vcluster-yaml-mcp-server 1.0.0 → 1.0.1

package/README.md

@@ -71,7 +71,7 @@ The package also provides a standalone CLI for quick queries and validation with
 
 ```bash
 # Quick start with npx (no installation)
-npx -y vcluster-yaml-mcp-server vcluster-yaml query sync --format table
+npx -p vcluster-yaml-mcp-server vcluster-yaml query sync --format table
 
 # Or install globally
 npm install -g vcluster-yaml-mcp-server

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "vcluster-yaml-mcp-server",
-  "version": "1.0.0",
+  "version": "1.0.1",
   "description": "MCP server for querying vcluster YAML configurations using jq",
   "main": "src/index.js",
   "type": "module",
@@ -32,6 +32,7 @@
     "cli-table3": "^0.6.5",
     "commander": "^13.0.0",
     "express": "^4.18.2",
+    "express-rate-limit": "^8.1.0",
     "js-yaml": "^4.1.0",
     "node-fetch": "^3.3.2",
     "node-jq": "^6.0.1"
@@ -46,7 +47,6 @@
     "jsonschema": "^1.5.0",
     "strip-ansi": "^7.1.0",
     "supertest": "^7.1.4",
-    "vitest": "^3.2.4",
-    "z-schema": "^6.0.2"
+    "vitest": "^3.2.4"
   }
 }

package/src/github.js

@@ -75,6 +75,16 @@ class GitHubClient {
 
   // Get file content from GitHub
   async getFileContent(path, ref = 'main') {
+    // Validate path - prevent path traversal
+    if (path.includes('..') || path.startsWith('/')) {
+      throw new Error('Invalid path: path traversal not allowed');
+    }
+
+    // Validate ref format (branch, tag, or commit SHA)
+    if (!/^[\w.\/-]+$/.test(ref)) {
+      throw new Error('Invalid ref format');
+    }
+
     const actualRef = ref;
     const cacheKey = `file:${actualRef}:${path}`;
     const cached = this.getFromCache(cacheKey);

package/src/http-server.js

@@ -3,16 +3,48 @@
 import { StreamableHTTPServerTransport } from '@modelcontextprotocol/sdk/server/streamableHttp.js';
 import { createServer } from './server.js';
 import express from 'express';
+import rateLimit from 'express-rate-limit';
 import { requireApiKey } from './middleware/auth.js';
 
 const PORT = process.env.PORT || 3000;
 const REQUIRE_AUTH = process.env.REQUIRE_AUTH === 'true';
 
 const app = express();
-app.use(express.json());
+
+// Security headers
+app.use((req, res, next) => {
+  res.setHeader('X-Content-Type-Options', 'nosniff');
+  res.setHeader('X-Frame-Options', 'DENY');
+  res.removeHeader('X-Powered-By');
+  next();
+});
+
+// Request size limiting
+app.use(express.json({
+  limit: '1mb',
+  strict: true
+}));
+
+// Rate limiting for general endpoints
+const apiLimiter = rateLimit({
+  windowMs: 15 * 60 * 1000, // 15 minutes
+  max: 500,
+  message: { error: 'Too many requests, please try again later' },
+  standardHeaders: true,
+  legacyHeaders: false
+});
+
+// Rate limiting for MCP endpoint (allows for interactive sessions)
+const mcpLimiter = rateLimit({
+  windowMs: 15 * 60 * 1000, // 15 minutes
+  max: 1000,
+  message: { error: 'Too many requests to MCP endpoint, please try again later' },
+  standardHeaders: true,
+  legacyHeaders: false
+});
 
 // Health check endpoint
-app.get('/health', (_req, res) => {
+app.get('/health', apiLimiter, (_req, res) => {
   res.json({
     status: 'ok',
     name: 'vcluster-yaml-mcp-server',
@@ -56,8 +88,8 @@ const mcpHandler = async (req, res) => {
 };
 
 // Support both GET and POST for MCP endpoint
-app.get('/mcp', REQUIRE_AUTH ? requireApiKey : (req, res, next) => next(), mcpHandler);
-app.post('/mcp', REQUIRE_AUTH ? requireApiKey : (req, res, next) => next(), mcpHandler);
+app.get('/mcp', mcpLimiter, REQUIRE_AUTH ? requireApiKey : (req, res, next) => next(), mcpHandler);
+app.post('/mcp', mcpLimiter, REQUIRE_AUTH ? requireApiKey : (req, res, next) => next(), mcpHandler);
 
 app.listen(PORT, () => {
   console.log(`vcluster-yaml-mcp-server HTTP running on port ${PORT}`);

package/src/middleware/auth.js

@@ -1,4 +1,16 @@
-// Simple API key authentication middleware
+import crypto from 'crypto';
+
+// Timing-safe string comparison
+function secureCompare(a, b) {
+  if (!a || !b || a.length !== b.length) return false;
+  try {
+    return crypto.timingSafeEqual(Buffer.from(a), Buffer.from(b));
+  } catch {
+    return false;
+  }
+}
+
+// API key authentication middleware with timing-safe comparison
 export function requireApiKey(req, res, next) {
   const authHeader = req.headers['authorization'];
 
@@ -10,9 +22,14 @@ export function requireApiKey(req, res, next) {
   }
 
   const token = authHeader.substring(7);
-  const validTokens = (process.env.VALID_API_KEYS || '').split(',');
+  const validTokens = (process.env.VALID_API_KEYS || '').split(',').filter(t => t.length > 0);
+
+  // Use timing-safe comparison to prevent timing attacks
+  const isValid = validTokens.some(validToken =>
+    validToken.length === token.length && secureCompare(validToken, token)
+  );
 
-  if (!validTokens.includes(token)) {
+  if (!isValid) {
     return res.status(403).json({
       error: 'Forbidden',
       message: 'Invalid API key'

package/src/server.js

@@ -1,7 +1,6 @@
 import { Server } from '@modelcontextprotocol/sdk/server/index.js';
 import { ListToolsRequestSchema, CallToolRequestSchema } from '@modelcontextprotocol/sdk/types.js';
 import yaml from 'js-yaml';
-import jq from 'node-jq';
 import { githubClient } from './github.js';
 import { validateSnippet } from './snippet-validator.js';
 
@@ -591,77 +590,6 @@ export function createServer() {
           };
         }
 
-        case 'query-config': {
