mcp-wordpress 1.1.7 → 1.2.2

package/src/security/InputValidator.ts

@@ -0,0 +1,319 @@
+/**
+ * Comprehensive Input Validation and Sanitization System
+ * Provides security-focused validation for all MCP tool inputs
+ */
+
+import { z } from 'zod';
+
+// Common validation patterns
+const URL_PATTERN = /^https?:\/\/[^\s<>'"{}|\\^`\[\]]+$/;
+const EMAIL_PATTERN = /^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$/;
+const SLUG_PATTERN = /^[a-z0-9-]+$/;
+const SCRIPT_PATTERN = /<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi;
+const SQL_INJECTION_PATTERN = /('|(\\')|(;)|(\\x00)|(\\n)|(\\r)|(\\x1a)|(\\x22)|(\\x27)|(\\x5c)|(\\x60))/i;
+
+/**
+ * Security validation schemas
+ */
+export const SecuritySchemas = {
+  // Safe string with XSS protection
+  safeString: z.string()
+    .max(10000, 'String too long')
+    .refine(val => !SCRIPT_PATTERN.test(val), 'Script tags not allowed')
+    .refine(val => !val.includes('javascript:'), 'JavaScript URLs not allowed')
+    .refine(val => !val.includes('data:'), 'Data URLs not allowed')
+    .refine(val => !val.includes('onerror='), 'Event handlers not allowed')
+    .refine(val => !val.includes('onload='), 'Event handlers not allowed')
+    .refine(val => !val.includes('onfocus='), 'Event handlers not allowed'),
+
+  // HTML content with basic sanitization
+  htmlContent: z.string()
+    .max(100000, 'Content too long')
+    .refine(val => !SCRIPT_PATTERN.test(val), 'Script tags not allowed')
+    .refine(val => !val.includes('javascript:'), 'JavaScript URLs not allowed')
+    .refine(val => !val.includes('on[a-z]+='), 'Event handlers not allowed'),
+
+  // URL validation
+  url: z.string()
+    .url('Invalid URL format')
+    .regex(URL_PATTERN, 'URL contains invalid characters')
+    .refine(val => !val.includes('javascript:'), 'JavaScript URLs not allowed')
+    .refine(val => !val.includes('data:'), 'Data URLs not allowed'),
+
+  // Email validation
+  email: z.string()
+    .email('Invalid email format')
+    .regex(EMAIL_PATTERN, 'Email contains invalid characters')
+    .max(254, 'Email too long'),
+
+  // Slug validation (for URLs, usernames, etc.)
+  slug: z.string()
+    .min(1, 'Slug cannot be empty')
+    .max(100, 'Slug too long')
+    .regex(SLUG_PATTERN, 'Slug can only contain lowercase letters, numbers, and hyphens'),
+
+  // WordPress post/page content
+  wpContent: z.string()
+    .max(1000000, 'Content too long')
+    .refine(val => !SCRIPT_PATTERN.test(val), 'Script tags not allowed in content')
+    .refine(val => !val.includes('javascript:'), 'JavaScript URLs not allowed'),
+
+  // Site ID validation
+  siteId: z.string()
+    .min(1, 'Site ID cannot be empty')
+    .max(50, 'Site ID too long')
+    .regex(/^[a-zA-Z0-9\-_]+$/, 'Site ID can only contain letters, numbers, hyphens, and underscores'),
+
+  // WordPress ID (numeric)
+  wpId: z.number()
+    .int('ID must be an integer')
+    .positive('ID must be positive')
+    .max(999999999, 'ID too large'),
+
+  // Search query with SQL injection protection
+  searchQuery: z.string()
+    .max(500, 'Search query too long')
+    .refine(val => !SQL_INJECTION_PATTERN.test(val), 'Invalid characters in search query')
+    .refine(val => !val.includes('--'), 'SQL comments not allowed')
+    .refine(val => !val.includes('/*'), 'SQL comments not allowed'),
+
+  // File path validation
+  filePath: z.string()
