npm - suparank - Versions diffs - 1.2.4 → 1.2.5 - Mend

suparank 1.2.4 → 1.2.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/mcp-client.js +121 -9
package/package.json +1 -1

package/mcp-client.js CHANGED Viewed

@@ -35,6 +35,17 @@ const projectSlug = process.argv[2]
 const apiKey = process.argv[3]
 const apiUrl = process.env.SUPARANK_API_URL || 'https://api.suparank.io'
+// ============================================================================
+// EXTERNAL API ENDPOINTS - Configurable via environment variables
+// ============================================================================
+const API_ENDPOINTS = {
+  // Image generation providers
+  fal: process.env.FAL_API_URL || 'https://fal.run/fal-ai/nano-banana-pro',
+  gemini: process.env.GEMINI_API_URL || 'https://generativelanguage.googleapis.com/v1beta/models',
+  wiro: process.env.WIRO_API_URL || 'https://api.wiro.ai/v1',
+  wiroTaskDetail: process.env.WIRO_TASK_URL || 'https://api.wiro.ai/v1/Task/Detail'
+}
 if (!projectSlug) {
   console.error('Error: Project slug is required')
   console.error('Usage: node mcp-client.js <project-slug> <api-key>')
@@ -160,7 +171,9 @@ function loadStats() {
     if (fs.existsSync(file)) {
       return JSON.parse(fs.readFileSync(file, 'utf-8'))
     }
-  } catch (e) {}
+  } catch (e) {
+    log(`Warning: Could not load stats: ${e.message}`)
+  }
   return { tool_calls: 0, images_generated: 0, articles_created: 0, words_written: 0 }
 }
@@ -196,6 +209,46 @@ function slugify(text) {
     .substring(0, 50)
 }
+// ============================================================================
+// PATH SANITIZATION - Prevents path traversal attacks
+// ============================================================================
+/**
+ * Sanitize and validate a path to prevent traversal attacks
+ * @param {string} userPath - User-provided path segment
+ * @param {string} allowedBase - Base directory that paths must stay within
+ * @returns {string} - Resolved safe path
+ * @throws {Error} - If path would escape the allowed base
+ */
+function sanitizePath(userPath, allowedBase) {
+  // Remove any null bytes (common attack vector)
+  const cleanPath = userPath.replace(/\0/g, '')
+  // Resolve to absolute path
+  const resolved = path.resolve(allowedBase, cleanPath)
+  // Ensure the resolved path starts with the allowed base
+  // Adding path.sep ensures we don't match partial directory names
+  const normalizedBase = path.normalize(allowedBase + path.sep)
+  const normalizedResolved = path.normalize(resolved + path.sep)
+  if (!normalizedResolved.startsWith(normalizedBase)) {
+    throw new Error(`Path traversal detected: "${userPath}" would escape allowed directory`)
+  }
+  return resolved
+}
+/**
+ * Get content folder path safely
+ * @param {string} folderName - Folder name (article ID or title slug)
+ * @returns {string} - Safe path to content folder
+ */
+function getContentFolderSafe(folderName) {
+  const contentDir = path.join(getSuparankDir(), 'content')
+  return sanitizePath(folderName, contentDir)
+}
 /**
  * Atomic file write - prevents corruption on concurrent writes
  */
@@ -356,9 +409,56 @@ function loadSession() {
   return false
 }
+// ============================================================================
+// SESSION MUTEX - Prevents race conditions on concurrent session writes
+// ============================================================================
+let sessionLock = false
+const sessionLockQueue = []
+/**
+ * Acquire session lock for safe concurrent access
+ * @returns {Promise<void>}
+ */
+async function acquireSessionLock() {
+  if (!sessionLock) {
+    sessionLock = true
+    return
+  }
+  return new Promise(resolve => {
+    sessionLockQueue.push(resolve)
+  })
+}
+/**
+ * Release session lock, allowing next queued operation
+ */
+function releaseSessionLock() {
