🛡️ Vibe-Guard Security Scanner - 25 essential security rules to catch vulnerabilities before they catch you! Zero dependencies, instant setup, works everywhere, optimized performance. Detects SQL injection, XSS, exposed secrets, CSRF, CORS issues, and mo
// NOTE(review): the file opens with a bare ';' — possibly a directive such as
// "use strict" lost in extraction; confirm against the original source.
;
// TypeScript/CommonJS interop marker so ESM-aware consumers treat this as a
// compiled ES module.
Object.defineProperty(exports, "__esModule", { value: true });
// Placeholder export; the class is assigned to it once it is defined below.
exports.McpServerSecurityRule = undefined;
// Project-local base class for scanner rules (provides createIssue()).
const types_1 = require("../types");
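/**
 * Scanner rule that flags insecure Model Context Protocol (MCP) server
 * configuration lines.
 *
 * Every non-empty line of the scanned file is matched against
 * `insecurePatterns`; each hit becomes one issue at that line. Files whose
 * path contains `test`, `spec`, `mock` or `example` are skipped entirely.
 *
 * `contextPatterns` and `falsePositivePatterns` are kept as public fields for
 * API compatibility but are not consulted by `check()`: the counting block
 * that read them returned `issues` on every branch, so it had no observable
 * effect and was removed.
 */
class McpServerSecurityRule extends types_1.BaseRule {
  /**
   * Forwards any constructor arguments to BaseRule and initialises the rule's
   * metadata and pattern tables.
   */
  constructor(...args) {
    super(...args);
    this.name = 'mcp-server-security';
    this.description = 'Detects insecure Model Context Protocol (MCP) server configurations';
    this.severity = 'high';
    // Each entry pairs a line-level regex with the label reported on a hit.
    // These regexes carry the `g` flag, which makes `test()` stateful via
    // `lastIndex`; `check()` resets it before every call so that a match on
    // one line cannot cause a missed match on the next.
    this.insecurePatterns = [
      { pattern: /(?:^|\s)(?:allow|enable|permit)\s*[:=]\s*["']?\s*(?:all|true|yes|1|any|everyone|public|unrestricted)\s*["']?/gi, type: 'Insecure MCP configuration' },
      { pattern: /(?:^|\s)(?:deny|disable|block|restrict)\s*[:=]\s*["']?\s*(?:false|no|0|none|empty)\s*["']?/gi, type: 'Disabled MCP security' },
      { pattern: /(?:^|\s)(?:auth|authentication|authorization)\s*[:=]\s*["']?\s*(?:none|false|disabled|off)\s*["']?/gi, type: 'Disabled MCP authentication' },
      { pattern: /(?:^|\s)(?:cors|origin)\s*[:=]\s*["']?\s*\*\s*["']?/gi, type: 'Open CORS in MCP' },
      { pattern: /(?:^|\s)(?:token|key|secret)\s*[:=]\s*["']?\s*(?:test|demo|example|placeholder|123|abc|xyz)\s*["']?/gi, type: 'Weak MCP credentials' },
    ];
    // Context-related assignment markers. Not used by check(); see class comment.
    this.contextPatterns = [
      /context\s*[:=]/gi,
      /contexts\s*[:=]/gi,
      /contextFile\s*[:=]/gi,
      /contextFiles\s*[:=]/gi,
      /contextPath\s*[:=]/gi,
      /contextDir\s*[:=]/gi,
      /contextDirectory\s*[:=]/gi,
    ];
    // Markers of non-production or commentary lines. Not used by check(); see
    // class comment. Several are very broad substrings (`dev`, `note`, `test`).
    this.falsePositivePatterns = [
      /example/i,
      /demo/i,
      /test/i,
      /sample/i,
      /placeholder/i,
      /development/i,
      /dev/i,
      /staging/i,
      /localhost/i,
      /127\.0\.0\.1/i,
      /console\.log/i,
      /console\.warn/i,
      /console\.error/i,
      /logger\.(?:log|warn|error|info)/i,
      /print/i,
      /echo/i,
      /printf/i,
      /System\.out\.println/i,
      /puts/i,
      /Console\.WriteLine/i,
      /comment/i,
      /note/i,
      /todo/i,
      /fixme/i,
      /\/\/.*(?:mcp|context)/i,
      /#.*(?:mcp|context)/i,
      /\/\*.*(?:mcp|context).*\*\//i,
      /<!--.*(?:mcp|context).*-->/i,
    ];
  }

  /**
   * Scan one file for insecure MCP configuration lines.
   *
   * @param {{ path: string, content: string }} fileContent - file path and full text.
   * @returns {Array} issues built with `this.createIssue(...)`, one per matching
   *   (line, pattern) pair; empty when the path is skipped or nothing matches.
   */
  check(fileContent) {
    const issues = [];
    const { path, content } = fileContent;
    // Skip fixtures, specs, mocks and examples. This is a plain substring test
    // on the whole path, so paths such as "latest/" or "contest/" are skipped
    // as well; kept as-is to stay consistent with the other rules.
    const skipMarkers = ['test', 'spec', 'mock', 'example'];
    if (skipMarkers.some((marker) => path.includes(marker))) {
      return issues;
    }
    const lines = content.split('\n');
    lines.forEach((line, index) => {
      if (!line) {
        return;
      }
      const trimmedLine = line.trim();
      for (const { pattern, type } of this.insecurePatterns) {
        // Stateful /g regex: always start scanning this line from column 0.
        pattern.lastIndex = 0;
        if (pattern.test(trimmedLine)) {
          issues.push(this.createIssue(
            path,
            index + 1,
            // Column of the first non-whitespace character, 1-based.
            line.indexOf(trimmedLine) + 1,
            line,
            `Insecure MCP configuration: ${type}`,
            `Review and secure your MCP server configuration. Implement proper authentication, authorization, and access controls.`,
          ));
        }
      }
    });
    return issues;
  }
}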
// Publish the rule class on the CommonJS export object.
Object.assign(exports, { McpServerSecurityRule });
//# sourceMappingURL=mcp-server-security.js.map