@mhingston5/conduit 1.1.7 → 1.1.8

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@mhingston5/conduit",
-  "version": "1.1.7",
+  "version": "1.1.8",
   "type": "module",
   "description": "A secure Code Mode execution substrate for MCP agents",
   "main": "index.js",
@@ -60,6 +60,7 @@
     "p-limit": "^7.2.0",
     "pino": "^10.1.0",
     "pyodide": "^0.29.0",
+    "undici": "^7.18.2",
     "uuid": "^13.0.0",
     "zod": "^4.3.5"
   },

package/src/core/middleware/auth.middleware.ts

@@ -12,10 +12,9 @@ export class AuthMiddleware implements Middleware {
         next: NextFunction
     ): Promise<JSONRPCResponse | null> {
         const providedToken = request.auth?.bearerToken || '';
-        const masterToken = this.securityService.getIpcToken();
 
         // If no master token is set (stdio mode), treat all requests as master (auth disabled)
-        const isMaster = !masterToken || providedToken === masterToken;
+        const isMaster = this.securityService.isMasterToken(providedToken);
         const isSession = !isMaster && this.securityService.validateIpcToken(providedToken);
 
         if (!isMaster && !isSession) {

package/src/core/security.service.ts

@@ -38,16 +38,16 @@ export class SecurityService implements IUrlValidator {
         return this.networkPolicy.checkRateLimit(key);
     }
 
-    validateIpcToken(token: string): boolean {
-        // Fix Sev1: Use timing-safe comparison for sensitive tokens
-        if (!this.ipcToken) {
-            return true;
-        }
-
+    isMasterToken(token: string): boolean {
+        if (!this.ipcToken) return true;
         const expected = Buffer.from(this.ipcToken);
-        const actual = Buffer.from(token);
+        const actual = Buffer.from(token || '');
+        return expected.length === actual.length && crypto.timingSafeEqual(expected, actual);
+    }
 
-        if (expected.length === actual.length && crypto.timingSafeEqual(expected, actual)) {
+    validateIpcToken(token: string): boolean {
+        // Fix Sev1: Use timing-safe comparison for sensitive tokens
+        if (this.isMasterToken(token)) {
             return true;
         }
 

package/src/executors/isolate.executor.ts

@@ -44,33 +44,36 @@ export class IsolateExecutor implements Executor {
 
             let currentLogBytes = 0;
             let currentErrorBytes = 0;
+            let totalLogEntries = 0;
 
-            // Inject console.log/error for output capture
             // Inject console.log/error for output capture
             await jail.set('__log', new ivm.Callback((msg: string) => {
+                if (totalLogEntries + 1 > limits.maxLogEntries) {
+                    throw new Error('[LIMIT_LOG_ENTRIES]');
+                }
                 if (currentLogBytes + msg.length + 1 > limits.maxOutputBytes) {
-                    // Check log entry count limit? We don't track count here yet effectively, but bytes is safer.
-                    // The interface says maxOutputBytes applies to total output.
                     throw new Error('[LIMIT_LOG]');
                 }
-                if (currentLogBytes < limits.maxOutputBytes) {
-                    logs.push(msg);
-                    currentLogBytes += msg.length + 1; // +1 for newline approximation
-                }
+
+                totalLogEntries++;
+                logs.push(msg);
+                currentLogBytes += msg.length + 1; // +1 for newline approximation
             }));
             await jail.set('__error', new ivm.Callback((msg: string) => {
+                if (totalLogEntries + 1 > limits.maxLogEntries) {
+                    throw new Error('[LIMIT_LOG_ENTRIES]');
+                }
                 if (currentErrorBytes + msg.length + 1 > limits.maxOutputBytes) {
                     throw new Error('[LIMIT_OUTPUT]');
                 }
-                if (currentErrorBytes < limits.maxOutputBytes) {
-                    errors.push(msg);
-                    currentErrorBytes += msg.length + 1;
-                }
+
+                totalLogEntries++;
+                errors.push(msg);
+                currentErrorBytes += msg.length + 1;
             }));
 
             // Async tool bridge (ID-based to avoid Promise transfer issues)
             let requestIdCounter = 0;
-            const pendingToolCalls = new Map<number, Promise<any>>(); // Not used by Host, but Host initiates work
 
             await jail.set('__dispatchToolCall', new ivm.Callback((nameStr: string, argsStr: string) => {
                 const requestId = ++requestIdCounter;
@@ -244,6 +247,30 @@ export class IsolateExecutor implements Executor {
                 };
             }
 
