npm - cf-memory-mcp - Versions diffs - 3.9.5 → 3.9.7 - Mend

cf-memory-mcp 3.9.5 → 3.9.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/bin/cf-memory-mcp.js +97 -11
package/package.json +1 -1

package/bin/cf-memory-mcp.js CHANGED Viewed

@@ -867,11 +867,29 @@ class CFMemoryMCP {
         // Read each file locally. Note: uploadFileBatch expects `relativePath`
         // (not `path`) — it maps to `file_path` server-side.
+        //
+        // Confine each file to project_root with the same realpath-aware
+        // check used in maybeServeLocalFileContent. Without this, an
+        // attacker could pass file_paths: ["/etc/hosts"] and pollute the
+        // indexed corpus with arbitrary local files. Same vulnerability
+        // class as the get_file_content fix (codex review).
+        const normalizedRoot = (() => {
+            try { return fs.realpathSync(projectRoot); }
+            catch (_) { return projectRoot; }
+        })();
         const files = [];
         const skipped = [];
         for (const rel of filePaths) {
             try {
-                const full = path.resolve(projectRoot, rel);
+                const candidate = path.resolve(normalizedRoot, rel);
+                let full;
+                try { full = fs.realpathSync(candidate); }
+                catch (_) { skipped.push({ path: rel, reason: 'not readable' }); continue; }
+                const relInside = path.relative(normalizedRoot, full);
+                if (!relInside || relInside.startsWith('..') || path.isAbsolute(relInside)) {
+                    skipped.push({ path: rel, reason: 'path escapes project_root' });
+                    continue;
+                }
                 const stat = fs.statSync(full);
                 if (!stat.isFile()) {
                     skipped.push({ path: rel, reason: 'not a file' });
@@ -964,6 +982,15 @@ class CFMemoryMCP {
         // Each file in the list already carries file_hash + indexed_at
         // (list_files was extended to return them), so we don't need any
         // additional server roundtrips. Just hash the local files.
+        //
+        // Defense in depth: indexed file_paths SHOULD be relative-to-root,
+        // but if a previous-version bridge indexed an absolute path, this
+        // loop would have read /etc/hosts to compare hashes. Confine to the
+        // project root via realpath check just like get_file_content.
+        const normalizedRoot = (() => {
+            try { return fs.realpathSync(projectRoot); }
+            catch (_) { return projectRoot; }
+        })();
         const stale = [];
         const missing = [];
         const fresh = [];
@@ -973,7 +1000,18 @@ class CFMemoryMCP {
             const indexedAt = f.indexed_at;
             if (!indexedHash) continue;
-            const full = path.resolve(projectRoot, filePath);
+            const candidate = path.resolve(normalizedRoot, filePath);
+            let full;
+            try { full = fs.realpathSync(candidate); }
+            catch (_) {
+                missing.push({ file_path: filePath, indexed_at: indexedAt, reason: 'file missing locally' });
+                continue;
+            }
+            const relInside = path.relative(normalizedRoot, full);
+            if (!relInside || relInside.startsWith('..') || path.isAbsolute(relInside)) {
+                missing.push({ file_path: filePath, indexed_at: indexedAt, reason: 'indexed path escapes project_root (skipped for safety)' });
+                continue;
+            }
             let content;
             try {
                 content = fs.readFileSync(full, 'utf8');
@@ -1049,13 +1087,27 @@ class CFMemoryMCP {
             return respond({ error: 'Failed to list indexed files' });
         }
+        // Same defense as handleFindStaleFiles: confine indexed file_paths
+        // to the project root via realpath check.
+        const normalizedRoot = (() => {
+            try { return fs.realpathSync(projectRoot); }
+            catch (_) { return projectRoot; }
+        })();
         const staleFiles = [];
         const missing = [];
         for (const f of filesList) {
             const filePath = f.file_path;
             const indexedHash = f.file_hash;
             if (!indexedHash) continue;
-            const full = path.resolve(projectRoot, filePath);
+            const candidate = path.resolve(normalizedRoot, filePath);
+            let full;
+            try { full = fs.realpathSync(candidate); }
+            catch (_) { missing.push(filePath); continue; }
+            const relInside = path.relative(normalizedRoot, full);
+            if (!relInside || relInside.startsWith('..') || path.isAbsolute(relInside)) {
+                missing.push(filePath); // indexed path escapes root
+                continue;
+            }
             let content;
