@jgardner04/ghost-mcp-server 1.13.1 → 1.13.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (35) hide show
  1. package/package.json +6 -18
  2. package/src/__tests__/mcp_server.test.js +204 -117
  3. package/src/__tests__/mcp_server_pages.test.js +32 -18
  4. package/src/config/mcp-config.js +1 -1
  5. package/src/controllers/__tests__/tagController.test.js +12 -8
  6. package/src/controllers/tagController.js +2 -2
  7. package/src/errors/__tests__/index.test.js +3 -3
  8. package/src/errors/index.js +1 -1
  9. package/src/index.js +1 -1
  10. package/src/mcp_server.js +37 -33
  11. package/src/schemas/__tests__/postSchemas.test.js +19 -0
  12. package/src/schemas/__tests__/tagSchemas.test.js +1 -1
  13. package/src/schemas/common.js +2 -2
  14. package/src/schemas/memberSchemas.js +20 -8
  15. package/src/schemas/newsletterSchemas.js +10 -10
  16. package/src/schemas/pageSchemas.js +16 -13
  17. package/src/schemas/postSchemas.js +22 -13
  18. package/src/schemas/tagSchemas.js +12 -7
  19. package/src/schemas/tierSchemas.js +17 -8
  20. package/src/services/__tests__/ghostServiceImproved.members.test.js +15 -6
  21. package/src/services/__tests__/ghostServiceImproved.newsletters.test.js +21 -12
  22. package/src/services/__tests__/ghostServiceImproved.pages.test.js +59 -16
  23. package/src/services/__tests__/ghostServiceImproved.posts.test.js +233 -0
  24. package/src/services/__tests__/ghostServiceImproved.tags.test.js +13 -2
  25. package/src/services/__tests__/ghostServiceImproved.tiers.test.js +18 -19
  26. package/src/services/__tests__/memberService.test.js +0 -28
  27. package/src/services/__tests__/tierService.test.js +0 -28
  28. package/src/services/ghostServiceImproved.js +108 -379
  29. package/src/services/imageProcessingService.js +1 -1
  30. package/src/services/memberService.js +0 -13
  31. package/src/services/tierService.js +0 -13
  32. package/src/utils/__tests__/nqlSanitizer.test.js +38 -0
  33. package/src/utils/__tests__/urlValidator.test.js +137 -1
  34. package/src/utils/nqlSanitizer.js +11 -0
  35. package/src/utils/urlValidator.js +25 -2
@@ -204,18 +204,6 @@ export function validateMemberUpdateData(updateData) {
204
204
  }
205
205
  }
206
206
 
207
- /**
208
- * Sanitizes a value for use in NQL filters to prevent injection
209
- * Escapes backslashes, single quotes, and double quotes
210
- * @param {string} value - The value to sanitize
211
- * @returns {string} The sanitized value
212
- */
213
- export function sanitizeNqlValue(value) {
214
- if (!value) return value;
215
- // Escape backslashes first, then quotes
216
- return value.replace(/\\/g, '\\\\').replace(/'/g, "\\'").replace(/"/g, '\\"');
217
- }
218
-
219
207
  /**
220
208
  * Validates query options for member browsing
221
209
  * @param {Object} options - The query options to validate
@@ -388,5 +376,4 @@ export default {
388
376
  validateMemberLookup,
389
377
  validateSearchQuery,
390
378
  validateSearchOptions,
391
- sanitizeNqlValue,
392
379
  };
@@ -284,21 +284,8 @@ export function validateTierQueryOptions(options) {
284
284
  }
285
285
  }
286
286
 
