@jgardner04/ghost-mcp-server 1.13.1 → 1.13.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/package.json +6 -18
- package/src/__tests__/mcp_server.test.js +204 -117
- package/src/__tests__/mcp_server_pages.test.js +32 -18
- package/src/config/mcp-config.js +1 -1
- package/src/controllers/__tests__/tagController.test.js +12 -8
- package/src/controllers/tagController.js +2 -2
- package/src/errors/__tests__/index.test.js +3 -3
- package/src/errors/index.js +1 -1
- package/src/index.js +1 -1
- package/src/mcp_server.js +37 -33
- package/src/schemas/__tests__/postSchemas.test.js +19 -0
- package/src/schemas/__tests__/tagSchemas.test.js +1 -1
- package/src/schemas/common.js +2 -2
- package/src/schemas/memberSchemas.js +20 -8
- package/src/schemas/newsletterSchemas.js +10 -10
- package/src/schemas/pageSchemas.js +16 -13
- package/src/schemas/postSchemas.js +22 -13
- package/src/schemas/tagSchemas.js +12 -7
- package/src/schemas/tierSchemas.js +17 -8
- package/src/services/__tests__/ghostServiceImproved.members.test.js +15 -6
- package/src/services/__tests__/ghostServiceImproved.newsletters.test.js +21 -12
- package/src/services/__tests__/ghostServiceImproved.pages.test.js +59 -16
- package/src/services/__tests__/ghostServiceImproved.posts.test.js +233 -0
- package/src/services/__tests__/ghostServiceImproved.tags.test.js +13 -2
- package/src/services/__tests__/ghostServiceImproved.tiers.test.js +18 -19
- package/src/services/__tests__/memberService.test.js +0 -28
- package/src/services/__tests__/tierService.test.js +0 -28
- package/src/services/ghostServiceImproved.js +108 -379
- package/src/services/imageProcessingService.js +1 -1
- package/src/services/memberService.js +0 -13
- package/src/services/tierService.js +0 -13
- package/src/utils/__tests__/nqlSanitizer.test.js +38 -0
- package/src/utils/__tests__/urlValidator.test.js +137 -1
- package/src/utils/nqlSanitizer.js +11 -0
- package/src/utils/urlValidator.js +25 -2
|
@@ -204,18 +204,6 @@ export function validateMemberUpdateData(updateData) {
|
|
|
204
204
|
}
|
|
205
205
|
}
|
|
206
206
|
|
|
207
|
-
/**
|
|
208
|
-
* Sanitizes a value for use in NQL filters to prevent injection
|
|
209
|
-
* Escapes backslashes, single quotes, and double quotes
|
|
210
|
-
* @param {string} value - The value to sanitize
|
|
211
|
-
* @returns {string} The sanitized value
|
|
212
|
-
*/
|
|
213
|
-
export function sanitizeNqlValue(value) {
|
|
214
|
-
if (!value) return value;
|
|
215
|
-
// Escape backslashes first, then quotes
|
|
216
|
-
return value.replace(/\\/g, '\\\\').replace(/'/g, "\\'").replace(/"/g, '\\"');
|
|
217
|
-
}
|
|
218
|
-
|
|
219
207
|
/**
|
|
220
208
|
* Validates query options for member browsing
|
|
221
209
|
* @param {Object} options - The query options to validate
|
|
@@ -388,5 +376,4 @@ export default {
|
|
|
388
376
|
validateMemberLookup,
|
|
389
377
|
validateSearchQuery,
|
|
390
378
|
validateSearchOptions,
|
|
391
|
-
sanitizeNqlValue,
|
|
392
379
|
};
|
|
@@ -284,21 +284,8 @@ export function validateTierQueryOptions(options) {
|
|
|
284
284
|
}
|
|
285
285
|
}
|
|
286
286
|
|
|
287
|
-
/**
|
|
288
|
-
* Sanitizes a value for use in NQL filters to prevent injection
|
|
289
|
-
* Escapes backslashes, single quotes, and double quotes
|
|
290
|
-
* @param {string} value - The value to sanitize
|
|
291
|
-
