@jgardner04/ghost-mcp-server 1.13.5 → 1.14.1

package/src/utils/__tests__/sanitizeErrorPayload.test.js

@@ -0,0 +1,130 @@
+import { describe, it, expect, beforeEach, afterEach } from 'vitest';
+import { sanitizeErrorPayload } from '../sanitizeErrorPayload.js';
+
+describe('sanitizeErrorPayload', () => {
+  const originalEnv = process.env.GHOST_ADMIN_API_KEY;
+
+  beforeEach(() => {
+    process.env.GHOST_ADMIN_API_KEY = '';
+  });
+
+  afterEach(() => {
+    if (originalEnv === undefined) {
+      delete process.env.GHOST_ADMIN_API_KEY;
+    } else {
+      process.env.GHOST_ADMIN_API_KEY = originalEnv;
+    }
+  });
+
+  it('redacts GHOST_ADMIN_API_KEY when it appears verbatim in a nested string', () => {
+    process.env.GHOST_ADMIN_API_KEY = 'super-secret-env-key-value';
+    const input = {
+      error: { message: 'Leaked super-secret-env-key-value in text' },
+      ghost: { originalMessage: 'also super-secret-env-key-value here' },
+    };
+    const out = sanitizeErrorPayload(input);
+    expect(out.error.message).not.toContain('super-secret-env-key-value');
+    expect(out.error.message).toContain('[REDACTED]');
+    expect(out.ghost.originalMessage).not.toContain('super-secret-env-key-value');
+  });
+
+  it('redacts Ghost-shaped admin key literal embedded in text', () => {
+    const key = `${'a'.repeat(24)}:${'b'.repeat(64)}`;
+    const out = sanitizeErrorPayload({
+      error: { message: `Bad auth with ${key} failed` },
+    });
+    expect(out.error.message).not.toContain(key);
+    expect(out.error.message).toContain('[REDACTED]');
+  });
+
+  it('redacts key= token= and access_token= query params on URLs', () => {
+    const out = sanitizeErrorPayload({
+      error: { message: 'GET https://ghost.example/admin?key=abc123&other=fine' },
+      ghost: {
+        originalMessage: 'https://x/y?token=xyz and https://x/y?access_token=qqq',
+      },
+    });
+    expect(out.error.message).toContain('key=[REDACTED]');
+    expect(out.error.message).toContain('other=fine');
+    expect(out.ghost.originalMessage).toContain('token=[REDACTED]');
+    expect(out.ghost.originalMessage).toContain('access_token=[REDACTED]');
+  });
+
+  it('redacts Authorization / Cookie header-style substrings', () => {
+    const out = sanitizeErrorPayload({
+      error: { message: 'Authorization: Bearer abc.def.ghi and Cookie: sess=xyz' },
+    });
+    expect(out.error.message).not.toContain('abc.def.ghi');
+    expect(out.error.message).not.toContain('sess=xyz');
+    expect(out.error.message).toContain('Authorization');
+    expect(out.error.message).toContain('[REDACTED]');
+  });
+
+  it('redacts every value in a multi-value Cookie header', () => {
+    const out = sanitizeErrorPayload({
+      error: { message: 'Cookie: a=first; b=SECRET_SESSION; c=third' },
+    });
+    expect(out.error.message).not.toContain('SECRET_SESSION');
+    expect(out.error.message).not.toContain('a=first');
+    expect(out.error.message).not.toContain('c=third');
+    expect(out.error.message).toContain('Cookie: [REDACTED]');
+  });
+
+  it('redacts Set-Cookie value but preserves attributes (HttpOnly, Secure, Path)', () => {
+    const out = sanitizeErrorPayload({
+      error: { message: 'Set-Cookie: sess=TOKEN_XYZ; HttpOnly; Secure; Path=/' },
+    });
+    expect(out.error.message).not.toContain('TOKEN_XYZ');
+    expect(out.error.message).toContain('Set-Cookie: [REDACTED]');
+    expect(out.error.message).toContain('HttpOnly');
+    expect(out.error.message).toContain('Secure');
+  });
+
+  it('redacts secrets inside string elements of arrays (truncation flag no longer needed)', () => {
+    const out = sanitizeErrorPayload({
+      ghost: {
+        originalMessage: ['https://x/y?key=LEAKED_1', 'https://x/y?token=LEAKED_2'],
+      },
+    });
+    expect(JSON.stringify(out)).not.toContain('LEAKED_1');
+    expect(JSON.stringify(out)).not.toContain('LEAKED_2');
+    expect(out.ghost.originalMessage[0]).toContain('key=[REDACTED]');
+    expect(out.ghost.originalMessage[1]).toContain('token=[REDACTED]');
+  });
+
+  it('leaves benign content untouched', () => {
+    const input = {
+      error: { message: 'Title is required', code: 'GHOST_VALIDATION_ERROR', statusCode: 400 },
+      ghost: {
+        operation: 'posts.edit',
+        statusCode: 422,
+        originalMessage: 'Post title cannot be blank',
+      },
+    };
+    const out = sanitizeErrorPayload(input);
+    expect(out).toEqual(input);
+  });
+
+  it('truncates long originalMessage', () => {
+    const longMsg = 'x'.repeat(5000);
+    const out = sanitizeErrorPayload({
+      ghost: { originalMessage: longMsg },
+    });
+    expect(out.ghost.originalMessage.length).toBeLessThan(longMsg.length);
+    expect(out.ghost.originalMessage).toContain('[truncated]');
+  });
+
+  it('does not redact env key when env var is empty', () => {
+    process.env.GHOST_ADMIN_API_KEY = '';
+    const out = sanitizeErrorPayload({ error: { message: 'harmless text' } });
+    expect(out.error.message).toBe('harmless text');
+  });
+
+  it('does not mutate the input object', () => {
+    process.env.GHOST_ADMIN_API_KEY = 'SECRET';
+    const input = { error: { message: 'contains SECRET' } };
+    const snapshot = JSON.parse(JSON.stringify(input));
+    sanitizeErrorPayload(input);
+    expect(input).toEqual(snapshot);
+  });
+});

