@jgardner04/ghost-mcp-server 1.13.0 → 1.13.2

package/src/services/ghostServiceImproved.js

@@ -1,5 +1,4 @@
 import GhostAdminAPI from '@tryghost/admin-api';
-import sanitizeHtml from 'sanitize-html';
 import dotenv from 'dotenv';
 import { promises as fs } from 'fs';
 import {
@@ -11,9 +10,12 @@ import {
   CircuitBreaker,
   retryWithBackoff,
 } from '../errors/index.js';
+import { createContextLogger } from '../utils/logger.js';
 
 dotenv.config();
 
+const logger = createContextLogger('ghost-service-improved');
+
 const { GHOST_ADMIN_API_URL, GHOST_ADMIN_API_KEY } = process.env;
 
 // Validate configuration at startup
@@ -115,6 +117,30 @@ const handleApiRequest = async (resource, action, data = {}, options = {}, confi
  * Input validation helpers
  */
 const validators = {
+  validateScheduledStatus(data, resourceLabel = 'Resource') {
+    const errors = [];
+
+    if (data.status === 'scheduled' && !data.published_at) {
+      errors.push({
+        field: 'published_at',
+        message: 'published_at is required when status is scheduled',
+      });
+    }
+
+    if (data.published_at) {
+      const publishDate = new Date(data.published_at);
+      if (isNaN(publishDate.getTime())) {
+        errors.push({ field: 'published_at', message: 'Invalid date format' });
+      } else if (data.status === 'scheduled' && publishDate <= new Date()) {
+        errors.push({ field: 'published_at', message: 'Scheduled date must be in the future' });
+      }
+    }
+
+    if (errors.length > 0) {
+      throw new ValidationError(`${resourceLabel} validation failed`, errors);
+    }
+  },
+
   validatePostData(postData) {
     const errors = [];
 
@@ -133,25 +159,11 @@ const validators = {
       });
     }
 
-    if (postData.status === 'scheduled' && !postData.published_at) {
-      errors.push({
-        field: 'published_at',
-        message: 'published_at is required when status is scheduled',
-      });
-    }
-
-    if (postData.published_at) {
-      const publishDate = new Date(postData.published_at);
-      if (isNaN(publishDate.getTime())) {
-        errors.push({ field: 'published_at', message: 'Invalid date format' });
-      } else if (postData.status === 'scheduled' && publishDate <= new Date()) {
-        errors.push({ field: 'published_at', message: 'Scheduled date must be in the future' });
-      }
-    }
-
     if (errors.length > 0) {
       throw new ValidationError('Post validation failed', errors);
     }
+
+    this.validateScheduledStatus(postData, 'Post');
   },
 
   validateTagData(tagData) {
@@ -225,25 +237,11 @@ const validators = {
       });
     }
 
-    if (pageData.status === 'scheduled' && !pageData.published_at) {
-      errors.push({
-        field: 'published_at',
-        message: 'published_at is required when status is scheduled',
-      });
-    }
-
-    if (pageData.published_at) {
-      const publishDate = new Date(pageData.published_at);
-      if (isNaN(publishDate.getTime())) {
-        errors.push({ field: 'published_at', message: 'Invalid date format' });
-      } else if (pageData.status === 'scheduled' && publishDate <= new Date()) {
-        errors.push({ field: 'published_at', message: 'Scheduled date must be in the future' });
-      }
-    }
-
     if (errors.length > 0) {
       throw new ValidationError('Page validation failed', errors);
     }
+
+    this.validateScheduledStatus(pageData, 'Page');
   },
 
   validateNewsletterData(newsletterData) {
@@ -282,48 +280,7 @@ export async function createPost(postData, options = { source: 'html' }) {
     ...postData,
   };
 
