Skip to main content
Glama

DollhouseMCP

by DollhouseMCP
npmGitHub
TypeScript
359
9
  • Apple
  • Linux
OverviewInspectNewEndpointsSchemaRelated ServersReviewsScore
Need Help?View Source CodeReport Issue
SESSION_NOTES_SECURITY_FIX_206.md2.43 kB
# Session Notes - Security Fix Issue #206 (July 23, 2025) ## What We Accomplished 1. Created `SecureErrorHandler` class in `src/security/errorHandler.ts` - Sanitizes error messages to prevent path disclosure - Different behavior for production vs development - Comprehensive path/IP/port sanitization - Maps system errors to user-friendly messages 2. Created comprehensive tests in `test/__tests__/unit/security/errorHandler.test.ts` - Tests for all sanitization scenarios - Production vs development mode tests - Error code mapping tests 3. Started fixing error handling in `src/index.ts` - Added import for SecureErrorHandler - Fixed 9 instances of `${error}` interpolation: - browseCollection (line 463) - searchCollection (line 492) - getCollectionContent (line 518) - installContent (line 564) - validatePersona (line 636) - setUserIdentity (line 710) - createPersona (line 960) - createPersona outer catch (line 973) - editPersona (line 1190) ## Still Need to Fix ### In src/index.ts: 1. Logger.error calls that expose raw errors: - Line 120: `logger.error(\`Failed to initialize portfolio: ${error}\`)` - Line 249: `logger.error(\`Error loading persona ${file}: ${error}\`)` - Line 253: `logger.error(\`Error reading personas directory: ${error}\`)` 2. Error.message usage that might expose paths: - Lines 1497, 1601, 1627, 1662, 1704, 1758: Uses `error.message` ### Other Files to Check: 1. PersonaLoader.ts - logs errors with file names 2. PathValidator.ts - throws errors with user paths 3. PersonaElementManager.ts - throws errors with file paths 4. AgentManager.ts - throws error with path 5. PortfolioManager.ts - logs stack traces 6. MigrationManager.ts - logs stack traces 7. GitHubClient.ts - preserves stack traces ## Next Steps 1. Continue fixing remaining error handlers in index.ts 2. Update other files to use SecureErrorHandler 3. Create a wrapper for logger.error that sanitizes 4. Run tests to ensure nothing breaks 5. Create PR for issue #206 ## Branch: fix/security-error-disclosure ## Key Pattern to Apply ```typescript // Replace this: } catch (error) { logger.error(`Operation failed: ${error}`); throw error; } // With this: } catch (error) { const sanitized = SecureErrorHandler.sanitizeError(error); logger.error(`Operation failed: ${sanitized.message}`); throw new Error(sanitized.message); } ```

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/DollhouseMCP/DollhouseMCP'

If you have feedback or need assistance with the MCP directory API, please join our Discord server