287
- /**
288
- * Sanitizes a value for use in NQL filters to prevent injection
289
- * Escapes backslashes, single quotes, and double quotes
290
- * @param {string} value - The value to sanitize
291
- * @returns {string} The sanitized value
292
- */
293
- export function sanitizeNqlValue(value) {
294
- if (!value) return value;
295
- // Escape backslashes first, then quotes
296
- return value.replace(/\\/g, '\\\\').replace(/'/g, "\\'").replace(/"/g, '\\"');
297
- }
298
-
299
287
  export default {
300
288
  validateTierData,
301
289
  validateTierUpdateData,
302
290
  validateTierQueryOptions,
303
- sanitizeNqlValue,
304
291
  };
@@ -0,0 +1,38 @@
1
+ import { describe, it, expect } from 'vitest';
2
+ import { sanitizeNqlValue } from '../nqlSanitizer.js';
3
+
4
+ describe('sanitizeNqlValue', () => {
5
+ it('should escape backslashes', () => {
6
+ expect(sanitizeNqlValue('hello\\world')).toBe('hello\\\\world');
7
+ });
8
+
9
+ it('should escape single quotes', () => {
10
+ expect(sanitizeNqlValue("it's")).toBe("it\\'s");
11
+ });
12
+
13
+ it('should escape double quotes', () => {
14
+ expect(sanitizeNqlValue('say "hello"')).toBe('say \\"hello\\"');
15
+ });
16
+
17
+ it('should escape all three special characters combined', () => {
18
+ expect(sanitizeNqlValue('a\\b\'c"d')).toBe('a\\\\b\\\'c\\"d');
19
+ });
20
+
21
+ it('should return null as-is', () => {
22
+ expect(sanitizeNqlValue(null)).toBe(null);
23
+ });
24
+
25
+ it('should return undefined as-is', () => {
26
+ expect(sanitizeNqlValue(undefined)).toBe(undefined);
27
+ });
28
+
29
+ it('should return empty string as-is', () => {
30
+ expect(sanitizeNqlValue('')).toBe('');
31
+ });
32
+
33
+ it('should pass through normal strings without special characters', () => {
34
+ expect(sanitizeNqlValue('simple-value')).toBe('simple-value');
35
+ expect(sanitizeNqlValue('test@example.com')).toBe('test@example.com');
36
+ expect(sanitizeNqlValue('hello world 123')).toBe('hello world 123');
37
+ });
38
+ });
@@ -1,5 +1,11 @@
1
1
  import { describe, it, expect } from 'vitest';
2
- import { validateImageUrl, createSecureAxiosConfig, ALLOWED_DOMAINS } from '../urlValidator.js';
2
+ import {
3
+ validateImageUrl,
4
+ createSecureAxiosConfig,
5
+ createBeforeRedirect,
6
+ isSafeHost,
7
+ ALLOWED_DOMAINS,
8
+ } from '../urlValidator.js';
3
9
 
4
10
  describe('urlValidator', () => {
5
11
  describe('ALLOWED_DOMAINS', () => {
@@ -446,5 +452,135 @@ describe('urlValidator', () => {
446
452
  expect(config2.url).toBe(url2);
447
453
  expect(config1.url).not.toBe(config2.url);
448
454
  });
455
+
456
+ it('should include beforeRedirect callback', () => {
457
+ const config = createSecureAxiosConfig('https://imgur.com/image.jpg');
458
+ expect(config).toHaveProperty('beforeRedirect');
459
+ expect(typeof config.beforeRedirect).toBe('function');
460
+ });
461
+ });
462
+
463
+ describe('isSafeHost', () => {
464
+ it('should allow domains on the allowlist', () => {
465
+ expect(isSafeHost('imgur.com')).toBe(true);
466
+ expect(isSafeHost('i.imgur.com')).toBe(true);
467
+ expect(isSafeHost('github.com')).toBe(true);
468
+ });
469
+
470
+ it('should allow subdomains of allowed domains', () => {
471
+ expect(isSafeHost('cdn.images.unsplash.com')).toBe(true);
472
+ expect(isSafeHost('my-bucket.s3.amazonaws.com')).toBe(true);
473
+ });
474
+
475
+ it('should reject domains not on the allowlist', () => {
476
+ expect(isSafeHost('evil.com')).toBe(false);
477
+ expect(isSafeHost('fakeimgur.com')).toBe(false);
478
+ });
479
+
480
+ it('should block localhost IPs', () => {
481
+ expect(isSafeHost('127.0.0.1')).toBe(false);
482
+ expect(isSafeHost('127.0.0.2')).toBe(false);
483
+ });
484
+
485
+ it('should block private network IPs', () => {
486
+ expect(isSafeHost('10.0.0.1')).toBe(false);
487
+ expect(isSafeHost('192.168.1.1')).toBe(false);
488
+ expect(isSafeHost('172.16.0.1')).toBe(false);
489
+ });
490
+
491
+ it('should block link-local and cloud metadata IPs', () => {
492
+ expect(isSafeHost('169.254.169.254')).toBe(false);
493
+ expect(isSafeHost('169.254.0.1')).toBe(false);
494
+ });
495
+
496
+ it('should block IPv6 private addresses', () => {
497
+ expect(isSafeHost('::1')).toBe(false);
498
+ expect(isSafeHost('fc00::1')).toBe(false);
499
+ expect(isSafeHost('fe80::1')).toBe(false);
500
+ });
501
+
502
+ it('should allow public IPs not on blocklist', () => {
503
+ expect(isSafeHost('8.8.8.8')).toBe(true);
504
+ expect(isSafeHost('1.1.1.1')).toBe(true);
505
+ });
506
+ });
507
+
508
+ describe('createBeforeRedirect', () => {
509
+ it('should not throw for redirects to allowed domains', () => {
510
+ const beforeRedirect = createBeforeRedirect();
511
+ expect(() =>
512
+ beforeRedirect({
513
+ protocol: 'https:',
514
+ hostname: 'imgur.com',
515
+ path: '/image.jpg',
516
+ })
517
+ ).not.toThrow();
518
+ });
519
+
520
+ it('should throw for redirect to 127.0.0.1 (localhost)', () => {
521
+ const beforeRedirect = createBeforeRedirect();
522
+ expect(() =>
523
+ beforeRedirect({
524
+ protocol: 'https:',
525
+ hostname: '127.0.0.1',
526
+ path: '/secret',
527
+ })
528
+ ).toThrow('Redirect blocked');
529
+ });
530
+
531
+ it('should throw for redirect to 169.254.169.254 (AWS metadata)', () => {
532
+ const beforeRedirect = createBeforeRedirect();
533
+ expect(() =>
534
+ beforeRedirect({
535
+ protocol: 'http:',
536
+ hostname: '169.254.169.254',
537
+ path: '/latest/meta-data/',
538
+ })
539
+ ).toThrow('Redirect blocked');
540
+ });
541
+
542
+ it('should throw for redirect to 192.168.x.x (private network)', () => {
543
+ const beforeRedirect = createBeforeRedirect();
544
+ expect(() =>
545
+ beforeRedirect({
546
+ protocol: 'https:',
547
+ hostname: '192.168.1.1',
548
+ path: '/admin',
549
+ })
550
+ ).toThrow('Redirect blocked');
551
+ });
552
+
553
+ it('should throw for redirect to 10.x.x.x (private network)', () => {
554
+ const beforeRedirect = createBeforeRedirect();
555
+ expect(() =>
556
+ beforeRedirect({
557
+ protocol: 'https:',
558
+ hostname: '10.0.0.1',
559
+ path: '/internal',
560
+ })
561
+ ).toThrow('Redirect blocked');
562
+ });
563
+
564
+ it('should throw for redirect to disallowed domain', () => {
565
+ const beforeRedirect = createBeforeRedirect();
566
+ expect(() =>
567
+ beforeRedirect({
568
+ protocol: 'https:',
569
+ hostname: 'evil.com',
570
+ path: '/payload',
571
+ })
572
+ ).toThrow('Redirect blocked');
573
+ });
574
+
575
+ it('should allow redirect between allowed domains', () => {
576
+ const beforeRedirect = createBeforeRedirect();
577
+ expect(() =>
578
+ beforeRedirect({
579
+ protocol: 'https:',
580
+ hostname: 'images.unsplash.com',
581
+ path: '/photo-123',
582
+ })
583
+ ).not.toThrow();
584
+ });
449
585
  });
450
586
  });
@@ -0,0 +1,11 @@
1
+ /**
2
+ * Sanitizes a value for use in NQL (Ghost's filter query language) to prevent injection.
3
+ * Escapes backslashes, single quotes, and double quotes.
4
+ * @param {string} value - The value to sanitize
5
+ * @returns {string} The sanitized value
6
+ */
7
+ export function sanitizeNqlValue(value) {
8
+ if (!value) return value;
9
+ // Escape backslashes first, then quotes
10
+ return value.replace(/\\/g, '\\\\').replace(/'/g, "\\'").replace(/"/g, '\\"');
11
+ }
@@ -147,7 +147,23 @@ const validateImageUrl = (url) => {
147
147
  };
148
148
 
