@cyanheads/git-mcp-server 2.1.0 → 2.1.2

package/dist/utils/security/sanitization.js

@@ -1,9 +1,9 @@
-import path from 'path';
-import sanitizeHtml from 'sanitize-html';
-import validator from 'validator';
-import { BaseErrorCode, McpError } from '../../types-global/errors.js';
+import path from "path";
+import sanitizeHtml from "sanitize-html";
+import validator from "validator";
+import { BaseErrorCode, McpError } from "../../types-global/errors.js";
 // Import utils from the main barrel file (logger from ../internal/logger.js)
-import { logger } from '../index.js';
+import { logger } from "../index.js";
 /**
  * Sanitization class for handling various input sanitization tasks.
  * Provides methods to clean and validate strings, HTML, URLs, paths, JSON, and numbers.
@@ -12,22 +12,57 @@ export class Sanitization {
     static instance;
     /** Default list of sensitive fields for sanitizing logs */
     sensitiveFields = [
-        'password', 'token', 'secret', 'key', 'apiKey', 'auth',
-        'credential', 'jwt', 'ssn', 'credit', 'card', 'cvv', 'authorization'
+        "password",
+        "token",
+        "secret",
+        "key",
+        "apiKey",
+        "auth",
+        "credential",
+        "jwt",
+        "ssn",
+        "credit",
+        "card",
+        "cvv",
+        "authorization",
     ];
     /** Default sanitize-html configuration */
     defaultHtmlSanitizeConfig = {
         allowedTags: [
-            'h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'p', 'a', 'ul', 'ol',
-            'li', 'b', 'i', 'strong', 'em', 'strike', 'code', 'hr', 'br',
-            'div', 'table', 'thead', 'tbody', 'tr', 'th', 'td', 'pre'
+            "h1",
+            "h2",
+            "h3",
+            "h4",
+            "h5",
+            "h6",
+            "p",
+            "a",
+            "ul",
+            "ol",
+            "li",
+            "b",
+            "i",
+            "strong",
+            "em",
+            "strike",
+            "code",
+            "hr",
+            "br",
+            "div",
+            "table",
+            "thead",
+            "tbody",
+            "tr",
+            "th",
+            "td",
+            "pre",
         ],
         allowedAttributes: {
-            'a': ['href', 'name', 'target'],
-            'img': ['src', 'alt', 'title', 'width', 'height'],
-            '*': ['class', 'id', 'style']
+            a: ["href", "name", "target"],
+            img: ["src", "alt", "title", "width", "height"],
+            "*": ["class", "id", "style"],
         },
-        preserveComments: false
+        preserveComments: false,
     };
     /**
      * Private constructor to enforce singleton pattern.
@@ -52,7 +87,9 @@ export class Sanitization {
      */
     setSensitiveFields(fields) {
         this.sensitiveFields = [...new Set([...this.sensitiveFields, ...fields])]; // Ensure uniqueness
-        logger.debug('Updated sensitive fields list', { count: this.sensitiveFields.length });
+        logger.debug("Updated sensitive fields list", {
+            count: this.sensitiveFields.length,
+        });
     }
     /**
      * Get the current list of sensitive fields used for log sanitization.
@@ -70,15 +107,15 @@ export class Sanitization {
      */
     sanitizeHtml(input, config) {
         if (!input)
-            return '';
+            return "";
         const effectiveConfig = { ...this.defaultHtmlSanitizeConfig, ...config };
         const options = {
             allowedTags: effectiveConfig.allowedTags,
             allowedAttributes: effectiveConfig.allowedAttributes,
-            transformTags: effectiveConfig.transformTags
+            transformTags: effectiveConfig.transformTags,
         };
         if (effectiveConfig.preserveComments) {
-            options.allowedTags = [...(options.allowedTags || []), '!--'];
+            options.allowedTags = [...(options.allowedTags || []), "!--"];
         }
         return sanitizeHtml(input, options);
     }
@@ -95,27 +132,34 @@ export class Sanitization {
      */
     sanitizeString(input, options = {}) {
         if (!input)
-            return '';
+            return "";
         switch (options.context) {
-            case 'html':
+            case "html":
                 return this.sanitizeHtml(input, {
                     allowedTags: options.allowedTags,
-                    allowedAttributes: options.allowedAttributes ?