-  // Sanitize HTML content if provided
-  if (dataWithDefaults.html) {
-    // Use proper HTML sanitization library to prevent XSS
-    dataWithDefaults.html = sanitizeHtml(dataWithDefaults.html, {
-      allowedTags: [
-        'h1',
-        'h2',
-        'h3',
-        'h4',
-        'h5',
-        'h6',
-        'blockquote',
-        'p',
-        'a',
-        'ul',
-        'ol',
-        'nl',
-        'li',
-        'b',
-        'i',
-        'strong',
-        'em',
-        'strike',
-        'code',
-        'hr',
-        'br',
-        'div',
-        'span',
-        'img',
-        'pre',
-      ],
-      allowedAttributes: {
-        a: ['href', 'title'],
-        img: ['src', 'alt', 'title', 'width', 'height'],
-        '*': ['class', 'id'],
-      },
-      allowedSchemes: ['http', 'https', 'mailto'],
-      allowedSchemesByTag: {
-        img: ['http', 'https', 'data'],
-      },
-    });
-  }
+  // SECURITY: HTML must be sanitized before reaching this function. See htmlContentSchema in schemas/common.js
 
   try {
     return await handleApiRequest('posts', 'add', dataWithDefaults, options);
@@ -343,18 +300,22 @@ export async function updatePost(postId, updateData, options = {}) {
     throw new ValidationError('Post ID is required for update');
   }
 
+  // Validate scheduled status if status is being updated
+  if (updateData.status) {
+    validators.validateScheduledStatus(updateData, 'Post');
+  }
+
   // Get the current post first to ensure it exists
   try {
     const existingPost = await handleApiRequest('posts', 'read', { id: postId });
 
-    // Merge with existing data
-    const mergedData = {
-      ...existingPost,
+    // Send only changed fields + updated_at for OCC (optimistic concurrency control)
+    const editData = {
       ...updateData,
-      updated_at: existingPost.updated_at, // Required for Ghost API
+      updated_at: existingPost.updated_at,
     };
 
-    return await handleApiRequest('posts', 'edit', mergedData, { id: postId, ...options });
+    return await handleApiRequest('posts', 'edit', editData, { id: postId, ...options });
   } catch (error) {
     if (error instanceof GhostAPIError && error.ghostStatusCode === 404) {
       throw new NotFoundError('Post', postId);
@@ -454,47 +415,7 @@ export async function createPage(pageData, options = { source: 'html' }) {
     ...pageData,
   };
 
-  // Sanitize HTML content if provided (use same sanitization as posts)
-  if (dataWithDefaults.html) {
-    dataWithDefaults.html = sanitizeHtml(dataWithDefaults.html, {
-      allowedTags: [
-        'h1',
-        'h2',
-        'h3',
-        'h4',
-        'h5',
-        'h6',
-        'blockquote',
-        'p',
-        'a',
-        'ul',
-        'ol',
-        'nl',
-        'li',
-        'b',
-        'i',
-        'strong',
-        'em',
-        'strike',
-        'code',
-        'hr',
-        'br',
-        'div',
-        'span',
-        'img',
-        'pre',
-      ],
-      allowedAttributes: {
-        a: ['href', 'title'],
-        img: ['src', 'alt', 'title', 'width', 'height'],
-        '*': ['class', 'id'],
-      },
-      allowedSchemes: ['http', 'https', 'mailto'],
-      allowedSchemesByTag: {
-        img: ['http', 'https', 'data'],
-      },
-    });
-  }
+  // SECURITY: HTML must be sanitized before reaching this function. See htmlContentSchema in schemas/common.js
 
   try {
     return await handleApiRequest('pages', 'add', dataWithDefaults, options);
@@ -513,60 +434,24 @@ export async function updatePage(pageId, updateData, options = {}) {
     throw new ValidationError('Page ID is required for update');
   }
 
-  // Sanitize HTML if being updated
-  if (updateData.html) {
-    updateData.html = sanitizeHtml(updateData.html, {
-      allowedTags: [
-        'h1',
-        'h2',
-        'h3',
-        'h4',
-        'h5',
-        'h6',
-        'blockquote',
-        'p',
-        'a',
-        'ul',
-        'ol',
-        'nl',
-        'li',
-        'b',
-        'i',
-        'strong',
-        'em',
-        'strike',
-        'code',
-        'hr',
-        'br',
-        'div',
-        'span',
-        'img',
-        'pre',
-      ],
-      allowedAttributes: {
-        a: ['href', 'title'],
-        img: ['src', 'alt', 'title', 'width', 'height'],
-        '*': ['class', 'id'],
-      },
-      allowedSchemes: ['http', 'https', 'mailto'],
-      allowedSchemesByTag: {
-        img: ['http', 'https', 'data'],
-      },
-    });
+  // SECURITY: HTML must be sanitized before reaching this function. See htmlContentSchema in schemas/common.js
+
+  // Validate scheduled status if status is being updated
+  if (updateData.status) {
+    validators.validateScheduledStatus(updateData, 'Page');
   }
 
   try {
     // Get existing page to retrieve updated_at for conflict resolution
     const existingPage = await handleApiRequest('pages', 'read', { id: pageId });
 
