@studiomeyer/mcp-video 1.0.2 → 1.0.3

package/src/lib/sanitize-tool-paths.test.ts

@@ -0,0 +1,185 @@
+import { describe, it, expect } from 'vitest';
+import { sanitizeToolPaths } from './sanitize-tool-paths.js';
+
+/**
+ * Each block pairs an "attack blocked" case with a "benign allowed" case, per
+ * the field shape the tool uses. `sanitizeToolPaths` throws on the first
+ * offending path and is a silent no-op otherwise.
+ */
+describe('sanitize-tool-paths — scalar path fields', () => {
+  it('blocks a leading-dash outputPath (flag injection)', () => {
+    expect(() =>
+      sanitizeToolPaths('crop_video', { inputPath: 'in.mp4', outputPath: '-y' }),
+    ).toThrow(/outputPath.*flag/);
+  });
+
+  it('blocks a leading-dash inputPath', () => {
+    expect(() =>
+      sanitizeToolPaths('adjust_video_speed', { inputPath: '-i', outputPath: 'out.mp4' }),
+    ).toThrow(/inputPath.*flag/);
+  });
+
+  it('blocks a NUL byte in a path', () => {
+    expect(() =>
+      sanitizeToolPaths('extract_audio', { inputPath: 'a.mp4\0-i', outputPath: 'b.mp3' }),
+    ).toThrow(/null byte/);
+  });
+
+  it('allows ordinary input/output paths', () => {
+    expect(() =>
+      sanitizeToolPaths('apply_color_grade', {
+        inputPath: '/home/user/clip.mp4',
+        outputPath: 'relative/out.mp4',
+      }),
+    ).not.toThrow();
+  });
+
+  it('skips omitted optional paths (unchanged benign behaviour)', () => {
+    // outputPath is optional for many tools — undefined must not throw.
+    expect(() => sanitizeToolPaths('extract_audio', { inputPath: 'a.mp4' })).not.toThrow();
+  });
+
+  it('validates every scalar field declared for a tool', () => {
+    expect(() =>
+      sanitizeToolPaths('burn_subtitles', {
+        inputPath: 'in.mp4',
+        outputPath: 'out.mp4',
+        subtitlePath: '-attach',
+      }),
+    ).toThrow(/subtitlePath.*flag/);
+  });
+});
+
+describe('sanitize-tool-paths — string-array path fields (sync_to_beat clips)', () => {
+  it('blocks a malicious entry inside the clips array', () => {
+    expect(() =>
+      sanitizeToolPaths('sync_to_beat', {
+        audioPath: 'beat.mp3',
+        outputPath: 'out.mp4',
+        clips: ['ok1.mp4', '-f', 'ok2.mp4'],
+      }),
+    ).toThrow(/clips\[1\].*flag/);
+  });
+
+  it('allows a clean clips array', () => {
+    expect(() =>
+      sanitizeToolPaths('sync_to_beat', {
+        audioPath: 'beat.mp3',
+        outputPath: 'out.mp4',
+        clips: ['a.mp4', 'b.mp4'],
+      }),
+    ).not.toThrow();
+  });
+});
+
+describe('sanitize-tool-paths — object-array path fields (concat clips / mixer tracks)', () => {
+  it('blocks a malicious clip path in concatenate_videos', () => {
+    expect(() =>
+      sanitizeToolPaths('concatenate_videos', {
+        outputPath: 'out.mp4',
+        clips: [{ path: 'good.mp4' }, { path: '-i' }],
+      }),
+    ).toThrow(/clips\[1\]\.path.*flag/);
+  });
+
+  it('blocks a malicious track path in mix_audio_tracks', () => {
+    expect(() =>
+      sanitizeToolPaths('mix_audio_tracks', {
+        outputPath: 'out.aac',
+        tracks: [{ path: 'voice.mp3' }, { path: '-protocol_whitelist' }],
+      }),
+    ).toThrow(/tracks\[1\]\.path.*flag/);
+  });
+
+  it('allows clean object-array paths', () => {
+    expect(() =>
+      sanitizeToolPaths('concatenate_videos', {
+        outputPath: 'out.mp4',
+        clips: [{ path: 'a.mp4', trimStart: 1 }, { path: 'b.mp4' }],
+      }),
+    ).not.toThrow();
+  });
+});
+
+describe('sanitize-tool-paths — record path fields (render_template clips)', () => {
+  it('blocks a malicious value in the clips record', () => {
+    expect(() =>
