@jgardner04/ghost-mcp-server 1.10.0 → 1.12.0

package/src/schemas/__tests__/common.test.js

@@ -177,6 +177,90 @@ describe('Common Schemas', () => {
     it('should reject empty strings', () => {
       expect(() => htmlContentSchema.parse('')).toThrow();
     });
+
+    // XSS Prevention Tests
+    describe('XSS sanitization', () => {
+      it('should strip script tags', () => {
+        const result = htmlContentSchema.parse('<p>Safe</p><script>alert("xss")</script>');
+        expect(result).not.toContain('<script>');
+        expect(result).not.toContain('alert');
+        expect(result).toContain('<p>Safe</p>');
+      });
+
+      it('should strip onclick and other event handlers', () => {
+        const result = htmlContentSchema.parse('<p onclick="alert(1)">Click me</p>');
+        expect(result).not.toContain('onclick');
+        expect(result).toContain('<p>Click me</p>');
+      });
+
+      it('should strip javascript: URLs', () => {
+        const result = htmlContentSchema.parse('<a href="javascript:alert(1)">Link</a>');
+        expect(result).not.toContain('javascript:');
+      });
+
+      it('should strip onerror handlers on images', () => {
+        const result = htmlContentSchema.parse('<img src="x" onerror="alert(1)">');
+        expect(result).not.toContain('onerror');
+      });
+
+      it('should allow safe tags', () => {
+        const safeHtml =
+          '<h1>Title</h1><p>Paragraph</p><a href="https://example.com">Link</a><ul><li>Item</li></ul>';
+        const result = htmlContentSchema.parse(safeHtml);
+        expect(result).toContain('<h1>');
+        expect(result).toContain('<p>');
+        expect(result).toContain('<a ');
+        expect(result).toContain('<ul>');
+        expect(result).toContain('<li>');
+      });
+
+      it('should allow safe attributes on links', () => {
+        const result = htmlContentSchema.parse(
+          '<a href="https://example.com" title="Example">Link</a>'
+        );
+        expect(result).toContain('href="https://example.com"');
+        expect(result).toContain('title="Example"');
+      });
+
+      it('should allow safe attributes on images', () => {
+        const result = htmlContentSchema.parse(
+          '<img src="https://example.com/img.jpg" alt="Description" title="Title" width="100" height="100">'
+        );
+        expect(result).toContain('src="https://example.com/img.jpg"');
+        expect(result).toContain('alt="Description"');
+      });
+
+      it('should strip style attributes by default', () => {
+        const result = htmlContentSchema.parse('<p style="color: red">Styled</p>');
+        expect(result).not.toContain('style=');
+      });
+
+      it('should strip iframe tags', () => {
+        const result = htmlContentSchema.parse(
+          '<iframe src="https://evil.com"></iframe><p>Safe</p>'
+        );
+        expect(result).not.toContain('<iframe');
+        expect(result).toContain('<p>Safe</p>');
+      });
+
+      it('should strip data: URLs on images', () => {
+        // data: URLs can be used for XSS in some contexts
+        const result = htmlContentSchema.parse(
+          '<img src="data:text/html,<script>alert(1)</script>">'
+        );
+        // The src should either be removed or the tag stripped
+        expect(result).not.toContain('<script>');
+      });
+
+      it('should preserve text content while stripping dangerous elements', () => {
+        const result = htmlContentSchema.parse(
+          '<div>Safe text<script>evil()</script> more text</div>'
+        );
+        expect(result).toContain('Safe text');
+        expect(result).toContain('more text');
+        expect(result).not.toContain('evil');
+      });
+    });
   });
 
   describe('titleSchema', () => {

package/src/schemas/common.js

@@ -1,10 +1,54 @@
 import { z } from 'zod';
+import sanitizeHtml from 'sanitize-html';
 
 /**
  * Common Zod schemas for validation across all Ghost MCP resources.
  * These validators provide consistent validation and security controls.
  */
 
