@jgardner04/ghost-mcp-server 1.14.2 → 1.14.4

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@jgardner04/ghost-mcp-server",
-  "version": "1.14.2",
+  "version": "1.14.4",
   "description": "A Model Context Protocol (MCP) server for interacting with Ghost CMS via the Admin API",
   "author": "Jonathan Gardner",
   "type": "module",

package/src/__tests__/helpers/testUtils.js

@@ -117,3 +117,25 @@ export async function waitFor(condition, timeout = 5000, interval = 100) {
 export function delay(ms) {
   return new Promise((resolve) => setTimeout(resolve, ms));
 }
+
+/**
+ * Asserts that a promise rejects with a specific error type and message.
+ * Combines the common double `.rejects` pattern into a single call.
+ *
+ * @param {Promise} promise - The promise expected to reject
+ * @param {Function} ErrorClass - The expected error constructor (e.g., NotFoundError)
+ * @param {string|RegExp} message - The expected error message (string or regex)
+ *
+ * @example
+ * import { expectRejection } from '../helpers/testUtils.js';
+ *
+ * await expectRejection(
+ *   updateMember('non-existent', { name: 'Test' }),
+ *   NotFoundError,
+ *   'Member not found'
+ * );
+ */
+export async function expectRejection(promise, ErrorClass, message) {
+  await expect(promise).rejects.toBeInstanceOf(ErrorClass);
+  await expect(promise).rejects.toThrow(message);
+}

package/src/services/__tests__/ghostServiceImproved.members.test.js

@@ -1,6 +1,6 @@
 import { describe, it, expect, vi, beforeEach } from 'vitest';
 import { createMockContextLogger } from '../../__tests__/helpers/mockLogger.js';
-import { mockDotenv } from '../../__tests__/helpers/testUtils.js';
+import { mockDotenv, expectRejection } from '../../__tests__/helpers/testUtils.js';
 import { mockGhostApiModule } from '../../__tests__/helpers/mockGhostApi.js';
 
 // Mock the Ghost Admin API using shared mock factory
@@ -187,9 +187,11 @@ describe('ghostServiceImproved - Members', () => {
       const error404 = new GhostAPIError('members.read', 'Member not found', 404);
       api.members.read.mockRejectedValue(error404);
 
-      const rejection = updateMember('non-existent', { name: 'Test' });
-      await expect(rejection).rejects.toBeInstanceOf(NotFoundError);
-      await expect(rejection).rejects.toThrow('Member not found');
+      await expectRejection(
+        updateMember('non-existent', { name: 'Test' }),
+        NotFoundError,
+        'Member not found'
+      );
     });
   });
 
@@ -213,9 +215,7 @@ describe('ghostServiceImproved - Members', () => {
       const error404 = new GhostAPIError('members.delete', 'Member not found', 404);
       api.members.delete.mockRejectedValue(error404);
 
-      const rejection = deleteMember('non-existent');
-      await expect(rejection).rejects.toBeInstanceOf(NotFoundError);
-      await expect(rejection).rejects.toThrow('Member not found');
+      await expectRejection(deleteMember('non-existent'), NotFoundError, 'Member not found');
     });
   });
 
@@ -360,9 +360,7 @@ describe('ghostServiceImproved - Members', () => {
       const error404 = new GhostAPIError('members.read', 'Member not found', 404);
       api.members.read.mockRejectedValue(error404);
 
-      const rejection = getMember({ id: 'non-existent' });
-      await expect(rejection).rejects.toBeInstanceOf(NotFoundError);
-      await expect(rejection).rejects.toThrow('Member not found');
+      await expectRejection(getMember({ id: 'non-existent' }), NotFoundError, 'Member not found');
     });
 
     it('should throw not found error when member not found by email', async () => {

package/src/services/__tests__/ghostServiceImproved.pages.test.js

@@ -1,6 +1,6 @@
 import { describe, it, expect, vi, beforeEach } from 'vitest';
 import { createMockContextLogger } from '../../__tests__/helpers/mockLogger.js';
-import { mockDotenv } from '../../__tests__/helpers/testUtils.js';
+import { mockDotenv, expectRejection } from '../../__tests__/helpers/testUtils.js';
 import { mockGhostApiModule } from '../../__tests__/helpers/mockGhostApi.js';
 
 // Mock the Ghost Admin API using shared mock factory
@@ -210,9 +210,11 @@ describe('ghostServiceImproved - Pages', () => {
       error422.response = { status: 422 };
       api.pages.add.mockRejectedValue(error422);
 
