Skip to main content
Glama

DollhouseMCP

by DollhouseMCP
SECURITY_FIXES_SUMMARY.mdโ€ข2.84 kB
# Security Fixes Summary - Export/Import/Sharing Feature ## Critical Vulnerabilities Fixed ### 1. Polynomial Regex ReDoS Attack (HIGH SEVERITY) โœ… **Location**: PersonaSharer.ts:251 **Vulnerable Pattern**: `/#dollhouse-persona=(.+)$/` **Attack Vector**: Input like `#dollhouse-persona=` + 'a'.repeat(100000) **Fix Applied**: `/#dollhouse-persona=([A-Za-z0-9+/=]+)$/` **Test Coverage**: ReDoS protection tests verify no exponential backtracking ### 2. Server-Side Request Forgery (SSRF) (HIGH SEVERITY) โœ… **Location**: PersonaSharer.ts:114 **Issue**: Direct fetch without validation **Attack Vectors**: - http://localhost/internal - http://192.168.1.1/admin - http://169.254.169.254/metadata - file:///etc/passwd **Fixes Applied**: ```typescript private validateShareUrl(url: string): boolean { const parsed = new URL(url); // Only allow http/https if (!['https:', 'http:'].includes(parsed.protocol)) { return false; } // Block private networks const hostname = parsed.hostname.toLowerCase(); if (hostname === 'localhost' || hostname.startsWith('127.') || hostname.startsWith('10.') || hostname.startsWith('192.168.') || hostname.startsWith('172.') || hostname.startsWith('169.254.') || hostname === '0.0.0.0' || hostname.includes(':')) { // IPv6 localhost return false; } return true; } ``` ### 3. Denial of Service via Timeouts โœ… **Issue**: No timeouts on fetch operations **Fix Applied**: - 5 second timeout for general URLs - 10 second timeout for GitHub API - AbortController implementation ### 4. GitHub API Abuse โœ… **Issue**: No rate limiting **Fix Applied**: - Token bucket rate limiting - 100 requests/hour (authenticated) - 30 requests/hour (unauthenticated) - 1 second minimum between requests ### 5. Memory Exhaustion โœ… **Issue**: No size limits **Fixes Applied**: - MAX_PERSONA_SIZE: 100KB - MAX_BUNDLE_SIZE: 1MB - MAX_PERSONAS_PER_BUNDLE: 50 ## Additional Security Measures ### Input Validation - Base64 format validation - JSON structure validation - Path traversal prevention - Content sanitization via ContentValidator ### Error Handling - No sensitive data in error messages - Graceful degradation - Security event logging ### Test Coverage - 20 security-focused tests - Attack pattern validation - Edge case handling - Performance under attack ## Security Score Improvement - **Before**: 6/10 (vulnerabilities present) - **After**: 9/10 (comprehensive protections) ## Remaining Considerations 1. Hard-coded domain (low risk) 2. Base64 validation edge cases (low risk) 3. No audit logging (future enhancement) ## Validation Commands ```bash # Run security tests npm test -- __tests__/unit/PersonaSharer.test.ts # Check for vulnerabilities npm audit # Verify TypeScript compilation npm run build ```

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/DollhouseMCP/DollhouseMCP'

If you have feedback or need assistance with the MCP directory API, please join our Discord server