+            if (message.includes('[LIMIT_LOG_ENTRIES]')) {
+                return {
+                    stdout: logs.join('\n'),
+                    stderr: errors.join('\n'),
+                    exitCode: null,
+                    error: {
+                        code: ConduitError.LogLimitExceeded,
+                        message: 'Log entry limit exceeded',
+                    },
+                };
+            }
+
+            if (message.includes('[LIMIT_LOG]') || message.includes('[LIMIT_OUTPUT]')) {
+                return {
+                    stdout: logs.join('\n'),
+                    stderr: errors.join('\n'),
+                    exitCode: null,
+                    error: {
+                        code: ConduitError.OutputLimitExceeded,
+                        message: 'Output limit exceeded',
+                    },
+                };
+            }
+
             this.logger.error({ err }, 'Isolate execution failed');
             return {
                 stdout: logs.join('\n'),

package/src/gateway/upstream.client.ts

@@ -10,6 +10,9 @@ import { StdioClientTransport } from '@modelcontextprotocol/sdk/client/stdio.js'
 import { StreamableHTTPClientTransport } from '@modelcontextprotocol/sdk/client/streamableHttp.js';
 import { SSEClientTransport } from '@modelcontextprotocol/sdk/client/sse.js';
 import { z } from 'zod';
+import dns from 'node:dns';
+import net from 'node:net';
+import { Agent } from 'undici';
 
 export type UpstreamInfo = {
     id: string;
@@ -30,6 +33,10 @@ export class UpstreamClient {
     private transport?: StdioClientTransport | StreamableHTTPClientTransport | SSEClientTransport;
     private connected: boolean = false;
 
+    // Pinned-IP dispatchers per upstream origin (defends against DNS rebinding)
+    private dispatcherCache = new Map<string, { resolvedIp: string; agent: Agent }>();
+    private pinned?: { origin: string; hostname: string; resolvedIp?: string };
+
     constructor(logger: Logger, info: UpstreamInfo, authService: AuthService, urlValidator: IUrlValidator) {
         this.logger = logger.child({ upstreamId: info.id });
         this.info = info;
@@ -59,7 +66,10 @@ export class UpstreamClient {
         }
 
         if (this.info.type === 'streamableHttp') {
-            this.transport = new StreamableHTTPClientTransport(new URL(this.info.url), {
+            const upstreamUrl = new URL(this.info.url);
+            this.pinned = { origin: upstreamUrl.origin, hostname: upstreamUrl.hostname };
+
+            this.transport = new StreamableHTTPClientTransport(upstreamUrl, {
                 fetch: this.createAuthedFetch(),
             });
             this.mcpClient = new Client({
@@ -72,6 +82,9 @@ export class UpstreamClient {
         }
 
         if (this.info.type === 'sse') {
+            const upstreamUrl = new URL(this.info.url);
+            this.pinned = { origin: upstreamUrl.origin, hostname: upstreamUrl.hostname };
+
             this.mcpClient = new Client({
                 name: 'conduit-gateway',
                 version: '1.0.0',
@@ -81,17 +94,89 @@ export class UpstreamClient {
         }
     }
 
+    private getDispatcher(origin: string, hostname: string, resolvedIp: string): Agent {
+        const existing = this.dispatcherCache.get(origin);
+        if (existing && existing.resolvedIp === resolvedIp) {
+            return existing.agent;
+        }
+
+        if (existing) {
+            try {
+                existing.agent.close();
+            } catch {
+                // ignore
+            }
+        }
+
+        const agent = new Agent({
+            connect: {
+                lookup: (lookupHostname: string, options: any, callback: any) => {
+                    if (lookupHostname === hostname) {
+                        callback(null, resolvedIp, net.isIP(resolvedIp));
+                        return;
+                    }
+                    dns.lookup(lookupHostname, options, callback);
+                },
+            },
+        });
+
+        this.dispatcherCache.set(origin, { resolvedIp, agent });
+        return agent;
+    }
+
     private createAuthedFetch() {
         const creds = this.info.credentials;
-        if (!creds) return fetch;
+        const pinned = this.pinned;
+
+        // Fall back to global fetch
+        const baseFetch = fetch;
 