+      sanitizeToolPaths('render_template', {
+        templateId: 'social-reel',
+        outputPath: 'out.mp4',
+        clips: { intro: 'good.mp4', main: '-y' },
+      }),
+    ).toThrow(/clips\.main.*flag/);
+  });
+
+  it('allows a clean clips record', () => {
+    expect(() =>
+      sanitizeToolPaths('render_template', {
+        templateId: 'social-reel',
+        outputPath: 'out.mp4',
+        clips: { intro: 'a.mp4', main: 'b.mp4' },
+      }),
+    ).not.toThrow();
+  });
+});
+
+describe('sanitize-tool-paths — chroma-key background (path OR hex colour)', () => {
+  it('blocks a leading-dash background path', () => {
+    expect(() =>
+      sanitizeToolPaths('apply_chroma_key', {
+        inputPath: 'in.mp4',
+        outputPath: 'out.mp4',
+        background: '-f',
+      }),
+    ).toThrow(/background.*flag/);
+  });
+
+  it('allows a bare 6-digit hex colour as background', () => {
+    for (const hex of ['00FF00', '#0000FF', '0x000000']) {
+      expect(() =>
+        sanitizeToolPaths('apply_chroma_key', {
+          inputPath: 'in.mp4',
+          outputPath: 'out.mp4',
+          background: hex,
+        }),
+      ).not.toThrow();
+    }
+  });
+
+  it('allows a real background file path', () => {
+    expect(() =>
+      sanitizeToolPaths('apply_chroma_key', {
+        inputPath: 'in.mp4',
+        outputPath: 'out.mp4',
+        background: 'backgrounds/beach.png',
+      }),
+    ).not.toThrow();
+  });
+});
+
+describe('sanitize-tool-paths — registry boundaries', () => {
+  it('is a no-op for tools without path fields', () => {
+    expect(() => sanitizeToolPaths('list_voices', {})).not.toThrow();
+    expect(() => sanitizeToolPaths('list_video_templates', { category: 'promo' })).not.toThrow();
+  });
+
+  it('is a no-op for unknown tools', () => {
+    expect(() => sanitizeToolPaths('nonexistent_tool', { outputPath: '-y' })).not.toThrow();
+  });
+
+  it('tolerates non-object args', () => {
+    expect(() => sanitizeToolPaths('crop_video', null)).not.toThrow();
+    expect(() => sanitizeToolPaths('crop_video', undefined)).not.toThrow();
+    expect(() => sanitizeToolPaths('crop_video', 'not-an-object')).not.toThrow();
+  });
+
+  it('ignores malformed array entries instead of crashing', () => {
+    // objectArray entries that are not objects-with-path are skipped.
+    expect(() =>
+      sanitizeToolPaths('concatenate_videos', {
+        outputPath: 'out.mp4',
+        clips: [null, 'string-entry', { noPath: true }],
+      }),
+    ).not.toThrow();
+  });
+});

package/src/lib/sanitize-tool-paths.ts

@@ -0,0 +1,154 @@
+/**
+ * Central path-argument sanitizer for MCP tool handlers.
+ *
+ * The threat (already documented in ffmpeg-safety.ts) is real: every tool
+ * that shells out to ffmpeg/ffprobe passes user-supplied path strings as
+ * positional arguments. ffmpeg treats any argument that begins with `-` as
+ * a *flag*, not a filename — so a caller (or a confused LLM following an
+ * injected instruction) that sets `outputPath` to `-y`, `-f`, or
+ * `-protocol_whitelist` can rewrite the command instead of naming a file.
+ * Strings containing NUL bytes are equally dangerous (C-string truncation).
+ *
+ * `validateFfmpegPath` was written precisely to stop this, but until now it
+ * was wired into a single engine (narrated-video). The engines validate
+ * *input* existence (`assertExists`) which incidentally blocks some flag
+ * inputs, but they never check *output* paths — and several inputs flow
+ * through `fs.copyFileSync` / the concat demuxer without an existence check
+ * at all. The defense therefore had a wide bypass.