+/**
+ * HTML sanitization configuration
+ * Prevents XSS attacks by allowing only safe HTML tags and attributes
+ */
+const htmlSanitizeConfig = {
+  allowedTags: [
+    'h1',
+    'h2',
+    'h3',
+    'h4',
+    'h5',
+    'h6',
+    'blockquote',
+    'p',
+    'a',
+    'ul',
+    'ol',
+    'nl',
+    'li',
+    'b',
+    'i',
+    'strong',
+    'em',
+    'strike',
+    'code',
+    'hr',
+    'br',
+    'div',
+    'span',
+    'img',
+    'pre',
+    'figure',
+    'figcaption',
+  ],
+  allowedAttributes: {
+    a: ['href', 'name', 'target', 'rel', 'title'],
+    img: ['src', 'alt', 'title', 'width', 'height'],
+    '*': ['class', 'id'],
+  },
+  allowedSchemes: ['http', 'https', 'mailto'],
+  allowedSchemesAppliedToAttributes: ['href', 'src'],
+};
+
 // ----- Basic Type Validators -----
 
 /**
@@ -106,10 +150,13 @@ export const visibilitySchema = z.enum(['public', 'members', 'paid', 'tiers'], {
 
 /**
  * HTML content validation schema
- * Validates that content is a non-empty string
- * Note: HTML sanitization should be performed separately
+ * Validates that content is a non-empty string and sanitizes HTML to prevent XSS
+ * Uses transform to sanitize HTML at schema level (defense-in-depth)
  */
-export const htmlContentSchema = z.string().min(1, 'HTML content cannot be empty');
+export const htmlContentSchema = z
+  .string()
+  .min(1, 'HTML content cannot be empty')
+  .transform((html) => sanitizeHtml(html, htmlSanitizeConfig));
 
 /**
  * Title validation schema

package/src/services/__tests__/ghostServiceImproved.members.test.js

@@ -128,24 +128,9 @@ describe('ghostServiceImproved - Members', () => {
       expect(result).toEqual(mockCreatedMember);
     });
 
-    it('should throw validation error for missing email', async () => {
-      await expect(createMember({})).rejects.toThrow('Member validation failed');
-    });
-
-    it('should throw validation error for invalid email', async () => {
-      await expect(createMember({ email: 'invalid-email' })).rejects.toThrow(
-        'Member validation failed'
-      );
-    });
-
-    it('should throw validation error for invalid labels type', async () => {
-      await expect(
-        createMember({
-          email: 'test@example.com',
-          labels: 'premium',
-        })
-      ).rejects.toThrow('Member validation failed');
-    });
+    // NOTE: Input validation tests (missing email, invalid email, invalid labels)
+    // have been moved to MCP layer tests. The service layer now relies on
+    // Zod schema validation at the MCP tool layer.
 
     it('should handle Ghost API errors', async () => {
       const memberData = {
@@ -225,11 +210,8 @@ describe('ghostServiceImproved - Members', () => {
       );
     });
 
-    it('should throw validation error for invalid email in update', async () => {
-      await expect(updateMember('member-1', { email: 'invalid-email' })).rejects.toThrow(
-        'Member validation failed'
-      );
-    });
+    // NOTE: Input validation tests (invalid email in update) have been moved to
+    // MCP layer tests. The service layer now relies on Zod schema validation.
 
     it('should throw not found error if member does not exist', async () => {
       api.members.read.mockRejectedValue({
@@ -345,14 +327,8 @@ describe('ghostServiceImproved - Members', () => {
       );
     });
 
-    it('should throw validation error for invalid limit', async () => {
-      await expect(getMembers({ limit: 0 })).rejects.toThrow('Member query validation failed');
-      await expect(getMembers({ limit: 101 })).rejects.toThrow('Member query validation failed');
-    });
-
-    it('should throw validation error for invalid page', async () => {
-      await expect(getMembers({ page: 0 })).rejects.toThrow('Member query validation failed');
-    });
+    // NOTE: Input validation tests (invalid limit, invalid page) have been moved to
+    // MCP layer tests. The service layer now relies on Zod schema validation.
 
     it('should return empty array when no members found', async () => {
       api.members.browse.mockResolvedValue([]);
@@ -407,15 +383,8 @@ describe('ghostServiceImproved - Members', () => {
       expect(result).toEqual(mockMember);
     });
 
-    it('should throw validation error when neither id nor email provided', async () => {
-      await expect(getMember({})).rejects.toThrow('Member lookup validation failed');
-    });
-
-    it('should throw validation error for invalid email format', async () => {
-      await expect(getMember({ email: 'invalid-email' })).rejects.toThrow(
-        'Member lookup validation failed'
-      );
-    });
+    // NOTE: Input validation tests (missing id/email, invalid email format) have been
+    // moved to MCP layer tests. The service layer now relies on Zod schema validation.
 