-    // Merge existing data with updates, preserving updated_at
-    const mergedData = {
-      ...existingPage,
+    // Send only changed fields + updated_at for OCC (optimistic concurrency control)
+    const editData = {
       ...updateData,
       updated_at: existingPage.updated_at,
     };
 
-    return await handleApiRequest('pages', 'edit', mergedData, { id: pageId, ...options });
+    return await handleApiRequest('pages', 'edit', editData, { id: pageId, ...options });
   } catch (error) {
     if (error instanceof GhostAPIError && error.ghostStatusCode === 404) {
       throw new NotFoundError('Page', pageId);
@@ -685,8 +570,8 @@ export async function createTag(tagData) {
     if (error instanceof GhostAPIError && error.ghostStatusCode === 422) {
       // Check if it's a duplicate tag error
       if (error.originalError.includes('already exists')) {
-        // Try to fetch the existing tag
-        const existingTags = await getTags(tagData.name);
+        // Try to fetch the existing tag by name filter
+        const existingTags = await getTags({ filter: `name:'${tagData.name}'` });
         if (existingTags.length > 0) {
           return existingTags[0]; // Return existing tag instead of failing
         }
@@ -699,17 +584,20 @@ export async function createTag(tagData) {
   }
 }
 
-export async function getTags(name) {
-  const options = {
-    limit: 'all',
-    ...(name && { filter: `name:'${name}'` }),
-  };
-
+export async function getTags(options = {}) {
   try {
-    const tags = await handleApiRequest('tags', 'browse', {}, options);
+    const tags = await handleApiRequest(
+      'tags',
+      'browse',
+      {},
+      {
+        limit: 15,
+        ...options,
+      }
+    );
     return tags || [];
   } catch (error) {
-    console.error('Failed to get tags:', error);
+    logger.error('Failed to get tags', { error: error.message });
     throw error;
   }
 }
@@ -737,13 +625,11 @@ export async function updateTag(tagId, updateData) {
   validators.validateTagUpdateData(updateData); // Validate update data
 
   try {
-    const existingTag = await getTag(tagId);
-    const mergedData = {
-      ...existingTag,
-      ...updateData,
-    };
+    // Verify tag exists before updating
+    await getTag(tagId);
 
-    return await handleApiRequest('tags', 'edit', mergedData, { id: tagId });
+    // Send only changed fields (tags don't use updated_at for OCC)
+    return await handleApiRequest('tags', 'edit', { ...updateData }, { id: tagId });
   } catch (error) {
     if (error instanceof NotFoundError) {
       throw error;
@@ -831,14 +717,13 @@ export async function updateMember(memberId, updateData, options = {}) {
     // Get existing member to retrieve updated_at for conflict resolution
     const existingMember = await handleApiRequest('members', 'read', { id: memberId });
 
-    // Merge existing data with updates, preserving updated_at
-    const mergedData = {
-      ...existingMember,
+    // Send only changed fields + updated_at for OCC (optimistic concurrency control)
+    const editData = {
       ...updateData,
       updated_at: existingMember.updated_at,
     };
 
-    return await handleApiRequest('members', 'edit', mergedData, { id: memberId, ...options });
+    return await handleApiRequest('members', 'edit', editData, { id: memberId, ...options });
   } catch (error) {
     if (error instanceof GhostAPIError && error.ghostStatusCode === 404) {
       throw new NotFoundError('Member', memberId);
@@ -1031,14 +916,13 @@ export async function updateNewsletter(newsletterId, updateData) {
       id: newsletterId,
     });
 
-    // Merge existing data with updates, preserving updated_at
-    const mergedData = {
-      ...existingNewsletter,
+    // Send only changed fields + updated_at for OCC (optimistic concurrency control)
+    const editData = {
       ...updateData,
       updated_at: existingNewsletter.updated_at,
     };
 