* @returns {string} The sanitized value
|
|
292
|
-
*/
|
|
293
|
-
export function sanitizeNqlValue(value) {
|
|
294
|
-
if (!value) return value;
|
|
295
|
-
// Escape backslashes first, then quotes
|
|
296
|
-
return value.replace(/\\/g, '\\\\').replace(/'/g, "\\'").replace(/"/g, '\\"');
|
|
297
|
-
}
|
|
298
|
-
|
|
299
287
|
export default {
|
|
300
288
|
validateTierData,
|
|
301
289
|
validateTierUpdateData,
|
|
302
290
|
validateTierQueryOptions,
|
|
303
|
-
sanitizeNqlValue,
|
|
304
291
|
};
|
|
@@ -0,0 +1,38 @@
|
|
|
1
|
+
import { describe, it, expect } from 'vitest';
|
|
2
|
+
import { sanitizeNqlValue } from '../nqlSanitizer.js';
|
|
3
|
+
|
|
4
|
+
describe('sanitizeNqlValue', () => {
|
|
5
|
+
it('should escape backslashes', () => {
|
|
6
|
+
expect(sanitizeNqlValue('hello\\world')).toBe('hello\\\\world');
|
|
7
|
+
});
|
|
8
|
+
|
|
9
|
+
it('should escape single quotes', () => {
|
|
10
|
+
expect(sanitizeNqlValue("it's")).toBe("it\\'s");
|
|
11
|
+
});
|
|
12
|
+
|
|
13
|
+
it('should escape double quotes', () => {
|
|
14
|
+
expect(sanitizeNqlValue('say "hello"')).toBe('say \\"hello\\"');
|
|
15
|
+
});
|
|
16
|
+
|
|
17
|
+
it('should escape all three special characters combined', () => {
|
|
18
|
+
expect(sanitizeNqlValue('a\\b\'c"d')).toBe('a\\\\b\\\'c\\"d');
|
|
19
|
+
});
|
|
20
|
+
|
|
21
|
+
it('should return null as-is', () => {
|
|
22
|
+
expect(sanitizeNqlValue(null)).toBe(null);
|
|
23
|
+
});
|
|
24
|
+
|
|
25
|
+
it('should return undefined as-is', () => {
|
|
26
|
+
expect(sanitizeNqlValue(undefined)).toBe(undefined);
|
|
27
|
+
});
|
|
28
|
+
|
|
29
|
+
it('should return empty string as-is', () => {
|
|
30
|
+
expect(sanitizeNqlValue('')).toBe('');
|
|
31
|
+
});
|
|
32
|
+
|
|
33
|
+
it('should pass through normal strings without special characters', () => {
|
|
34
|
+
expect(sanitizeNqlValue('simple-value')).toBe('simple-value');
|
|
35
|
+
expect(sanitizeNqlValue('test@example.com')).toBe('test@example.com');
|
|
36
|
+
expect(sanitizeNqlValue('hello world 123')).toBe('hello world 123');
|
|
37
|
+
});
|
|
38
|
+
});
|
|
@@ -1,5 +1,11 @@
|
|
|
1
1
|
import { describe, it, expect } from 'vitest';
|
|
2
|
-
import {
|
|
2
|
+
import {
|
|
3
|
+
validateImageUrl,
|
|
4
|
+
createSecureAxiosConfig,
|
|
5
|
+
createBeforeRedirect,
|
|
6
|
+
isSafeHost,
|
|
7
|
+
ALLOWED_DOMAINS,
|
|
8
|
+
} from '../urlValidator.js';
|
|
3
9
|
|
|
4
10
|
describe('urlValidator', () => {
|
|
5
11
|
describe('ALLOWED_DOMAINS', () => {
|
|
@@ -446,5 +452,135 @@ describe('urlValidator', () => {
|
|
|
446
452
|
expect(config2.url).toBe(url2);
|
|
447
453
|
expect(config1.url).not.toBe(config2.url);
|
|
448
454
|
});
|
|
455
|
+
|
|
456
|
+
it('should include beforeRedirect callback', () => {
|
|
457
|
+
const config = createSecureAxiosConfig('https://imgur.com/image.jpg');
|
|
458
|
+
expect(config).toHaveProperty('beforeRedirect');
|
|
459
|
+
expect(typeof config.beforeRedirect).toBe('function');
|
|
460
|
+
});
|
|
461
|
+
});
|
|
462
|
+
|
|
463
|
+
describe('isSafeHost', () => {
|
|
464
|
+
it('should allow domains on the allowlist', () => {
|
|
465
|
+
expect(isSafeHost('imgur.com')).toBe(true);
|
|
466
|
+
expect(isSafeHost('i.imgur.com')).toBe(true);
|
|
467
|
+
expect(isSafeHost('github.com')).toBe(true);
|
|
468
|
+
});
|
|
469
|
+
|
|
470
|
+