     it('should throw not found error when member not found by ID', async () => {
       api.members.read.mockRejectedValue({
@@ -493,27 +462,9 @@ describe('ghostServiceImproved - Members', () => {
       );
     });
 
-    it('should throw validation error for empty query', async () => {
-      await expect(searchMembers('')).rejects.toThrow('Search query validation failed');
-      await expect(searchMembers('   ')).rejects.toThrow('Search query validation failed');
-    });
-
-    it('should throw validation error for non-string query', async () => {
-      await expect(searchMembers(123)).rejects.toThrow('Search query validation failed');
-      await expect(searchMembers(null)).rejects.toThrow('Search query validation failed');
-    });
-
-    it('should throw validation error for invalid limit', async () => {
-      await expect(searchMembers('test', { limit: 0 })).rejects.toThrow(
-        'Search options validation failed'
-      );
-      await expect(searchMembers('test', { limit: 51 })).rejects.toThrow(
-        'Search options validation failed'
-      );
-      await expect(searchMembers('test', { limit: 100 })).rejects.toThrow(
-        'Search options validation failed'
-      );
-    });
+    // NOTE: Input validation tests (empty query, non-string query, invalid limit)
+    // have been moved to MCP layer tests. The service layer now relies on
+    // Zod schema validation at the MCP tool layer.
 
     it('should sanitize query to prevent NQL injection', async () => {
       const mockMembers = [];