+ *
+ * This module closes the gap at the handler boundary — the one place every
+ * untrusted MCP argument enters — so no engine logic (filter graph building,
+ * arg ordering) has to change. Each tool declares which argument keys are
+ * path-like; nested arrays of paths (concat clips, audio-mixer tracks) are
+ * walked too.
+ */
+
+import { validateFfmpegPath } from './ffmpeg-safety.js';
+
+/** Describes where path-like values live in a tool's argument object. */
+interface PathFieldSpec {
+  /** Top-level keys whose value is a single path string. */
+  readonly scalar?: readonly string[];
+  /** Keys whose value is an array of path strings (e.g. beat-sync `clips`). */
+  readonly stringArray?: readonly string[];
+  /**
+   * Keys whose value is an array of objects each carrying a `path` field
+   * (e.g. concatenate_videos `clips`, mix_audio_tracks `tracks`).
+   */
+  readonly objectArrayPath?: readonly string[];
+  /** Keys whose value is a record of name → path (template-renderer `clips`). */
+  readonly recordValues?: readonly string[];
+  /**
+   * Keys that are a path OR a benign non-path token (chroma-key `background`
+   * may be a 6-digit hex colour). Only validated when the value looks like a
+   * filesystem path rather than the allowed alternative.
+   */
+  readonly pathOrHex?: readonly string[];
+}
+
+/**
+ * Per-tool path-field registry. Only ffmpeg/ffprobe-shelling tools are listed
+ * here — tools that merely write via fs/Playwright (generate_speech,
+ * screenshot_element) are handled separately because a leading-`-` there is a
+ * file-write, not flag injection. Keep this in sync with the handler args.
+ */
+const TOOL_PATH_FIELDS: Record<string, PathFieldSpec> = {
+  // post-production
+  add_background_music: { scalar: ['videoPath', 'musicPath', 'outputPath'] },
+  concatenate_videos: { scalar: ['outputPath'], objectArrayPath: ['clips'] },
+  generate_intro: { scalar: ['outputPath'] },
+  convert_social_format: { scalar: ['inputPath', 'outputPath'] },
+  convert_all_social_formats: { scalar: ['inputPath', 'outputDir'] },
+  add_text_overlay: { scalar: ['inputPath', 'outputPath'] },
+
+  // editing
+  adjust_video_speed: { scalar: ['inputPath', 'outputPath'] },
+  apply_color_grade: { scalar: ['inputPath', 'outputPath'] },
+  apply_video_effect: { scalar: ['inputPath', 'outputPath'] },
+  crop_video: { scalar: ['inputPath', 'outputPath'] },
+  reverse_clip: { scalar: ['inputPath', 'outputPath'] },
+  extract_audio: { scalar: ['inputPath', 'outputPath'] },
+  burn_subtitles: { scalar: ['inputPath', 'outputPath', 'subtitlePath'] },
+  auto_caption: { scalar: ['inputPath', 'outputPath'] },
+  add_keyframe_animation: { scalar: ['inputPath', 'outputPath'] },
+  compose_picture_in_pip: { scalar: ['mainVideo', 'overlayVideo', 'outputPath'] },
+  add_audio_ducking: { scalar: ['inputPath', 'outputPath'] },
+
+  // capcut-tier
+  apply_lut_preset: { scalar: ['inputPath', 'outputPath'] },
+  apply_voice_effect: { scalar: ['inputPath', 'outputPath'] },
+  apply_chroma_key: { scalar: ['inputPath', 'outputPath'], pathOrHex: ['background'] },
+  sync_to_beat: { scalar: ['audioPath', 'outputPath'], stringArray: ['clips'] },
+  animate_text: { scalar: ['inputPath', 'outputPath'] },
+  mix_audio_tracks: { scalar: ['outputPath'], objectArrayPath: ['tracks'] },
+  render_template: { scalar: ['outputPath', 'musicPath'], recordValues: ['clips'] },
+
+  // tts (narrated video also shells out via the recording + concat pipeline)
+  create_narrated_video: { scalar: ['outputPath', 'backgroundMusicPath'] },
+};
+
+const HEX_COLOR = /^(?:#|0x)?[0-9a-fA-F]{6}$/;
+
+/** A value is "present" for validation if it is a non-empty string. */
+function isPresentString(v: unknown): v is string {
+  return typeof v === 'string' && v.length > 0;
+}
+
+/**
+ * Validate every path-like argument for the named tool. Throws the same
+ * error class `validateFfmpegPath` throws (TypeError / Error) on the first
+ * offending value, which the handler's try/catch turns into a structured
+ * tool error. Tools not in the registry are left untouched.