it('should allow subdomains of allowed domains', () => {
|
|
471
|
+
expect(isSafeHost('cdn.images.unsplash.com')).toBe(true);
|
|
472
|
+
expect(isSafeHost('my-bucket.s3.amazonaws.com')).toBe(true);
|
|
473
|
+
});
|
|
474
|
+
|
|
475
|
+
it('should reject domains not on the allowlist', () => {
|
|
476
|
+
expect(isSafeHost('evil.com')).toBe(false);
|
|
477
|
+
expect(isSafeHost('fakeimgur.com')).toBe(false);
|
|
478
|
+
});
|
|
479
|
+
|
|
480
|
+
it('should block localhost IPs', () => {
|
|
481
|
+
expect(isSafeHost('127.0.0.1')).toBe(false);
|
|
482
|
+
expect(isSafeHost('127.0.0.2')).toBe(false);
|
|
483
|
+
});
|
|
484
|
+
|
|
485
|
+
it('should block private network IPs', () => {
|
|
486
|
+
expect(isSafeHost('10.0.0.1')).toBe(false);
|
|
487
|
+
expect(isSafeHost('192.168.1.1')).toBe(false);
|
|
488
|
+
expect(isSafeHost('172.16.0.1')).toBe(false);
|
|
489
|
+
});
|
|
490
|
+
|
|
491
|
+
it('should block link-local and cloud metadata IPs', () => {
|
|
492
|
+
expect(isSafeHost('169.254.169.254')).toBe(false);
|
|
493
|
+
expect(isSafeHost('169.254.0.1')).toBe(false);
|
|
494
|
+
});
|
|
495
|
+
|
|
496
|
+
it('should block IPv6 private addresses', () => {
|
|
497
|
+
expect(isSafeHost('::1')).toBe(false);
|
|
498
|
+
expect(isSafeHost('fc00::1')).toBe(false);
|
|
499
|
+
expect(isSafeHost('fe80::1')).toBe(false);
|
|
500
|
+
});
|
|
501
|
+
|
|
502
|
+
it('should allow public IPs not on blocklist', () => {
|
|
503
|
+
expect(isSafeHost('8.8.8.8')).toBe(true);
|
|
504
|
+
expect(isSafeHost('1.1.1.1')).toBe(true);
|
|
505
|
+
});
|
|
506
|
+
});
|
|
507
|
+
|
|
508
|
+
describe('createBeforeRedirect', () => {
|
|
509
|
+
it('should not throw for redirects to allowed domains', () => {
|
|
510
|
+
const beforeRedirect = createBeforeRedirect();
|
|
511
|
+
expect(() =>
|
|
512
|
+
beforeRedirect({
|
|
513
|
+
protocol: 'https:',
|
|
514
|
+
hostname: 'imgur.com',
|
|
515
|
+
path: '/image.jpg',
|
|
516
|
+
})
|
|
517
|
+
).not.toThrow();
|
|
518
|
+
});
|
|
519
|
+
|
|
520
|
+
it('should throw for redirect to 127.0.0.1 (localhost)', () => {
|
|
521
|
+
const beforeRedirect = createBeforeRedirect();
|
|
522
|
+
expect(() =>
|
|
523
|
+
beforeRedirect({
|
|
524
|
+
protocol: 'https:',
|
|
525
|
+
hostname: '127.0.0.1',
|
|
526
|
+
path: '/secret',
|
|
527
|
+
})
|
|
528
|
+
).toThrow('Redirect blocked');
|
|
529
|
+
});
|
|
530
|
+
|
|
531
|
+
it('should throw for redirect to 169.254.169.254 (AWS metadata)', () => {
|
|
532
|
+
const beforeRedirect = createBeforeRedirect();
|
|
533
|
+
expect(() =>
|
|
534
|
+
beforeRedirect({
|
|
535
|
+
protocol: 'http:',
|
|
536
|
+
hostname: '169.254.169.254',
|
|
537
|
+
path: '/latest/meta-data/',
|
|
538
|
+
})
|
|
539
|
+
).toThrow('Redirect blocked');
|
|
540
|
+
});
|
|
541
|
+
|
|
542
|
+
it('should throw for redirect to 192.168.x.x (private network)', () => {
|
|
543
|
+
const beforeRedirect = createBeforeRedirect();
|
|
544
|
+
expect(() =>
|
|
545
|
+
beforeRedirect({
|
|
546
|
+
protocol: 'https:',
|
|
547
|
+
hostname: '192.168.1.1',
|
|
548
|
+
path: '/admin',
|
|
549
|
+
})
|
|
550
|
+
).toThrow('Redirect blocked');
|
|
551
|
+
});
|
|
552
|
+
|
|
553
|
+
it('should throw for redirect to 10.x.x.x (private network)', () => {
|
|
554
|
+
const beforeRedirect = createBeforeRedirect();
|
|
555
|
+
expect(() =>
|
|
556
|
+
beforeRedirect({