+    .max(500, 'File path too long')
+    .refine(val => !val.includes('..'), 'Path traversal not allowed')
+    .refine(val => !val.includes('<'), 'Invalid characters in path')
+    .refine(val => !val.includes('>'), 'Invalid characters in path'),
+
+  // Password (for display/logging - never log actual passwords)
+  passwordMask: z.string()
+    .transform(() => '[REDACTED]'),
+
+  // WordPress application password format
+  appPassword: z.string()
+    .regex(/^[a-zA-Z0-9\s]{24}$/, 'Invalid application password format')
+    .transform(val => val.replace(/\s/g, ' ')) // Normalize spaces
+};
+
+/**
+ * Input sanitization functions
+ */
+export class InputSanitizer {
+  /**
+   * Sanitize HTML content by removing dangerous elements
+   */
+  static sanitizeHtml(input: string): string {
+    return input
+      .replace(SCRIPT_PATTERN, '') // Remove script tags
+      .replace(/javascript:/gi, '') // Remove javascript: URLs
+      .replace(/data:/gi, '') // Remove data: URLs
+      .replace(/on[a-z]+\s*=/gi, '') // Remove event handlers
+      .replace(/<iframe[^>]*>/gi, '') // Remove iframes
+      .replace(/<object[^>]*>/gi, '') // Remove objects
+      .replace(/<embed[^>]*>/gi, ''); // Remove embeds
+  }
+
+  /**
+   * Sanitize search queries to prevent SQL injection
+   */
+  static sanitizeSearchQuery(query: string): string {
+    return query
+      .replace(/['"\\;]/g, '') // Remove quotes and backslashes
+      .replace(/--/g, '') // Remove SQL comments
+      .replace(/\/\*/g, '') // Remove SQL comments
+      .replace(/\*/g, '') // Remove wildcards
+      .trim()
+      .substring(0, 500); // Limit length
+  }
+
+  /**
+   * Sanitize file paths to prevent directory traversal
+   */
+  static sanitizeFilePath(path: string): string {
+    return path
+      .replace(/\.\./g, '') // Remove directory traversal
+      .replace(/[<>]/g, '') // Remove angle brackets
+      .replace(/[|&;$`\\]/g, '') // Remove shell metacharacters
+      .trim();
+  }
+
+  /**
+   * Encode output for safe display
+   */
+  static encodeOutput(input: string): string {
+    return input
+      .replace(/&/g, '&amp;')
+      .replace(/</g, '&lt;')
+      .replace(/>/g, '&gt;')
+      .replace(/"/g, '&quot;')
+      .replace(/'/g, '&#x27;');
+  }
+}
+
+/**
+ * Security validation decorator for tool methods
+ */
+export function validateSecurity(schema: z.ZodSchema) {
+  return function (target: any, propertyName: string, descriptor: PropertyDescriptor) {
+    const method = descriptor.value;
+
+    descriptor.value = async function (...args: any[]) {
+      try {
+        // Validate input parameters
+        const params = args[0] || {};
+        const validatedParams = schema.parse(params);
+
+        // Log security validation (without sensitive data)
+        console.log(`Security validation passed for ${propertyName}`, {
+          timestamp: new Date().toISOString(),
+          method: propertyName,
+          paramCount: Object.keys(validatedParams).length
+        });
+
+        // Call original method with validated params
+        return await method.call(this, validatedParams, ...args.slice(1));
+      } catch (error) {
+        // Log security validation failure
+        console.error(`Security validation failed for ${propertyName}`, {
+          timestamp: new Date().toISOString(),
+          method: propertyName,
