blackveil-dns 2.10.9 → 2.10.10

package/README.md

@@ -9,7 +9,7 @@ Open-source DNS & email security scanner for Claude, Cursor, VS Code, and MCP cl
 [![GitHub stars](https://img.shields.io/github/stars/MadaBurns/bv-mcp?style=flat&logo=github)](https://github.com/MadaBurns/bv-mcp/stargazers)
 [![npm version](https://img.shields.io/npm/v/blackveil-dns)](https://www.npmjs.com/package/blackveil-dns)
 [![npm downloads](https://img.shields.io/npm/dm/blackveil-dns)](https://www.npmjs.com/package/blackveil-dns)
-[![Tests](https://img.shields.io/badge/Tests-2587-brightgreen)](https://github.com/MadaBurns/bv-mcp/actions)
+[![Tests](https://img.shields.io/badge/Tests-2610-brightgreen)](https://github.com/MadaBurns/bv-mcp/actions)
 [![Coverage](https://img.shields.io/badge/Coverage-~90%25-brightgreen)](https://github.com/MadaBurns/bv-mcp/actions)
 [![BUSL-1.1 License](https://img.shields.io/badge/License-BUSL--1.1-blue.svg)](LICENSE)
 [![MCP](https://img.shields.io/badge/MCP-2025--03--26-blue)](https://modelcontextprotocol.io/)

package/dist/index.d.ts

@@ -192,7 +192,7 @@ declare function sanitizeDomain(input: string): string;
 declare function sanitizeInput(input: string, maxLength?: number): string;
 
 /** Server version — keep in sync with package.json */
-declare const SERVER_VERSION = "2.10.9";
+declare const SERVER_VERSION = "2.10.10";
 
 /**
  * Map of every tool name to its Zod argument schema.
@@ -231,6 +231,11 @@ declare const TOOLS: McpTool[];
  * Check BIMI records for a domain.
  * Validates the presence and configuration of BIMI TXT records,
  * including logo URL format and VMC authority evidence.
+ *
+ * BIMI `l=` and `a=` tags are extracted from a TXT record at default._bimi.<domain>
+ * and are entirely attacker-controlled. We pass safeFetch instead of the raw
+ * `fetch` so the destination hostname is validated before any outbound request
+ * (H2 fix from the 2026-05-08 security audit).
  */
 declare function checkBimi(domain: string, dnsOptions?: QueryDnsOptions): Promise<CheckResult>;
 

package/dist/index.js

@@ -105,7 +105,7 @@ z.object({
 var REDACTED = "[redacted]";
 var MAX_LOG_STRING_LENGTH = 256;
 var MAX_ERROR_STRING_LENGTH = 1024;
-var SENSITIVE_KEY_PATTERN = /(^ip$|authorization|mcp-session-id|session|token|api[-_]?key|secret|password|cookie|rawbody)/i;
+var SENSITIVE_KEY_PATTERN = /(^ip$|cf-connecting-ip|authorization|mcp-session-id|session|token|api[-_]?key|secret|password|cookie|rawbody)/i;
 function isSensitiveKey(key) {
   return !/^has[A-Z]/.test(key) && SENSITIVE_KEY_PATTERN.test(key);
 }
@@ -580,6 +580,24 @@ function sanitizeDomain(input) {
     return "";
   }
 }
+function validateOutboundUrl(input) {
+  if (!input || typeof input !== "string") {
+    return { valid: false, error: "URL is required" };
+  }
+  let url;
+  try {
+    url = new URL(input);
+  } catch {
+    return { valid: false, error: "URL is malformed" };
+  }
+  if (url.protocol !== "https:") {
+    return { valid: false, error: `URL must use https (got "${url.protocol}")` };
+  }
+  if (url.username || url.password) {
+    return { valid: false, error: "URL must not contain userinfo" };
+  }
+  return validateDomain(url.hostname);
+}
 function sanitizeInput(input, maxLength = 500) {
   if (typeof input !== "string") return "";
   const sanitized = input.replace(/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/g, "");
@@ -587,7 +605,7 @@ function sanitizeInput(input, maxLength = 500) {
 }
 
 // src/lib/server-version.ts
-var SERVER_VERSION = "2.10.9";
+var SERVER_VERSION = "2.10.10";
 var DomainSchema = z.string().min(1).max(253);
 z.string().regex(/^[0-9a-f]{64}$/);
 var DkimSelectorSchema = z.string().transform((s) => s.trim().toLowerCase()).pipe(z.string().max(63).regex(/^[a-z0-9]([a-z0-9-]*[a-z0-9])?$/));
@@ -682,7 +700,7 @@ var GetBenchmarkArgs = z.object({
   format: FormatSchema.optional().describe("Output verbosity. Auto-detected if omitted.")
 }).passthrough();
 var GetProviderInsightsArgs = z.object({
-  provider: z.string().min(1).describe('Provider (e.g., "google workspace").'),
+  provider: z.string().min(1).max(200).describe('Provider (e.g., "google workspace").'),
   profile: BenchmarkProfileSchema.optional().describe('Profile (default "mail_enabled").'),
   format: FormatSchema.optional().describe("Output verbosity. Auto-detected if omitted.")
 }).passthrough();
@@ -1143,12 +1161,27 @@ function makeQueryDNS(dnsOptions) {
   };
 }
 
+// src/lib/safe-fetch.ts
+function urlOf(input) {
+  if (typeof input === "string") return input;
+  if (input instanceof URL) return input.href;
+  return input.url;
+}
+var safeFetch = async (input, init) => {
+  const url = urlOf(input);
+  const validation = validateOutboundUrl(url);
+  if (!validation.valid) {
+    throw new TypeError(`Outbound fetch blocked: ${validation.error ?? "invalid URL"}`);
+  }
+  return fetch(input, init);
+};
+
 // src/tools/check-bimi.ts
 async function checkBimi(domain, dnsOptions) {
   return checkBIMI(
     domain,
     makeQueryDNS(dnsOptions),
-    { timeout: dnsOptions?.timeoutMs ?? 5e3, fetchFn: fetch }
+    { timeout: dnsOptions?.timeoutMs ?? 5e3, fetchFn: safeFetch }
   );
 }
 async function checkCaa(domain, dnsOptions) {
@@ -3171,7 +3204,7 @@ async function fetchWithRedirects(url, timeoutMs) {
     }
     if (!nextUrl.startsWith("https://")) break;
     try {
-      response = await fetch(nextUrl, {
+      response = await safeFetch(nextUrl, {
         method: "HEAD",
         redirect: "manual",
         headers: { "User-Agent": SCANNER_USER_AGENT },
@@ -3275,7 +3308,7 @@ async function checkHttpSecurityInner(domain) {
         headers: dualResult.headers
       });
     }
-    const response = await fetch(input, init);
+    const response = await safeFetch(input, init);
     capturedHeaders = response.headers;
     return response;
   };