-          const version = args.version || 'main';
-          let yamlData;
-
-          // Load YAML data from GitHub or content
-          if (args.content) {
-            yamlData = yaml.load(args.content);
-          } else if (args.file) {
-            yamlData = await githubClient.getYamlContent(args.file, version);
-          } else {
-            // Default to chart/values.yaml
-            yamlData = await githubClient.getYamlContent('chart/values.yaml', version);
-          }
-          
-          // Convert YAML to JSON for jq processing
-          const jsonData = JSON.stringify(yamlData);
-          
-          // Run jq query
-          const options = {
-            input: 'string',
-            output: args.raw ? 'string' : 'json'
-          };
-          
-          const result = await jq.run(args.query, jsonData, options);
-          
-          return {
-            content: [
-              {
-                type: 'text',
-                text: typeof result === 'string' ? result : JSON.stringify(result, null, 2)
-              }
-            ]
-          };
-        }
-
-        case 'get-config-value': {
-          const version = args.version || 'main';
-          let yamlData;
-
-          // Load YAML data from GitHub or content
-          if (args.content) {
-            yamlData = yaml.load(args.content);
-          } else if (args.file) {
-            yamlData = await githubClient.getYamlContent(args.file, version);
-          } else {
-            yamlData = await githubClient.getYamlContent('config/values.yaml', version);
-          }
-          
-          // Convert dot notation to jq query
-          const jqQuery = '.' + args.path.split('.').map(part => {
-            // Handle array indices
-            if (/^\d+$/.test(part)) {
-              return `[${part}]`;
-            }
-            // Handle special characters in keys
-            return `["${part}"]`;
-          }).join('');
-          
-          const jsonData = JSON.stringify(yamlData);
-          const result = await jq.run(jqQuery, jsonData, { input: 'string', output: 'json' });
-          
-          return {
-            content: [
-              {
-                type: 'text',
-                text: `Value at ${args.path}: ${JSON.stringify(result, null, 2)}`
-              }
-            ]
-          };
-        }
-
         case 'extract-validation-rules': {
           const version = args.version || 'main';
           const fileName = args.file || 'chart/values.yaml';
@@ -756,67 +684,6 @@ export function createServer() {
           }
         }
 
-        case 'search-config': {
-          const version = args.version || 'main';
-          let yamlData;
-
-          // Load YAML data from GitHub or content
-          if (args.content) {
-            yamlData = yaml.load(args.content);
-          } else if (args.file) {
-            yamlData = await githubClient.getYamlContent(args.file, version);
-          } else {
-            yamlData = await githubClient.getYamlContent('config/values.yaml', version);
-          }
-
-          const searchTerm = args.search.toLowerCase();
-          const matches = [];
-
-          // Recursive search function
-          function searchObject(obj, path = '') {
-            if (obj && typeof obj === 'object') {
-              for (const [key, value] of Object.entries(obj)) {
-                const currentPath = path ? `${path}.${key}` : key;
-
-                // Check if key matches
-                if (key.toLowerCase().includes(searchTerm)) {
-                  if (args.keysOnly) {
-                    matches.push(`Key: ${currentPath}`);
-                  } else {
-                    matches.push(`Key: ${currentPath} = ${JSON.stringify(value)}`);
-                  }
-                }
-
-                // Check if value matches (if not keysOnly)
-                if (!args.keysOnly && value !== null && value !== undefined) {
-                  const valueStr = JSON.stringify(value).toLowerCase();
-                  if (valueStr.includes(searchTerm)) {
-                    matches.push(`Value at ${currentPath}: ${JSON.stringify(value)}`);
-                  }
-                }
-
-                // Recurse into objects
-                if (typeof value === 'object' && value !== null && !Array.isArray(value)) {
-                  searchObject(value, currentPath);
-                }
-              }
-            }
-          }
-
-          searchObject(yamlData);
-
-          return {
-            content: [
-              {
-                type: 'text',
-                text: matches.length > 0
-                  ? `Found ${matches.length} match(es):\n${matches.join('\n')}`
-                  : `No matches found for "${args.search}"`
-              }
-            ]
-          };
-        }
-
         default:
           throw new Error(`Unknown tool: ${name}`);
       }

package/src/snippet-validator.js

@@ -190,6 +190,18 @@ function createAjvInstance() {
  */
 export function validateSnippet(snippetYaml, fullSchema, version, sectionHint = null) {
   const startTime = Date.now();
+  const MAX_YAML_SIZE = 1024 * 1024; // 1MB
+
+  // Check YAML size limit
+  if (snippetYaml.length > MAX_YAML_SIZE) {
+    return {
+      valid: false,
+      error: 'YAML exceeds 1MB limit',
+      size_bytes: snippetYaml.length,
+      max_size_bytes: MAX_YAML_SIZE,
+      elapsed_ms: Date.now() - startTime
+    };
+  }
 
   // Parse YAML
   let parsedSnippet;