mcp-searxng 1.1.1 → 1.2.1

package/README.md

@@ -41,9 +41,10 @@ Replace `YOUR_SEARXNG_INSTANCE_URL` with the URL of your SearXNG instance (e.g.
 - **URL Content Reading**: Advanced content extraction with pagination, section filtering, and heading extraction.
 - **Intelligent Caching**: URL content is cached with TTL (Time-To-Live) to improve performance and reduce redundant requests.
 - **Pagination**: Control which page of results to retrieve.
-- **Time Filtering**: Filter results by time range (day, month, year).
+- **Time Filtering**: Filter results by time range (day, week, month, year).
 - **Language Selection**: Filter results by preferred language.
 - **Safe Search**: Control content filtering level for search results.
+- **Relevance Filtering**: Filter out low-scoring search results with `min_score`.
 
 ## How It Works
 
@@ -68,9 +69,10 @@ AI Assistant (e.g. Claude)
   - Inputs:
     - `query` (string): The search query. This string is passed to external search services.
     - `pageno` (number, optional): Search page number, starts at 1 (default 1)
-    - `time_range` (string, optional): Filter results by time range - one of: "day", "month", "year" (default: none)
+    - `time_range` (string, optional): Filter results by time range - one of: "day", "week", "month", "year" (default: none)
     - `language` (string, optional): Language code for results (e.g., "en", "fr", "de") or "all" (default: "all")
     - `safesearch` (number, optional): Safe search filter level (0: None, 1: Moderate, 2: Strict) (default: instance setting)
+    - `min_score` (number, optional): Minimum relevance score from 0.0 to 1.0. Results below this score are filtered out.
 
 - **web_url_read**
   - Read and convert the content from a URL to markdown with advanced content extraction options

package/dist/cache.js

@@ -11,6 +11,7 @@ class SimpleCache {
         this.cleanupInterval = setInterval(() => {
             this.cleanupExpired();
         }, cleanupIntervalMs);
+        this.cleanupInterval.unref();
     }
     cleanupExpired() {
         const now = Date.now();

package/dist/index.d.ts

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
 import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
-declare const packageVersion = "1.1.1";
+declare const packageVersion = "1.2.1";
 export { packageVersion };
 export declare function isWebUrlReadArgs(args: unknown): args is {
     url: string;

package/dist/index.js

@@ -1,4 +1,6 @@
 #!/usr/bin/env node
+import { fileURLToPath } from "node:url";
+import { realpathSync } from "node:fs";
 import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
 import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
 import { CallToolRequestSchema, ListToolsRequestSchema, SetLevelRequestSchema, ListResourcesRequestSchema, ListResourceTemplatesRequestSchema, ReadResourceRequestSchema, } from "@modelcontextprotocol/sdk/types.js";
@@ -10,7 +12,17 @@ import { fetchAndConvertToMarkdown } from "./url-reader.js";
 import { createConfigResource, createHelpResource } from "./resources.js";
 import { createHttpServer, resolveBindHost } from "./http-server.js";
 // Use a static version string that will be updated by the version script
-const packageVersion = "1.1.1";
+const packageVersion = "1.2.1";
+const isMainModule = (() => {
+    if (process.argv[1] === undefined)
+        return false;
+    try {
+        return fileURLToPath(import.meta.url) === realpathSync(process.argv[1]);
+    }
+    catch {
+        return false;
+    }
+})();
 // Export the version for use in other modules
 export { packageVersion };
 // Type guard for URL reading args
@@ -77,7 +89,7 @@ export function createMcpServer() {
                 if (!isSearXNGWebSearchArgs(args)) {
                     throw new Error("Invalid arguments for web search");
                 }
-                const result = await performWebSearch(mcpServer, args.query, args.pageno, args.time_range, args.language, args.safesearch);
+                const result = await performWebSearch(mcpServer, args.query, args.pageno, args.time_range, args.language, args.safesearch, args.min_score);
                 return {
                     content: [
                         {
@@ -238,17 +250,18 @@ async function main() {
         logMessage(mcpServer, "info", `SearXNG URL: ${process.env.SEARXNG_URL || 'not configured'}`);
     }
 }
-// Handle uncaught errors
-process.on('uncaughtException', (error) => {
-    console.error('Uncaught Exception:', error);
-    process.exit(1);
-});
-process.on('unhandledRejection', (reason, promise) => {
-    console.error('Unhandled Rejection at:', promise, 'reason:', reason);
-    process.exit(1);
-});
-// Start the server (CLI entrypoint)
-main().catch((error) => {
-    console.error("Failed to start server:", error);
-    process.exit(1);
-});
+if (isMainModule) {
+    // Handle uncaught errors for the CLI entrypoint.
+    process.on('uncaughtException', (error) => {
+        console.error('Uncaught Exception:', error);
+        process.exit(1);
+    });
+    process.on('unhandledRejection', (reason, promise) => {
+        console.error('Unhandled Rejection at:', promise, 'reason:', reason);
+        process.exit(1);
+    });
+    main().catch((error) => {
+        console.error("Failed to start server:", error);
+        process.exit(1);
+    });
+}