-      const rejection = createPage({ title: 'Test', html: '<p>Content</p>' });
-      await expect(rejection).rejects.toBeInstanceOf(ValidationError);
-      await expect(rejection).rejects.toThrow('Page creation failed due to validation errors');
+      await expectRejection(
+        createPage({ title: 'Test', html: '<p>Content</p>' }),
+        ValidationError,
+        'Page creation failed due to validation errors'
+      );
     });
 
     it('should NOT include tags in page creation (pages do not support tags)', async () => {
@@ -276,9 +278,11 @@ describe('ghostServiceImproved - Pages', () => {
       const error404 = new GhostAPIError('pages.read', 'Page not found', 404);
       api.pages.read.mockRejectedValue(error404);
 
-      const rejection = updatePage('nonexistent-id', { title: 'Updated' });
-      await expect(rejection).rejects.toBeInstanceOf(NotFoundError);
-      await expect(rejection).rejects.toThrow('Page not found');
+      await expectRejection(
+        updatePage('nonexistent-id', { title: 'Updated' }),
+        NotFoundError,
+        'Page not found'
+      );
     });
 
     it('should preserve updated_at timestamp for conflict resolution', async () => {
@@ -388,9 +392,7 @@ describe('ghostServiceImproved - Pages', () => {
       const error404 = new GhostAPIError('pages.delete', 'Page not found', 404);
       api.pages.delete.mockRejectedValue(error404);
 
-      const rejection = deletePage('nonexistent-id');
-      await expect(rejection).rejects.toBeInstanceOf(NotFoundError);
-      await expect(rejection).rejects.toThrow('Page not found');
+      await expectRejection(deletePage('nonexistent-id'), NotFoundError, 'Page not found');
     });
   });
 
@@ -437,9 +439,7 @@ describe('ghostServiceImproved - Pages', () => {
       const error404 = new GhostAPIError('pages.read', 'Page not found', 404);
       api.pages.read.mockRejectedValue(error404);
 
-      const rejection = getPage('nonexistent-id');
-      await expect(rejection).rejects.toBeInstanceOf(NotFoundError);
-      await expect(rejection).rejects.toThrow('Page not found');
+      await expectRejection(getPage('nonexistent-id'), NotFoundError, 'Page not found');
     });
   });
 

package/src/services/__tests__/ghostServiceImproved.posts.test.js

@@ -1,6 +1,6 @@
 import { describe, it, expect, vi, beforeEach } from 'vitest';
 import { createMockContextLogger } from '../../__tests__/helpers/mockLogger.js';
-import { mockDotenv } from '../../__tests__/helpers/testUtils.js';
+import { mockDotenv, expectRejection } from '../../__tests__/helpers/testUtils.js';
 import { mockGhostApiModule } from '../../__tests__/helpers/mockGhostApi.js';
 
 // Mock the Ghost Admin API using shared mock factory
@@ -95,9 +95,11 @@ describe('ghostServiceImproved - Posts (updatePost)', () => {
       const error404 = new GhostAPIError('posts.read', 'Post not found', 404);
       api.posts.read.mockRejectedValue(error404);
 
-      const rejection = updatePost('nonexistent-id', { title: 'Updated' });
-      await expect(rejection).rejects.toBeInstanceOf(NotFoundError);
-      await expect(rejection).rejects.toThrow('Post not found');
+      await expectRejection(
+        updatePost('nonexistent-id', { title: 'Updated' }),
+        NotFoundError,
+        'Post not found'
+      );
     });
 
     it('should throw ValidationError when updating to scheduled without published_at', async () => {

package/src/services/__tests__/ghostServiceImproved.tags.test.js

@@ -1,6 +1,6 @@
 import { describe, it, expect, vi, beforeEach } from 'vitest';
 import { createMockContextLogger } from '../../__tests__/helpers/mockLogger.js';
-import { mockDotenv } from '../../__tests__/helpers/testUtils.js';
+import { mockDotenv, expectRejection } from '../../__tests__/helpers/testUtils.js';
 import { mockGhostApiModule } from '../../__tests__/helpers/mockGhostApi.js';
 
 // Mock the Ghost Admin API using shared mock factory
@@ -254,9 +254,7 @@ describe('ghostServiceImproved - Tags', () => {
       const error404 = new GhostAPIError('tags.read', 'Tag not found', 404);
       api.tags.read.mockRejectedValue(error404);
 
-      const rejection = getTag('non-existent');
-      await expect(rejection).rejects.toBeInstanceOf(NotFoundError);
-      await expect(rejection).rejects.toThrow('Tag not found');
+      await expectRejection(getTag('non-existent'), NotFoundError, 'Tag not found');
     });
   });
 
@@ -412,9 +410,11 @@ describe('ghostServiceImproved - Tags', () => {
       const error404 = new GhostAPIError('tags.read', 'Tag not found', 404);
       api.tags.read.mockRejectedValue(error404);
 
