DollhouseMCP

# SEC-001 Implementation: Prompt Injection Protection ## Overview This document describes the implementation of security controls for SEC-001 (GitHub MCP Indirect Prompt Injection vulnerability) that was merged in PR #156. ## Implementation Summary ### Components Implemented #### 1. ContentValidator (`src/security/contentValidator.ts`) - **Purpose**: Detects and blocks malicious prompt injection patterns - **Patterns Detected**: 20+ injection types including: - System prompt overrides: `[SYSTEM:]`, `[ADMIN:]`, `[ASSISTANT:]` - Instruction manipulation: "ignore previous instructions" - Data exfiltration: "export all files", "send all tokens" - Command execution: curl, wget, eval, exec - Token exposure: GitHub token patterns - Path traversal: ../../../ - YAML injection: !!python/object, !!exec #### 2. SecurityMonitor (`src/security/securityMonitor.ts`) - **Purpose**: Centralized security event logging and alerting - **Features**: - Real-time security event logging - Critical event alerting - Security report generation - Circular buffer for last 1000 events #### 3. SecurityError (`src/errors/SecurityError.ts`) - **Purpose**: Specialized error handling for security violations - **Features**: - Severity levels (low/medium/high/critical) - Contextual error information - Factory methods for common scenarios ### Integration Points All marketplace operations now include security validation: 1. **install_persona**: Validates and sanitizes content before installation 2. **get_marketplace_persona**: Warns users about potentially malicious content 3. **submit_persona**: Prevents submission of personas with security threats 4. **create_persona**: Validates all inputs for injection patterns 5. **edit_persona**: Validates new values before applying changes ### Testing Coverage 32 comprehensive tests were added covering: - All injection pattern types - YAML security validation - Metadata validation - Security monitoring functionality - Edge cases (unicode, empty content, case sensitivity) ## Security Architecture ``` User Input → ContentValidator → Pattern Detection → Sanitization ↓ SecurityMonitor → Event Logging → Alerts ↓ SecurityError → User Feedback ``` ## Effectiveness The implementation uses pattern-based detection rather than AI-based approaches for reliability: - Cannot be manipulated or persuaded - Consistent detection across all scenarios - No dependency on external services - Immediate blocking of threats ## Related Files Changed - `src/security/contentValidator.ts` (new) - `src/security/securityMonitor.ts` (new) - `src/errors/SecurityError.ts` (new) - `src/tools/marketplace/installPersona.ts` (updated) - `src/tools/marketplace/getMarketplacePersona.ts` (updated) - `src/tools/marketplace/submitPersona.ts` (updated) - `src/tools/persona-management/createPersona.ts` (updated) - `src/tools/persona-management/editPersona.ts` (updated) - `__tests__/security/` (32 new tests) ## Audit Compliance This implementation fully addresses SEC-001 from the security audit: - **Vulnerability**: GitHub MCP Indirect Prompt Injection (CVSS 9.1) - **Status**: ✅ Mitigated - **Method**: Content validation and sanitization at all entry points ## Next Steps 1. Monitor security events for new attack patterns 2. Consider implementing SEC-003 (YAML parsing security) 3. Add security dashboard for visualization 4. Regular pattern updates based on threat intelligence ## References - Original PR: #156 - Security Audit: `/Users/mick/Developer/MCP-Servers/Notes/audit-July-9th-2025/dollhousemcp_security_audit.md` - Related Issue: #152