package/dist/resources.js

@@ -43,9 +43,10 @@ Performs web searches using the configured SearXNG instance.
 **Parameters:**
 - \`query\` (required): The search query string
 - \`pageno\` (optional): Page number (default: 1)
-- \`time_range\` (optional): Filter by time - "day", "month", or "year"
+- \`time_range\` (optional): Filter by time - "day", "week", "month", or "year"
 - \`language\` (optional): Language code like "en", "fr", "de" (default: "all")
 - \`safesearch\` (optional): Safe search level - 0 (none), 1 (moderate), 2 (strict)
+- \`min_score\` (optional): Minimum relevance score from 0.0 to 1.0
 
 ### 2. web_url_read
 Reads and converts web page content to Markdown format.
@@ -63,6 +64,10 @@ Reads and converts web page content to Markdown format.
 - \`HTTP_PROXY\` / \`HTTPS_PROXY\`: Proxy server configuration
 - \`NO_PROXY\` / \`no_proxy\`: Comma-separated list of hosts to bypass proxy
 - \`MCP_HTTP_PORT\`: Enable HTTP transport on specified port
+- \`MCP_HTTP_ALLOW_PRIVATE_URLS\`: Allow \`web_url_read\` to fetch private/internal URLs. Disabled by default in all modes.
+
+### URL Reader Security
+\`web_url_read\` blocks private/internal URLs and redirects to private/internal URLs by default. Set \`MCP_HTTP_ALLOW_PRIVATE_URLS=true\` only when internal URL reads are intentional.
 
 ## Transport Modes
 

package/dist/search.d.ts

@@ -1,2 +1,2 @@
 import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
-export declare function performWebSearch(mcpServer: McpServer, query: string, pageno?: number, time_range?: string, language?: string, safesearch?: number): Promise<string>;
+export declare function performWebSearch(mcpServer: McpServer, query: string, pageno?: number, time_range?: string, language?: string, safesearch?: number, min_score?: number): Promise<string>;

package/dist/search.js

@@ -1,7 +1,7 @@
 import { createProxyAgent, createDefaultAgent, ProxyType } from "./proxy.js";
 import { logMessage } from "./logging.js";
 import { MCPSearXNGError, validateEnvironment, createNetworkError, createServerError, createJSONError, createDataError, createNoResultsMessage } from "./error-handler.js";
-export async function performWebSearch(mcpServer, query, pageno = 1, time_range, language = "all", safesearch) {
+export async function performWebSearch(mcpServer, query, pageno = 1, time_range, language = "all", safesearch, min_score) {
     const startTime = Date.now();
     // Build detailed log message with all parameters
     const searchParams = [
@@ -23,7 +23,7 @@ export async function performWebSearch(mcpServer, query, pageno = 1, time_range,
     url.searchParams.set("format", "json");
     url.searchParams.set("pageno", pageno.toString());
     if (time_range !== undefined &&
-        ["day", "month", "year"].includes(time_range)) {
+        ["day", "week", "month", "year"].includes(time_range)) {
         url.searchParams.set("time_range", time_range);
     }
     if (language && language !== "all") {
@@ -110,14 +110,17 @@ export async function performWebSearch(mcpServer, query, pageno = 1, time_range,
         const context = { url: url.toString(), query };
         throw createDataError(data, context);
     }
-    const results = data.results.map((result) => ({
+    const results = data.results
+        .map((result) => ({
         title: result.title || "",
         content: result.content || "",
         url: result.url || "",
         score: result.score || 0,
-    }));
+    }))
+        .filter((result) => min_score === undefined || result.score >= min_score);
     if (results.length === 0) {
-        logMessage(mcpServer, "info", `No results found for query: "${query}"`);
+        const filterNote = min_score === undefined ? "" : ` after applying min_score=${min_score}`;
+        logMessage(mcpServer, "info", `No results found for query: "${query}"${filterNote}`);
         return createNoResultsMessage(query);
     }
     const duration = Date.now() - startTime;

