@mehmoodqureshi/chrome-mcp 0.2.0 → 0.4.0

package/dist/src/mcp/tools.js

@@ -12,9 +12,11 @@
  */
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.TOOL_HANDLERS = exports.TOOL_DEFINITIONS = void 0;
+exports.resetRateLimiter = resetRateLimiter;
 exports.dispatchToolCall = dispatchToolCall;
 exports.assertNoDrift = assertNoDrift;
 exports.registerTools = registerTools;
+const node_path_1 = require("node:path");
 const types_js_1 = require("@modelcontextprotocol/sdk/types.js");
 const types_1 = require("../executor/types");
 const manager_1 = require("../executor/manager");
@@ -59,6 +61,7 @@ exports.TOOL_DEFINITIONS = [
     { name: 'read_as_markdown', description: 'Read the page (or subtree) as readable markdown.', inputSchema: obj({ selector: { type: 'string' }, tabId: { type: 'string' } }) },
     { name: 'fill_form', description: 'Fill multiple fields (keyed by selector) and optionally submit.', inputSchema: obj({ fields: { type: 'object' }, submitSelector: { type: 'string' }, tabId: { type: 'string' } }, ['fields']) },
     { name: 'download_file', description: 'Download a file by URL or from a link element.', inputSchema: obj({ url: { type: 'string' }, ...TARGET_PROPS, suggestedName: { type: 'string' }, tabId: { type: 'string' } }) },
+    { name: 'upload_file', description: 'Set local file(s) on a file <input> (target by selector or ref) — uploads without the OS dialog. Requires --enable-uploads. `files` are absolute local paths.', inputSchema: obj({ ...TARGET_PROPS, files: { type: 'array', items: { type: 'string' } }, tabId: { type: 'string' } }, ['files']) },
     { name: 'chrome_status', description: 'Report backend/session status.', inputSchema: obj({}) },
 ];
 /** Resolve the URL the policy should be evaluated against (the active tab). */
@@ -122,7 +125,7 @@ exports.TOOL_HANDLERS = {
     type: async (a, ctx) => {
         const t = (0, validators_1.requireTarget)(a);
         await gate(ctx, 'type');
-        return (0, envelopes_1.jsonResult)(await ctx.ex.type(t, (0, validators_1.requireString)(a, 'text'), {
+        return (0, envelopes_1.jsonResult)(await ctx.ex.type(t, (0, validators_1.requireWithinLength)((0, validators_1.requireString)(a, 'text'), 'text', validators_1.MAX_TEXT_LEN), {
             tabId: tabId(a),
             clear: (0, validators_1.optionalBoolean)(a, 'clear'),
             pressEnter: (0, validators_1.optionalBoolean)(a, 'pressEnter'),
@@ -241,6 +244,10 @@ exports.TOOL_HANDLERS = {
         if (typeof fields !== 'object' || fields === null || Array.isArray(fields)) {
             throw new validators_1.McpToolError('"fields" must be an object mapping selector -> string|boolean');
         }
+        for (const [sel, val] of Object.entries(fields)) {
+            if (typeof val === 'string')
+                (0, validators_1.requireWithinLength)(val, `fields["${sel}"]`, validators_1.MAX_TEXT_LEN);
+        }
         return (0, envelopes_1.jsonResult)(await (0, helpers_1.fillForm)(ctx.ex, {
             fields: fields,
             submitSelector: (0, validators_1.optionalString)(a, 'submitSelector'),
@@ -255,6 +262,25 @@ exports.TOOL_HANDLERS = {
             throw new validators_1.McpToolError('provide "url" or a target (selector|ref)');
         return (0, envelopes_1.jsonResult)(await ctx.ex.download({ url, target, tabId: tabId(a), suggestedName: (0, validators_1.optionalString)(a, 'suggestedName') }));
     },
+    upload_file: async (a, ctx) => {
+        const t = (0, validators_1.requireTarget)(a);
+        await gate(ctx, 'upload_file');
+        const files = (0, validators_1.optionalStringArray)(a, 'files');
+        if (!files || files.length === 0)
+            throw new validators_1.McpToolError('"files" must be a non-empty array of absolute local paths');
+        // Path restriction: if uploadsDir is configured, every file must resolve to a
+        // location inside it (blocks `..` traversal and arbitrary-file exfiltration).
+        if (ctx.policy.uploadsDir) {
+            const dir = (0, node_path_1.resolve)(ctx.policy.uploadsDir);
+            for (const f of files) {
+                const abs = (0, node_path_1.resolve)(f);
+                if (abs !== dir && !abs.startsWith(dir + node_path_1.sep)) {
+                    throw new validators_1.McpToolError(`upload denied: "${f}" is outside the allowed uploads dir (${dir})`);
+                }
+            }
+        }
+        return (0, envelopes_1.jsonResult)(await ctx.ex.uploadFile(t, files, { tabId: tabId(a) }));
+    },
     chrome_status: async (_a, ctx) => (0, envelopes_1.jsonResult)(ctx.ex.status()),
 };
 // ---------------------------------------------------------------------------
@@ -267,10 +293,41 @@ function errMessage(err) {
         return `internal error: ${err.message}`;
     return `internal error: ${String(err)}`;
 }
+// ---------------------------------------------------------------------------
+// Rate limiting — a sliding window over tool calls for the active session.
+// Generous by default so normal use and the test suite are unaffected; tune
+// via the constants below.
+// ---------------------------------------------------------------------------
+/** Max tool calls permitted within `RATE_WINDOW_MS`. */
+const RATE_MAX_CALLS = 600;
+/** Sliding-window length, in milliseconds. */
+const RATE_WINDOW_MS = 60_000;
+/** Timestamps (ms) of recent dispatches; older entries are evicted lazily. */
+let rateWindow = [];
+/** Reset limiter state — for tests that exercise the ceiling. */
+function resetRateLimiter() {
+    rateWindow = [];
+}
+/**
+ * Record one call and report whether it is within the ceiling. Evicts entries
+ * older than the window so the array stays bounded.
+ */
+function allowCall(now) {
+    const cutoff = now - RATE_WINDOW_MS;
+    if (rateWindow.length > 0 && rateWindow[0] <= cutoff) {
+        rateWindow = rateWindow.filter((t) => t > cutoff);
+    }
+    if (rateWindow.length >= RATE_MAX_CALLS)
+        return false;
+    rateWindow.push(now);
+    return true;
+}
 async function dispatchToolCall(name, rawArgs) {
     const handler = exports.TOOL_HANDLERS[name];
     if (!handler)
         return (0, envelopes_1.errorResult)(`unknown tool: ${name}`);
+    if (!allowCall(Date.now()))
+        return (0, envelopes_1.errorResult)('rate limit exceeded; slow down');
     try {
         const mgr = (0, manager_1.getManager)();
         const ex = await mgr.ensureReady();

