npm - cf-memory-mcp - Versions diffs - 3.9.6 → 3.9.7 - Mend

cf-memory-mcp 3.9.6 → 3.9.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/bin/cf-memory-mcp.js +71 -5
package/package.json +1 -1

package/bin/cf-memory-mcp.js CHANGED Viewed

@@ -867,11 +867,29 @@ class CFMemoryMCP {
         // Read each file locally. Note: uploadFileBatch expects `relativePath`
         // (not `path`) — it maps to `file_path` server-side.
+        //
+        // Confine each file to project_root with the same realpath-aware
+        // check used in maybeServeLocalFileContent. Without this, an
+        // attacker could pass file_paths: ["/etc/hosts"] and pollute the
+        // indexed corpus with arbitrary local files. Same vulnerability
+        // class as the get_file_content fix (codex review).
+        const normalizedRoot = (() => {
+            try { return fs.realpathSync(projectRoot); }
+            catch (_) { return projectRoot; }
+        })();
         const files = [];
         const skipped = [];
         for (const rel of filePaths) {
             try {
-                const full = path.resolve(projectRoot, rel);
+                const candidate = path.resolve(normalizedRoot, rel);
+                let full;
+                try { full = fs.realpathSync(candidate); }
+                catch (_) { skipped.push({ path: rel, reason: 'not readable' }); continue; }
+                const relInside = path.relative(normalizedRoot, full);
+                if (!relInside || relInside.startsWith('..') || path.isAbsolute(relInside)) {
+                    skipped.push({ path: rel, reason: 'path escapes project_root' });
+                    continue;
+                }
                 const stat = fs.statSync(full);
                 if (!stat.isFile()) {
                     skipped.push({ path: rel, reason: 'not a file' });
@@ -964,6 +982,15 @@ class CFMemoryMCP {
         // Each file in the list already carries file_hash + indexed_at
         // (list_files was extended to return them), so we don't need any
         // additional server roundtrips. Just hash the local files.
+        //
+        // Defense in depth: indexed file_paths SHOULD be relative-to-root,
+        // but if a previous-version bridge indexed an absolute path, this
+        // loop would have read /etc/hosts to compare hashes. Confine to the
+        // project root via realpath check just like get_file_content.
+        const normalizedRoot = (() => {
+            try { return fs.realpathSync(projectRoot); }
+            catch (_) { return projectRoot; }
+        })();
         const stale = [];
         const missing = [];
         const fresh = [];
@@ -973,7 +1000,18 @@ class CFMemoryMCP {
             const indexedAt = f.indexed_at;
             if (!indexedHash) continue;
-            const full = path.resolve(projectRoot, filePath);
+            const candidate = path.resolve(normalizedRoot, filePath);
+            let full;
+            try { full = fs.realpathSync(candidate); }
+            catch (_) {
+                missing.push({ file_path: filePath, indexed_at: indexedAt, reason: 'file missing locally' });
+                continue;
+            }
+            const relInside = path.relative(normalizedRoot, full);
+            if (!relInside || relInside.startsWith('..') || path.isAbsolute(relInside)) {
+                missing.push({ file_path: filePath, indexed_at: indexedAt, reason: 'indexed path escapes project_root (skipped for safety)' });
+                continue;
+            }
             let content;
             try {
                 content = fs.readFileSync(full, 'utf8');
@@ -1049,13 +1087,27 @@ class CFMemoryMCP {
             return respond({ error: 'Failed to list indexed files' });
         }
+        // Same defense as handleFindStaleFiles: confine indexed file_paths
+        // to the project root via realpath check.
+        const normalizedRoot = (() => {
+            try { return fs.realpathSync(projectRoot); }
+            catch (_) { return projectRoot; }
+        })();
         const staleFiles = [];
         const missing = [];
         for (const f of filesList) {
             const filePath = f.file_path;
             const indexedHash = f.file_hash;
             if (!indexedHash) continue;
-            const full = path.resolve(projectRoot, filePath);
+            const candidate = path.resolve(normalizedRoot, filePath);
+            let full;
+            try { full = fs.realpathSync(candidate); }
+            catch (_) { missing.push(filePath); continue; }
+            const relInside = path.relative(normalizedRoot, full);
+            if (!relInside || relInside.startsWith('..') || path.isAbsolute(relInside)) {
+                missing.push(filePath); // indexed path escapes root
+                continue;
+            }
             let content;
             try {
                 content = fs.readFileSync(full, 'utf8');
@@ -1912,11 +1964,25 @@ class CFMemoryMCP {
             // Try to find a local project root. We watch CF_MEMORY_WATCH_PATH
             // (when auto-watch is on) or fall back to the cwd.
-            const root = process.env.CF_MEMORY_WATCH_PATH || process.cwd();
+            const rawRoot = process.env.CF_MEMORY_WATCH_PATH || process.cwd();
+            // Realpath + relative-path check — same defense as
+            // maybeServeLocalFileContent. Server-supplied file_paths SHOULD be
+            // relative-to-root, but if an old or buggy index stored an
+            // absolute or escaping path, we'd otherwise read it (and reveal
+            // its hash via the stale flag).
+            const root = (() => {
+                try { return fs.realpathSync(rawRoot); }
+                catch (_) { return rawRoot; }
+            })();
             const stalePaths = new Set();
             for (const r of results) {
                 if (!r || !r.file_path || !r.indexed_file_hash) continue;
-                const full = path.resolve(root, r.file_path);
+                const candidate = path.resolve(root, r.file_path);
+                let full;
+                try { full = fs.realpathSync(candidate); }
+                catch (_) { continue; }
+                const relInside = path.relative(root, full);
+                if (!relInside || relInside.startsWith('..') || path.isAbsolute(relInside)) continue;
                 let content;
                 try { content = fs.readFileSync(full, 'utf8'); } catch (_) { continue; }
                 // SHA-256 hex of UTF-8 content. Matches the server's hashContent().

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
 	"name": "cf-memory-mcp",
-	"version": "3.9.6",
+	"version": "3.9.7",
 	"description": "Cloudflare-hosted MCP server for code indexing, retrieval, and assistant memory with a direct remote MCP endpoint and local stdio bridge.",
 	"main": "bin/cf-memory-mcp.js",
 	"bin": {