConfig.env || {},
+                };
+            }
         }
     }
     throw new Error(`Server config not found for: ${serverName}\nTried: ${possiblePaths.join(", ")}`);
@@ -83,12 +163,16 @@ async function connectToServer(config) {
         default:
             if (!config.command)
                 throw new Error("Command required for stdio transport");
+            // Validate command before execution to prevent injection attacks
+            validateCommand(config.command);
+            // Validate and sanitize environment variables from config
+            const validatedEnv = validateEnvVars(config.env);
             transport = new StdioClientTransport({
                 command: config.command,
                 args: config.args,
                 env: {
                     ...Object.fromEntries(Object.entries(process.env).filter(([, v]) => v !== undefined)),
-                    ...config.env,
+                    ...validatedEnv,
                 },
                 stderr: "pipe",
             });

package/cli/build/cli.js

@@ -5,7 +5,103 @@ import path from "node:path";
 import { dirname, resolve } from "path";
 import { spawnPromise } from "spawn-rx";
 import { fileURLToPath } from "url";
+import { execSync } from "node:child_process";
 const __dirname = dirname(fileURLToPath(import.meta.url));
+/**
+ * Validate environment variable names
+ * - Must start with letter or underscore
+ * - Can contain letters, numbers, underscores
+ */
+function isValidEnvVarName(name) {
+    return /^[a-zA-Z_][a-zA-Z0-9_]*$/.test(name);
+}
+/**
+ * Validate environment variable values
+ * - No null bytes (could truncate strings)
+ */
+function isValidEnvVarValue(value) {
+    return !value.includes("\0");
+}
+/**
+ * Validate and sanitize environment variables
+ * Returns filtered environment variables with invalid entries removed
+ */
+function validateEnvVars(env) {
+    const validated = {};
+    for (const [key, value] of Object.entries(env)) {
+        if (!isValidEnvVarName(key)) {
+            console.warn(`Warning: Skipping invalid environment variable name: ${key}`);
+            continue;
+        }
+        if (!isValidEnvVarValue(value)) {
+            console.warn(`Warning: Skipping environment variable with invalid value: ${key}`);
+            continue;
+        }
+        validated[key] = value;
+    }
+    return validated;
+}
+/**
+ * Validate that a URL is safe for connection
+ * - Must be http or https
+ * - Blocks private/internal IPs to prevent SSRF
+ */
+function validateServerUrl(url) {
+    try {
+        const parsed = new URL(url);
+        // Must be http or https
+        if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
+            throw new Error(`Invalid URL protocol: ${parsed.protocol}. Must be http or https.`);
+        }
+        // Block private IPs to prevent SSRF attacks
+        const hostname = parsed.hostname.toLowerCase();
+        const privatePatterns = [
+            /^localhost$/,
+            /^127\./,
+            /^10\./,
+            /^172\.(1[6-9]|2[0-9]|3[01])\./,
+            /^192\.168\./,
+            /^169\.254\./, // Link-local
+            /^\[::1\]$/, // IPv6 localhost
+            /^\[fe80:/i, // IPv6 link-local
+        ];
+        // Only warn for private IPs (don't block - may be intentional for local testing)
+        if (privatePatterns.some((pattern) => pattern.test(hostname))) {
+            console.warn(`Warning: Connecting to private/internal address: ${hostname}`);
+        }
+    }
+    catch (error) {
+        if (error instanceof Error && error.message.startsWith("Invalid URL")) {
+            throw new Error(`Invalid server URL: ${url}`);
+        }
+        throw error;
+    }
+}
+/**
+ * Validate a command exists and is safe to execute
+ */
+function validateCommand(command) {
+    // Check for shell metacharacters
+    const dangerousChars = /[;&|`$(){}[\]<>!]/;
+    if (dangerousChars.test(command)) {
+        throw new Error(`Invalid command: contains shell metacharacters: ${command}`);
+    }
+    // For absolute paths, verify the file exists
+    if (path.isAbsolute(command)) {
+        if (!fs.existsSync(command)) {
+            throw new Error(`Command not found: ${command}`);
+        }
+        return;
+    }
+    // For relative commands, verify they exist in PATH
+    try {
+        const whichCmd = process.platform === "win32" ? "where" : "which";
+        execSync(`${whichCmd} "${command}"`, { stdio: "pipe" });
+    }
+    catch {
+        throw new Error(`Command not found in PATH: ${command}`);
+    }
+}
 function handleError(error) {
     let message;
     if (error instanceof Error) {
@@ -24,6 +120,14 @@ function delay(ms) {
     return new Promise((resolve) => setTimeout(resolve, ms, true));
 }
 async function runWebClient(args) {
+    // Validate inputs before proceeding
+    const validatedEnvArgs = validateEnvVars(args.envArgs);
+    if (args.serverUrl) {
+        validateServerUrl(args.serverUrl);
+    }
+    if (args.command) {
+        validateCommand(args.command);
+    }
     // Path to the client entry point
     const inspectorClientPath = resolve(__dirname, "../../", "client", "bin", "start.js");
     const abort = new AbortController();
@@ -34,8 +138,8 @@ async function runWebClient(args) {
     });
     // Build arguments to pass to start.js
     const startArgs = [];
-    // Pass environment variables
-    for (const [key, value] of Object.entries(args.envArgs)) {
+    // Pass validated environment variables
+    for (const [key, value] of Object.entries(validatedEnvArgs)) {
         startArgs.push("-e", `${key}=${value}`);
     }
     // Pass transport type if specified
@@ -70,6 +174,18 @@ async function runWebClient(args) {
     }
 }
 async function runCli(args) {
+    // Validate inputs before proceeding
+    const validatedEnvArgs = validateEnvVars(args.envArgs);
+    if (args.command) {
+        // For CLI mode, command might be a URL - validate appropriately
+        if (args.command.startsWith("http://") ||
+            args.command.startsWith("https://")) {
+            validateServerUrl(args.command);
+        }
+        else {
+            validateCommand(args.command);
+        }
+    }
     const projectRoot = resolve(__dirname, "..");
     const cliPath = resolve(projectRoot, "build", "index.js");
     const abort = new AbortController();
@@ -96,7 +212,7 @@ async function runCli(args) {
             }
         }
         await spawnPromise("node", cliArgs, {
-            env: { ...process.env, ...args.envArgs },
+            env: { ...process.env, ...validatedEnvArgs },
             signal: abort.signal,
             echoOutput: true,
             // pipe the stdout through here, prevents issues with buffering and