|
|
557
|
+
protocol: 'https:',
|
|
558
|
+
hostname: '10.0.0.1',
|
|
559
|
+
path: '/internal',
|
|
560
|
+
})
|
|
561
|
+
).toThrow('Redirect blocked');
|
|
562
|
+
});
|
|
563
|
+
|
|
564
|
+
it('should throw for redirect to disallowed domain', () => {
|
|
565
|
+
const beforeRedirect = createBeforeRedirect();
|
|
566
|
+
expect(() =>
|
|
567
|
+
beforeRedirect({
|
|
568
|
+
protocol: 'https:',
|
|
569
|
+
hostname: 'evil.com',
|
|
570
|
+
path: '/payload',
|
|
571
|
+
})
|
|
572
|
+
).toThrow('Redirect blocked');
|
|
573
|
+
});
|
|
574
|
+
|
|
575
|
+
it('should allow redirect between allowed domains', () => {
|
|
576
|
+
const beforeRedirect = createBeforeRedirect();
|
|
577
|
+
expect(() =>
|
|
578
|
+
beforeRedirect({
|
|
579
|
+
protocol: 'https:',
|
|
580
|
+
hostname: 'images.unsplash.com',
|
|
581
|
+
path: '/photo-123',
|
|
582
|
+
})
|
|
583
|
+
).not.toThrow();
|
|
584
|
+
});
|
|
449
585
|
});
|
|
450
586
|
});
|
|
@@ -0,0 +1,11 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Sanitizes a value for use in NQL (Ghost's filter query language) to prevent injection.
|
|
3
|
+
* Escapes backslashes, single quotes, and double quotes.
|
|
4
|
+
* @param {string} value - The value to sanitize
|
|
5
|
+
* @returns {string} The sanitized value
|
|
6
|
+
*/
|
|
7
|
+
export function sanitizeNqlValue(value) {
|
|
8
|
+
if (!value) return value;
|
|
9
|
+
// Escape backslashes first, then quotes
|
|
10
|
+
return value.replace(/\\/g, '\\\\').replace(/'/g, "\\'").replace(/"/g, '\\"');
|
|
11
|
+
}
|
|
@@ -147,7 +147,23 @@ const validateImageUrl = (url) => {
|
|
|
147
147
|
};
|
|
148
148
|
|
|
149
149
|
/**
|
|
150
|
-
*
|
|
150
|
+
* Creates a beforeRedirect callback that validates each redirect target against
|
|
151
|
+
* the same SSRF rules applied to the initial URL.
|
|
152
|
+
* @returns {function} Axios beforeRedirect callback
|
|
153
|
+
*/
|
|
154
|
+
const createBeforeRedirect = () => {
|
|
155
|
+
return (options) => {
|
|
156
|
+
const redirectUrl = `${options.protocol}//${options.hostname}${options.path}`;
|
|
157
|
+
const validation = validateImageUrl(redirectUrl);
|
|
158
|
+
if (!validation.isValid) {
|
|
159
|
+
throw new Error(`Redirect blocked: ${validation.error}`);
|
|
160
|
+
}
|
|
161
|
+
};
|
|
162
|
+
};
|
|
163
|
+
|
|
164
|
+
// Note: DNS rebinding (TOCTOU) attacks are not mitigated by hostname-based validation
|
|
165
|
+
/**
|
|
166
|
+
* Configures axios with security settings for external requests.
|
|
151
167
|
* @param {string} url - The validated URL to request
|
|
152
168
|
* @returns {object} Axios configuration with security settings
|
|
153
169
|
*/
|
|
@@ -159,10 +175,17 @@ const createSecureAxiosConfig = (url) => {
|
|
|
159
175
|
maxRedirects: 3, // Limit redirects
|
|
160
176
|
maxContentLength: 50 * 1024 * 1024, // 50MB max response
|
|
161
177
|
validateStatus: (status) => status >= 200 && status < 300, // Only accept 2xx
|
|
178
|
+
beforeRedirect: createBeforeRedirect(),
|
|
162
179
|
headers: {
|
|
163
180
|
'User-Agent': 'Ghost-MCP-Server/1.0',
|
|
164
181
|
},
|
|
165
182
|
};
|
|
166
183
|
};
|
|
167
184
|
|
|
168
|
-
export {
|
|
185
|
+
export {
|
|
186
|
+
validateImageUrl,
|
|
187
|
+
createSecureAxiosConfig,
|
|
188
|
+
createBeforeRedirect,
|
|
189
|
+
isSafeHost,
|
|
190
|
+
ALLOWED_DOMAINS,
|
|
191
|
+
};
|