-                        this.convertAttributesFormat(options.allowedAttributes) :
-                        undefined
+                    allowedAttributes: options.allowedAttributes
+                        ? this.convertAttributesFormat(options.allowedAttributes)
+                        : undefined,
                 });
-            case 'attribute':
+            case "attribute":
                 return sanitizeHtml(input, { allowedTags: [], allowedAttributes: {} });
-            case 'url':
-                if (!validator.isURL(input, { protocols: ['http', 'https'], require_protocol: true })) {
-                    logger.warning('Invalid URL detected during string sanitization', { input });
-                    return '';
+            case "url":
+                if (!validator.isURL(input, {
+                    protocols: ["http", "https"],
+                    require_protocol: true,
+                })) {
+                    logger.warning("Invalid URL detected during string sanitization", {
+                        input,
+                    });
+                    return "";
                 }
                 return validator.trim(input);
-            case 'javascript':
-                logger.error('Attempted JavaScript sanitization via sanitizeString', { input: input.substring(0, 50) });
-                throw new McpError(BaseErrorCode.VALIDATION_ERROR, 'JavaScript sanitization not supported through string sanitizer');
-            case 'text':
+            case "javascript":
+                logger.error("Attempted JavaScript sanitization via sanitizeString", {
+                    input: input.substring(0, 50),
+                });
+                throw new McpError(BaseErrorCode.VALIDATION_ERROR, "JavaScript sanitization not supported through string sanitizer");
+            case "text":
             default:
                 return sanitizeHtml(input, { allowedTags: [], allowedAttributes: {} });
         }
@@ -128,19 +172,23 @@ export class Sanitization {
      * @returns {string} Sanitized URL.
      * @throws {McpError} If URL is invalid or uses a disallowed protocol.
      */
-    sanitizeUrl(input, allowedProtocols = ['http', 'https']) {
+    sanitizeUrl(input, allowedProtocols = ["http", "https"]) {
         try {
-            if (!validator.isURL(input, { protocols: allowedProtocols, require_protocol: true })) {
-                throw new Error('Invalid URL format or protocol');
+            if (!validator.isURL(input, {
+                protocols: allowedProtocols,
+                require_protocol: true,
+            })) {
+                throw new Error("Invalid URL format or protocol");
             }
             const lowerInput = input.toLowerCase().trim();
-            if (lowerInput.startsWith('javascript:')) { // Double-check against javascript:
-                throw new Error('JavaScript protocol not allowed');
+            if (lowerInput.startsWith("javascript:")) {
+                // Double-check against javascript:
+                throw new Error("JavaScript protocol not allowed");
             }
             return validator.trim(input);
         }
         catch (error) {
-            throw new McpError(BaseErrorCode.VALIDATION_ERROR, error instanceof Error ? error.message : 'Invalid URL format', { input });
+            throw new McpError(BaseErrorCode.VALIDATION_ERROR, error instanceof Error ? error.message : "Invalid URL format", { input });
         }
     }
     /**
@@ -156,28 +204,29 @@ export class Sanitization {
     sanitizePath(input, options = {}) {
         const originalInput = input;
         const effectiveOptions = {
+            // Ensure all options have defaults
             toPosix: options.toPosix ?? false,
             allowAbsolute: options.allowAbsolute ?? false,
-            rootDir: options.rootDir
+            rootDir: options.rootDir,
         };
         let wasAbsoluteInitially = false;
         let convertedToRelative = false;
         try {
-            if (!input || typeof input !== 'string') {
-                throw new Error('Invalid path input: must be a non-empty string');
+            if (!input || typeof input !== "string") {
+                throw new Error("Invalid path input: must be a non-empty string");
             }
             let normalized = path.normalize(input);
             wasAbsoluteInitially = path.isAbsolute(normalized);
-            if (normalized.includes('\0')) {
-                throw new Error('Path contains null byte');
+            if (normalized.includes("\0")) {
+                throw new Error("Path contains null byte");
             }
             if (effectiveOptions.toPosix) {
-                normalized = normalized.replace(/\\/g, '/');
+                normalized = normalized.replace(/\\/g, "/");
             }
             if (!effectiveOptions.allowAbsolute && path.isAbsolute(normalized)) {
                 // Original path was absolute, but absolute paths are not allowed.
                 // Convert to relative by stripping leading slash or drive letter.
-                normalized = normalized.replace(/^(?:[A-Za-z]:)?[/\\]+/, '');
+                normalized = normalized.replace(/^(?:[A-Za-z]:)?[/\\]+/, "");
                 convertedToRelative = true;
             }
             let finalSanitizedPath;
@@ -186,15 +235,18 @@ export class Sanitization {
                 // If 'normalized' is absolute (and allowed), path.resolve uses it as the base.