+          error: error instanceof z.ZodError ? error.errors : (error instanceof Error ? error.message : String(error))
+        });
+
+        throw new SecurityValidationError(
+          `Security validation failed for ${propertyName}`,
+          error instanceof z.ZodError ? error.errors : [{ message: error instanceof Error ? error.message : String(error) }]
+        );
+      }
+    };
+
+    return descriptor;
+  };
+}
+
+/**
+ * Custom security validation error
+ */
+export class SecurityValidationError extends Error {
+  public readonly errors: any[];
+
+  constructor(message: string, errors: any[] = []) {
+    super(message);
+    this.name = 'SecurityValidationError';
+    this.errors = errors;
+  }
+}
+
+/**
+ * Tool-specific validation schemas
+ */
+export const ToolSchemas = {
+  // Post creation/update
+  postData: z.object({
+    site: SecuritySchemas.siteId.optional(),
+    title: SecuritySchemas.safeString.optional(),
+    content: SecuritySchemas.wpContent.optional(),
+    excerpt: SecuritySchemas.safeString.optional(),
+    status: z.enum(['publish', 'draft', 'private', 'pending']).optional(),
+    slug: SecuritySchemas.slug.optional(),
+    categories: z.array(SecuritySchemas.wpId).optional(),
+    tags: z.array(SecuritySchemas.wpId).optional()
+  }),
+
+  // User creation/update
+  userData: z.object({
+    site: SecuritySchemas.siteId.optional(),
+    username: SecuritySchemas.slug,
+    email: SecuritySchemas.email,
+    password: SecuritySchemas.safeString.optional(),
+    roles: z.array(z.string()).optional(),
+    firstName: SecuritySchemas.safeString.optional(),
+    lastName: SecuritySchemas.safeString.optional()
+  }),
+
+  // Search parameters
+  searchParams: z.object({
+    site: SecuritySchemas.siteId.optional(),
+    query: SecuritySchemas.searchQuery,
+    type: z.enum(['post', 'page', 'any']).optional(),
+    limit: z.number().int().min(1).max(100).optional()
+  }),
+
+  // Media upload
+  mediaUpload: z.object({
+    site: SecuritySchemas.siteId.optional(),
+    filename: SecuritySchemas.filePath,
+    title: SecuritySchemas.safeString.optional(),
+    caption: SecuritySchemas.safeString.optional(),
+    description: SecuritySchemas.safeString.optional()
+  }),
+
+  // Site settings
+  siteSettings: z.object({
+    site: SecuritySchemas.siteId.optional(),
+    title: SecuritySchemas.safeString.optional(),
+    description: SecuritySchemas.safeString.optional(),
+    url: SecuritySchemas.url.optional(),
+    adminEmail: SecuritySchemas.email.optional()
+  }),
+
+  // Generic list parameters
+  listParams: z.object({
+    site: SecuritySchemas.siteId.optional(),
+    page: z.number().int().min(1).max(1000).optional(),
+    perPage: z.number().int().min(1).max(100).optional(),
+    search: SecuritySchemas.searchQuery.optional(),
+    orderBy: z.string().max(50).optional(),
+    order: z.enum(['asc', 'desc']).optional()
+  }),
+
+  // ID-based operations
+  idParams: z.object({
+    site: SecuritySchemas.siteId.optional(),
+    id: SecuritySchemas.wpId
+  })
+};
+
+/**
+ * Rate limiting and DoS protection
+ */
+export class SecurityLimiter {
+  private static requestCounts = new Map<string, { count: number; resetTime: number }>();
+  private static readonly RATE_LIMIT = 1000; // requests per window
+  private static readonly WINDOW_MS = 60 * 1000; // 1 minute
+
+  /**
+   * Check if request is within rate limits
+   */
+  static checkRateLimit(identifier: string): boolean {
