npm - @yamo/mcp-server - Versions diffs - 1.3.0 → 1.3.2 - Mend

@yamo/mcp-server 1.3.0 → 1.3.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md CHANGED Viewed

@@ -1,4 +1,4 @@
-# 🤖 YAMO Chain MCP Server [![npm version](https://badge.fury.io/js/@yamo%2Fmcp-server.svg)](https://www.npmjs.com/package/@yamo/mcp-server)
+# 🤖 YAMO Chain MCP Server [![npm version](https://img.shields.io/npm/v/@yamo/mcp-server?style=flat-square)](https://www.npmjs.com/package/@yamo/mcp-server)
 This MCP Server acts as a bridge, allowing LLMs to interact with the YAMO Blockchain. It is now powered by `@yamo/core` for robust IPFS handling.

package/dist/index.js CHANGED Viewed

@@ -47,6 +47,14 @@ const crypto_1 = __importDefault(require("crypto"));
 const path_1 = __importDefault(require("path"));
 const pkg = JSON.parse(fs_1.default.readFileSync(path_1.default.join(__dirname, '../package.json'), 'utf8'));
 dotenv.config();
+// Validation helper for bytes32 hashes (Part 3: Security Fixes)
+function validateBytes32(value, fieldName) {
+    if (!value.match(/^0x[a-fA-F0-9]{64}$/)) {
+        throw new Error(`${fieldName} must be a valid bytes32 hash (0x + 64 hex chars). ` +
+            `Received: ${value.substring(0, 20)}...` +
+            `\nDo NOT include algorithm prefixes like "sha256:"`);
+    }
+}
 const SUBMIT_BLOCK_TOOL = {
     name: "yamo_submit_block",
     description: `Submits a YAMO block to the YAMORegistry smart contract.
@@ -227,22 +235,31 @@ class YamoMcpServer {
             try {
                 if (name === "yamo_submit_block") {
                     const { blockId, previousBlock, contentHash, consensusType, ledger, content, files, encryptionKey } = args;
-                    // Process files - auto-read if they're file paths
+                    // Process files - auto-read if they're file paths (with security fix)
                     let processedFiles = files;
                     if (files && Array.isArray(files)) {
                         processedFiles = files.map((file) => {
                             // Check if content is a file path that exists
                             if (typeof file.content === 'string' && fs_1.default.existsSync(file.content)) {
+                                // Security: Resolve to absolute path and restrict to cwd (Part 3: Security Fixes)
+                                const filePath = path_1.default.resolve(file.content);
+                                const allowedDir = process.cwd();
+                                if (!filePath.startsWith(allowedDir)) {
+                                    throw new Error(`File path outside allowed directory: ${file.content}`);
+                                }
                                 console.error(`[DEBUG] Auto-reading file from path: ${file.content}`);
                                 return {
                                     name: file.name,
-                                    content: fs_1.default.readFileSync(file.content, 'utf8')
+                                    content: fs_1.default.readFileSync(filePath, 'utf8')
                                 };
                             }
                             // Otherwise use content as-is
                             return file;
                         });
                     }
+                    // Input validation (Part 3: Security Fixes)
+                    validateBytes32(contentHash, "contentHash");
+                    validateBytes32(previousBlock, "previousBlock");
                     let ipfsCID = undefined;
                     if (content) {
                         ipfsCID = await this.ipfs.upload({
@@ -251,13 +268,19 @@ class YamoMcpServer {
                             encryptionKey
                         });
                     }
-                    const txHash = await this.chain.submitBlock(blockId, previousBlock, contentHash, consensusType, ledger, ipfsCID);
+                    const tx = await this.chain.submitBlock(blockId, previousBlock, contentHash, consensusType, ledger, ipfsCID);
+                    const receipt = await tx.wait();
                     return {
                         content: [{ type: "text", text: JSON.stringify({
                                     success: true,
                                     blockId,
-                                    transactionHash: txHash,
-                                    ipfsCID: ipfsCID || null
+                                    transactionHash: tx.hash,
+                                    blockNumber: receipt.blockNumber,
+                                    gasUsed: receipt.gasUsed.toString(),
+                                    effectiveGasPrice: receipt.effectiveGasPrice?.toString(),
+                                    ipfsCID: ipfsCID || null,
+                                    contractAddress: this.chain.getContractAddress(),
+                                    timestamp: new Date().toISOString()
                                 }, null, 2) }],
                     };
                 }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@yamo/mcp-server",
-  "version": "1.3.0",
+  "version": "1.3.2",
   "description": "YAMO Protocol v0.4 - Model Context Protocol server for AI agents",
   "main": "dist/index.js",
   "type": "commonjs",
@@ -17,7 +17,9 @@
     "build": "tsc",
     "prepublishOnly": "npm run build",
     "start": "node dist/index.js",
-    "dev": "ts-node src/index.ts"
+    "dev": "ts-node src/index.ts",
+    "test": "node --test test/**/*.test.js",
+    "test:security": "node --test test/security.test.js"
   },
   "keywords": [
     "yamo",