security-mcp 1.0.2 → 1.0.4

package/LICENSE

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2024 security-mcp contributors
+Copyright (c) 2024-2026 security-mcp contributors
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

package/dist/ci/pr-gate.js

@@ -1,7 +1,17 @@
 import { runPrGate } from "../gate/policy.js";
+// Allowlist refs to the same safe character set enforced in diff.ts. CWE-88.
+const SAFE_REF_RE = /^[a-zA-Z0-9_.\-/]+$/;
+function safeEnvRef(envVar, defaultValue) {
+    const val = process.env[envVar] || defaultValue;
+    if (!SAFE_REF_RE.test(val)) {
+        console.error(`Invalid value for ${envVar}: "${val}". Using default: "${defaultValue}".`);
+        return defaultValue;
+    }
+    return val;
+}
 async function main() {
-    const baseRef = process.env.SECURITY_GATE_BASE_REF || "origin/main";
-    const headRef = process.env.SECURITY_GATE_HEAD_REF || "HEAD";
+    const baseRef = safeEnvRef("SECURITY_GATE_BASE_REF", "origin/main");
+    const headRef = safeEnvRef("SECURITY_GATE_HEAD_REF", "HEAD");
     const policyPath = process.env.SECURITY_GATE_POLICY || ".mcp/policies/security-policy.json";
     const result = await runPrGate({ baseRef, headRef, policyPath });
     // Print result for Actions logs

package/dist/cli/install.js

@@ -3,13 +3,14 @@
  *
  * Auto-detects installed editors and writes MCP server config + Claude Code skill.
  */
-import { readFileSync, writeFileSync, mkdirSync, existsSync, copyFileSync } from "fs";
-import { dirname, join, resolve } from "path";
-import { homedir, platform } from "os";
-import { fileURLToPath } from "url";
+import { readFileSync, writeFileSync, mkdirSync, existsSync, copyFileSync } from "node:fs";
+import { dirname, join, resolve } from "node:path";
+import { homedir, platform } from "node:os";
+import { fileURLToPath } from "node:url";
 const __dirname = dirname(fileURLToPath(import.meta.url));
 const PKG_ROOT = resolve(__dirname, "../..");
 const MCP_ENTRY = {
+    type: "stdio",
     command: "npx",
     args: ["-y", "security-mcp", "serve"]
 };
@@ -27,7 +28,7 @@ function getVsCodeSettingsPath() {
     return join(homedir(), ".config", "Code", "User", "settings.json");
 }
 function getEditorTargets(opts) {
-    const claudeCodePath = resolveHome("~/.claude/settings.json");
+    const claudeCodePath = resolveHome("~/.claude.json");
     const cursorGlobalPath = resolveHome("~/.cursor/mcp.json");
     const cursorLocalPath = ".cursor/mcp.json";
     const vscodePath = getVsCodeSettingsPath();

package/dist/gate/checks/secrets.js

@@ -4,16 +4,23 @@ export async function checkSecrets(_) {
     const findings = [];
     const patterns = [
         "-----BEGIN PRIVATE KEY-----",
-        "AKIA", // AWS
+        "AKIA", // AWS access key prefix
         "AIza", // Google API key prefix
         "xoxb-", // Slack bot token
-        "sk-", // common LLM key prefix
+        "sk-", // common LLM key prefix (OpenAI etc.)
         "SECRET_KEY",
         "PRIVATE_KEY"
     ];
-    const { stdout } = await execa("git", ["grep", "-n", "--untracked", "--no-index", "-I", "-e", patterns.join("|"), "."], {
-        reject: false
-    });
+    // Each pattern must be passed as a separate -e flag.
+    // Joining with | and using a single -e flag relies on ERE alternation, but
+    // git grep defaults to BRE where | is a literal character, not alternation —
+    // causing all patterns to be silently missed (false-negative). CWE-688.
+    const eFlags = patterns.flatMap((p) => ["-e", p]);
+    const { stdout } = await execa("git", 
+    // --no-index: search working tree without git index (covers untracked files)
+    // -l: list files with matches (reduce noise); -n: show line numbers
+    // -I: skip binary files
+    ["grep", "-n", "--no-index", "-I", ...eFlags, "."], { reject: false });
     if (stdout.trim()) {
         findings.push({
             id: "POSSIBLE_SECRET",