package/dist/src/mcp/validators.d.ts

@@ -13,6 +13,12 @@ import type { Target } from '../executor/types';
 export declare class McpToolError extends Error {
     constructor(message: string);
 }
+/** Max length for CSS selector strings. Real selectors are tiny; cap generously. */
+export declare const MAX_SELECTOR_LEN = 2000;
+/** Max length for free-text input (type text, fill_form values). ~100KB. */
+export declare const MAX_TEXT_LEN = 100000;
+/** Throw if `value` exceeds `max` chars. `key` names the field for the message. */
+export declare function requireWithinLength(value: string, key: string, max: number): string;
 /** Coerce raw tool args into a plain object, rejecting non-objects. */
 export declare function asArgs(raw: unknown): Record<string, unknown>;
 export declare function requireString(args: Record<string, unknown>, key: string): string;

package/dist/src/mcp/validators.js

@@ -6,7 +6,8 @@
  * an actionable message (rendered as a structured `isError` result upstream).
  */
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.McpToolError = void 0;
+exports.MAX_TEXT_LEN = exports.MAX_SELECTOR_LEN = exports.McpToolError = void 0;
+exports.requireWithinLength = requireWithinLength;
 exports.asArgs = asArgs;
 exports.requireString = requireString;
 exports.optionalString = optionalString;
@@ -27,6 +28,20 @@ class McpToolError extends Error {
     }
 }
 exports.McpToolError = McpToolError;
+// ---------------------------------------------------------------------------
+// Input size limits — defend against runaway callers passing huge strings.
+// ---------------------------------------------------------------------------
+/** Max length for CSS selector strings. Real selectors are tiny; cap generously. */
+exports.MAX_SELECTOR_LEN = 2_000;
+/** Max length for free-text input (type text, fill_form values). ~100KB. */
+exports.MAX_TEXT_LEN = 100_000;
+/** Throw if `value` exceeds `max` chars. `key` names the field for the message. */
+function requireWithinLength(value, key, max) {
+    if (value.length > max) {
+        throw new McpToolError(`"${key}" is too long (${value.length} chars; max ${max})`);
+    }
+    return value;
+}
 /** Coerce raw tool args into a plain object, rejecting non-objects. */
 function asArgs(raw) {
     if (raw === undefined || raw === null)
@@ -91,7 +106,10 @@ function requireTarget(args) {
     if (hasSel === hasRef) {
         throw new McpToolError('provide exactly one of "selector" or "ref"');
     }
-    return hasSel ? { selector: args.selector } : { ref: args.ref };
+    if (hasSel) {
+        return { selector: requireWithinLength(args.selector, 'selector', exports.MAX_SELECTOR_LEN) };
+    }
+    return { ref: requireWithinLength(args.ref, 'ref', exports.MAX_SELECTOR_LEN) };
 }
 /** Like `requireTarget` but the target is optional (whole-page reads). */
 function optionalTarget(args) {

