UNPKG

mcp-sanitizer

Version:

Comprehensive security sanitization library for Model Context Protocol (MCP) servers with trusted security libraries

github.com/starman69/mcp-sanitizer

starman69/mcp-sanitizer

79 lines (61 loc) 2.74 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
/** * Simple tests for Security Enhancements - focusing on functionality */ const { detectDirectionalOverrides, detectNullBytes, detectMultipleUrlEncoding, detectPostgresDollarQuotes, detectCyrillicHomographs, handleEmptyStrings, DIRECTIONAL_OVERRIDES } = require('../src/utils/security-enhancements'); describe('Security Enhancements - Core Functions', () => { test('should detect directional overrides', () => { const maliciousText = `test${DIRECTIONAL_OVERRIDES.RLO}attack`; const result = detectDirectionalOverrides(maliciousText); expect(result.detected).toBe(true); expect(result.warnings.length).toBeGreaterThan(0); expect(result.warnings[0].type).toBe('DIRECTIONAL_OVERRIDE_ATTACK'); }); test('should detect null bytes', () => { const maliciousPath = '/path\x00/../etc/passwd'; const result = detectNullBytes(maliciousPath); expect(result.detected).toBe(true); expect(result.warnings[0].type).toBe('NULL_BYTE_DETECTED'); expect(result.sanitized).not.toContain('\x00'); }); test('should detect multiple URL encoding', () => { const doubleEncoded = '%252E%252E%252F'; const result = detectMultipleUrlEncoding(doubleEncoded); expect(result.detected).toBe(true); expect(result.metadata.encodingDepth).toBe(2); expect(result.decoded).toBe('../'); }); test('should detect PostgreSQL dollar quotes', () => { const sqlWithDollarQuotes = 'SELECT $$content$$'; const result = detectPostgresDollarQuotes(sqlWithDollarQuotes); expect(result.detected).toBe(true); expect(result.metadata.dollarQuotes.some(q => q.quote === '$$')).toBe(true); }); test('should detect Cyrillic homographs', () => { const spoofedDomain = 'аpple.com'; // Cyrillic 'а' const result = detectCyrillicHomographs(spoofedDomain); expect(result.detected).toBe(true); expect(result.normalized).toBe('apple.com'); expect(result.metadata.homographs.length).toBeGreaterThan(0); }); test('should handle empty strings with context', () => { const result = handleEmptyStrings('', { required: true, fieldName: 'test' }); expect(result.isEmpty).toBe(true); expect(result.isValid).toBe(false); expect(result.warnings[0].type).toBe('REQUIRED_FIELD_EMPTY'); }); // Timing attack prevention tests removed - not applicable for middleware sanitization test('should integrate with existing validators', () => { const { enhancedStringValidation } = require('../src/utils/string-utils'); const result = enhancedStringValidation(`test${DIRECTIONAL_OVERRIDES.RLO}content`); expect(result.warnings.length).toBeGreaterThan(0); expect(result.sanitized).not.toContain(DIRECTIONAL_OVERRIDES.RLO); }); });