package/dist/gate/diff.js

@@ -1,5 +1,15 @@
 import { execa } from "execa";
+// Allowlist for git ref strings. Blocks option injection (e.g. --upload-pack=…)
+// and git pathspec magic characters. CWE-88 / MITRE ATT&CK T1059.
+const SAFE_REF_RE = /^[a-zA-Z0-9_.\-/]+$/;
+function validateRef(name, value) {
+    if (!value || !SAFE_REF_RE.test(value)) {
+        throw new Error(`Invalid git ref for ${name}: must contain only alphanumerics, _, ., -, /`);
+    }
+}
 export async function getChangedFiles(opts) {
+    validateRef("baseRef", opts.baseRef);
+    validateRef("headRef", opts.headRef);
     // Uses git diff in CI. Assumes checkout has full history for baseRef.
     const { stdout } = await execa("git", ["diff", "--name-only", `${opts.baseRef}...${opts.headRef}`], {
         stdio: ["ignore", "pipe", "pipe"]

package/dist/mcp/server.js

@@ -1,8 +1,8 @@
 import { McpServer } from "@modelcontextprotocol/sdk/server/mcp.js";
 import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
-import { readFileSync, existsSync } from "fs";
-import { dirname, join, resolve } from "path";
-import { fileURLToPath } from "url";
+import { readFileSync, existsSync } from "node:fs";
+import { dirname, join, resolve } from "node:path";
+import { fileURLToPath } from "node:url";
 import { z } from "zod";
 import { runPrGate } from "../gate/policy.js";
 import { readFileSafe } from "../repo/fs.js";
@@ -33,6 +33,22 @@ function asTextResponse(data) {
     const text = typeof data === "string" ? data : JSON.stringify(data, null, 2);
     return { content: [{ type: "text", text }] };
 }
+/**
+ * Wraps a tool handler so that unhandled exceptions never leak internal paths,
+ * stack traces, or system details back to the MCP caller. CWE-209.
+ */
+function safeTool(handler) {
+    return async (args, extra) => {
+        try {
+            return await handler(args, extra);
+        }
+        catch (err) {
+            // Return only the sanitized message — never the stack or internal path.
+            const msg = err instanceof Error ? err.message : "An internal error occurred";
+            return asTextResponse(`[security-mcp error] ${msg}`);
+        }
+    };
+}
 // ---------------------------------------------------------------------------
 // Existing tools (unchanged)
 // ---------------------------------------------------------------------------
@@ -42,7 +58,7 @@ const RunPrGateParams = {
     policyPath: z.string().optional().describe("Override policy path. Default: .mcp/policies/security-policy.json")
 };
 const RunPrGateSchema = z.object(RunPrGateParams);
-tool("security.run_pr_gate", "Run the security policy gate against the current workspace. Returns PASS/FAIL plus findings and required actions.", RunPrGateParams, async (args, _extra) => {
+tool("security.run_pr_gate", "Run the security policy gate against the current workspace. Returns PASS/FAIL plus findings and required actions.", RunPrGateParams, safeTool(async (args, _extra) => {
     const { baseRef, headRef, policyPath } = RunPrGateSchema.parse(args);
     const result = await runPrGate({
         baseRef,
@@ -50,27 +66,27 @@ tool("security.run_pr_gate", "Run the security policy gate against the current w
         policyPath: policyPath ?? ".mcp/policies/security-policy.json"
     });
     return asTextResponse(result);
-});
+}));
 const ReadFileParams = {
     path: z.string().describe("Relative path in the repo.")
 };
 const ReadFileSchema = z.object(ReadFileParams);
-tool("repo.read_file", "Read a file from the repo workspace.", ReadFileParams, async (args, _extra) => {
+tool("repo.read_file", "Read a file from the repo workspace.", ReadFileParams, safeTool(async (args, _extra) => {
     const { path } = ReadFileSchema.parse(args);
     const data = await readFileSafe(path);
     return asTextResponse(data);
-});
+}));
 const SearchParams = {
     query: z.string().describe("Plain string or regex pattern."),
     isRegex: z.boolean().optional().describe("Treat query as regex. Default false."),
     maxMatches: z.number().int().min(1).max(500).optional().describe("Default 200.")
 };
 const SearchSchema = z.object(SearchParams);
-tool("repo.search", "Search the repo for a regex or string. Returns matches with file + line numbers.", SearchParams, async (args, _extra) => {
+tool("repo.search", "Search the repo for a regex or string. Returns matches with file + line numbers.", SearchParams, safeTool(async (args, _extra) => {
     const { query, isRegex, maxMatches } = SearchSchema.parse(args);
     const matches = await searchRepo({ query, isRegex: !!isRegex, maxMatches: maxMatches ?? 200 });
     return asTextResponse(matches);
-});
+}));
 // ---------------------------------------------------------------------------
 // New tool: security.get_system_prompt
 // ---------------------------------------------------------------------------
@@ -81,7 +97,7 @@ const GetSystemPromptParams = {
     payment_processor: z.string().optional().describe("Payment processor in use, e.g. 'Stripe', 'Braintree', 'Adyen', or 'none'.")
 };
 const GetSystemPromptSchema = z.object(GetSystemPromptParams);