+ *
+ * Only *present* values are checked — optional paths that the caller omitted
+ * (and the handler will default) are skipped so behaviour is unchanged for
+ * benign callers.
+ */
+export function sanitizeToolPaths(toolName: string, args: unknown): void {
+  const spec = TOOL_PATH_FIELDS[toolName];
+  if (!spec) return;
+  if (typeof args !== 'object' || args === null) return;
+  const record = args as Record<string, unknown>;
+
+  for (const key of spec.scalar ?? []) {
+    const value = record[key];
+    if (isPresentString(value)) validateFfmpegPath(value, key);
+  }
+
+  for (const key of spec.stringArray ?? []) {
+    const value = record[key];
+    if (!Array.isArray(value)) continue;
+    value.forEach((entry, i) => {
+      if (isPresentString(entry)) validateFfmpegPath(entry, `${key}[${i}]`);
+    });
+  }
+
+  for (const key of spec.objectArrayPath ?? []) {
+    const value = record[key];
+    if (!Array.isArray(value)) continue;
+    value.forEach((entry, i) => {
+      if (entry && typeof entry === 'object' && 'path' in entry) {
+        const p = (entry as { path: unknown }).path;
+        if (isPresentString(p)) validateFfmpegPath(p, `${key}[${i}].path`);
+      }
+    });
+  }
+
+  for (const key of spec.recordValues ?? []) {
+    const value = record[key];
+    if (!value || typeof value !== 'object' || Array.isArray(value)) continue;
+    for (const [slot, p] of Object.entries(value as Record<string, unknown>)) {
+      if (isPresentString(p)) validateFfmpegPath(p, `${key}.${slot}`);
+    }
+  }
+
+  for (const key of spec.pathOrHex ?? []) {
+    const value = record[key];
+    // A bare 6-digit hex colour (e.g. "00FF00") is a legitimate non-path
+    // value for chroma-key backgrounds — skip those. Anything else is treated
+    // as a path and must pass the flag-injection / NUL-byte check.
+    if (isPresentString(value) && !HEX_COLOR.test(value)) {
+      validateFfmpegPath(value, key);
+    }
+  }
+}

package/src/lib/url-guard-resolve.test.ts

@@ -0,0 +1,116 @@
+/**
+ * Tests for the async, DNS-resolving URL guard `resolveAndGuardUrl`.
+ *
+ * This is the strong SSRF check now used by every URL-taking handler
+ * (record_website_*, create_narrated_video, screenshot_element,
+ * detect_page_features). Where the sync `guardUrl` only inspects the literal
+ * host, this one resolves the hostname and rejects when it points at a
+ * loopback / RFC1918 / cloud-metadata address — the classic DNS-rebinding
+ * bypass. `node:dns/promises.lookup` is mocked so the suite is hermetic and
+ * never hits the network.
+ */
+
+import { describe, it, expect, beforeEach, afterEach, vi } from 'vitest';
+
+const lookupMock = vi.hoisted(() => vi.fn());
+
+vi.mock('node:dns/promises', () => ({ lookup: lookupMock }));
+
+// Import AFTER the mock so the binding is the mock.