-      const rejection = updateTag('non-existent', { name: 'Test' });
-      await expect(rejection).rejects.toBeInstanceOf(NotFoundError);
-      await expect(rejection).rejects.toThrow('Tag not found');
+      await expectRejection(
+        updateTag('non-existent', { name: 'Test' }),
+        NotFoundError,
+        'Tag not found'
+      );
     });
   });
 
@@ -438,9 +438,7 @@ describe('ghostServiceImproved - Tags', () => {
       const error404 = new GhostAPIError('tags.delete', 'Tag not found', 404);
       api.tags.delete.mockRejectedValue(error404);
 
-      const rejection = deleteTag('non-existent');
-      await expect(rejection).rejects.toBeInstanceOf(NotFoundError);
-      await expect(rejection).rejects.toThrow('Tag not found');
+      await expectRejection(deleteTag('non-existent'), NotFoundError, 'Tag not found');
     });
   });
 });

package/src/utils/__tests__/urlValidator.test.js

@@ -377,6 +377,40 @@ describe('urlValidator', () => {
         expect(result.isValid).toBe(true);
       });
     });
+
+    // Regression tests for JON-151: the previous two-parser sequence
+    // (Joi.uri() + new URL()) could disagree on these edge cases, opening a
+    // path-around-isSafeHost SSRF window. The single-parser pipeline must
+    // either reject these or canonicalize them consistently with new URL().
+    describe('parse-disagreement regressions (JON-151)', () => {
+      it('should reject credentials-prefixed URL whose true host is private (127.0.0.1)', () => {
+        // WHATWG: hostname is 127.0.0.1. A naive parser that split on '@' the
+        // wrong way could see "imgur.com" and let this through. isSafeHost
+        // must see 127.0.0.1 and reject.
+        const result = validateImageUrl('https://imgur.com@127.0.0.1/image.jpg');
+        expect(result.isValid).toBe(false);
+      });
+
+      it('should reject Unicode hostname not on the allowlist', () => {
+        // new URL('https://☃.com/') canonicalizes the host to xn--n3h.com
+        // (Punycode). Either form must be rejected — neither is allowlisted.
+        const result = validateImageUrl('https://☃.com/image.jpg');
+        expect(result.isValid).toBe(false);
+      });
+
+      it('should reject Punycode hostname not on the allowlist', () => {
+        const result = validateImageUrl('https://xn--n3h.com/image.jpg');
+        expect(result.isValid).toBe(false);
+      });
+
+      it('should reject IPv6 loopback with zone ID', () => {
+        // [::1%25eth0] is the percent-encoded form of [::1%eth0]. The host is
+        // still ::1 — the SSRF guard must catch it regardless of whether the
+        // parser accepts the zone-ID syntax or rejects the URL outright.
+        const result = validateImageUrl('http://[::1%25eth0]/image.jpg');
+        expect(result.isValid).toBe(false);
+      });
+    });
   });
 
   describe('createSecureAxiosConfig', () => {

package/src/utils/urlValidator.js

@@ -1,4 +1,4 @@
-import Joi from 'joi';
+import { z } from 'zod';
 import { URL } from 'url';
 
 // Configure allowed domains for image downloads
@@ -69,6 +69,25 @@ const isSafeHost = (hostname) => {
   );
 };
 
+// Single-parser URL schema. z.string().url() uses the WHATWG URL parser
+// (same engine as new URL() below), so the schema check and the subsequent
+// hostname extraction cannot disagree on edge cases like embedded
+// credentials, IDN/Unicode, or IPv6 zone IDs. See JON-151.
+const urlSchema = z
+  .string()
+  .url()
+  .refine(
+    (s) => {
+      try {
+        const proto = new URL(s).protocol;
+        return proto === 'http:' || proto === 'https:';
+      } catch {
+        return false;
+      }
+    },
+    { message: 'must use http or https scheme' }
+  );
+
 /**
  * Validates and sanitizes a URL for safe external requests
  * @param {string} url - The URL to validate
@@ -76,19 +95,11 @@ const isSafeHost = (hostname) => {
  */
 const validateImageUrl = (url) => {
   try {
-    // Basic URL validation with Joi
-    const urlSchema = Joi.string()
-      .uri({
-        scheme: ['http', 'https'],
-        allowRelative: false,
-      })
-      .required();
-
-    const validation = urlSchema.validate(url);
-    if (validation.error) {
+    const result = urlSchema.safeParse(url);
+    if (!result.success) {
       return {
         isValid: false,
-        error: `Invalid URL format: ${validation.error.details[0].message}`,
+        error: `Invalid URL format: ${result.error.issues[0].message}`,
       };
     }