package/dist/tls-config.js

@@ -22,8 +22,10 @@ export function getSystemCACerts() {
         return null;
     }
     for (const caPath of CA_BUNDLE_PATHS) {
+        // eslint-disable-next-line security/detect-non-literal-fs-filename
         if (existsSync(caPath)) {
             try {
+                // eslint-disable-next-line security/detect-non-literal-fs-filename
                 return readFileSync(caPath, "utf8");
             }
             catch {

package/dist/types.d.ts

@@ -13,6 +13,7 @@ export declare function isSearXNGWebSearchArgs(args: unknown): args is {
     time_range?: string;
     language?: string;
     safesearch?: number;
+    min_score?: number;
 };
 export declare const WEB_SEARCH_TOOL: Tool;
 export declare const READ_URL_TOOL: Tool;

package/dist/types.js

@@ -1,8 +1,35 @@
+const VALID_TIME_RANGES = ["day", "week", "month", "year"];
+const VALID_SAFESEARCH_VALUES = [0, 1, 2];
 export function isSearXNGWebSearchArgs(args) {
-    return (typeof args === "object" &&
-        args !== null &&
-        "query" in args &&
-        typeof args.query === "string");
+    if (typeof args !== "object" ||
+        args === null ||
+        !("query" in args) ||
+        typeof args.query !== "string") {
+        return false;
+    }
+    const searchArgs = args;
+    if (searchArgs.pageno !== undefined && (typeof searchArgs.pageno !== "number" || searchArgs.pageno < 1)) {
+        return false;
+    }
+    if (searchArgs.time_range !== undefined &&
+        (typeof searchArgs.time_range !== "string" || !VALID_TIME_RANGES.includes(searchArgs.time_range))) {
+        return false;
+    }
+    if (searchArgs.language !== undefined && typeof searchArgs.language !== "string") {
+        return false;
+    }
+    if (searchArgs.safesearch !== undefined &&
+        (typeof searchArgs.safesearch !== "number" || !VALID_SAFESEARCH_VALUES.includes(searchArgs.safesearch))) {
+        return false;
+    }
+    if (searchArgs.min_score !== undefined &&
+        (typeof searchArgs.min_score !== "number" ||
+            Number.isNaN(searchArgs.min_score) ||
+            searchArgs.min_score < 0 ||
+            searchArgs.min_score > 1)) {
+        return false;
+    }
+    return true;
 }
 export const WEB_SEARCH_TOOL = {
     name: "searxng_web_search",
@@ -29,8 +56,8 @@ export const WEB_SEARCH_TOOL = {
             },
             time_range: {
                 type: "string",
-                description: "Time range of search (day, month, year)",
-                enum: ["day", "month", "year"],
+                description: "Time range of search (day, week, month, year)",
+                enum: ["day", "week", "month", "year"],
             },
             language: {
                 type: "string",
@@ -43,6 +70,12 @@ export const WEB_SEARCH_TOOL = {
                 enum: [0, 1, 2],
                 default: 0,
             },
+            min_score: {
+                type: "number",
+                description: "Minimum relevance score threshold from 0.0 to 1.0. Results below this score are filtered out.",
+                minimum: 0,
+                maximum: 1,
+            },
         },
         required: ["query"],
     },