+    const now = Date.now();
+    const key = identifier;
+    const current = this.requestCounts.get(key);
+
+    if (!current || now > current.resetTime) {
+      this.requestCounts.set(key, { count: 1, resetTime: now + this.WINDOW_MS });
+      return true;
+    }
+
+    if (current.count >= this.RATE_LIMIT) {
+      return false;
+    }
+
+    current.count++;
+    return true;
+  }
+
+  /**
+   * Clean up expired rate limit entries
+   */
+  static cleanup(): void {
+    const now = Date.now();
+    for (const [key, data] of this.requestCounts.entries()) {
+      if (now > data.resetTime) {
+        this.requestCounts.delete(key);
+      }
+    }
+  }
+}
+
+// Start cleanup interval
+setInterval(() => SecurityLimiter.cleanup(), 60000); // Clean up every minute

package/src/security/SecurityConfig.ts

@@ -0,0 +1,301 @@
+/**
+ * Security configuration and constants for MCP WordPress
+ */
+
+import { randomBytes } from 'crypto';
+
+export const SecurityConfig = {
+  // Rate limiting
+  rateLimiting: {
+    default: {
+      windowMs: 60 * 1000, // 1 minute
+      maxRequests: 60
+    },
+    authentication: {
+      windowMs: 5 * 60 * 1000, // 5 minutes
+      maxAttempts: 5
+    },
+    upload: {
+      windowMs: 60 * 1000, // 1 minute
+      maxRequests: 10
+    }
+  },
+
+  // File upload restrictions
+  fileUpload: {
+    maxSizeMB: 10,
+    allowedMimeTypes: [
+      'image/jpeg',
+      'image/png',
+      'image/gif',
+      'image/webp',
+      'image/svg+xml',
+      'application/pdf',
+      'application/msword',
+      'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
+      'application/vnd.ms-excel',
+      'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet',
+      'text/plain',
+      'text/csv'
+    ],
+    // Dangerous file extensions to block
+    blockedExtensions: [
+      '.exe',
+      '.bat',
+      '.cmd',
+      '.com',
+      '.pif',
+      '.scr',
+      '.vbs',
+      '.js',
+      '.jar',
+      '.zip',
+      '.rar',
+      '.tar',
+      '.php',
+      '.php3',
+      '.php4',
+      '.php5',
+      '.phtml',
+      '.sh',
+      '.bash',
+      '.zsh',
+      '.fish',
+      '.ps1',
+      '.psm1'
+    ]
+  },
+
+  // Input validation
+  validation: {
+    maxStringLength: 1000,
+    maxTitleLength: 200,
+    maxContentLength: 50000,
+    maxExcerptLength: 500,
+    maxUrlLength: 2048,
+    maxUsernameLength: 60,
+    minUsernameLength: 3,
+    maxPasswordLength: 128,
+    minPasswordLength: 8
+  },
+
+  // Request timeouts (milliseconds)
+  timeouts: {
+    default: 30000, // 30 seconds
+    upload: 600000, // 10 minutes
+    auth: 10000 // 10 seconds
+  },
+
+  // Security headers
+  headers: {
+    'X-Content-Type-Options': 'nosniff',
+    'X-Frame-Options': 'DENY',
+    'X-XSS-Protection': '1; mode=block',
+    'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
+    'Content-Security-Policy': 'default-src \'self\''
+  },
+
+  // Error messages (generic to avoid information disclosure)
+  errorMessages: {
+    authentication: 'Authentication failed. Please check your credentials.',
+    authorization: 'You do not have permission to perform this action.',
+    validation: 'Invalid input provided.',
+    rateLimit: 'Too many requests. Please try again later.',
+    serverError: 'An error occurred processing your request.',
+    notFound: 'The requested resource was not found.'