                 // If 'normalized' is relative, it's resolved against 'rootDirResolved'.
                 const fullPath = path.resolve(rootDirResolved, normalized);
-                if (!fullPath.startsWith(rootDirResolved + path.sep) && fullPath !== rootDirResolved) {
-                    throw new Error('Path traversal detected (escapes rootDir)');
+                if (!fullPath.startsWith(rootDirResolved + path.sep) &&
+                    fullPath !== rootDirResolved) {
+                    throw new Error("Path traversal detected (escapes rootDir)");
                 }
                 // Path is within rootDir, return it relative to rootDir.
                 finalSanitizedPath = path.relative(rootDirResolved, fullPath);
                 // Ensure empty string result from path.relative (if fullPath equals rootDirResolved) becomes '.'
-                finalSanitizedPath = finalSanitizedPath === '' ? '.' : finalSanitizedPath;
+                finalSanitizedPath =
+                    finalSanitizedPath === "" ? "." : finalSanitizedPath;
             }
-            else { // No rootDir specified
+            else {
+                // No rootDir specified
                 if (path.isAbsolute(normalized)) {
                     if (effectiveOptions.allowAbsolute) {
                         // Absolute path is allowed and no rootDir to constrain it.
@@ -203,15 +255,16 @@ export class Sanitization {
                     else {
                         // Should not happen if logic above is correct (already made relative or was originally relative)
                         // but as a safeguard:
-                        throw new Error('Absolute path encountered when not allowed and not rooted');
+                        throw new Error("Absolute path encountered when not allowed and not rooted");
                     }
                 }
-                else { // Path is relative and no rootDir
-                    if (normalized.includes('..')) {
+                else {
+                    // Path is relative and no rootDir
+                    if (normalized.includes("..")) {
                         const resolvedPath = path.resolve(normalized); // Resolves relative to CWD
-                        const currentWorkingDir = path.resolve('.');
+                        const currentWorkingDir = path.resolve(".");
                         if (!resolvedPath.startsWith(currentWorkingDir)) {
-                            throw new Error('Relative path traversal detected (escapes CWD)');
+                            throw new Error("Relative path traversal detected (escapes CWD)");
                         }
                     }
                     finalSanitizedPath = normalized;
@@ -222,17 +275,16 @@ export class Sanitization {
                 originalInput,
                 wasAbsolute: wasAbsoluteInitially,
                 convertedToRelative,
-                optionsUsed: effectiveOptions
+                optionsUsed: effectiveOptions,
             };
         }
         catch (error) {
-            logger.warning('Path sanitization error', {
+            logger.warning("Path sanitization error", {
                 input: originalInput,
                 options: effectiveOptions,
-                error: error instanceof Error ? error.message : String(error)
+                error: error instanceof Error ? error.message : String(error),
             });
-            throw new McpError(BaseErrorCode.VALIDATION_ERROR, error instanceof Error ? error.message : 'Invalid or unsafe path', { input: originalInput } // Provide original input in error details
-            );
+            throw new McpError(BaseErrorCode.VALIDATION_ERROR, error instanceof Error ? error.message : "Invalid or unsafe path", { input: originalInput });
         }
     }
     /**
@@ -245,21 +297,21 @@ export class Sanitization {
      */
     sanitizeJson(input, maxSize) {
         try {
-            if (typeof input !== 'string') {
-                throw new Error('Invalid input: expected a JSON string');
+            if (typeof input !== "string") {
+                throw new Error("Invalid input: expected a JSON string");
             }
-            if (maxSize !== undefined && Buffer.byteLength(input, 'utf8') > maxSize) {
-                throw new McpError(BaseErrorCode.VALIDATION_ERROR, `JSON exceeds maximum allowed size of ${maxSize} bytes`, { size: Buffer.byteLength(input, 'utf8'), maxSize });
+            if (maxSize !== undefined && Buffer.byteLength(input, "utf8") > maxSize) {
