fast-context-mcp 1.1.1 → 1.1.3

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "fast-context-mcp",
-  "version": "1.1.1",
+  "version": "1.1.3",
   "description": "AI-driven semantic code search MCP server (Node.js)",
   "type": "module",
   "main": "src/server.mjs",

package/src/core.mjs

@@ -12,7 +12,7 @@
  */
 
 import { readdirSync, existsSync, statSync } from "node:fs";
-import { resolve, join, relative, sep } from "node:path";
+import { resolve, join, relative, sep, isAbsolute } from "node:path";
 import { gzipSync } from "node:zlib";
 import { randomUUID } from "node:crypto";
 import { platform, arch, release, version as osVersion, hostname, cpus, totalmem } from "node:os";
@@ -934,7 +934,8 @@ function _parseAnswer(xmlText, projectRoot) {
 
     // Path safety: reject traversal attempts (../) and paths outside project root
     const fullPath = resolve(projectRoot, rel);
-    if (!fullPath.startsWith(resolvedRoot + sep) && fullPath !== resolvedRoot) {
+    const relToRoot = relative(resolvedRoot, fullPath);
+    if (relToRoot === ".." || relToRoot.startsWith(`..${sep}`) || isAbsolute(relToRoot)) {
       continue;
     }
 

package/src/executor.mjs

@@ -52,6 +52,10 @@ export class ToolExecutor {
    * @returns {string}
    */
   _real(virtual) {
+    // Guard against undefined/null from malformed AI responses
+    if (virtual == null || typeof virtual !== "string") {
+      return this.root;
+    }
     if (virtual.startsWith("/codebase") || virtual.startsWith("\\codebase")) {
       const rel = virtual.slice("/codebase".length).replace(/^[\/\\]+/, "");
       return join(this.root, rel);
@@ -122,6 +126,12 @@ export class ToolExecutor {
    * @returns {Promise<string>}
    */
   async rgAsync(pattern, path, include = null, exclude = null) {
+    if (!pattern || typeof pattern !== "string") {
+      return "Error: missing or invalid pattern";
+    }
+    if (!path || typeof path !== "string") {
+      return "Error: missing or invalid path";
+    }
     this.collectedRgPatterns.push(pattern);
     const rp = this._real(path);
     if (!existsSync(rp)) {
@@ -168,6 +178,12 @@ export class ToolExecutor {
    * @returns {string}
    */
   rg(pattern, path, include = null, exclude = null) {
+    if (!pattern || typeof pattern !== "string") {
+      return "Error: missing or invalid pattern";
+    }
+    if (!path || typeof path !== "string") {
+      return "Error: missing or invalid path";
+    }
     this.collectedRgPatterns.push(pattern);
     const rp = this._real(path);
     if (!existsSync(rp)) {
@@ -215,6 +231,9 @@ export class ToolExecutor {
    * @returns {string}
    */
   readfile(file, startLine = null, endLine = null) {
+    if (!file || typeof file !== "string") {
+      return "Error: missing or invalid file path";
+    }
     const rp = this._real(file);
     try {
       const stat = statSync(rp);
@@ -249,6 +268,9 @@ export class ToolExecutor {
    * @returns {string}
    */
   tree(path, levels = null) {
+    if (!path || typeof path !== "string") {
+      return "Error: missing or invalid path";
+    }
     const rp = this._real(path);
     try {
       const stat = statSync(rp);
@@ -284,6 +306,9 @@ export class ToolExecutor {
    * @returns {string}
    */
   ls(path, longFormat = false, allFiles = false) {
+    if (!path || typeof path !== "string") {
+      return "Error: missing or invalid path";
+    }
     const rp = this._real(path);
     try {
       const stat = statSync(rp);
@@ -341,6 +366,12 @@ export class ToolExecutor {
    * @returns {string}
    */
   glob(pattern, path, typeFilter = "all") {
+    if (!pattern || typeof pattern !== "string") {
+      return "Error: missing or invalid pattern";
+    }
+    if (!path || typeof path !== "string") {
+      return "Error: missing or invalid path";
+    }
     const rp = this._real(path);
 
     // Use recursive readdir + fnmatch since Node 22 globSync may not be available
@@ -378,6 +409,9 @@ export class ToolExecutor {
    * @returns {Promise<string>}
    */
   async execCommandAsync(cmd) {
+    if (!cmd || typeof cmd !== "object") {
+      return "Error: missing or invalid command";
+    }
     const t = cmd.type || "";
     switch (t) {
       case "rg":
@@ -401,6 +435,9 @@ export class ToolExecutor {
    * @returns {string}
    */
   execCommand(cmd) {
+    if (!cmd || typeof cmd !== "object") {
+      return "Error: missing or invalid command";
+    }
     const t = cmd.type || "";
     switch (t) {
       case "rg":
@@ -424,13 +461,14 @@ export class ToolExecutor {
    * @returns {Promise<string>}
    */
   async execToolCallAsync(args) {
+    if (!args || typeof args !== "object") {
+      return "Error: missing or invalid tool args";
+    }
     const keys = Object.keys(args).filter((k) => k.startsWith("command")).sort();
-    const tasks = keys
-      .filter((key) => typeof args[key] === "object")
-      .map(async (key) => {
-        const output = await this.execCommandAsync(args[key]);
-        return `<${key}_result>\n${output}\n</${key}_result>`;
-      });
+    const tasks = keys.map(async (key) => {
+      const output = await this.execCommandAsync(args[key]);
+      return `<${key}_result>\n${output}\n</${key}_result>`;
+    });
     const results = await Promise.all(tasks);
     return results.join("");
   }
@@ -442,12 +480,13 @@ export class ToolExecutor {
    */
   execToolCall(args) {
     const parts = [];
+    if (!args || typeof args !== "object") {
+      return "Error: missing or invalid tool args";
+    }
     const keys = Object.keys(args).filter((k) => k.startsWith("command")).sort();
     for (const key of keys) {
-      if (typeof args[key] === "object") {
-        const output = this.execCommand(args[key]);
-        parts.push(`<${key}_result>\n${output}\n</${key}_result>`);
-      }
+      const output = this.execCommand(args[key]);
+      parts.push(`<${key}_result>\n${output}\n</${key}_result>`);
     }
     return parts.join("");
   }