         return async (input: any, init: any = {}) => {
-            const headers = new Headers(init.headers || {});
-            const authHeaders = await this.authService.getAuthHeaders(creds);
-            for (const [k, v] of Object.entries(authHeaders)) {
-                headers.set(k, v);
+            const requestUrlStr = (() => {
+                if (typeof input === 'string') return input;
+                if (input instanceof URL) return input.toString();
+                if (input instanceof Request) return input.url;
+                return String(input);
+            })();
+
+            const requestUrl = pinned
+                ? new URL(requestUrlStr, pinned.origin)
+                : new URL(requestUrlStr);
+
+            // Hard safety boundary: never allow fetch to escape upstream origin
+            if (pinned && requestUrl.origin !== pinned.origin) {
+                throw new Error(`Forbidden upstream redirect/origin: ${requestUrl.origin}`);
+            }
+
+            // Validate and (optionally) pin resolved IP for DNS-rebinding defense
+            if (pinned && !pinned.resolvedIp) {
+                const securityResult = await this.urlValidator.validateUrl(pinned.origin);
+                if (!securityResult.valid) {
+                    throw new Error(securityResult.message || 'Forbidden URL');
+                }
+                pinned.resolvedIp = securityResult.resolvedIp;
+            }
+
+            const headers = new Headers((input instanceof Request ? input.headers : undefined) || undefined);
+            const initHeaders = new Headers(init.headers || {});
+            for (const [k, v] of initHeaders.entries()) headers.set(k, v);
+
+            if (creds) {
+                const authHeaders = await this.authService.getAuthHeaders(creds);
+                for (const [k, v] of Object.entries(authHeaders)) {
+                    headers.set(k, v);
+                }
             }
-            return fetch(input, { ...init, headers });
+
+            const request = input instanceof Request
+                ? new Request(input, { ...init, headers, redirect: init.redirect ?? 'manual' })
+                : new Request(requestUrl.toString(), { ...init, headers, redirect: init.redirect ?? 'manual' });
+
+            const dispatcher = (pinned && pinned.resolvedIp)
+                ? this.getDispatcher(pinned.origin, pinned.hostname, pinned.resolvedIp)
+                : undefined;
+
+            return baseFetch(request, dispatcher ? { dispatcher } : undefined);
         };
     }
 
@@ -119,6 +204,9 @@ export class UpstreamClient {
                 this.logger.error({ url: this.info.url }, 'Blocked upstream URL (SSRF)');
                 throw new Error(securityResult.message || 'Forbidden URL');
             }
+            if (this.pinned) {
+                this.pinned.resolvedIp = securityResult.resolvedIp;
+            }
         }
 
         try {

package/src/index.ts

@@ -1,5 +1,6 @@
 #!/usr/bin/env node
 import { Command } from 'commander';
+import { createRequire } from 'node:module';
 import { ConfigService } from './core/config.service.js';
 import { createLogger, loggerStorage } from './core/logger.js';
 import { SocketTransport } from './transport/socket.transport.js';
@@ -20,10 +21,13 @@ import { handleAuth } from './auth.cmd.js';
 
 const program = new Command();
 
+const require = createRequire(import.meta.url);
+const pkg = require('../package.json') as { version?: string };
+
 program
     .name('conduit')
     .description('A secure Code Mode execution substrate for MCP agents')
-    .version('1.0.0');
+    .version(pkg.version || '0.0.0');
 
 program
     .command('serve', { isDefault: true })

package/tests/middleware.test.ts

@@ -15,6 +15,7 @@ describe('Middleware Tests', () => {
             validateToken: vi.fn(),
             checkRateLimit: vi.fn(),
             getIpcToken: vi.fn(),
+            isMasterToken: vi.fn(),
             validateIpcToken: vi.fn(),
             getSession: vi.fn(),
         };
@@ -39,8 +40,7 @@ describe('Middleware Tests', () => {
             authMiddleware = new AuthMiddleware(mockSecurityService as SecurityService);
         });
 
-        it('should validate bearer token', () => {
-            mockSecurityService.validateToken.mockReturnValue(true);
+        it('should validate bearer token', async () => {
             const request = {
                 jsonrpc: '2.0',
                 id: 1,
@@ -48,24 +48,27 @@ describe('Middleware Tests', () => {
                 auth: { bearerToken: 'valid-token' }
             };
 
-            mockSecurityService.getIpcToken.mockReturnValue('master-token');
+            // Not master and not a valid session -> Forbidden
+            mockSecurityService.isMasterToken.mockReturnValue(false);
             mockSecurityService.validateIpcToken.mockReturnValue(false);
-            // Mock validateToken behavior via logic or specific mock if used, but AuthMiddleware uses getIpcToken/validateIpcToken
 
-            authMiddleware.handle(request as any, context, mockNext);
+            const result1 = await authMiddleware.handle(request as any, context, mockNext);
+            expect(mockSecurityService.isMasterToken).toHaveBeenCalledWith('valid-token');
             expect(mockSecurityService.validateIpcToken).toHaveBeenCalledWith('valid-token');
-            expect(mockNext).not.toHaveBeenCalled(); // Should fail because neither master nor session valid
-            // Wait, logic says: isMaster = token === getIpcToken(). isSession = validateIpcToken() && !isMaster.
-            // If valid-token is NOT master and NOT session, it returns 403.
+            expect(result1?.error?.code).toBe(ConduitError.Forbidden);
+            expect(mockNext).not.toHaveBeenCalled();
+
+            // Master token -> allowed
+            mockNext.mockClear();
+            mockSecurityService.isMasterToken.mockReturnValue(true);
 