package/dist/url-reader.js

@@ -6,6 +6,8 @@ import { logMessage } from "./logging.js";
 import { urlCache } from "./cache.js";
 import { getHttpSecurityConfig } from "./http-security.js";
 import { createURLFormatError, createURLSecurityPolicyError, createNetworkError, createServerError, createContentError, createConversionError, createTimeoutError, createEmptyContentWarning, createUnexpectedError } from "./error-handler.js";
+const REDIRECT_STATUS_CODES = new Set([301, 302, 303, 307, 308]);
+const MAX_REDIRECTS = 5;
 function isPrivateHostname(hostname) {
     const lower = hostname.toLowerCase().replace(/\.+$/, "");
     return lower === "localhost" || lower.endsWith(".localhost");
@@ -14,7 +16,8 @@ function isPrivateIpv4(hostname) {
     if (isIP(hostname) !== 4) {
         return false;
     }
-    return (hostname.startsWith("10.") ||
+    return (hostname.startsWith("0.") ||
+        hostname.startsWith("10.") ||
         hostname.startsWith("127.") ||
         hostname.startsWith("192.168.") ||
         /^172\.(1[6-9]|2\d|3[0-1])\./.test(hostname) ||
@@ -39,17 +42,28 @@ function isPrivateIPv6(hostname) {
     const mapped = addr.match(/^::ffff:(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$/);
     if (mapped)
         return isPrivateIpv4(mapped[1]);
+    // IPv4-mapped ::ffff:<hhhh>:<hhhh> — convert the hex segments to dotted decimal
+    const hexMapped = addr.match(/^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/);
+    if (hexMapped) {
+        const high = parseInt(hexMapped[1], 16);
+        const low = parseInt(hexMapped[2], 16);
+        const ipv4 = `${high >> 8}.${high & 0xff}.${low >> 8}.${low & 0xff}`;
+        return isPrivateIpv4(ipv4);
+    }
     return false;
 }
 function assertUrlAllowed(url) {
     const security = getHttpSecurityConfig();
-    if (!security.harden || security.allowPrivateUrls) {
+    if (security.allowPrivateUrls) {
         return;
     }
     if (isPrivateHostname(url.hostname) || isPrivateIpv4(url.hostname) || isPrivateIPv6(url.hostname)) {
         throw createURLSecurityPolicyError(url.toString());
     }
 }
+function isRedirectResponse(response) {
+    return REDIRECT_STATUS_CODES.has(response.status);
+}
 function applyCharacterPagination(content, startChar = 0, maxLength) {
     if (startChar >= content.length) {
         return "";
@@ -58,18 +72,15 @@ function applyCharacterPagination(content, startChar = 0, maxLength) {
     const end = maxLength ? Math.min(content.length, start + maxLength) : content.length;
     return content.slice(start, end);
 }
-function escapeRegExp(str) {
-    return str.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
-}
 function extractSection(markdownContent, sectionHeading) {
     const lines = markdownContent.split('\n');
-    const sectionRegex = new RegExp(`^#{1,6}\\s*.*${escapeRegExp(sectionHeading)}.*$`, 'i');
+    const normalizedHeading = sectionHeading.toLowerCase();
     let startIndex = -1;
     let currentLevel = 0;
-    // Find the section start
+    // Find the section start — string match avoids RegExp constructor with user input
     for (let i = 0; i < lines.length; i++) {
         const line = lines[i];
-        if (sectionRegex.test(line)) {
+        if (/^#{1,6}\s/.test(line) && line.toLowerCase().includes(normalizedHeading)) {
             startIndex = i;
             currentLevel = (line.match(/^#+/) || [''])[0].length;
             break;
@@ -93,6 +104,7 @@ function extractSection(markdownContent, sectionHeading) {
 function extractParagraphRange(markdownContent, range) {
     const paragraphs = markdownContent.split('\n\n').filter(p => p.trim().length > 0);
     // Parse range (e.g., "1-5", "3", "10-")
+    // eslint-disable-next-line security/detect-unsafe-regex
     const rangeMatch = range.match(/^(\d+)(?:-(\d*))?$/);
     if (!rangeMatch) {
         return "";
@@ -176,16 +188,11 @@ export async function fetchAndConvertToMarkdown(mcpServer, url, timeoutMs = 1000
     const controller = new AbortController();
     const timeoutId = setTimeout(() => controller.abort(), timeoutMs);
     try {
-        // Prepare request options with proxy support
+        // Prepare base request options with proxy support
         const requestOptions = {
             signal: controller.signal,