+  },
+
+  // Logging configuration
+  logging: {
+    // Fields to exclude from logs
+    excludeFields: [
+      'password',
+      'appPassword',
+      'app_password',
+      'token',
+      'secret',
+      'authorization',
+      'cookie',
+      'session',
+      'key',
+      'apiKey',
+      'api_key'
+    ],
+    // Patterns to redact in log messages
+    redactPatterns: [
+      /password["\s:=]+["']?([^"'\s]+)["']?/gi,
+      /token["\s:=]+["']?([^"'\s]+)["']?/gi,
+      /secret["\s:=]+["']?([^"'\s]+)["']?/gi,
+      /key["\s:=]+["']?([^"'\s]+)["']?/gi
+    ]
+  },
+
+  // Cache configuration
+  cache: {
+    // Default cache settings
+    enabled: true,
+    maxSize: 1000, // Maximum number of cached entries
+    defaultTTL: 15 * 60 * 1000, // 15 minutes default TTL
+    enableLRU: true,
+    enableStats: true,
+
+    // TTL presets by data type (milliseconds)
+    ttlPresets: {
+      static: 4 * 60 * 60 * 1000, // 4 hours - site settings, user roles
+      semiStatic: 2 * 60 * 60 * 1000, // 2 hours - categories, tags, user profiles
+      dynamic: 15 * 60 * 1000, // 15 minutes - posts, pages, comments
+      session: 30 * 60 * 1000, // 30 minutes - authentication, current user
+      realtime: 60 * 1000 // 1 minute - real-time data
+    },
+
+    // Cache-Control headers by data type
+    cacheHeaders: {
+      static: 'public, max-age=14400', // 4 hours
+      semiStatic: 'public, max-age=7200', // 2 hours
+      dynamic: 'public, max-age=900', // 15 minutes
+      session: 'private, max-age=1800', // 30 minutes
+      realtime: 'public, max-age=60' // 1 minute
+    },
+
+    // Invalidation settings
+    invalidation: {
+      enabled: true,
+      batchSize: 100, // Max events to process in one batch
+      queueTimeout: 5000, // Max time to wait before processing queue (ms)
+      enableCascading: true // Allow cascading invalidations
+    },
+
+    // Memory management
+    cleanup: {
+      interval: 60 * 1000, // Cleanup interval in milliseconds (1 minute)
+      maxMemoryMB: 50, // Maximum memory usage for cache
+      evictionThreshold: 0.8 // Start evicting when 80% full
+    }
+  }
+};
+
+/**
+ * Security utility functions
+ */
+export class SecurityUtils {
+  /**
+   * Redact sensitive information from objects
+   */
+  static redactSensitiveData(obj: any): any {
+    if (typeof obj !== 'object' || obj === null) {
+      return obj;
+    }
+
+    const redacted = Array.isArray(obj) ? [...obj] : { ...obj };
+
+    for (const key in redacted) {
+      if (
+        SecurityConfig.logging.excludeFields.some((field) =>
+          key.toLowerCase().includes(field.toLowerCase())
+        )
+      ) {
+        redacted[key] = '[REDACTED]';
+      } else if (typeof redacted[key] === 'object') {
+        redacted[key] = SecurityUtils.redactSensitiveData(redacted[key]);
+      }
+    }
+
+    return redacted;
+  }
+
+  /**
+   * Redact sensitive patterns from strings
+   */
+  static redactString(str: string): string {
+    let redacted = str;
+    for (const pattern of SecurityConfig.logging.redactPatterns) {
+      redacted = redacted.replace(pattern, (match, value) => {
+        return match.replace(value, '[REDACTED]');
+      });
+    }
+    return redacted;
+  }
+
+  /**
+   * Generate secure random strings
+   */
+  static generateSecureToken(length: number = 32): string {
+    const chars =
+      'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
+    const array = new Uint8Array(length);
+
+    if (typeof crypto !== 'undefined' && crypto.getRandomValues) {
+      crypto.getRandomValues(array);
+    } else {
+      // Fallback for Node.js
+      const buffer = randomBytes(length);
+      array.set(buffer);
+    }
+
+    return Array.from(array, (byte) => chars[byte % chars.length]).join('');
+  }
+
+  /**
+   * Check if a file extension is allowed
+   */
+  static isFileExtensionAllowed(filename: string): boolean {
+    const ext = path.extname(filename).toLowerCase();