-            // Let's make it a master token to pass 'valid-token' test
-            mockSecurityService.getIpcToken.mockReturnValue('valid-token');
-            authMiddleware.handle(request as any, context, mockNext);
+            const result2 = await authMiddleware.handle(request as any, context, mockNext);
+            expect(result2?.error).toBeUndefined();
             expect(mockNext).toHaveBeenCalled();
         });
 
         it('should throw Forbidden if token is invalid', async () => {
-            mockSecurityService.getIpcToken.mockReturnValue('master-token');
+            mockSecurityService.isMasterToken.mockReturnValue(false);
             mockSecurityService.validateIpcToken.mockReturnValue(false);
 
             const request = {
@@ -76,7 +79,7 @@ describe('Middleware Tests', () => {
             };
 
             const result = await authMiddleware.handle(request as any, context, mockNext);
-            expect(result.error?.code).toBe(ConduitError.Forbidden);
+            expect(result?.error?.code).toBe(ConduitError.Forbidden);
             expect(mockNext).not.toHaveBeenCalled();
         });
     });

package/tests/routing.test.ts

@@ -43,6 +43,7 @@ describe('RequestController Routing', () => {
             createSession: vi.fn().mockReturnValue('token'),
             invalidateSession: vi.fn(),
             getIpcToken: vi.fn().mockReturnValue('master-token'),
+            isMasterToken: vi.fn().mockReturnValue(true),
             validateIpcToken: vi.fn().mockReturnValue(true),
             getSession: vi.fn(),
             checkRateLimit: vi.fn().mockReturnValue(true),

package/tests/upstream.transports.test.ts

@@ -1,4 +1,4 @@
-import { describe, it, expect, vi, beforeEach } from 'vitest';
+import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest';
 
 const mcpClientMocks = {
     connect: vi.fn(async () => undefined),
@@ -60,8 +60,15 @@ vi.mock('@modelcontextprotocol/sdk/client/stdio.js', () => {
 });
 
 describe('UpstreamClient (remote transports)', () => {
+    const originalFetch = globalThis.fetch;
+
     beforeEach(() => {
         vi.clearAllMocks();
+        globalThis.fetch = vi.fn(async () => new Response(null, { status: 200 })) as any;
+    });
+
+    afterEach(() => {
+        globalThis.fetch = originalFetch;
     });
 
     it('uses Streamable HTTP client transport for type=streamableHttp', async () => {
@@ -87,6 +94,38 @@ describe('UpstreamClient (remote transports)', () => {
         expect(res.result).toBeDefined();
     });
 
+    it('pins DNS resolution and blocks cross-origin fetches', async () => {
+        const { UpstreamClient } = await import('../src/gateway/upstream.client.js');
+
+        const logger: any = { child: () => logger, debug: vi.fn(), info: vi.fn(), error: vi.fn() };
+        const authService: any = { getAuthHeaders: vi.fn(async () => ({ Authorization: 'Bearer t' })) };
+        const urlValidator: any = { validateUrl: vi.fn(async () => ({ valid: true, resolvedIp: '93.184.216.34' })) };
+
+        const client = new UpstreamClient(
+            logger,
+            { id: 'atl', type: 'streamableHttp', url: 'https://mcp.atlassian.com/v1/sse' } as any,
+            authService,
+            urlValidator
+        );
+
+        // Trigger initial URL validation + pinning
+        await client.call({ jsonrpc: '2.0', id: '1', method: 'tools/list' } as any, { correlationId: 'c1' } as any);
+
+        const [, opts] = transportMocks.streamableHttpCtor.mock.calls[0];
+        const wrappedFetch = opts.fetch;
+
+        // Same-origin request should pass a dispatcher and block redirects
+        await wrappedFetch('https://mcp.atlassian.com/v1/sse', {});
+        expect((globalThis.fetch as any).mock.calls.length).toBeGreaterThan(0);
+        const [request, init] = (globalThis.fetch as any).mock.calls.at(-1);
+        expect(request).toBeInstanceOf(Request);
+        expect(request.redirect).toBe('manual');
+        expect(init?.dispatcher).toBeDefined();
+
+        // Cross-origin request should be blocked
+        await expect(wrappedFetch('https://evil.example.com/', {})).rejects.toThrow(/Forbidden upstream redirect\/origin/);
+    });
+
     it('lazily creates SSE transport for type=sse and attaches auth headers', async () => {
         const { UpstreamClient } = await import('../src/gateway/upstream.client.js');