+            redirect: "manual",
         };
-        // Add proxy or default dispatcher (includes system CA certs for TLS)
-        const proxyAgent = createProxyAgent(url, ProxyType.URL_READER);
-        const dispatcher = proxyAgent ?? createDefaultAgent();
-        if (dispatcher) {
-            requestOptions.dispatcher = dispatcher;
-        }
         // Add User-Agent header if configured (URL_READER_USER_AGENT takes priority over USER_AGENT)
         const userAgent = process.env.URL_READER_USER_AGENT || process.env.USER_AGENT;
         if (userAgent) {
@@ -195,17 +202,47 @@ export async function fetchAndConvertToMarkdown(mcpServer, url, timeoutMs = 1000
             };
         }
         let response;
+        let currentUrl = parsedUrl;
+        let usedDispatcher = false;
         try {
-            // Fetch the URL with the abort signal.
-            // Use undici's own fetch so it shares the same internal version as the
-            // Agent/ProxyAgent dispatcher — avoids the Node.js bundled-undici vs
-            // npm-undici version mismatch that breaks Content-Encoding decompression.
-            response = await undiciFetch(url, requestOptions);
+            for (let redirects = 0; redirects <= MAX_REDIRECTS; redirects++) {
+                // Add proxy or default dispatcher (includes system CA certs for TLS)
+                const proxyAgent = createProxyAgent(currentUrl.toString(), ProxyType.URL_READER);
+                const dispatcher = proxyAgent ?? createDefaultAgent();
+                usedDispatcher = !!dispatcher;
+                const currentRequestOptions = {
+                    ...requestOptions,
+                };
+                if (dispatcher) {
+                    currentRequestOptions.dispatcher = dispatcher;
+                }
+                // Fetch the URL with the abort signal.
+                // Use undici's own fetch so it shares the same internal version as the
+                // Agent/ProxyAgent dispatcher — avoids the Node.js bundled-undici vs
+                // npm-undici version mismatch that breaks Content-Encoding decompression.
+                response = await undiciFetch(currentUrl.toString(), currentRequestOptions);
+                if (!isRedirectResponse(response)) {
+                    break;
+                }
+                const location = response.headers.get("location");
+                if (!location) {
+                    break;
+                }
+                if (redirects === MAX_REDIRECTS) {
+                    throw createContentError(`Too many redirects while fetching URL: ${url}`, url);
+                }
+                const nextUrl = new URL(location, currentUrl);
+                assertUrlAllowed(nextUrl);
+                currentUrl = nextUrl;
+            }
         }
         catch (error) {
+            if (error.name === 'MCPSearXNGError') {
+                throw error;
+            }
             const context = {
-                url,
-                proxyAgent: !!dispatcher,
+                url: currentUrl.toString(),
+                proxyAgent: usedDispatcher,
                 timeout: timeoutMs
             };
             throw createNetworkError(error, context);

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "mcp-searxng",
-    "version": "1.1.1",
+    "version": "1.2.1",
     "mcpName": "io.github.ihor-sokoliuk/mcp-searxng",
     "description": "MCP server for SearXNG integration",
     "license": "MIT",
@@ -42,6 +42,8 @@
         "bootstrap": "npm install && npm run build",
         "inspector": "DANGEROUSLY_OMIT_AUTH=true npx @modelcontextprotocol/inspector node dist/index.js",
         "lint": "eslint src __tests__",
+        "audit:deps": "npm audit --audit-level=moderate",
+        "security": "npm run lint && npm run audit:deps",
         "postversion": "TAG=$(node scripts/update-version.js | tail -1) && git add src/index.ts .mcp/server.json && git commit --amend --no-edit && git tag -f $TAG"
     },
     "dependencies": {
@@ -61,6 +63,7 @@
         "c8": "^11.0.0",
         "cross-env": "^10.1.0",
         "eslint": "^10.1.0",
+        "eslint-plugin-security": "^4.0.0",
         "shx": "^0.4.0",
         "supertest": "^7.2.2",
         "tsx": "^4.21.0",