package/src/services/__tests__/ghostServiceImproved.tiers.test.js

@@ -0,0 +1,392 @@
+import { describe, it, expect, vi, beforeEach } from 'vitest';
+import { createMockContextLogger } from '../../__tests__/helpers/mockLogger.js';
+import { mockDotenv } from '../../__tests__/helpers/testUtils.js';
+
+// Mock the Ghost Admin API with tiers support
+vi.mock('@tryghost/admin-api', () => ({
+  default: vi.fn(function () {
+    return {
+      posts: {
+        add: vi.fn(),
+        browse: vi.fn(),
+        read: vi.fn(),
+        edit: vi.fn(),
+        delete: vi.fn(),
+      },
+      pages: {
+        add: vi.fn(),
+        browse: vi.fn(),
+        read: vi.fn(),
+        edit: vi.fn(),
+        delete: vi.fn(),
+      },
+      tags: {
+        add: vi.fn(),
+        browse: vi.fn(),
+        read: vi.fn(),
+        edit: vi.fn(),
+        delete: vi.fn(),
+      },
+      members: {
+        add: vi.fn(),
+        browse: vi.fn(),
+        read: vi.fn(),
+        edit: vi.fn(),
+        delete: vi.fn(),
+      },
+      tiers: {
+        add: vi.fn(),
+        browse: vi.fn(),
+        read: vi.fn(),
+        edit: vi.fn(),
+        delete: vi.fn(),
+      },
+      site: {
+        read: vi.fn(),
+      },
+      images: {
+        upload: vi.fn(),
+      },
+    };
+  }),
+}));
+
+// Mock dotenv
+vi.mock('dotenv', () => mockDotenv());
+
+// Mock logger
+vi.mock('../../utils/logger.js', () => ({
+  createContextLogger: createMockContextLogger(),
+}));
+
+// Mock fs for validateImagePath
+vi.mock('fs/promises', () => ({
+  default: {
+    access: vi.fn(),
+  },
+}));
+
+// Import after setting up mocks
+import {
+  createTier,
+  updateTier,
+  deleteTier,
+  getTiers,
+  getTier,
+  api,
+} from '../ghostServiceImproved.js';
+
+describe('ghostServiceImproved - Tiers', () => {
+  beforeEach(() => {
+    // Reset all mocks before each test
+    vi.clearAllMocks();
+  });
+
+  describe('createTier', () => {
+    it('should create a tier with required fields', async () => {
+      const tierData = {
+        name: 'Premium',
+        currency: 'USD',
+      };
+
+      const mockCreatedTier = {
+        id: 'tier-1',
+        name: 'Premium',
+        currency: 'USD',
+        type: 'paid',
+        active: true,
+      };
+
+      api.tiers.add.mockResolvedValue(mockCreatedTier);
+
+      const result = await createTier(tierData);
+
+      expect(api.tiers.add).toHaveBeenCalledWith(
+        expect.objectContaining({
+          name: 'Premium',
+          currency: 'USD',
+        }),
+        expect.any(Object)
+      );
+      expect(result).toEqual(mockCreatedTier);
+    });
+
+    it('should create a tier with all optional fields', async () => {
+      const tierData = {
+        name: 'Premium Membership',
+        currency: 'USD',
+        description: 'Access to premium content',
+        monthly_price: 999,
+        yearly_price: 9999,
+        benefits: ['Ad-free experience', 'Exclusive content'],
+        welcome_page_url: 'https://example.com/welcome',
+      };
+
+      const mockCreatedTier = {
+        id: 'tier-2',
+        ...tierData,
+        type: 'paid',
+        active: true,
+      };
+
+      api.tiers.add.mockResolvedValue(mockCreatedTier);
+
+      const result = await createTier(tierData);
+
+      expect(api.tiers.add).toHaveBeenCalledWith(
+        expect.objectContaining(tierData),
+        expect.any(Object)
+      );
+      expect(result).toEqual(mockCreatedTier);
+    });
+
+    it('should throw ValidationError when name is missing', async () => {
+      await expect(
+        createTier({
+          currency: 'USD',
+        })
+      ).rejects.toThrow('Tier validation failed');
+    });
+
+    it('should throw ValidationError when currency is missing', async () => {
+      await expect(
+        createTier({
+          name: 'Premium',
+        })
+      ).rejects.toThrow('Tier validation failed');
+    });
+
+    it('should throw ValidationError when currency is invalid', async () => {
+      await expect(
+        createTier({
+          name: 'Premium',
+          currency: 'us',
+        })
+      ).rejects.toThrow('Tier validation failed');
+    });
+  });
+
+  describe('getTiers', () => {
+    it('should get all tiers with default options', async () => {
+      const mockTiers = [
+        {
+          id: 'tier-1',
+          name: 'Free',
+          type: 'free',
+          active: true,
+        },
+        {
+          id: 'tier-2',
+          name: 'Premium',
+          type: 'paid',
+          active: true,
+        },
+      ];
+
+      api.tiers.browse.mockResolvedValue(mockTiers);
+
+      const result = await getTiers();
+
+      expect(api.tiers.browse).toHaveBeenCalledWith(
+        expect.objectContaining({
+          limit: 15,
+        }),
+        expect.any(Object)
+      );
+      expect(result).toEqual(mockTiers);
+    });
+
+    it('should get tiers with custom limit', async () => {
+      const mockTiers = [
+        {
+          id: 'tier-1',
+          name: 'Free',
+          type: 'free',
+          active: true,
+        },
+      ];
+
+      api.tiers.browse.mockResolvedValue(mockTiers);
+
+      const result = await getTiers({ limit: 5 });
+
+      expect(api.tiers.browse).toHaveBeenCalledWith(
+        expect.objectContaining({
