// config.js - Secure Configuration Management
const path = require('path');
const os = require('os');
// Load environment variables
require('dotenv').config();
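/**
 * Read a numeric limit from the environment.
 *
 * Only whole numbers >= 1 are accepted; a missing, non-numeric, zero or
 * negative value yields `fallback`. The limits below bound capture time, file
 * size, output size and request rate, so a negative value must not be allowed
 * to slip through as a "valid" limit. Parsing is base 10 only.
 *
 * @param {string} name - Environment variable to read.
 * @param {number} fallback - Value used when the variable is unusable.
 * @returns {number} The parsed value, or `fallback`.
 */
function readPositiveInt(name, fallback) {
  const parsed = Number.parseInt(process.env[name], 10);
  return Number.isInteger(parsed) && parsed >= 1 ? parsed : fallback;
}

/**
 * Turn a comma-separated directory list into absolute paths.
 *
 * Blank entries (a doubled or trailing comma, or a whitespace-only value) are
 * dropped: path.resolve('') returns the current working directory, which would
 * otherwise be added to the allowlist without anyone asking for it.
 * Relative entries are still resolved against the working directory.
 *
 * @param {string} raw - Comma-separated list of directories.
 * @returns {string[]} Absolute paths, in the order given.
 */
function resolveDirList(raw) {
  return raw
    .split(',')
    .map((entry) => entry.trim())
    .filter((entry) => entry.length > 0)
    .map((entry) => path.resolve(entry));
}

/**
 * Build the PCAP directory allowlist from ALLOWED_PCAP_DIRS.
 *
 * A value with no usable entries is treated like an unset variable and falls
 * back to the two built-in directories.
 *
 * @returns {string[]} Absolute directory paths.
 */
function loadAllowedPcapDirs() {
  const configured = resolveDirList(process.env.ALLOWED_PCAP_DIRS || '');
  if (configured.length > 0) {
    return configured;
  }
  return [
    path.resolve(process.env.HOME || os.homedir(), 'wiremcp', 'pcaps'),
    path.resolve(os.tmpdir(), 'wiremcp')
  ];
}

// Every value below is read from process.env once, when this module is loaded.
const config = {
  // Server configuration
  server: {
    name: 'wiremcp-secure',
    version: '2.0.0',
    // An unset NODE_ENV is treated as production
    environment: process.env.NODE_ENV || 'production'
  },

  // Security settings
  security: {
    // Maximum capture duration in seconds
    maxCaptureDuration: readPositiveInt('MAX_CAPTURE_DURATION', 60),

    // Minimum capture duration in seconds
    minCaptureDuration: readPositiveInt('MIN_CAPTURE_DURATION', 1),

    // Maximum file size for captures (100MB default)
    maxCaptureSize: readPositiveInt('MAX_CAPTURE_SIZE', 100 * 1024 * 1024),

    // Maximum output size for JSON responses (1MB default)
    maxOutputSize: readPositiveInt('MAX_OUTPUT_SIZE', 1024 * 1024),

    // Rate limiting
    rateLimit: {
      // Only the exact string 'false' turns this off; any other value
      // ('FALSE', '0', 'no', unset) leaves rate limiting on.
      enabled: process.env.RATE_LIMIT_ENABLED !== 'false',
      maxRequests: readPositiveInt('RATE_LIMIT_MAX', 5),
      windowMs: readPositiveInt('RATE_LIMIT_WINDOW_MS', 60000)
    },

    // Concurrent capture limit
    maxConcurrentCaptures: readPositiveInt('MAX_CONCURRENT_CAPTURES', 3),

    // Allowed PCAP directories (allowlist)
    allowedPcapDirs: loadAllowedPcapDirs(),

    // Temp directory for captures.
    // NOTE(review): TEMP_DIR is used as given - it is not resolved to an
    // absolute path and not checked against allowedPcapDirs. The default sits
    // under os.tmpdir(), which on some systems is shared between users; confirm
    // that the code creating it sets owner-only permissions.
    tempDir: process.env.TEMP_DIR || path.join(os.tmpdir(), 'wiremcp'),

    // Credential extraction is off unless the variable is exactly 'true'
    enableCredentialExtraction: process.env.ENABLE_CREDENTIAL_EXTRACTION === 'true',

    // Output sanitization is on unless the variable is exactly 'false'
    sanitizeSensitiveData: process.env.SANITIZE_DATA !== 'false'
  },

  // Network interface validation
  network: {
    // Only allow specific interfaces (empty = allow all available).
    // Entries are trimmed but deliberately not filtered: a value made only of
    // separators keeps its empty-string entries instead of collapsing into the
    // empty list, which would mean "allow all". Leaving ALLOWED_INTERFACES
    // unset is the permissive setting, so deployments that should capture on
    // named interfaces only need to set it.
    allowedInterfaces: process.env.ALLOWED_INTERFACES
      ? process.env.ALLOWED_INTERFACES.split(',').map((name) => name.trim())
      : [], // Empty means allow all system interfaces

    // Default interface ('en0' follows macOS naming; other platforms will
    // normally need DEFAULT_INTERFACE set)
    defaultInterface: process.env.DEFAULT_INTERFACE || 'en0'
  },

  // Threat intelligence
  threatIntel: {
    // On unless the variable is exactly 'false'. Presumably the source URL
    // below is fetched when this is on, i.e. the server makes outbound
    // requests by default - confirm against the consumer.
    enabled: process.env.THREAT_INTEL_ENABLED !== 'false',
    sources: {
      urlhaus: {
        enabled: true,
        url: 'https://urlhaus.abuse.ch/downloads/text/',
        timeout: 10000, // presumably milliseconds - confirm against the fetch code
        maxSize: 10 * 1024 * 1024 // 10MB
      }
    },

    // Cache threat data for this many seconds
    cacheTTL: readPositiveInt('THREAT_CACHE_TTL', 3600)
  },

  // Audit logging
  audit: {
    // On unless the variable is exactly 'false'
    enabled: process.env.AUDIT_ENABLED !== 'false',

    // NOTE(review): the default log lives under os.tmpdir() with a fixed name.
    // Where that directory is shared and world-writable, another local user can
    // create the path first, and temp cleaners may delete the log. Production
    // deployments should set AUDIT_LOG_FILE to a directory only the service
    // account can write; confirm the writer opens it with owner-only mode.
    logFile: process.env.AUDIT_LOG_FILE || path.join(os.tmpdir(), 'wiremcp-audit.log'),

    // Not checked against a list of known levels here
    logLevel: process.env.AUDIT_LOG_LEVEL || 'info'
  },

  // tshark configuration
  tshark: {
    // Path to tshark (auto-detected if not set).
    // NOTE(review): TSHARK_PATH is taken as-is, so whoever controls the
    // environment (or the .env file) chooses the binary - presumably the one
    // the capture code executes.
    path: process.env.TSHARK_PATH || null,

    // Execution timeout (capture duration + buffer)
    timeoutBuffer: 30, // seconds

    // Fallback paths for tshark
    fallbackPaths: process.platform === 'win32'
      ? [
          'C:\\Program Files\\Wireshark\\tshark.exe',
          'C:\\Program Files (x86)\\Wireshark\\tshark.exe'
        ]
      : [
          '/usr/bin/tshark',
          '/usr/local/bin/tshark',
          '/opt/homebrew/bin/tshark',
          '/Applications/Wireshark.app/Contents/MacOS/tshark'
        ]
  }
};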
// Validation
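/**
 * Check the numeric security limits in `config` for values that would weaken
 * or disable them.
 *
 * All problems are collected before throwing, so one run reports every
 * invalid setting. Besides the ordering and upper-bound checks, each limit
 * must be at least 1: a zero or negative duration, size or rate-limit window
 * is not a usable limit and is rejected rather than passed on.
 *
 * @throws {Error} When at least one setting is invalid; the message lists
 *   every failure on its own line.
 */
function validateConfig() {
  const { security } = config;
  const errors = [];

  if (security.maxCaptureDuration < security.minCaptureDuration) {
    errors.push('maxCaptureDuration must be >= minCaptureDuration');
  }
  if (security.maxCaptureDuration > 3600) {
    errors.push('maxCaptureDuration cannot exceed 1 hour for safety');
  }
  if (security.maxConcurrentCaptures < 1) {
    errors.push('maxConcurrentCaptures must be at least 1');
  }
  if (security.rateLimit.maxRequests < 1) {
    errors.push('rateLimit.maxRequests must be at least 1');
  }

  // Lower bounds for the remaining limits, which can be set to negative
  // numbers through the environment.
  if (security.minCaptureDuration < 1) {
    errors.push('minCaptureDuration must be at least 1');
  }
  if (security.maxCaptureSize < 1) {
    errors.push('maxCaptureSize must be at least 1');
  }
  if (security.maxOutputSize < 1) {
    errors.push('maxOutputSize must be at least 1');
  }
  if (security.rateLimit.windowMs < 1) {
    errors.push('rateLimit.windowMs must be at least 1');
  }

  if (errors.length > 0) {
    throw new Error(`Configuration validation failed:\n${errors.join('\n')}`);
  }
}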
// Initialize configuration
/**
 * Validate the configuration and print a short startup summary.
 *
 * The summary goes to stderr and covers the environment plus the on/off state
 * of rate limiting, audit logging and credential extraction. If validation
 * (or building the summary) throws, the error message is printed and the
 * process exits with status 1, so the module never hands out a configuration
 * that failed validation.
 *
 * NOTE(review): the summary does not report whether output sanitization is on.
 *
 * @returns {object} The validated `config` object.
 */
function init() {
  const describe = (flag) => (flag ? 'enabled' : 'disabled');

  try {
    validateConfig();
    console.error('[CONFIG] Configuration loaded and validated successfully');

    const { server, security, audit } = config;
    console.error(`[CONFIG] Environment: ${server.environment}`);
    console.error(`[CONFIG] Rate limiting: ${describe(security.rateLimit.enabled)}`);
    console.error(`[CONFIG] Audit logging: ${describe(audit.enabled)}`);
    console.error(`[CONFIG] Credential extraction: ${describe(security.enableCredentialExtraction)}`);

    return config;
  } catch (failure) {
    console.error(`[CONFIG] Error: ${failure.message}`);
    process.exit(1);
  }
}
// init() runs when this module is loaded: importers receive the validated
// config object it returns, and a configuration that fails validation ends the
// process inside init() instead of being exported.
module.exports = init();