package/src/utils/__tests__/validation.test.js

@@ -54,11 +54,14 @@ describe('validateToolInput', () => {
       const result = validateToolInput(testSchema, { name: '' }, 'test_tool');
 
       expect(result.success).toBe(false);
-      const errorObj = JSON.parse(result.errorResponse.content[0].text);
-      expect(errorObj.name).toBe('ValidationError');
-      expect(errorObj.code).toBe('VALIDATION_ERROR');
-      expect(errorObj.statusCode).toBe(400);
-      expect(errorObj.message).toContain('Validation failed');
+      const text = result.errorResponse.content[0].text;
+      const jsonMatch = text.match(/```json\n([\s\S]+?)\n```/);
+      expect(jsonMatch).toBeTruthy();
+      const envelope = JSON.parse(jsonMatch[1]);
+      expect(envelope.error.name).toBe('ValidationError');
+      expect(envelope.error.code).toBe('VALIDATION_ERROR');
+      expect(envelope.error.statusCode).toBe(400);
+      expect(envelope.error.message).toContain('Validation failed');
     });
   });
 
@@ -141,8 +144,11 @@ describe('validateToolInput', () => {
 
       expect(result.success).toBe(false);
       expect(result.errorResponse.isError).toBe(true);
-      const errorObj = JSON.parse(result.errorResponse.content[0].text);
-      expect(errorObj.code).toBe('VALIDATION_ERROR');
+      const text = result.errorResponse.content[0].text;
+      const jsonMatch = text.match(/```json\n([\s\S]+?)\n```/);
+      expect(jsonMatch).toBeTruthy();
+      const envelope = JSON.parse(jsonMatch[1]);
+      expect(envelope.error.code).toBe('VALIDATION_ERROR');
     });
 