-tool("security.get_system_prompt", "Return the full security engineering system prompt. Optionally customized with your stack, cloud provider, and payment processor. Use this as the system prompt to configure Claude as an elite security engineer for your project.", GetSystemPromptParams, async (args, _extra) => {
+tool("security.get_system_prompt", "Return the full security engineering system prompt. Optionally customized with your stack, cloud provider, and payment processor. Use this as the system prompt to configure Claude as an elite security engineer for your project.", GetSystemPromptParams, safeTool(async (args, _extra) => {
     const { stack, cloud, payment_processor } = GetSystemPromptSchema.parse(args);
     let prompt = SECURITY_PROMPT;
     // Append a project-specific scope section if any context was provided
@@ -103,7 +119,7 @@ tool("security.get_system_prompt", "Return the full security engineering system
         prompt = prompt + scopeLines.join("\n");
     }
     return asTextResponse(prompt);
-});
+}));
 // ---------------------------------------------------------------------------
 // New tool: security.threat_model
 // ---------------------------------------------------------------------------
@@ -113,7 +129,7 @@ const ThreatModelParams = {
     surfaces: z.array(z.enum(["web", "api", "mobile", "ai", "infra", "data"])).optional().describe("Attack surfaces involved. Defaults to all.")
 };
 const ThreatModelSchema = z.object(ThreatModelParams);
-tool("security.threat_model", "Generate a STRIDE + PASTA + ATT&CK threat model template for a described feature or component. Returns a structured Markdown document ready to fill in.", ThreatModelParams, async (args, _extra) => {
+tool("security.threat_model", "Generate a STRIDE + PASTA + ATT&CK threat model template for a described feature or component. Returns a structured Markdown document ready to fill in.", ThreatModelParams, safeTool(async (args, _extra) => {
     const { feature, surfaces } = ThreatModelSchema.parse(args);
     const surfaceList = surfaces ?? ["web", "api", "mobile", "ai", "infra", "data"];
     const template = `# Threat Model: ${feature}
@@ -226,7 +242,7 @@ Describe Level 0 (context) and Level 1 (process) flows in prose or embed a diagr
 - [ ] Compliance requirements addressed and documented
 `;
     return asTextResponse(template);
-});
+}));
 // ---------------------------------------------------------------------------
 // New tool: security.checklist
 // ---------------------------------------------------------------------------
@@ -317,7 +333,7 @@ Use before every production release. All items must be checked or explicitly ris
 - [ ] Payment-adjacent systems network-segmented from non-payment systems
 - [ ] Audit trail maintained for all payment operations
 `;
-tool("security.checklist", "Return the pre-release security checklist, optionally filtered by attack surface (web, api, mobile, ai, infra, payments, all).", ChecklistParams, async (args, _extra) => {
+tool("security.checklist", "Return the pre-release security checklist, optionally filtered by attack surface (web, api, mobile, ai, infra, payments, all).", ChecklistParams, safeTool(async (args, _extra) => {
     const { surface } = ChecklistSchema.parse(args);
     if (!surface || surface === "all") {
         return asTextResponse(CHECKLIST_ALL);
@@ -343,7 +359,7 @@ tool("security.checklist", "Return the pre-release security checklist, optionall
     const sectionEnd = lines.findIndex((l, i) => i > start + 1 && l.startsWith("## "));
     const section = lines.slice(start, sectionEnd === -1 ? undefined : sectionEnd).join("\n");
     return asTextResponse(`# Pre-Release Security Checklist (${surface})\n\n${allSurfaces}\n\n${section}`);
-});
+}));
 // ---------------------------------------------------------------------------
 // New tool: security.generate_policy
 // ---------------------------------------------------------------------------
@@ -353,7 +369,7 @@ const GeneratePolicyParams = {
         .describe("Primary cloud provider. Adjusts cloud-specific evidence expectations.")
 };
 const GeneratePolicySchema = z.object(GeneratePolicyParams);
-tool("security.generate_policy", "Generate a security-policy.json for your project based on your active surfaces and cloud provider. Save the output to .mcp/policies/security-policy.json.", GeneratePolicyParams, async (args, _extra) => {
+tool("security.generate_policy", "Generate a security-policy.json for your project based on your active surfaces and cloud provider. Save the output to .mcp/policies/security-policy.json.", GeneratePolicyParams, safeTool(async (args, _extra) => {
     const { surfaces, cloud } = GeneratePolicySchema.parse(args);
     const activeSurfaces = surfaces ?? ["web", "api", "infra"];
     const requirements = [
@@ -416,7 +432,7 @@ tool("security.generate_policy", "Generate a security-policy.json for your proje
     const comment = "// Save this to .mcp/policies/security-policy.json and customize as needed.\n" +
         "// See https://github.com/AbrahamOO/security-mcp for full documentation.\n\n";
     return asTextResponse(comment + JSON.stringify(policy, null, 2));
-});
+}));
 // ---------------------------------------------------------------------------
 // MCP Prompts capability
 // ---------------------------------------------------------------------------

