drupal-mcp-connector 0.9.0 → 0.9.1

package/CHANGELOG.md

@@ -7,6 +7,22 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.9.1] - 2026-06-15
+
+### Security
+- Validate and URL-encode JSON:API path segments. The entity `id` is now checked
+  with `validateUuid` and `entityType`/`bundle` with `validateMachineName` (both
+  previously unused), and every segment is `encodeURIComponent`'d. This closes a
+  path-traversal vector where a crafted `id` (e.g. `../../user/user/<uuid>`) could
+  reach a different resource type and bypass the connector's entity-type/PII
+  policy. (Drupal core permissions were always still enforced.)
+
+### Added
+- A [Threat Model](docs/threat-model.md) documenting trust boundaries, threats &
+  mitigations, residual risks (drush SQL bridge; why filter-field names are not
+  machine-name-validated), and the 1.0 security-pass results (`npm audit` clean,
+  adversarial review).
+
 ## [0.9.0] - 2026-06-15
 
 ### Added
@@ -213,6 +229,7 @@ The connector is now **dual-protocol**: every tool runs against an abstract back
 - User tools gained explicit PII-access assertions.
 - Whole tree lint-clean (`npm run lint`) with object-injection sinks rewritten to safe lookups.
 
+[0.9.1]: https://github.com/Wilkes-Liberty/drupal-mcp-connector/releases/tag/v0.9.1
 [0.9.0]: https://github.com/Wilkes-Liberty/drupal-mcp-connector/releases/tag/v0.9.0
 [0.8.0]: https://github.com/Wilkes-Liberty/drupal-mcp-connector/releases/tag/v0.8.0
 [0.7.1]: https://github.com/Wilkes-Liberty/drupal-mcp-connector/releases/tag/v0.7.1

package/README.md

@@ -177,6 +177,7 @@ Governance keys off the authenticated account's role and OAuth scopes — not re
 | [Tools Reference](docs/tools-reference.md) | Full reference for all 66 tools |
 | [Security Guide](docs/security.md) | Presets, entity access control, field redaction |
 | [Security Hardening](docs/security-hardening.md) | Optional transport, identity, and secrets controls |
+| [Threat Model](docs/threat-model.md) | Trust boundaries, threats & mitigations, residual risks, and the security-pass results |
 | [Deployment](docs/deployment.md) | Run the HTTPS transport in production: Docker, systemd, launchd, reverse proxy, pre-exposure checklist |
 | [Integration Contract](docs/integration-contract.md) | The connector ↔ Drupal-governance contract (identity, OAuth scopes, compatibility) |
 | [Versioning & Stability](docs/versioning.md) | Semver policy: the stable surface, deprecation process, MCP protocol + Node support |

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "drupal-mcp-connector",
-  "version": "0.9.0",
+  "version": "0.9.1",
   "description": "A secure, multi-site Model Context Protocol (MCP) connector for Drupal — dual-protocol JSON:API and GraphQL.",
   "type": "module",
   "main": "src/index.js",

package/src/lib/backends/jsonapi.js

@@ -8,6 +8,7 @@
  */
 
 import { drupalFetch, drupalUploadFile } from "../drupal-fetch.js";
+import { validateUuid, validateMachineName } from "../validate.js";
 import { Backend } from "./backend-interface.js";
 import {
   makeCanonicalEntity,
@@ -132,7 +133,12 @@ export class JsonApiBackend extends Backend {
    * @returns {string} e.g. "/jsonapi/node/article".
    */
   resourcePath(entityType, bundle) {
-    return `/jsonapi/${entityType}/${bundle}`;
+    // Validate before interpolating into the URL: machine names cannot contain
+    // path separators or `..`, so this blocks path-traversal to other resources
+    // (e.g. id="../../user/user/…"). Encoding is belt-and-suspenders.
+    validateMachineName(entityType, "entityType");
+    validateMachineName(bundle, "bundle");
+    return `/jsonapi/${encodeURIComponent(entityType)}/${encodeURIComponent(bundle)}`;
   }
 
   /**
@@ -219,7 +225,8 @@ export class JsonApiBackend extends Backend {
    * @returns {Promise<?import("../canonical.js").CanonicalEntity>} Entity, or null.
    */
   async getEntity({ entityType, bundle, id }) {
-    const data = await drupalFetch(this.site, `${this.resourcePath(entityType, bundle)}/${id}`);
+    validateUuid(id);
+    const data = await drupalFetch(this.site, `${this.resourcePath(entityType, bundle)}/${encodeURIComponent(id)}`);
     return data?.data ? this.toCanonical(data.data) : null;
   }
 
@@ -275,12 +282,13 @@ export class JsonApiBackend extends Backend {
    * @returns {Promise<import("../canonical.js").CanonicalEntity>} The updated entity.
    */
   async updateEntity({ entityType, bundle, id, attributes = {}, relationships }) {
+    validateUuid(id);
     const buildPayload = (attrs) => {
       const payload = { data: { type: `${entityType}--${bundle}`, id, attributes: attrs } };
       if (relationships) payload.data.relationships = relationships;
       return payload;
     };
-    const data = await this.writeWithModerationFallback(`${this.resourcePath(entityType, bundle)}/${id}`, "PATCH", buildPayload, attributes);
+    const data = await this.writeWithModerationFallback(`${this.resourcePath(entityType, bundle)}/${encodeURIComponent(id)}`, "PATCH", buildPayload, attributes);
     return this.toCanonical(data.data);
   }
 
@@ -290,7 +298,8 @@ export class JsonApiBackend extends Backend {
    * @returns {Promise<void>}
    */
   async deleteEntity({ entityType, bundle, id }) {
-    await drupalFetch(this.site, `${this.resourcePath(entityType, bundle)}/${id}`, { method: "DELETE" });
+    validateUuid(id);
+    await drupalFetch(this.site, `${this.resourcePath(entityType, bundle)}/${encodeURIComponent(id)}`, { method: "DELETE" });
   }
 
   /**