     it('should pass validation when refinement is satisfied', () => {

package/src/utils/formatErrorResponse.js

@@ -0,0 +1,63 @@
+import { BaseError, GhostAPIError, ValidationError } from '../errors/index.js';
+import { sanitizeErrorPayload } from './sanitizeErrorPayload.js';
+
+/**
+ * Builds an MCP tool error response with a consistent envelope shape.
+ * All errors produce `{ error: {...} }`; GhostAPIError additionally includes
+ * a gated `ghost` sub-object with Ghost-specific diagnostic fields. Callers
+ * may pass an optional `extra` object whose contents will be merged into the
+ * envelope under an `extra` key and sanitized alongside the rest.
+ *
+ * @param {Error} error - The caught error.
+ * @param {string} toolName - MCP tool name for the human-readable summary line.
+ * @param {object} [extra] - Optional caller-supplied context; sanitized with the envelope.
+ * @returns {{content: {type: string, text: string}[], isError: true}}
+ */
+export function formatErrorResponse(error, toolName, extra) {
+  // Duck-type ZodError so we don't couple this module to the zod runtime.
+  const normalized =
+    error?.name === 'ZodError' && Array.isArray(error.issues)
+      ? ValidationError.fromZod(error, toolName)
+      : error;
+
+  const base =
+    normalized instanceof BaseError
+      ? normalized.toJSON()
+      : {
+          name: normalized?.name || 'Error',
+          message: normalized?.message || String(normalized),
+          code: 'UNKNOWN',
+          statusCode: 500,
+        };
+
+  const envelope = { error: base };
+
+  if (normalized instanceof GhostAPIError) {
+    envelope.ghost = {
+      operation: normalized.operation,
+      statusCode: normalized.ghostStatusCode,
+      // normalized.originalError is already a string (coerced by ExternalServiceError constructor);
+      // coerce again defensively so the sanitizer always receives a string, not an Error object.
+      originalMessage:
+        typeof normalized.originalError === 'string'
+          ? normalized.originalError
+          : (normalized.originalError?.message ?? String(normalized.originalError)),
+    };
+  }
+
+  if (extra && typeof extra === 'object' && Object.keys(extra).length > 0) {
+    envelope.extra = extra;
+  }
+
+  const sanitized = sanitizeErrorPayload(envelope);
+  const summary = sanitized.ghost
+    ? `Error in ${toolName}: ${sanitized.error.name} [${sanitized.ghost.statusCode ?? '?'} ${sanitized.error.code}] ${sanitized.ghost.operation ?? '?'}: ${sanitized.ghost.originalMessage ?? sanitized.error.message}`
+    : `Error in ${toolName}: ${sanitized.error.message}`;
+
+  const body = `${summary}\n\n\`\`\`json\n${JSON.stringify(sanitized, null, 2)}\n\`\`\``;
+
+  return {
+    content: [{ type: 'text', text: body }],
+    isError: true,
+  };
+}

