@socketsecurity/mcp
+25
-7
@@ -238,11 +238,25 @@ #!/usr/bin/env -S node --experimental-strip-types | ||
| const origin = req.headers.origin; | ||
| const isLocalhostOrigin = (originUrl) => { | ||
| try { | ||
| const url = new URL(originUrl); | ||
| return url.hostname === 'localhost' || url.hostname === '127.0.0.1'; | ||
| } | ||
| catch { | ||
| return false; | ||
| } | ||
| }; | ||
| const allowedOrigins = [ | ||
| 'http://localhost:3000', | ||
| 'http://127.0.0.1:3000', | ||
| 'https://mcp.socket.dev', | ||
| 'https://mcp.socket-staging.dev' | ||
| ]; | ||
| const isValidOrigin = origin && allowedOrigins.includes(origin); | ||
| const host = req.headers.host || ''; | ||
| const isLocalhostHost = host === `localhost:${port}` || | ||
| host === `127.0.0.1:${port}` || | ||
| host === 'localhost' || | ||
| host === '127.0.0.1'; | ||
| const isValidOrigin = origin | ||
| ? (isLocalhostOrigin(origin) || allowedOrigins.includes(origin)) | ||
| : isLocalhostHost; | ||
| if (!isValidOrigin) { | ||
| logger.warn(`Rejected request from invalid origin: ${origin}`); | ||
| logger.warn(`Rejected request from invalid origin: ${origin || 'missing'} (host: ${host})`); | ||
| res.writeHead(403, { 'Content-Type': 'application/json' }); | ||
@@ -256,5 +270,7 @@ res.end(JSON.stringify({ | ||
| } | ||
| res.setHeader('Access-Control-Allow-Origin', origin); | ||
| res.setHeader('Access-Control-Allow-Methods', 'POST, OPTIONS'); | ||
| res.setHeader('Access-Control-Allow-Headers', 'Content-Type, Accept'); | ||
| if (origin) { | ||
| res.setHeader('Access-Control-Allow-Origin', origin); | ||
| res.setHeader('Access-Control-Allow-Methods', 'POST, OPTIONS'); | ||
| res.setHeader('Access-Control-Allow-Headers', 'Content-Type, Accept'); | ||
| } | ||
| if (req.method === 'OPTIONS') { | ||
@@ -273,2 +289,4 @@ res.writeHead(200); | ||
| if (jsonData && jsonData.method === 'initialize') { | ||
| const clientInfo = jsonData.params?.clientInfo; | ||
| logger.info(`Client connected: ${clientInfo?.name || 'unknown'} v${clientInfo?.version || 'unknown'} from ${origin || host}`); | ||
| if (httpTransport) { | ||
@@ -275,0 +293,0 @@ try { |
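Review bot: `isLocalhostOrigin` in the first hunk compares `url.hostname` only, so any scheme and any port on `localhost` or `127.0.0.1` passes the origin check and is then echoed back in `Access-Control-Allow-Origin`; the earlier allow-list pinned port 3000, assuming the two `:3000` entries are the removed lines, which this rendering does not mark. A page served from any other local port would therefore be accepted as a trusted caller of this endpoint. If that widening is intended, record it above the helper, e.g. `// Trusts every port on localhost/127.0.0.1, not just :3000.`; otherwise keep the scheme and port in the comparison. Separately, the `initialize` log line in the third hunk interpolates `clientInfo.name` and `clientInfo.version` from the request body, so control characters should be stripped from them unless the logger already escapes its input. The enclosing request handler starts and ends outside the visible hunks.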
+1
-1
| { | ||
| "name": "@socketsecurity/mcp", | ||
| "version": "0.0.14", | ||
| "version": "0.0.15", | ||
| "type": "module", | ||
@@ -5,0 +5,0 @@ "main": "./index.js", |
Network access
Supply chain risk: This module accesses the network.
Found 2 instances in 1 package
Shell access
Supply chain risk: This module accesses the system shell. Accessing the system shell increases the risk of executing arbitrary code.
Found 1 instance in 1 package
Environment variable access
Supply chain risk: Package accesses environment variables, which may be a sign of credential stuffing or data theft.
Found 6 instances in 1 package
Filesystem access
Supply chain risk: Accesses the file system, and could potentially read sensitive data.
Found 1 instance in 1 package
URL strings
Supply chain risk: Package contains fragments of external URLs or IP addresses, which the package may be accessing at runtime.
Found 1 instance in 1 package
Network access
Supply chain risk: This module accesses the network.
Found 2 instances in 1 package
Shell access
Supply chain risk: This module accesses the system shell. Accessing the system shell increases the risk of executing arbitrary code.
Found 1 instance in 1 package
Environment variable access
Supply chain risk: Package accesses environment variables, which may be a sign of credential stuffing or data theft.
Found 6 instances in 1 package
Filesystem access
Supply chain risk: Accesses the file system, and could potentially read sensitive data.
Found 1 instance in 1 package
URL strings
Supply chain risk: Package contains fragments of external URLs or IP addresses, which the package may be accessing at runtime.
Found 1 instance in 1 package
43030
1.93%665
2.78%