+    return !SecurityConfig.fileUpload.blockedExtensions.includes(ext);
+  }
+
+  /**
+   * Sanitize log output
+   */
+  static sanitizeForLog(data: any): any {
+    if (typeof data === 'string') {
+      return SecurityUtils.redactString(data);
+    }
+    if (typeof data === 'object') {
+      return SecurityUtils.redactSensitiveData(data);
+    }
+    return data;
+  }
+}
+
+/**
+ * Secure error handler that prevents information disclosure
+ */
+export function createSecureError(
+  error: any,
+  fallbackMessage: string = SecurityConfig.errorMessages.serverError
+): Error {
+  // Log the actual error for debugging (with sanitization)
+  if (process.env.NODE_ENV !== 'production') {
+    console.error('Secure Error:', SecurityUtils.sanitizeForLog(error));
+  }
+
+  // Return generic error to prevent information disclosure
+  const secureError = new Error(fallbackMessage);
+
+  // Preserve error code if it's safe
+  if (error && typeof error.code === 'string' && !error.code.includes('_')) {
+    (secureError as any).code = error.code;
+  }
+
+  return secureError;
+}
+
+// Import path for file extension checking
+import * as path from 'path';
+
+/**
+ * Environment-specific security settings
+ */
+export function getEnvironmentSecurity(): {
+  strictMode: boolean;
+  verboseErrors: boolean;
+  enforceHttps: boolean;
+  } {
+  const isProduction = process.env.NODE_ENV === 'production';
+
+  return {
+    strictMode: isProduction,
+    verboseErrors: !isProduction,
+    enforceHttps: isProduction
+  };
+}

package/src/server/ConnectionTester.ts

@@ -0,0 +1,74 @@
+import { WordPressClient } from '../client/api.js';
+import { getErrorMessage } from '../utils/error.js';
+
+/**
+ * Service for testing WordPress client connections
+ * Handles connection validation and health checks
+ */
+export class ConnectionTester {
+  /**
+   * Test connections to all configured WordPress sites
+   */
+  public static async testClientConnections(
+    wordpressClients: Map<string, WordPressClient>
+  ): Promise<void> {
+    console.error('INFO: Testing connections to all configured WordPress sites...');
+    
+    const connectionPromises = Array.from(wordpressClients.entries()).map(
+      async ([siteId, client]) => {
+        try {
+          await client.ping();
+          console.error(`SUCCESS: Connection to site '${siteId}' successful.`);
+        } catch (error) {
+          console.error(`ERROR: Failed to connect to site '${siteId}': ${getErrorMessage(error)}`);
+          
+          if (ConnectionTester.isAuthenticationError(error)) {
+            console.error(`Authentication may have failed for site '${siteId}'. Please check credentials.`);
+          }
+        }
+      }
+    );
+    
+    await Promise.all(connectionPromises);
+    console.error('INFO: Connection tests complete.');
+  }
+
+  /**
+   * Check if error is authentication-related
+   */
+  private static isAuthenticationError(error: any): boolean {
+    if (error?.response?.status && [401, 403].includes(error.response.status)) {
+      return true;
+    }
+    return error?.code === 'WORDPRESS_AUTH_ERROR';
+  }
+
+  /**
+   * Perform health check for a specific client
+   */
+  public static async healthCheck(client: WordPressClient): Promise<boolean> {
+    try {
+      await client.ping();
+      return true;
+    } catch (error) {
+      console.error(`Health check failed: ${getErrorMessage(error)}`);
+      return false;
+    }
+  }
+
+  /**
+   * Perform health checks for all clients
+   */
+  public static async healthCheckAll(
+    wordpressClients: Map<string, WordPressClient>
+  ): Promise<Map<string, boolean>> {
+    const results = new Map<string, boolean>();
+    
+    for (const [siteId, client] of wordpressClients.entries()) {
+      const isHealthy = await ConnectionTester.healthCheck(client);
+      results.set(siteId, isHealthy);
+    }
+    
+    return results;
+  }
+}