package/client/dist/assets/{OAuthCallback-B2W3bBou.js → OAuthCallback-KwMiy-L3.js}

@@ -1,4 +1,4 @@
-import { u as useToast, r as reactExports, j as jsxRuntimeExports, p as parseOAuthCallbackParams, g as generateOAuthErrorDescription, S as SESSION_KEYS, I as InspectorOAuthClientProvider, a as auth } from "./index-Css2Fvxh.js";
+import { u as useToast, r as reactExports, j as jsxRuntimeExports, p as parseOAuthCallbackParams, g as generateOAuthErrorDescription, S as SESSION_KEYS, I as InspectorOAuthClientProvider, a as auth } from "./index-C89umkGV.js";
 const OAuthCallback = ({ onConnect }) => {
   const { toast } = useToast();
   const hasProcessedRef = reactExports.useRef(false);

package/client/dist/assets/{OAuthDebugCallback-BL3_Hknj.js → OAuthDebugCallback-hckdJlo3.js}

@@ -1,4 +1,4 @@
-import { r as reactExports, S as SESSION_KEYS, p as parseOAuthCallbackParams, j as jsxRuntimeExports, g as generateOAuthErrorDescription } from "./index-Css2Fvxh.js";
+import { r as reactExports, S as SESSION_KEYS, p as parseOAuthCallbackParams, j as jsxRuntimeExports, g as generateOAuthErrorDescription } from "./index-C89umkGV.js";
 const OAuthDebugCallback = ({ onConnect }) => {
   reactExports.useEffect(() => {
     let isProcessed = false;