@cyclonedx/cdxgen 12.3.1 → 12.3.3

package/lib/helpers/mcpDiscovery.js

@@ -17,30 +17,20 @@ const INLINE_CREDENTIAL_PATTERNS = [
 ];
 
 export function sanitizeMcpRefToken(value) {
-  const input = String(value || "").toLowerCase();
-  const tokens = [];
-  let previousWasSeparator = false;
-  for (const char of input) {
-    const isAlphaNumeric =
-      (char >= "a" && char <= "z") || (char >= "0" && char <= "9");
-    const isAllowedPunctuation = [".", "_", "-"].includes(char);
-    if (isAlphaNumeric || isAllowedPunctuation) {
-      tokens.push(char);
-      previousWasSeparator = false;
-      continue;
-    }
-    if (!previousWasSeparator && tokens.length) {
-      tokens.push("-");
-      previousWasSeparator = true;
-    }
+  const input = String(value || "")
+    .normalize("NFKC")
+    .trim()
+    .toLowerCase();
+  const normalized = input
+    .replaceAll(/[/\\:]/gu, "-")
+    .replaceAll(/[^a-z0-9._-]+/gu, "-")
+    .replaceAll(/[._-]{2,}/gu, "-")
+    .replaceAll(/^\.+|\.+$/gu, "")
+    .replaceAll(/^[._-]+|[._-]+$/gu, "");
+  if (!normalized || normalized === "." || normalized === "..") {
+    return "unknown";
   }
-  while (tokens[0] === "-") {
-    tokens.shift();
-  }
-  while (tokens[tokens.length - 1] === "-") {
-    tokens.pop();
-  }
-  return tokens.join("") || "unknown";
+  return normalized.slice(0, 128);
 }
 
 export function isLocalHost(hostname) {

package/lib/helpers/mcpDiscovery.poku.js

@@ -0,0 +1,21 @@
+import { assert, describe, it } from "poku";
+
+import { sanitizeMcpRefToken } from "./mcpDiscovery.js";
+
+describe("sanitizeMcpRefToken()", () => {
+  it("normalizes path traversal and punctuation-heavy input into safe tokens", () => {
+    assert.strictEqual(
+      sanitizeMcpRefToken("../Secrets/Prod Token"),
+      "secrets-prod-token",
+    );
+    assert.strictEqual(
+      sanitizeMcpRefToken("..\\..\\etc\\passwd"),
+      "etc-passwd",
+    );
+  });
+
+  it("returns unknown for empty or separator-only input", () => {
+    assert.strictEqual(sanitizeMcpRefToken("..."), "unknown");
+    assert.strictEqual(sanitizeMcpRefToken("///"), "unknown");
+  });
+});

package/lib/helpers/propertySanitizer.js

@@ -0,0 +1,121 @@
+import path from "node:path";
+
+const DANGEROUS_OBJECT_KEYS = new Set([
+  "__proto__",
+  "constructor",
+  "prototype",
+]);
+const INLINE_CREDENTIAL_PATTERNS = [
+  /\bAKIA[0-9A-Z]{16}\b/gu,
+  /\bbearer\s+[a-z0-9._-]{16,}\b/giu,
+  /\b(?:sk|rk|pk)_[a-z0-9_-]{8,}\b/giu,
+  /\bgh[pousr]_[a-z0-9]{20,}\b/giu,
+  /\bAIza[0-9A-Za-z_-]{20,}\b/gu,
+];
+const JSON_PROPERTY_NAMES = new Set([
+  "cdx:agent:permission",
+  "cdx:mcp:toolAnnotations",
+  "cdx:skill:metadata",
+]);
+const URL_PATTERN = /https?:\/\/[^\s<>"'),\]}]+/giu;
+
+function sanitizeUrlForBom(value) {
+  const input = String(value || "").trim();
+  if (!input) {
+    return input;
+  }
+  try {
+    const parsed = new URL(input);
+    parsed.username = "";
+    parsed.password = "";
+    parsed.search = "";
+    parsed.hash = "";
+    return parsed.toString();
+  } catch {
+    return input;
+  }
+}
+
+function sanitizeTextForBom(value) {
+  let sanitized = String(value ?? "");
+  sanitized = sanitized.replace(URL_PATTERN, (match) =>
+    sanitizeUrlForBom(match),
+  );
+  for (const pattern of INLINE_CREDENTIAL_PATTERNS) {
+    sanitized = sanitized.replace(pattern, "[redacted]");
+  }
+  return sanitized;
+}
+
+function sanitizeStructuredValueForBom(value) {
+  if (typeof value === "string") {
+    return sanitizeTextForBom(value);
+  }
+  if (Array.isArray(value)) {
+    return value.map((entry) => sanitizeStructuredValueForBom(entry));
+  }
+  if (value && typeof value === "object") {
+    const sanitized = {};
+    for (const [key, entryValue] of Object.entries(value)) {
+      if (DANGEROUS_OBJECT_KEYS.has(key)) {
+        continue;
+      }
+      sanitized[key] = sanitizeStructuredValueForBom(entryValue);
+    }
+    return sanitized;
+  }
+  return value;
+}
+
+function extractCommandExecutable(command) {
+  const trimmedCommand = String(command || "").trim();
+  if (!trimmedCommand) {
+    return "";
+  }
+  const quotedMatch = trimmedCommand.match(/^(['"])(.*?)\1/u);
+  if (quotedMatch?.[2]) {
+    return quotedMatch[2];
+  }
+  const absolutePathMatch = trimmedCommand.match(
+    /^((?:[A-Za-z]:\\|\/).*?\.(?:bat|bin|cjs|cmd|com|exe|jar|js|mjs|ps1|py|rb|sh|ts|tsx))(?=\s|$)/iu,
+  );
+  if (absolutePathMatch?.[1]) {
+    return absolutePathMatch[1];
+  }
+  return trimmedCommand.split(/\s+/u)[0];
+}
+
+function summarizeExecutable(command) {
+  const executable = extractCommandExecutable(command);
+  if (!executable) {
+    return "configured";
+  }
+  if (executable.includes("\\")) {
+    return path.win32.basename(executable) || "configured";
+  }
+  return path.posix.basename(executable) || "configured";
+}
+
+export function sanitizeBomUrl(value) {
+  return sanitizeUrlForBom(value);
+}
+
+export function sanitizeBomPropertyValue(name, value) {
+  if (value === undefined || value === null || value === "") {
+    return value;
+  }
+  if (name === "cdx:mcp:command") {
+    const sanitizedCommand = sanitizeTextForBom(value).trim();
+    if (!sanitizedCommand) {
+      return sanitizedCommand;
+    }
+    return summarizeExecutable(sanitizedCommand);
+  }
+  if (JSON_PROPERTY_NAMES.has(name) || typeof value === "object") {
+    return JSON.stringify(sanitizeStructuredValueForBom(value));
+  }
+  if (typeof value === "string") {
+    return sanitizeTextForBom(value);
+  }
+  return value;
+}