149
149
  /**
150
- * Configures axios with security settings for external requests
150
+ * Creates a beforeRedirect callback that validates each redirect target against
151
+ * the same SSRF rules applied to the initial URL.
152
+ * @returns {function} Axios beforeRedirect callback
153
+ */
154
+ const createBeforeRedirect = () => {
155
+ return (options) => {
156
+ const redirectUrl = `${options.protocol}//${options.hostname}${options.path}`;
157
+ const validation = validateImageUrl(redirectUrl);
158
+ if (!validation.isValid) {
159
+ throw new Error(`Redirect blocked: ${validation.error}`);
160
+ }
161
+ };
162
+ };
163
+
164
+ // Note: DNS rebinding (TOCTOU) attacks are not mitigated by hostname-based validation
165
+ /**
166
+ * Configures axios with security settings for external requests.
151
167
  * @param {string} url - The validated URL to request
152
168
  * @returns {object} Axios configuration with security settings
153
169
  */
@@ -159,10 +175,17 @@ const createSecureAxiosConfig = (url) => {
159
175
  maxRedirects: 3, // Limit redirects
160
176
  maxContentLength: 50 * 1024 * 1024, // 50MB max response
161
177
  validateStatus: (status) => status >= 200 && status < 300, // Only accept 2xx
178
+ beforeRedirect: createBeforeRedirect(),
162
179
  headers: {
163
180
  'User-Agent': 'Ghost-MCP-Server/1.0',
164
181
  },
165
182
  };
166
183
  };
167
184
 
168
- export { validateImageUrl, createSecureAxiosConfig, ALLOWED_DOMAINS };
185
+ export {
186
+ validateImageUrl,
187
+ createSecureAxiosConfig,
188
+ createBeforeRedirect,
189
+ isSafeHost,
190
+ ALLOWED_DOMAINS,
191
+ };