npm - @evantahler/mcpx - Versions diffs - 0.18.5 → 0.18.6 - Mend

@evantahler/mcpx 0.18.5 → 0.18.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/package.json +1 -1
package/src/client/browser.ts +29 -8
package/src/client/debug-fetch.ts +15 -4
package/src/config/loader.ts +5 -2
package/src/output/formatter.ts +7 -4
package/src/validation/schema.ts +3 -2

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
 	"name": "@evantahler/mcpx",
-	"version": "0.18.5",
+	"version": "0.18.6",
 	"description": "A command-line interface for MCP servers. curl for MCP.",
 	"type": "module",
 	"exports": {

package/src/client/browser.ts CHANGED Viewed

@@ -1,20 +1,41 @@
-import { exec } from "node:child_process";
+import { execFile } from "node:child_process";
 /**
  * Open a URL in the default browser (macOS/Windows/Linux).
  * Falls back to printing the URL to stderr if no browser is available
  * (e.g., headless servers, Docker containers).
+ *
+ * Uses execFile (not exec) to avoid shell injection via malicious URLs.
  */
 export function openBrowser(url: string): Promise<void> {
-	const cmd =
-		process.platform === "darwin"
-			? `open "${url}"`
-			: process.platform === "win32"
-				? `start "${url}"`
-				: `xdg-open "${url}"`;
+	// Validate URL scheme to prevent non-HTTP protocols
+	try {
+		const parsed = new URL(url);
+		if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
+			process.stderr.write(`Refusing to open non-HTTP URL: ${url}\n`);
+			return Promise.resolve();
+		}
+	} catch {
+		process.stderr.write(`Invalid URL: ${url}\n`);
+		return Promise.resolve();
+	}
+	let cmd: string;
+	let args: string[];
+	if (process.platform === "darwin") {
+		cmd = "open";
+		args = [url];
+	} else if (process.platform === "win32") {
+		cmd = "cmd";
+		args = ["/c", "start", "", url];
+	} else {
+		cmd = "xdg-open";
+		args = [url];
+	}
 	return new Promise((resolve) => {
-		exec(cmd, (err) => {
+		execFile(cmd, args, (err) => {
 			if (err) {
 				process.stderr.write(`Could not open browser. Please visit:\n  ${url}\n`);
 			}

package/src/client/debug-fetch.ts CHANGED Viewed

@@ -68,11 +68,22 @@ function logBody(body: string, fmt: (s: string) => string) {
 	}
 }
+const SENSITIVE_HEADERS = new Set([
+	"authorization",
+	"cookie",
+	"set-cookie",
+	"proxy-authorization",
+	"x-api-key",
+	"api-key",
+	"x-auth-token",
+	"x-token",
+	"token",
+]);
 export function maskSensitive(key: string, value: string): string {
-	const lower = key.toLowerCase();
-	if (lower === "authorization" || lower === "cookie" || lower === "set-cookie") {
-		if (value.length <= 12) return value;
-		return `${value.slice(0, 12)}...`;
+	if (SENSITIVE_HEADERS.has(key.toLowerCase())) {
+		if (value.length <= 6) return "***";
+		return `${value.slice(0, 4)}...`;
 	}
 	return value;
 }

package/src/config/loader.ts CHANGED Viewed

@@ -1,3 +1,4 @@
+import { chmod } from "node:fs/promises";
 import { join, resolve } from "node:path";
 import { DEFAULT_CONFIG_DIR, ENV } from "../constants.ts";
 import { interpolateEnv } from "./env.ts";
@@ -63,6 +64,7 @@ export async function loadConfig(options: LoadConfigOptions = {}): Promise<Confi
 		const cwd = process.cwd();
 		if (await hasServersFile(cwd)) {
 			configDir = cwd;
+			process.stderr.write(`Note: using servers.json from current directory (${cwd})\n`);
 		}
 	}
@@ -109,9 +111,10 @@ async function saveJsonFile(configDir: string, filename: string, data: unknown):
 	await Bun.write(join(configDir, filename), `${JSON.stringify(data, null, 2)}\n`);
 }
-/** Save auth.json to the config directory */
+/** Save auth.json to the config directory with restrictive permissions */
 export async function saveAuth(configDir: string, auth: AuthFile): Promise<void> {
-	return saveJsonFile(configDir, "auth.json", auth);
+	await saveJsonFile(configDir, "auth.json", auth);
+	await chmod(join(configDir, "auth.json"), 0o600).catch(() => {});
 }
 /** Load search.json from the config directory */

package/src/output/formatter.ts CHANGED Viewed

@@ -619,20 +619,23 @@ export function renderMarkdownToAnsi(input: string): string {
 	return restored;
 }
+const MAX_NESTED_JSON_DEPTH = 10;
 /** Recursively parse JSON strings inside MCP content blocks */
-function parseNestedJson(value: unknown): unknown {
+function parseNestedJson(value: unknown, depth = 0): unknown {
+	if (depth > MAX_NESTED_JSON_DEPTH) return value;
 	if (typeof value === "string") {
 		try {
-			return parseNestedJson(JSON.parse(value));
+			return parseNestedJson(JSON.parse(value), depth + 1);
 		} catch {
 			return value;
 		}
 	}
 	if (Array.isArray(value)) {
-		return value.map(parseNestedJson);
+		return value.map((v) => parseNestedJson(v, depth + 1));
 	}
 	if (typeof value === "object" && value !== null) {
-		return Object.fromEntries(Object.entries(value).map(([k, v]) => [k, parseNestedJson(v)]));
+		return Object.fromEntries(Object.entries(value).map(([k, v]) => [k, parseNestedJson(v, depth + 1)]));
 	}
 	return value;
 }

package/src/validation/schema.ts CHANGED Viewed

@@ -28,8 +28,9 @@ function validateWithSchema(
 		try {
 			validate = ajv.compile(schema);
 			validatorCache.set(cacheKey, validate);
-		} catch {
-			return { valid: true, errors: [] };
+		} catch (err) {
+			const msg = err instanceof Error ? err.message : "unknown error";
+			return { valid: false, errors: [{ path: "(schema)", message: `schema compilation failed: ${msg}` }] };
 		}
 	}