-    return await handleApiRequest('newsletters', 'edit', mergedData, { id: newsletterId });
+    return await handleApiRequest('newsletters', 'edit', editData, { id: newsletterId });
   } catch (error) {
     if (error instanceof GhostAPIError && error.ghostStatusCode === 404) {
       throw new NotFoundError('Newsletter', newsletterId);
@@ -1105,17 +989,16 @@ export async function updateTier(id, updateData, options = {}) {
   validateTierUpdateData(updateData);
 
   try {
-    // Get existing tier for merge
+    // Get existing tier to retrieve updated_at for conflict resolution
     const existingTier = await handleApiRequest('tiers', 'read', { id }, { id });
 
-    // Merge updates with existing data
-    const mergedData = {
-      ...existingTier,
+    // Send only changed fields + updated_at for OCC (optimistic concurrency control)
+    const editData = {
       ...updateData,
       updated_at: existingTier.updated_at,
     };
 
-    return await handleApiRequest('tiers', 'edit', mergedData, { id, ...options });
+    return await handleApiRequest('tiers', 'edit', editData, { id, ...options });
   } catch (error) {
     if (error instanceof GhostAPIError && error.ghostStatusCode === 404) {
       throw new NotFoundError('Tier', id);

package/src/utils/__tests__/urlValidator.test.js

@@ -1,5 +1,11 @@
 import { describe, it, expect } from 'vitest';
-import { validateImageUrl, createSecureAxiosConfig, ALLOWED_DOMAINS } from '../urlValidator.js';
+import {
+  validateImageUrl,
+  createSecureAxiosConfig,
+  createBeforeRedirect,
+  isSafeHost,
+  ALLOWED_DOMAINS,
+} from '../urlValidator.js';
 