package/src/utils/imageInputResolver.js

@@ -0,0 +1,127 @@
+import fs from 'fs/promises';
+import path from 'path';
+import os from 'os';
+import crypto from 'crypto';
+
+export const MAX_BASE64_BYTES = 5 * 1024 * 1024; // 5 MB decoded — respects MCP transport limits
+
+const EXT_BY_MIME = {
+  'image/jpeg': '.jpg',
+  'image/jpg': '.jpg',
+  'image/png': '.png',
+  'image/gif': '.gif',
+  'image/webp': '.webp',
+  'image/svg+xml': '.svg',
+  'image/vnd.microsoft.icon': '.ico',
+  'image/x-icon': '.ico',
+};
+
+/**
+ * Resolve a caller-supplied local image path against `GHOST_MCP_IMAGE_ROOT`.
+ *
+ * Local-file input is *opt-in*: without the env var set, this function
+ * refuses every path. That prevents a compromised MCP client from reading
+ * arbitrary files via the upload tool. When set, the path must:
+ *   - resolve inside the root,
+ *   - exist,
+ *   - not be a symlink that escapes the root.
+ *
+ * @param {string} inputPath - Absolute or relative path supplied by caller.
+ * @returns {Promise<string>} Absolute real path to the image file.
+ */
+export async function resolveLocalImagePath(inputPath) {
+  const root = process.env.GHOST_MCP_IMAGE_ROOT;
+  if (!root) {
+    throw new Error(
+      'imagePath input is disabled: GHOST_MCP_IMAGE_ROOT is not set. ' +
+        'Set it to the directory from which local uploads are allowed.'
+    );
+  }
+  if (typeof inputPath !== 'string' || inputPath.length === 0) {
+    throw new Error('imagePath must be a non-empty string');
+  }
+
+  // Canonicalize the root too — on macOS `/var` resolves to `/private/var`
+  // via realpath, which would otherwise cause false symlink-escape errors.
+  let canonicalRoot;
+  try {
+    canonicalRoot = await fs.realpath(path.resolve(root));
+  } catch {
+    throw new Error(`GHOST_MCP_IMAGE_ROOT does not exist: ${root}`);
+  }
+
+  const resolved = path.resolve(inputPath);
+  // First check the textual path — catches `..` traversal before any FS I/O.
+  const resolvedStart = path.resolve(root);
+  const textuallyInside =
+    resolved === resolvedStart || resolved.startsWith(resolvedStart + path.sep);
+  if (!textuallyInside) {
+    throw new Error(`imagePath is outside the allowed root (${canonicalRoot})`);
+  }
+
+  let stat;
+  try {
+    stat = await fs.stat(resolved);
+  } catch {
+    throw new Error(`imagePath does not exist: ${resolved}`);
+  }
+  if (!stat.isFile()) {
+    throw new Error(`imagePath is not a regular file: ${resolved}`);
+  }
+
+  // Resolve symlinks and re-check containment against the canonical root.
+  const realPath = await fs.realpath(resolved);
+  const realInside = realPath === canonicalRoot || realPath.startsWith(canonicalRoot + path.sep);
+  if (!realInside) {
+    throw new Error(`imagePath symlink escapes the allowed root (${canonicalRoot})`);
+  }
+
+  return realPath;
+}
+
+/**
+ * Decode a base64-encoded image to a fresh temp file.
+ *
+ * Accepts either a bare base64 string or a full `data:<mime>;base64,<data>`
+ * URI. Caps the decoded payload at MAX_BASE64_BYTES to respect MCP
+ * JSON-RPC transport limits — base64 payloads are inline in the tool
+ * call, and stdio transports choke on very large frames.
+ *
+ * @param {string} base64 - Raw base64 or data URI.
+ * @param {string} mimeType - MIME type (used to pick the temp file extension).
+ * @returns {Promise<string>} Absolute path to the decoded temp file.
+ */
+export async function decodeBase64ToTempFile(base64, mimeType) {
+  if (typeof base64 !== 'string' || base64.length === 0) {
+    throw new Error('imageBase64 must be a non-empty string');
+  }
+  const ext = EXT_BY_MIME[(mimeType || '').toLowerCase()];
+  if (!ext) {
+    throw new Error(
+      `Unsupported mimeType: ${mimeType}. Allowed: ${Object.keys(EXT_BY_MIME).join(', ')}`
+    );
+  }
+
+  // Strip optional "data:<mime>;base64," prefix.
+  const payload = base64.startsWith('data:') ? base64.split(',', 2)[1] : base64;
+  if (!payload) throw new Error('Invalid base64 payload');
+
+  // Reject obviously non-base64 input cheaply before allocating.
+  if (!/^[A-Za-z0-9+/=\s]+$/.test(payload)) {
+    throw new Error('Invalid base64 input');
+  }
+
+  const buf = Buffer.from(payload, 'base64');
+  if (buf.length === 0) {
+    throw new Error('Invalid base64 input');
+  }
+  if (buf.length > MAX_BASE64_BYTES) {
+    throw new Error(
+      `imageBase64 decoded size (${buf.length} bytes) exceeds the 5MB limit for MCP transport`
+    );
+  }
+
+  const outPath = path.join(os.tmpdir(), `mcp-b64-${crypto.randomUUID()}${ext}`);
+  await fs.writeFile(outPath, buf);
+  return outPath;
+}