+                throw new McpError(BaseErrorCode.VALIDATION_ERROR, `JSON exceeds maximum allowed size of ${maxSize} bytes`, { size: Buffer.byteLength(input, "utf8"), maxSize });
             }
             const parsed = JSON.parse(input);
             // Optional: Add recursive sanitization of parsed object values if needed
-            // this.sanitizeObjectRecursively(parsed); 
+            // this.sanitizeObjectRecursively(parsed);
             return parsed;
         }
         catch (error) {
             if (error instanceof McpError)
                 throw error;
-            throw new McpError(BaseErrorCode.VALIDATION_ERROR, error instanceof Error ? error.message : 'Invalid JSON format', { input: input.length > 100 ? `${input.substring(0, 100)}...` : input });
+            throw new McpError(BaseErrorCode.VALIDATION_ERROR, error instanceof Error ? error.message : "Invalid JSON format", { input: input.length > 100 ? `${input.substring(0, 100)}...` : input });
         }
     }
     /**
@@ -273,20 +325,20 @@ export class Sanitization {
      */
     sanitizeNumber(input, min, max) {
         let value;
-        if (typeof input === 'string') {
+        if (typeof input === "string") {
             if (!validator.isNumeric(input.trim())) {
-                throw new McpError(BaseErrorCode.VALIDATION_ERROR, 'Invalid number format', { input });
+                throw new McpError(BaseErrorCode.VALIDATION_ERROR, "Invalid number format", { input });
             }
             value = parseFloat(input.trim());
         }
-        else if (typeof input === 'number') {
+        else if (typeof input === "number") {
             value = input;
         }
         else {
-            throw new McpError(BaseErrorCode.VALIDATION_ERROR, 'Invalid input type: expected number or string', { input: String(input) });
+            throw new McpError(BaseErrorCode.VALIDATION_ERROR, "Invalid input type: expected number or string", { input: String(input) });
         }
         if (isNaN(value) || !isFinite(value)) {
-            throw new McpError(BaseErrorCode.VALIDATION_ERROR, 'Invalid number value (NaN or Infinity)', { input });
+            throw new McpError(BaseErrorCode.VALIDATION_ERROR, "Invalid number value (NaN or Infinity)", { input });
         }
         let clamped = false;
         if (min !== undefined && value < min) {
@@ -298,7 +350,12 @@ export class Sanitization {
             clamped = true;
         }
         if (clamped) {
-            logger.debug('Number clamped to range', { input, min, max, finalValue: value });
+            logger.debug("Number clamped to range", {
+                input,
+                min,
+                max,
+                finalValue: value,
+            });
         }
         return value;
     }
@@ -310,20 +367,20 @@ export class Sanitization {
      */
     sanitizeForLogging(input) {
         try {
-            if (!input || typeof input !== 'object') {
+            if (!input || typeof input !== "object") {
                 return input;
             }
-            const clonedInput = typeof structuredClone === 'function'
+            const clonedInput = typeof structuredClone === "function"
                 ? structuredClone(input)
                 : JSON.parse(JSON.stringify(input)); // Fallback for older Node versions
             this.redactSensitiveFields(clonedInput);
             return clonedInput;
         }
         catch (error) {
-            logger.error('Error during log sanitization', {
-                error: error instanceof Error ? error.message : String(error)
+            logger.error("Error during log sanitization", {
+                error: error instanceof Error ? error.message : String(error),
             });
-            return '[Log Sanitization Failed]';
+            return "[Log Sanitization Failed]";
         }
     }
     /**
@@ -338,12 +395,12 @@ export class Sanitization {
      * @param {unknown} obj - The object or array to redact.
      */
     redactSensitiveFields(obj) {
-        if (!obj || typeof obj !== 'object') {
+        if (!obj || typeof obj !== "object") {
             return;
         }
         if (Array.isArray(obj)) {
-            obj.forEach(item => {
-                if (item && typeof item === 'object') {
+            obj.forEach((item) => {
+                if (item && typeof item === "object") {
                     this.redactSensitiveFields(item);
                 }
             });
@@ -352,11 +409,11 @@ export class Sanitization {
         for (const key in obj) {
             if (Object.prototype.hasOwnProperty.call(obj, key)) {