package/dist/src/security/policy.d.ts

@@ -22,6 +22,10 @@ export interface Policy {
     allowEval: boolean;
     /** Allow `download_file`. */
     allowDownloads: boolean;
+    /** Allow `upload_file` (sends local files to the page — exfiltration risk). */
+    allowUploads: boolean;
+    /** If set, `upload_file` may only read files inside this directory (absolute path). */
+    uploadsDir?: string;
     /** Allow acting on / reading tabs whose URL is not in `allowDomains` is governed
      *  by `allowDomains`; this flag instead relaxes tab *management* (list/select)
      *  to all tabs regardless of their URL. Default false. */

package/dist/src/security/policy.js

@@ -29,6 +29,8 @@ exports.DEFAULT_POLICY = Object.freeze({
     allowDomains: [],
     allowEval: false,
     allowDownloads: false,
+    allowUploads: false,
+    uploadsDir: undefined,
     allowAllTabs: false,
     enableMutations: false,
 });
@@ -38,6 +40,8 @@ function resolvePolicy(partial) {
         allowDomains: partial?.allowDomains ?? [...exports.DEFAULT_POLICY.allowDomains],
         allowEval: partial?.allowEval ?? exports.DEFAULT_POLICY.allowEval,
         allowDownloads: partial?.allowDownloads ?? exports.DEFAULT_POLICY.allowDownloads,
+        allowUploads: partial?.allowUploads ?? exports.DEFAULT_POLICY.allowUploads,
+        uploadsDir: partial?.uploadsDir ?? exports.DEFAULT_POLICY.uploadsDir,
         allowAllTabs: partial?.allowAllTabs ?? exports.DEFAULT_POLICY.allowAllTabs,
         enableMutations: partial?.enableMutations ?? exports.DEFAULT_POLICY.enableMutations,
     };
@@ -83,7 +87,11 @@ function isMutatingMethod(method) {
 }
 /** Whether the method touches a specific URL that must be allowlisted. */
 function isUrlGated(method) {
-    return READ_CONTENT.has(method) || MUTATE_CONTENT.has(method) || NAVIGATION.has(method) || method === 'eval';
+    return (READ_CONTENT.has(method) ||
+        MUTATE_CONTENT.has(method) ||
+        NAVIGATION.has(method) ||
+        method === 'eval' ||
+        method === 'upload_file');
 }
 // ---------------------------------------------------------------------------
 // Domain matching
@@ -134,6 +142,10 @@ function assertUrlAllowed(url, method, policy) {
     if (method === 'download_file' && !policy.allowDownloads) {
         throw new types_1.ExecutorError('POLICY_DENIED', 'downloads are disabled. Pass --enable-downloads or set allowDownloads.');
     }
+    if (method === 'upload_file' && !policy.allowUploads) {
+        throw new types_1.ExecutorError('POLICY_DENIED', 'uploads are disabled (sending local files to a page is an exfiltration risk). ' +
+            'Pass --enable-uploads or set allowUploads.');
+    }
     if (isMutatingMethod(method) && !policy.enableMutations) {
         throw new types_1.ExecutorError('POLICY_DENIED', `mutating tool "${method}" is disabled (safe-mode). Pass --enable-mutations to allow it.`);
     }

package/extension-dist/background.js

@@ -26,6 +26,7 @@
     "eval",
     "wait_for",
     "download_file",
+    "upload_file",
     "ping_probe"
   ];
 