package/dist/repo/fs.js

@@ -1,9 +1,15 @@
 import { readFile } from "node:fs/promises";
 import path from "node:path";
 const ROOT = process.cwd();
+// ROOT_PREFIX ensures /home/u/project-adjacent doesn't pass a startsWith check for /home/u/project
+const ROOT_PREFIX = ROOT.endsWith(path.sep) ? ROOT : ROOT + path.sep;
 export async function readFileSafe(relPath) {
     const p = path.resolve(ROOT, relPath);
-    if (!p.startsWith(ROOT))
+    // Allow exact match to ROOT itself or any path strictly under it.
+    // Using ROOT_PREFIX prevents the classic prefix-collision bypass
+    // (e.g. /app-sibling matching /app as a prefix). CWE-22.
+    if (p !== ROOT && !p.startsWith(ROOT_PREFIX)) {
         throw new Error("Path traversal blocked");
+    }
     return await readFile(p, "utf8");
 }

package/dist/repo/search.js

@@ -1,5 +1,26 @@
 import fg from "fast-glob";
 import { readFileSafe } from "./fs.js";
+// Maximum allowed regex pattern length. Longer patterns significantly raise
+// the risk of catastrophic backtracking (ReDoS). CWE-1333.
+const MAX_REGEX_LEN = 256;
+// Detects nested quantifiers — the most common ReDoS trigger — without being
+// overly complex itself. Matches patterns like (a+)+, (a*)*, (\w+)+.
+const NESTED_QUANTIFIER_RE = /\([^)]*[+*][^)]*\)[+*?{]/;
+/**
+ * Validates and compiles a user-supplied regex string.
+ * Throws if the pattern is dangerously long, contains known ReDoS signatures,
+ * or is syntactically invalid. Returns the compiled RegExp on success.
+ * CWE-1333 / MITRE ATT&CK T1499 (resource exhaustion via ReDoS).
+ */
+function compileUserRegex(pattern) {
+    if (pattern.length > MAX_REGEX_LEN) {
+        throw new Error(`Regex pattern too long (max ${MAX_REGEX_LEN} chars)`);
+    }
+    if (NESTED_QUANTIFIER_RE.test(pattern)) {
+        throw new Error("Regex pattern contains nested quantifiers that risk catastrophic backtracking (ReDoS)");
+    }
+    return new RegExp(pattern, "i"); // throws SyntaxError on invalid patterns
+}
 const MAX_PREVIEW_LEN = 240;
 function isHit(line, query, re) {
     return re ? re.test(line) : line.includes(query);
@@ -23,7 +44,7 @@ export async function searchRepo(opts) {
         dot: true,
         ignore: ["**/node_modules/**", "**/.git/**", "**/dist/**"]
     });
-    const re = opts.isRegex ? new RegExp(opts.query, "i") : null;
+    const re = opts.isRegex ? compileUserRegex(opts.query) : null;
     const matches = [];
     for (const file of files) {
         if (matches.length >= opts.maxMatches)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "security-mcp",
-  "version": "1.0.2",
+  "version": "1.0.4",
   "description": "AI security MCP server and enforcement gate for Claude Code, Cursor, GitHub Copilot, Codex, Replit, and any MCP-compatible editor. Applies OWASP, MITRE ATT&CK, NIST, Zero Trust, PCI DSS, SOC 2, and ISO 27001.",
   "type": "module",
   "license": "MIT",