                 const value = obj[key];
-                const isSensitive = this.sensitiveFields.some(field => key.toLowerCase().includes(field.toLowerCase()));
+                const isSensitive = this.sensitiveFields.some((field) => key.toLowerCase().includes(field.toLowerCase()));
                 if (isSensitive) {
-                    obj[key] = '[REDACTED]';
+                    obj[key] = "[REDACTED]";
                 }
-                else if (value && typeof value === 'object') {
+                else if (value && typeof value === "object") {
                     this.redactSensitiveFields(value);
                 }
             }

package/package.json

@@ -1,54 +1,55 @@
 {
   "name": "@cyanheads/git-mcp-server",
-  "version": "2.1.0",
+  "version": "2.1.2",
   "description": "An MCP (Model Context Protocol) server enabling LLMs and AI agents to interact with Git repositories. Provides tools for comprehensive Git operations including clone, commit, branch, diff, log, status, push, pull, merge, rebase, worktree, tag management, and more, via the MCP standard. STDIO & HTTP.",
+  "main": "dist/index.js",
+  "files": [
+    "dist"
+  ],
+  "bin": {
+    "git-mcp-server": "dist/index.js"
+  },
+  "exports": "./dist/index.js",
+  "types": "dist/index.d.ts",
   "type": "module",
-  "license": "Apache-2.0",
-  "author": "Casey Hand @cyanheads",
   "repository": {
     "type": "git",
     "url": "git+https://github.com/cyanheads/git-mcp-server.git"
   },
-  "homepage": "https://github.com/cyanheads/git-mcp-server#readme",
   "bugs": {
     "url": "https://github.com/cyanheads/git-mcp-server/issues"
   },
-  "engines": {
-    "node": ">=18.0.0"
-  },
-  "bin": {
-    "git-mcp-server": "dist/index.js"
-  },
-  "files": [
-    "dist"
-  ],
+  "homepage": "https://github.com/cyanheads/git-mcp-server#readme",
   "scripts": {
     "build": "tsc && node --loader ts-node/esm scripts/make-executable.ts dist/index.js",
     "start": "node dist/index.js",
     "start:stdio": "MCP_LOG_LEVEL=debug MCP_TRANSPORT_TYPE=stdio node dist/index.js",
     "start:http": "MCP_LOG_LEVEL=debug MCP_TRANSPORT_TYPE=http node dist/index.js",
     "rebuild": "ts-node --esm scripts/clean.ts && npm run build",
+    "docs:generate": "typedoc --tsconfig ./tsconfig.typedoc.json",
     "tree": "ts-node --esm scripts/tree.ts",
+    "fetch-spec": "ts-node --esm scripts/fetch-openapi-spec.ts",
+    "format": "prettier --write \"**/*.{ts,js,json,md,html,css}\"",
     "inspector": "npx @modelcontextprotocol/inspector --config mcp.json --server git-mcp-server",
     "inspector:http": "npx @modelcontextprotocol/inspector --config mcp.json --server git-mcp-server-http",
     "clean": "ts-node --esm scripts/clean.ts"
   },
-  "publishConfig": {
-    "access": "public"
-  },
   "dependencies": {
-    "@modelcontextprotocol/inspector": "^0.13.0",
-    "@modelcontextprotocol/sdk": "^1.12.1",
+    "@modelcontextprotocol/inspector": "^0.14.1",
+    "@modelcontextprotocol/sdk": "^1.12.3",
     "@types/jsonwebtoken": "^9.0.9",
-    "@types/node": "^22.15.29",
+    "@types/node": "^24.0.1",
     "@types/sanitize-html": "^2.16.0",
     "@types/validator": "^13.15.1",
+    "chalk": "^5.4.1",
     "chrono-node": "2.8.0",
+    "cli-table3": "^0.6.5",
     "dotenv": "^16.5.0",
     "express": "^5.1.0",
     "ignore": "^7.0.5",
+    "jose": "^6.0.11",
     "jsonwebtoken": "^9.0.2",
-    "openai": "^5.0.2",
+    "openai": "^5.3.0",
     "partial-json": "^0.1.7",
     "sanitize-html": "^2.17.0",
     "tiktoken": "^1.0.21",
@@ -58,7 +59,7 @@
     "winston": "^3.17.0",
     "winston-daily-rotate-file": "^5.0.0",
     "yargs": "^18.0.0",
-    "zod": "^3.25.49"
+    "zod": "^3.25.64"
   },
   "keywords": [
     "typescript",
@@ -81,7 +82,6 @@
     "diff",
     "fetch",
     "log",
-    "llm-tools",
     "merge",
     "pull",
     "push",
@@ -95,7 +95,29 @@
     "ai-agent",
     "automation"
   ],
+  "author": "cyanheads <casey@caseyjhand.com> (https://github.com/cyanheads/git-mcp-server#readme)",
+  "license": "Apache-2.0",
+  "funding": [
+    {
+      "type": "github",
+      "url": "https://github.com/sponsors/cyanheads"
+    },
+    {
+      "type": "buy_me_a_coffee",
+      "url": "https://www.buymeacoffee.com/cyanheads"
+    }
+  ],
+  "engines": {
+    "node": ">=20.0.0"
+  },
   "devDependencies": {
-    "@types/express": "^5.0.2"
+    "@types/express": "^5.0.3",
+    "@types/js-yaml": "^4.0.9",
+    "js-yaml": "^4.1.0",
+    "prettier": "^3.5.3",
+    "typedoc": "^0.28.5"
+  },
+  "publishConfig": {
+    "access": "public"
   }
 }