+  if (sessionLockQueue.length > 0) {
+    const next = sessionLockQueue.shift()
+    next()
+  } else {
+    sessionLock = false
+  }
+}
+/**
+ * Safe session save with mutex - use this for concurrent operations
+ * @returns {Promise<void>}
+ */
+async function saveSessionSafe() {
+  await acquireSessionLock()
+  try {
+    saveSession()
+  } finally {
+    releaseSessionLock()
+  }
+}
 /**
  * Save session state to file (persists across MCP restarts)
  * Uses atomic write to prevent corruption
+ * NOTE: For concurrent operations, use saveSessionSafe() instead
  */
 function saveSession() {
   try {
@@ -457,11 +557,13 @@ function saveContentToFolder() {
   try {
     ensureContentDir()
-    // Create folder name: YYYY-MM-DD-slug
+    // Create folder name: YYYY-MM-DD-slug (slugify removes dangerous characters)
     const date = new Date().toISOString().split('T')[0]
     const slug = slugify(sessionState.title)
     const folderName = `${date}-${slug}`
-    const folderPath = path.join(getContentDir(), folderName)
+    // Use safe path function to prevent any path traversal
+    const folderPath = getContentFolderSafe(folderName)
     // Create folder if doesn't exist
     if (!fs.existsSync(folderPath)) {
@@ -2558,8 +2660,18 @@ Once loaded, you can run optimization tools:
         }
       }
-      const contentDir = getContentDir()
-      const folderPath = path.join(contentDir, folder_name)
+      // Sanitize folder_name to prevent path traversal attacks
+      let folderPath
+      try {
+        folderPath = getContentFolderSafe(folder_name)
+      } catch (error) {
+        return {
+          content: [{
+            type: 'text',
+            text: `❌ Invalid folder name: ${error.message}`
+          }]
+        }
+      }
       if (!fs.existsSync(folderPath)) {
         return {
@@ -2705,7 +2817,7 @@ async function executeImageGeneration(args) {
   switch (provider) {
     case 'fal': {
       // fal.ai Nano Banana Pro (gemini-3-pro-image)
-      const response = await fetchWithRetry('https://fal.run/fal-ai/nano-banana-pro', {
+      const response = await fetchWithRetry(API_ENDPOINTS.fal, {
         method: 'POST',
         headers: {
           'Authorization': `Key ${config.api_key}`,
@@ -2766,7 +2878,7 @@ ${imageNumber < totalImages ? `\n**Next:** Generate ${totalImages - imageNumber}
       // Google Gemini 3 Pro Image (Nano Banana Pro) - generateContent API
       const model = config.model || 'gemini-3-pro-image-preview'
       const response = await fetch(
-        `https://generativelanguage.googleapis.com/v1beta/models/${model}:generateContent`,
+        `${API_ENDPOINTS.gemini}/${model}:generateContent`,
         {
           method: 'POST',
           headers: {
@@ -2837,7 +2949,7 @@ ${imageNumber < totalImages ? `\n**Next:** Generate ${totalImages - imageNumber}
       // Submit task
       log(`Submitting wiro.ai task for model: ${model}`)
-      const submitResponse = await fetch(`https://api.wiro.ai/v1/Run/${model}`, {
+      const submitResponse = await fetch(`${API_ENDPOINTS.wiro}/Run/${model}`, {
         method: 'POST',
         headers: {
           'Content-Type': 'application/json',
@@ -2880,7 +2992,7 @@ ${imageNumber < totalImages ? `\n**Next:** Generate ${totalImages - imageNumber}
           .update(pollSignatureData)
           .digest('hex')
-        const pollResponse = await fetch('https://api.wiro.ai/v1/Task/Detail', {
+        const pollResponse = await fetch(API_ENDPOINTS.wiroTaskDetail, {
           method: 'POST',
           headers: {
             'Content-Type': 'application/json',

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "suparank",
-  "version": "1.2.4",
+  "version": "1.2.5",
   "description": "AI-powered SEO content creation MCP - generate and publish optimized blog posts with Claude, ChatGPT, or Cursor",
   "main": "mcp-client.js",
   "type": "module",