package/src/utils/sanitizeErrorPayload.js

@@ -0,0 +1,67 @@
+/**
+ * Sole chokepoint for sanitizing error payloads surfaced to MCP clients.
+ * Walks the envelope and replaces values that could leak credentials.
+ */
+
+const GHOST_KEY_PATTERN = /[0-9a-f]{24}:[0-9a-f]{64}/gi;
+const URL_SECRET_QS_PATTERN = /([?&](?:key|token|access_token)=)[^&\s"']+/gi;
+// Authorization / Set-Cookie values stop at ';' (Set-Cookie attributes like
+// HttpOnly/Secure are not secrets). A bare `Cookie` header can contain multiple
+// `name=value` pairs separated by ';' — all of which may be session tokens — so
+// it gets a separate, greedier pattern that stops only at end-of-line.
+const AUTH_HEADER_PATTERN = /(Authorization|Set-Cookie)\s*[:=]\s*[^\r\n,;]+/gi;
+// Negative look-behind so this pattern matches a bare `Cookie:` header but not
+// the `Cookie` substring inside `Set-Cookie:` (handled by AUTH_HEADER_PATTERN).
+const COOKIE_HEADER_PATTERN = /(?<!Set-)(Cookie)\s*[:=]\s*[^\r\n]+/gi;
+const REDACTED = '[REDACTED]';
+const ORIGINAL_MESSAGE_MAX_BYTES = 2048;
+
+function redactString(value, envKey) {
+  if (typeof value !== 'string' || value.length === 0) return value;
+  let out = value;
+  if (envKey) {
+    out = out.replaceAll(envKey, REDACTED);
+  }
+  out = out.replace(GHOST_KEY_PATTERN, REDACTED);
+  out = out.replace(URL_SECRET_QS_PATTERN, `$1${REDACTED}`);
+  out = out.replace(AUTH_HEADER_PATTERN, `$1: ${REDACTED}`);
+  out = out.replace(COOKIE_HEADER_PATTERN, `$1: ${REDACTED}`);
+  return out;
+}
+
+function truncate(value, maxBytes) {
+  if (typeof value !== 'string') return value;
+  if (Buffer.byteLength(value, 'utf8') <= maxBytes) return value;
+  // Slice by bytes (not chars) to honour the byte limit even for multibyte content.
+  return `${Buffer.from(value, 'utf8').subarray(0, maxBytes).toString('utf8')}…[truncated]`;
+}
+
+function walk(node, envKey) {
+  if (node === null || node === undefined) return node;
+  if (typeof node === 'string') return redactString(node, envKey);
+  if (Array.isArray(node)) return node.map((item) => walk(item, envKey));
+  if (typeof node === 'object') {
+    const result = {};
+    for (const [k, v] of Object.entries(node)) {
+      const walked = walk(v, envKey);
+      result[k] =
+        k === 'originalMessage' && typeof walked === 'string'
+          ? truncate(walked, ORIGINAL_MESSAGE_MAX_BYTES)
+          : walked;
+    }
+    return result;
+  }
+  return node;
+}
+
+/**
+ * Deep-walks an error envelope and redacts known secret patterns.
+ * Non-destructive: returns a new object; does not mutate input.
+ *
+ * @param {object} envelope - Error envelope object.
+ * @returns {object} Sanitized envelope.
+ */
+export function sanitizeErrorPayload(envelope) {
+  const envKey = process.env.GHOST_ADMIN_API_KEY || '';
+  return walk(envelope, envKey);
+}

package/src/utils/validation.js

@@ -3,6 +3,7 @@
  * Provides explicit Zod validation to ensure input is validated at handler entry points.
  */
 import { ValidationError } from '../errors/index.js';
+import { formatErrorResponse } from './formatErrorResponse.js';
 
 /**
  * Validates tool input against a Zod schema and returns a structured result.
@@ -18,10 +19,7 @@ export const validateToolInput = (schema, input, toolName) => {
     const error = ValidationError.fromZod(result.error, toolName);
     return {
       success: false,
-      errorResponse: {
-        content: [{ type: 'text', text: JSON.stringify(error.toJSON(), null, 2) }],
-        isError: true,
-      },
+      errorResponse: formatErrorResponse(error, toolName),
     };
   }
   return { success: true, data: result.data };