UNPKG

mcp-quiz-server

Version:

🧠 AI-Powered Quiz Management via Model Context Protocol (MCP) - Create, manage, and take quizzes directly from VS Code, Claude, and other AI agents.

github.com/GSejas/mcp-quiz-oss

GSejas/mcp-quiz-oss

180 lines (179 loc) • 6.34 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
"use strict"; /** * @moduleName: Input Sanitization Middleware * @version: 1.0.0 * @since: 2025-01-23 * @lastUpdated: 2025-01-23 * @projectSummary: Input sanitization and validation middleware for security * @techStack: Express.js, DOMPurify, TypeScript * @dependency: express, dompurify, jsdom * @interModuleDependency: None * @requirementsTraceability: * {@link Requirements.REQ_SEC_001} (Input Validation Security) * {@link Requirements.REQ_SEC_002} (XSS Prevention) * {@link Requirements.REQ_SEC_003} (Injection Attack Prevention) * @briefDescription: Middleware to sanitize user input and prevent XSS/injection attacks * @methods: sanitizeInput, validateInputSchema, preventInjection * @contributors: GitHub Copilot * @examples: app.use(sanitizeMiddleware) * @vulnerabilitiesAssessment: Prevents XSS, SQL injection, script injection attacks */ Object.defineProperty(exports, "__esModule", { value: true }); exports.sanitizeInput = sanitizeInput; exports.validateInputLength = validateInputLength; const audit_logger_1 = require("./audit-logger"); // Simple HTML tag removal for basic XSS prevention function stripHtmlTags(str) { if (typeof str !== 'string') return str; return str.replace(/<[^>]*>/g, ''); } // Basic SQL injection pattern detection function containsSqlInjection(str) { if (typeof str !== 'string') return false; const sqlPatterns = [ /(\b(SELECT|INSERT|UPDATE|DELETE|DROP|CREATE|ALTER|EXEC|UNION|SCRIPT)\b)/i, /(;|\s)(--|#)/i, /('\s*(OR|AND)\s*')/i, /('\s*=\s*')/i, /(EXEC\s*\()/i, /(\bOR\b\s+\d+\s*=\s*\d+)/i, /(\bUNION\b.*\bSELECT\b)/i, ]; return sqlPatterns.some(pattern => pattern.test(str)); } // Basic XSS pattern detection function containsXssPayload(str) { if (typeof str !== 'string') return false; const xssPatterns = [ /<script[^>]*>.*?<\/script>/gi, /javascript:/gi, /on\w+\s*=/gi, /<iframe[^>]*>/gi, /<object[^>]*>/gi, /<embed[^>]*>/gi, /<link[^>]*>/gi, /<meta[^>]*>/gi, /vbscript:/gi, /data:text\/html/gi, ]; return xssPatterns.some(pattern => pattern.test(str)); } // Recursively sanitize object properties function sanitizeObject(obj) { if (obj === null || obj === undefined) return obj; if (typeof obj === 'string') { // Check for malicious patterns if (containsSqlInjection(obj)) { throw new Error('Potential SQL injection detected in input'); } if (containsXssPayload(obj)) { throw new Error('Potential XSS payload detected in input'); } // Basic sanitization - strip HTML tags return stripHtmlTags(obj.trim()); } if (typeof obj === 'number' || typeof obj === 'boolean') { return obj; } if (Array.isArray(obj)) { return obj.map(sanitizeObject); } if (typeof obj === 'object') { const sanitized = {}; for (const [key, value] of Object.entries(obj)) { // Sanitize both key and value const sanitizedKey = typeof key === 'string' ? stripHtmlTags(key) : key; sanitized[sanitizedKey] = sanitizeObject(value); } return sanitized; } return obj; } // Input sanitization middleware function sanitizeInput(req, res, next) { try { // Sanitize request body if (req.body && typeof req.body === 'object') { req.body = sanitizeObject(req.body); } // Sanitize query parameters if (req.query && typeof req.query === 'object') { req.query = sanitizeObject(req.query); } // Sanitize URL parameters if (req.params && typeof req.params === 'object') { req.params = sanitizeObject(req.params); } next(); } catch (error) { // Log security event for blocked malicious input const auditLogger = (0, audit_logger_1.getAuditLogger)(); auditLogger.logSecurityEvent('MALICIOUS_INPUT_BLOCKED', { ipAddress: req.ip || req.connection.remoteAddress, userAgent: req.get('User-Agent'), threat_type: 'INPUT_VALIDATION', severity: 'HIGH', blocked: true, metadata: { url: req.url, method: req.method, errorMessage: error instanceof Error ? error.message : 'Unknown error', bodySize: JSON.stringify(req.body || {}).length, }, }); // Return 400 for malicious input res.status(400).json({ error: { code: 'MALICIOUS_INPUT', message: error instanceof Error ? error.message : 'Malicious input detected', details: 'Request contains potentially harmful content', }, }); } } // Length validation middleware function validateInputLength(maxLength = 10000) { return (req, res, next) => { const bodySize = JSON.stringify(req.body || {}).length; if (bodySize > maxLength) { // Log security event for oversized input const auditLogger = (0, audit_logger_1.getAuditLogger)(); auditLogger.logSecurityEvent('OVERSIZED_INPUT_BLOCKED', { ipAddress: req.ip || req.connection.remoteAddress, userAgent: req.get('User-Agent'), threat_type: 'INPUT_SIZE_LIMIT', severity: 'MEDIUM', blocked: true, metadata: { url: req.url, method: req.method, maxLength, actualSize: bodySize, exceedsBy: bodySize - maxLength, }, }); res.status(400).json({ error: { code: 'INPUT_TOO_LARGE', message: `Request body exceeds maximum size of ${maxLength} characters`, details: `Current size: ${bodySize} characters`, }, }); return; } next(); }; } // Export middleware functions exports.default = { sanitizeInput, validateInputLength, stripHtmlTags, containsSqlInjection, containsXssPayload, };