@@ -174,7 +175,22 @@
       const r = el.getBoundingClientRect();
       if (r.width === 0 && r.height === 0) return false;
       const s = window.getComputedStyle(el);
-      return s.visibility !== "hidden" && s.display !== "none";
+      if (s.visibility === "hidden" || s.display === "none") return false;
+      const cv = el.checkVisibility;
+      if (typeof cv === "function") {
+        try {
+          return cv.call(el, { checkOpacity: false, checkVisibilityCSS: true });
+        } catch {
+        }
+      }
+      let p = el.parentElement;
+      while (p) {
+        const ps = window.getComputedStyle(p);
+        if (ps.display === "none" || ps.visibility === "hidden") return false;
+        p = p.parentElement;
+      }
+      if (el.offsetParent === null && s.position !== "fixed") return false;
+      return true;
     };
     const accName = (el) => {
       const aria = el.getAttribute("aria-label");
@@ -210,7 +226,36 @@
       }
       return tag;
     };
-    const els = Array.from(document.querySelectorAll(sel)).filter(visible);
+    const seen = /* @__PURE__ */ new Set();
+    const candidates = [];
+    const collect = (root) => {
+      if (candidates.length >= max) return;
+      let matched;
+      try {
+        matched = Array.from(root.querySelectorAll(sel));
+      } catch {
+        matched = [];
+      }
+      for (const el of matched) {
+        if (candidates.length >= max) break;
+        if (seen.has(el)) continue;
+        seen.add(el);
+        candidates.push(el);
+      }
+      let hosts;
+      try {
+        hosts = Array.from(root.querySelectorAll("*"));
+      } catch {
+        hosts = [];
+      }
+      for (const host of hosts) {
+        if (candidates.length >= max) break;
+        const sr = host.shadowRoot;
+        if (sr) collect(sr);
+      }
+    };
+    collect(document);
+    const els = candidates.filter(visible);
     const nodes = [];
     let n = 0;
     for (const el of els) {
@@ -377,6 +422,7 @@
     "eval",
     "wait_for",
     "download_file",
+    "upload_file",
     "ping_probe"
   ]);
   var ChromeExecutor = class {
@@ -396,8 +442,19 @@
         }
         case "tab_new": {
           const url = typeof cmd.params.url === "string" ? cmd.params.url : void 0;
+          const BLANK = /^(about:blank|chrome:\/\/newtab|chrome:\/\/new-tab-page|edge:\/\/newtab)/i;
+          const blank = (await chrome.tabs.query({})).find(
+            (t2) => t2.id !== void 0 && (BLANK.test(t2.url ?? "") || (t2.url ?? "") === "" || t2.pendingUrl === "about:blank")
+          );
+          if (blank?.id !== void 0) {
+            if (url) {
+              await chrome.tabs.update(blank.id, { url });
+              await waitComplete(blank.id);
+            }
+            return { ...await tabInfo(await chrome.tabs.get(blank.id)), reused: true };
+          }
           const t = await chrome.tabs.create({ url, active: false });
-          return tabInfo(t);
+          return { ...await tabInfo(t), reused: false };
         }
         case "tab_close": {
           const id = parseTabId(String(cmd.tabId));
@@ -732,6 +789,23 @@
           const downloadId = await chrome.downloads.download({ url, filename: name });
           return { path: `(downloads)/${name}`, backend: "extension", bytes: 0, suggestedName: name };
         }
+        // -- upload: set local file(s) on a file <input> via CDP DOM.setFileInputFiles --
+        case "upload_file": {
+          const id = await targetTab(cmd);
+          const sel = requireSelector(cmd);
+          const files = Array.isArray(cmd.params.files) ? cmd.params.files.map(String) : [];
+          if (files.length === 0) throw new CmdError("BAD_ARGS", 'upload_file requires a non-empty "files" array');
+          if (!await waitForSelector(id, sel)) throw new CmdError("SELECTOR_NOT_FOUND", `no element for selector: ${sel}`);
+          await withDebugger(id, async (t) => {
+            const doc = await chrome.debugger.sendCommand(t, "DOM.getDocument", { depth: 0 });
+            const rootId = doc.root?.nodeId;
+            if (!rootId) throw new CmdError("CDP_ERROR", "could not read the document root");
+            const found = await chrome.debugger.sendCommand(t, "DOM.querySelector", { nodeId: rootId, selector: sel });
+            if (!found.nodeId) throw new CmdError("SELECTOR_NOT_FOUND", `no element for selector: ${sel}`);
+            await chrome.debugger.sendCommand(t, "DOM.setFileInputFiles", { files, nodeId: found.nodeId });
+          });
+          return { ok: true };
+        }
         default:
           throw new CmdError("UNKNOWN_METHOD", `unhandled method: ${cmd.method}`);
       }

package/extension-dist/manifest.json

@@ -1,12 +1,12 @@
 {
   "manifest_version": 3,
   "name": "Chrome MCP Bridge",
-  "version": "0.2.0",
+  "version": "0.4.0",
   "description": "Lets a local chrome-mcp server drive this browser. Pair it with the server's handshake token.",
   "minimum_chrome_version": "116",
   "background": { "service_worker": "background.js" },
   "permissions": ["tabs", "scripting", "activeTab", "downloads", "storage", "alarms", "cookies", "debugger"],
-  "host_permissions": ["http://*/*", "https://*/*"],
+  "host_permissions": ["<all_urls>"],
   "options_page": "options.html",
   "action": { "default_title": "Chrome MCP — open options to pair" }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@mehmoodqureshi/chrome-mcp",
-  "version": "0.2.0",
+  "version": "0.4.0",
   "description": "Drive a real Chrome browser over MCP. A stdio MCP server (CLI) plus an MV3 extension, behind one pluggable Executor (extension via chrome.scripting, or a Playwright CDP fallback).",
   "author": "Mehmood Ur Rehman Qureshi",
   "license": "MIT",