+import { resolveAndGuardUrl } from './url-guard.js';
+
+const ORIGINAL_ALLOW_INTERNAL = process.env.MCP_VIDEO_ALLOW_INTERNAL;
+
+beforeEach(() => {
+  lookupMock.mockReset();
+  delete process.env.MCP_VIDEO_ALLOW_INTERNAL;
+});
+afterEach(() => {
+  if (ORIGINAL_ALLOW_INTERNAL === undefined) delete process.env.MCP_VIDEO_ALLOW_INTERNAL;
+  else process.env.MCP_VIDEO_ALLOW_INTERNAL = ORIGINAL_ALLOW_INTERNAL;
+});
+
+describe('resolveAndGuardUrl — DNS-rebinding defense', () => {
+  it('blocks a public hostname that resolves to a loopback address', async () => {
+    lookupMock.mockResolvedValueOnce([{ address: '127.0.0.1', family: 4 }]);
+    const res = await resolveAndGuardUrl('https://rebind.evil.example/');
+    expect(res.ok).toBe(false);
+    if (!res.ok) expect(res.reason).toMatch(/resolves to private address 127\.0\.0\.1/);
+  });
+
+  it('blocks a hostname resolving to the cloud-metadata IP (169.254.169.254)', async () => {
+    lookupMock.mockResolvedValueOnce([{ address: '169.254.169.254', family: 4 }]);
+    const res = await resolveAndGuardUrl('https://metadata.evil.example/');
+    expect(res.ok).toBe(false);
+    if (!res.ok) expect(res.reason).toMatch(/169\.254\.169\.254/);
+  });
+
+  it('blocks when ANY resolved address is internal (multi-A record)', async () => {
+    lookupMock.mockResolvedValueOnce([
+      { address: '93.184.216.34', family: 4 }, // public
+      { address: '10.0.0.5', family: 4 }, // private — must trip the guard
+    ]);
+    const res = await resolveAndGuardUrl('https://mixed.evil.example/');
+    expect(res.ok).toBe(false);
+    if (!res.ok) expect(res.reason).toMatch(/10\.0\.0\.5/);
+  });
+
+  it('blocks an internal IPv6 resolution (unique-local fc00::/7)', async () => {
+    lookupMock.mockResolvedValueOnce([{ address: 'fc00::1', family: 6 }]);
+    const res = await resolveAndGuardUrl('https://v6.evil.example/');
+    expect(res.ok).toBe(false);
+  });
+
+  it('allows a hostname that resolves to a public address', async () => {
+    lookupMock.mockResolvedValueOnce([{ address: '93.184.216.34', family: 4 }]);
+    const res = await resolveAndGuardUrl('https://example.com/page');
+    expect(res.ok).toBe(true);
+    if (res.ok) expect(res.url).toContain('example.com');
+  });
+
+  it('returns a clean failure when DNS resolution itself fails', async () => {
+    lookupMock.mockRejectedValueOnce(new Error('ENOTFOUND'));
+    const res = await resolveAndGuardUrl('https://nxdomain.invalid/');
+    expect(res.ok).toBe(false);
+    if (!res.ok) expect(res.reason).toMatch(/DNS lookup failed/);
+  });
+});
+
+describe('resolveAndGuardUrl — short-circuits (no DNS call)', () => {
+  it('rejects a non-http scheme before any lookup', async () => {
+    const res = await resolveAndGuardUrl('file:///etc/passwd');
+    expect(res.ok).toBe(false);
+    expect(lookupMock).not.toHaveBeenCalled();
+  });
+
+  it('rejects a literal internal IP via the sync layer (no lookup needed)', async () => {
+    const res = await resolveAndGuardUrl('http://127.0.0.1/');
+    expect(res.ok).toBe(false);
+    expect(lookupMock).not.toHaveBeenCalled();
+  });
+
+  it('does not resolve a literal public IPv4 (already host-checked)', async () => {
+    const res = await resolveAndGuardUrl('https://93.184.216.34/');
+    expect(res.ok).toBe(true);
+    expect(lookupMock).not.toHaveBeenCalled();
+  });
+
+  it('does not resolve a literal IPv6 host', async () => {
+    const res = await resolveAndGuardUrl('https://[2606:2800:220:1:248:1893:25c8:1946]/');
+    expect(res.ok).toBe(true);
+    expect(lookupMock).not.toHaveBeenCalled();
+  });
+
+  it('skips DNS entirely when MCP_VIDEO_ALLOW_INTERNAL=1', async () => {
+    process.env.MCP_VIDEO_ALLOW_INTERNAL = '1';
+    const res = await resolveAndGuardUrl('https://internal.dev.example/');
+    expect(res.ok).toBe(true);
+    expect(lookupMock).not.toHaveBeenCalled();
+  });
+
+  it('rejects a non-string input without resolving', async () => {
+    const res = await resolveAndGuardUrl(undefined);
+    expect(res.ok).toBe(false);
+    expect(lookupMock).not.toHaveBeenCalled();
+  });
+});