@jgardner04/ghost-mcp-server 1.14.3 → 1.14.4

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@jgardner04/ghost-mcp-server",
-  "version": "1.14.3",
+  "version": "1.14.4",
   "description": "A Model Context Protocol (MCP) server for interacting with Ghost CMS via the Admin API",
   "author": "Jonathan Gardner",
   "type": "module",

package/src/utils/__tests__/urlValidator.test.js

@@ -377,6 +377,40 @@ describe('urlValidator', () => {
         expect(result.isValid).toBe(true);
       });
     });
+
+    // Regression tests for JON-151: the previous two-parser sequence
+    // (Joi.uri() + new URL()) could disagree on these edge cases, opening a
+    // path-around-isSafeHost SSRF window. The single-parser pipeline must
+    // either reject these or canonicalize them consistently with new URL().
+    describe('parse-disagreement regressions (JON-151)', () => {
+      it('should reject credentials-prefixed URL whose true host is private (127.0.0.1)', () => {
+        // WHATWG: hostname is 127.0.0.1. A naive parser that split on '@' the
+        // wrong way could see "imgur.com" and let this through. isSafeHost
+        // must see 127.0.0.1 and reject.
+        const result = validateImageUrl('https://imgur.com@127.0.0.1/image.jpg');
+        expect(result.isValid).toBe(false);
+      });
+
+      it('should reject Unicode hostname not on the allowlist', () => {
+        // new URL('https://☃.com/') canonicalizes the host to xn--n3h.com
+        // (Punycode). Either form must be rejected — neither is allowlisted.
+        const result = validateImageUrl('https://☃.com/image.jpg');
+        expect(result.isValid).toBe(false);
+      });
+
+      it('should reject Punycode hostname not on the allowlist', () => {
+        const result = validateImageUrl('https://xn--n3h.com/image.jpg');
+        expect(result.isValid).toBe(false);
+      });
+
+      it('should reject IPv6 loopback with zone ID', () => {
+        // [::1%25eth0] is the percent-encoded form of [::1%eth0]. The host is
+        // still ::1 — the SSRF guard must catch it regardless of whether the
+        // parser accepts the zone-ID syntax or rejects the URL outright.
+        const result = validateImageUrl('http://[::1%25eth0]/image.jpg');
+        expect(result.isValid).toBe(false);
+      });
+    });
   });
 
   describe('createSecureAxiosConfig', () => {

package/src/utils/urlValidator.js

@@ -1,4 +1,4 @@
-import Joi from 'joi';
+import { z } from 'zod';
 import { URL } from 'url';
 
 // Configure allowed domains for image downloads
@@ -69,6 +69,25 @@ const isSafeHost = (hostname) => {
   );
 };
 
+// Single-parser URL schema. z.string().url() uses the WHATWG URL parser
+// (same engine as new URL() below), so the schema check and the subsequent
+// hostname extraction cannot disagree on edge cases like embedded
+// credentials, IDN/Unicode, or IPv6 zone IDs. See JON-151.
+const urlSchema = z
+  .string()
+  .url()
+  .refine(
+    (s) => {
+      try {
+        const proto = new URL(s).protocol;
+        return proto === 'http:' || proto === 'https:';
+      } catch {
+        return false;
+      }
+    },
+    { message: 'must use http or https scheme' }
+  );
+
 /**
  * Validates and sanitizes a URL for safe external requests
  * @param {string} url - The URL to validate
@@ -76,19 +95,11 @@ const isSafeHost = (hostname) => {
  */
 const validateImageUrl = (url) => {
   try {
-    // Basic URL validation with Joi
-    const urlSchema = Joi.string()
-      .uri({
-        scheme: ['http', 'https'],
-        allowRelative: false,
-      })
-      .required();
-
-    const validation = urlSchema.validate(url);
-    if (validation.error) {
+    const result = urlSchema.safeParse(url);
+    if (!result.success) {
       return {
         isValid: false,
-        error: `Invalid URL format: ${validation.error.details[0].message}`,
+        error: `Invalid URL format: ${result.error.issues[0].message}`,
       };
     }