             try {
                 content = fs.readFileSync(full, 'utf8');
@@ -1808,11 +1860,27 @@ class CFMemoryMCP {
             // files because path.resolve treats absolute file_paths as-is and
             // doesn't enforce ancestry. This is a security finding from codex
             // review; fix before reading anything off disk.
-            const normalizedRoot = path.resolve(projectRoot);
-            const resolvedFull = path.resolve(normalizedRoot, filePath);
-            // Path must be strictly under the project root. `relative` returns
-            // an empty string for the root itself and a `..`-prefixed string
-            // for anything outside.
+            //
+            // Also dereference symlinks via fs.realpathSync — without this,
+            // an attacker could create a symlink inside the project root
+            // pointing at /etc/passwd and the relative-path check would
+            // still pass (the symlink itself is in-root). realpath gives
+            // the underlying target which we then check the same way.
+            const normalizedRoot = (() => {
+                try { return fs.realpathSync(path.resolve(projectRoot)); }
+                catch (_) { return path.resolve(projectRoot); }
+            })();
+            const candidateFull = path.resolve(normalizedRoot, filePath);
+            let resolvedFull;
+            try {
+                resolvedFull = fs.realpathSync(candidateFull);
+            } catch (_) {
+                return false; // doesn't exist or unreadable
+            }
+            // Path must be strictly under the (real) project root. `relative`
+            // returns an empty string for the root itself and a `..`-prefixed
+            // string for anything outside. Use the realpath of both sides so
+            // symlinks can't smuggle the target out of the root.
             const relative = path.relative(normalizedRoot, resolvedFull);
             if (!relative || relative.startsWith('..') || path.isAbsolute(relative)) {
                 _mcpTrace('GFC_LOCAL_REJECT_ESCAPE', `${filePath} -> ${resolvedFull} escapes root ${normalizedRoot}`);
@@ -1856,7 +1924,11 @@ class CFMemoryMCP {
             const language = extToLang[ext] || null;
             const payload = {
-                file_path: path.relative(projectRoot, resolvedFull) || path.basename(resolvedFull),
+                // Use normalizedRoot (the realpath'd root) to match resolvedFull
+                // (also realpath'd). Using the original projectRoot here gave
+                // weird relative paths on macOS where /tmp is a symlink to
+                // /private/tmp.
+                file_path: path.relative(normalizedRoot, resolvedFull) || path.basename(resolvedFull),
                 language,
                 total_lines: totalLines,
                 size_bytes: stat.size,
@@ -1892,11 +1964,25 @@ class CFMemoryMCP {
             // Try to find a local project root. We watch CF_MEMORY_WATCH_PATH
             // (when auto-watch is on) or fall back to the cwd.
-            const root = process.env.CF_MEMORY_WATCH_PATH || process.cwd();
+            const rawRoot = process.env.CF_MEMORY_WATCH_PATH || process.cwd();
+            // Realpath + relative-path check — same defense as
+            // maybeServeLocalFileContent. Server-supplied file_paths SHOULD be
+            // relative-to-root, but if an old or buggy index stored an
+            // absolute or escaping path, we'd otherwise read it (and reveal
+            // its hash via the stale flag).
+            const root = (() => {
+                try { return fs.realpathSync(rawRoot); }
+                catch (_) { return rawRoot; }
+            })();
             const stalePaths = new Set();
             for (const r of results) {
                 if (!r || !r.file_path || !r.indexed_file_hash) continue;
-                const full = path.resolve(root, r.file_path);
+                const candidate = path.resolve(root, r.file_path);
+                let full;
+                try { full = fs.realpathSync(candidate); }
+                catch (_) { continue; }
+                const relInside = path.relative(root, full);
+                if (!relInside || relInside.startsWith('..') || path.isAbsolute(relInside)) continue;
                 let content;
                 try { content = fs.readFileSync(full, 'utf8'); } catch (_) { continue; }
                 // SHA-256 hex of UTF-8 content. Matches the server's hashContent().

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
 	"name": "cf-memory-mcp",
-	"version": "3.9.5",
+	"version": "3.9.7",
 	"description": "Cloudflare-hosted MCP server for code indexing, retrieval, and assistant memory with a direct remote MCP endpoint and local stdio bridge.",
 	"main": "bin/cf-memory-mcp.js",
 	"bin": {