 describe('urlValidator', () => {
   describe('ALLOWED_DOMAINS', () => {
@@ -446,5 +452,135 @@ describe('urlValidator', () => {
       expect(config2.url).toBe(url2);
       expect(config1.url).not.toBe(config2.url);
     });
+
+    it('should include beforeRedirect callback', () => {
+      const config = createSecureAxiosConfig('https://imgur.com/image.jpg');
+      expect(config).toHaveProperty('beforeRedirect');
+      expect(typeof config.beforeRedirect).toBe('function');
+    });
+  });
+
+  describe('isSafeHost', () => {
+    it('should allow domains on the allowlist', () => {
+      expect(isSafeHost('imgur.com')).toBe(true);
+      expect(isSafeHost('i.imgur.com')).toBe(true);
+      expect(isSafeHost('github.com')).toBe(true);
+    });
+
+    it('should allow subdomains of allowed domains', () => {
+      expect(isSafeHost('cdn.images.unsplash.com')).toBe(true);
+      expect(isSafeHost('my-bucket.s3.amazonaws.com')).toBe(true);
+    });
+
+    it('should reject domains not on the allowlist', () => {
+      expect(isSafeHost('evil.com')).toBe(false);
+      expect(isSafeHost('fakeimgur.com')).toBe(false);
+    });
+
+    it('should block localhost IPs', () => {
+      expect(isSafeHost('127.0.0.1')).toBe(false);
+      expect(isSafeHost('127.0.0.2')).toBe(false);
+    });
+
+    it('should block private network IPs', () => {
+      expect(isSafeHost('10.0.0.1')).toBe(false);
+      expect(isSafeHost('192.168.1.1')).toBe(false);
+      expect(isSafeHost('172.16.0.1')).toBe(false);
+    });
+
+    it('should block link-local and cloud metadata IPs', () => {
+      expect(isSafeHost('169.254.169.254')).toBe(false);
+      expect(isSafeHost('169.254.0.1')).toBe(false);
+    });
+
+    it('should block IPv6 private addresses', () => {
+      expect(isSafeHost('::1')).toBe(false);
+      expect(isSafeHost('fc00::1')).toBe(false);
+      expect(isSafeHost('fe80::1')).toBe(false);
+    });
+
+    it('should allow public IPs not on blocklist', () => {
+      expect(isSafeHost('8.8.8.8')).toBe(true);
+      expect(isSafeHost('1.1.1.1')).toBe(true);
+    });
+  });
+
+  describe('createBeforeRedirect', () => {
+    it('should not throw for redirects to allowed domains', () => {
+      const beforeRedirect = createBeforeRedirect();
+      expect(() =>
+        beforeRedirect({
+          protocol: 'https:',
+          hostname: 'imgur.com',
+          path: '/image.jpg',
+        })
+      ).not.toThrow();
+    });
+
+    it('should throw for redirect to 127.0.0.1 (localhost)', () => {
+      const beforeRedirect = createBeforeRedirect();
+      expect(() =>
+        beforeRedirect({
+          protocol: 'https:',
+          hostname: '127.0.0.1',
+          path: '/secret',
+        })
+      ).toThrow('Redirect blocked');
+    });
+
+    it('should throw for redirect to 169.254.169.254 (AWS metadata)', () => {
+      const beforeRedirect = createBeforeRedirect();
+      expect(() =>
+        beforeRedirect({
+          protocol: 'http:',
+          hostname: '169.254.169.254',
+          path: '/latest/meta-data/',
+        })
+      ).toThrow('Redirect blocked');
+    });
+
+    it('should throw for redirect to 192.168.x.x (private network)', () => {
+      const beforeRedirect = createBeforeRedirect();
+      expect(() =>
+        beforeRedirect({
+          protocol: 'https:',
+          hostname: '192.168.1.1',
+          path: '/admin',
+        })
+      ).toThrow('Redirect blocked');
+    });
+
+    it('should throw for redirect to 10.x.x.x (private network)', () => {
+      const beforeRedirect = createBeforeRedirect();
+      expect(() =>
+        beforeRedirect({
+          protocol: 'https:',
+          hostname: '10.0.0.1',
+          path: '/internal',
+        })
+      ).toThrow('Redirect blocked');
+    });
+
+    it('should throw for redirect to disallowed domain', () => {
+      const beforeRedirect = createBeforeRedirect();
+      expect(() =>
+        beforeRedirect({
+          protocol: 'https:',
+          hostname: 'evil.com',
+          path: '/payload',
+        })
+      ).toThrow('Redirect blocked');
+    });
+
+    it('should allow redirect between allowed domains', () => {
+      const beforeRedirect = createBeforeRedirect();
+      expect(() =>
+        beforeRedirect({
+          protocol: 'https:',
+          hostname: 'images.unsplash.com',
+          path: '/photo-123',
+        })
+      ).not.toThrow();
+    });
   });
 });

package/src/utils/urlValidator.js

@@ -147,7 +147,23 @@ const validateImageUrl = (url) => {
 };
 
 /**
- * Configures axios with security settings for external requests
+ * Creates a beforeRedirect callback that validates each redirect target against
+ * the same SSRF rules applied to the initial URL.
+ * @returns {function} Axios beforeRedirect callback
+ */
+const createBeforeRedirect = () => {
+  return (options) => {
+    const redirectUrl = `${options.protocol}//${options.hostname}${options.path}`;
+    const validation = validateImageUrl(redirectUrl);
+    if (!validation.isValid) {
+      throw new Error(`Redirect blocked: ${validation.error}`);
+    }
+  };
+};
+
+// Note: DNS rebinding (TOCTOU) attacks are not mitigated by hostname-based validation
+/**
+ * Configures axios with security settings for external requests.
  * @param {string} url - The validated URL to request
  * @returns {object} Axios configuration with security settings
  */
@@ -159,10 +175,17 @@ const createSecureAxiosConfig = (url) => {
     maxRedirects: 3, // Limit redirects
     maxContentLength: 50 * 1024 * 1024, // 50MB max response
     validateStatus: (status) => status >= 200 && status < 300, // Only accept 2xx
+    beforeRedirect: createBeforeRedirect(),
     headers: {
       'User-Agent': 'Ghost-MCP-Server/1.0',
     },
   };
 };
 
-export { validateImageUrl, createSecureAxiosConfig, ALLOWED_DOMAINS };
+export {
+  validateImageUrl,
+  createSecureAxiosConfig,
+  createBeforeRedirect,
+  isSafeHost,
+  ALLOWED_DOMAINS,
+};