+          limit: 5,
+        }),
+        expect.any(Object)
+      );
+      expect(result).toEqual(mockTiers);
+    });
+
+    it('should get tiers with filter', async () => {
+      const mockTiers = [
+        {
+          id: 'tier-2',
+          name: 'Premium',
+          type: 'paid',
+          active: true,
+        },
+      ];
+
+      api.tiers.browse.mockResolvedValue(mockTiers);
+
+      const result = await getTiers({ filter: 'type:paid' });
+
+      expect(api.tiers.browse).toHaveBeenCalledWith(
+        expect.objectContaining({
+          filter: 'type:paid',
+        }),
+        expect.any(Object)
+      );
+      expect(result).toEqual(mockTiers);
+    });
+
+    it('should return empty array when no tiers found', async () => {
+      api.tiers.browse.mockResolvedValue([]);
+
+      const result = await getTiers();
+
+      expect(result).toEqual([]);
+    });
+
+    it('should throw ValidationError for invalid limit', async () => {
+      await expect(getTiers({ limit: 0 })).rejects.toThrow('Tier query validation failed');
+      await expect(getTiers({ limit: 101 })).rejects.toThrow('Tier query validation failed');
+    });
+  });
+
+  describe('getTier', () => {
+    it('should get a single tier by ID', async () => {
+      const mockTier = {
+        id: 'tier-1',
+        name: 'Premium',
+        currency: 'USD',
+        type: 'paid',
+        active: true,
+      };
+
+      api.tiers.read.mockResolvedValue(mockTier);
+
+      const result = await getTier('tier-1');
+
+      expect(api.tiers.read).toHaveBeenCalledWith(
+        expect.objectContaining({
+          id: 'tier-1',
+        }),
+        expect.objectContaining({
+          id: 'tier-1',
+        })
+      );
+      expect(result).toEqual(mockTier);
+    });
+
+    it('should throw ValidationError when ID is missing', async () => {
+      await expect(getTier()).rejects.toThrow('Tier ID is required');
+    });
+
+    it('should throw ValidationError when ID is empty string', async () => {
+      await expect(getTier('')).rejects.toThrow('Tier ID is required');
+    });
+
+    it('should throw NotFoundError when tier does not exist', async () => {
+      const mockError = new Error('Tier not found');
+      mockError.response = { status: 404 };
+
+      api.tiers.read.mockRejectedValue(mockError);
+
+      await expect(getTier('nonexistent-id')).rejects.toThrow();
+    });
+  });
+
+  describe('updateTier', () => {
+    it('should update a tier', async () => {
+      const existingTier = {
+        id: 'tier-1',
+        name: 'Premium',
+        currency: 'USD',
+        monthly_price: 999,
+        updated_at: '2024-01-01T00:00:00.000Z',
+      };
+
+      const updateData = {
+        name: 'Premium Plus',
+        monthly_price: 1299,
+      };
+
+      const mockUpdatedTier = {
+        ...existingTier,
+        ...updateData,
+      };
+
+      api.tiers.read.mockResolvedValue(existingTier);
+      api.tiers.edit.mockResolvedValue(mockUpdatedTier);
+
+      const result = await updateTier('tier-1', updateData);
+
+      expect(api.tiers.read).toHaveBeenCalledWith(
+        expect.objectContaining({ id: 'tier-1' }),
+        expect.objectContaining({ id: 'tier-1' })
+      );
+      expect(api.tiers.edit).toHaveBeenCalledWith(
+        expect.objectContaining({
+          ...existingTier,
+          ...updateData,
+        }),
+        expect.objectContaining({
+          id: 'tier-1',
+        })
+      );
+      expect(result).toEqual(mockUpdatedTier);
+    });
+
+    it('should throw ValidationError when ID is missing', async () => {
+      await expect(updateTier('', { name: 'Updated' })).rejects.toThrow(
+        'Tier ID is required for update'
+      );
+    });
+
+    it('should throw ValidationError for invalid update data', async () => {
+      await expect(updateTier('tier-1', { monthly_price: -100 })).rejects.toThrow(
+        'Tier validation failed'
+      );
+    });
+
+    it('should throw NotFoundError when tier does not exist', async () => {
+      const mockError = new Error('Tier not found');
+      mockError.response = { status: 404 };
+
+      api.tiers.read.mockRejectedValue(mockError);
+
+      await expect(updateTier('nonexistent-id', { name: 'Updated' })).rejects.toThrow();
+    });
+  });
+
+  describe('deleteTier', () => {
+    it('should delete a tier', async () => {
+      api.tiers.delete.mockResolvedValue({ success: true });
+
+      const result = await deleteTier('tier-1');
+
+      expect(api.tiers.delete).toHaveBeenCalledWith('tier-1', expect.any(Object));
+      expect(result).toEqual({ success: true });
+    });
+
+    it('should throw ValidationError when ID is missing', async () => {
+      await expect(deleteTier()).rejects.toThrow('Tier ID is required for deletion');
+    });
+
+    it('should throw ValidationError when ID is empty string', async () => {
+      await expect(deleteTier('')).rejects.toThrow('Tier ID is required for deletion');
+    });
+
+    it('should throw NotFoundError when tier does not exist', async () => {
+      const mockError = new Error('Tier not found');
+      mockError.response = { status: 404 };
+
+      api.tiers.delete.mockRejectedValue(mockError);
+
+      await expect(deleteTier('nonexistent-id')).rejects.toThrow();
+    });
+  });
+});