Scryfall MCP Server

# Security and Code Quality Fixes This document summarizes the security and code quality issues that were systematically identified and resolved in the Scryfall MCP server codebase. ## Issues Addressed ### 1. Memory Leak Prevention (RateLimiter) **Issue**: Potential memory leak from uncleared setTimeout in RateLimiter reset method. **Fix**: Added tracking of active timeouts and proper cleanup in the reset method. **Files Modified**: `src/services/rate-limiter.ts` ### 2. Error Handling Consistency (ScryfallClient) **Issue**: Inconsistent JSON parsing error handling that could lose debugging context. **Fix**: Improved error handling to preserve original error context while providing response debugging information. **Files Modified**: `src/services/scryfall-client.ts` ### 3. Input Sanitization **Issue**: Missing input sanitization for user-controlled query strings. **Fix**: Created comprehensive input sanitization utility with query validation and character filtering. **Files Modified**: - `src/utils/query-sanitizer.ts` (new) - `src/tools/search-cards.ts` - `src/tools/get-card.ts` - `src/tools/build-scryfall-query.ts` ### 4. Validation System Consistency **Issue**: Inconsistent error handling between sync and async validation functions. **Fix**: Consolidated validation logic into unified approach with consistent error reporting. **Files Modified**: `src/utils/validators.ts` ### 5. Resource Exhaustion Prevention (Cache) **Issue**: Unbounded cache growth could lead to memory exhaustion. **Fix**: Implemented LRU eviction policy with configurable size and memory limits. **Files Modified**: - `src/services/cache-service.ts` - `.env.example` ### 6. Configuration Security **Issue**: Hardcoded sensitive information in User-Agent header. **Fix**: Made User-Agent fully configurable through environment variables only. **Files Modified**: - `src/types/mcp-types.ts` - `src/services/scryfall-client.ts` - `.env.example` ### 7. Race Condition Prevention (RateLimiter) **Issue**: Potential race condition in queue processing logic. **Fix**: Added proper atomic operations and exception handling. **Files Modified**: `src/services/rate-limiter.ts` ### 8. Environment Variable Validation **Issue**: Missing validation for numeric conversion of environment variables. **Fix**: Created safe environment variable parsing utility with validation and fallbacks. **Files Modified**: - `src/utils/env-parser.ts` (new) - Multiple service files updated to use safe parsing ### 9. Enhanced Error Context **Issue**: Insufficient error context in generic error handlers. **Fix**: Added comprehensive error context with debugging information and correlation IDs. **Files Modified**: - `src/tools/search-cards.ts` - `src/tools/get-card.ts` ### 10. Prototype Pollution Prevention **Issue**: Potential prototype pollution in error class constructors. **Fix**: Added sanitization of details objects to prevent prototype pollution attacks. **Files Modified**: `src/types/mcp-errors.ts` ## Security Improvements 1. **Input Validation**: All user inputs are now sanitized and validated 2. **Resource Limits**: Implemented bounds on cache size and memory usage 3. **Error Safety**: Enhanced error handling with secure context preservation 4. **Configuration Security**: Removed hardcoded sensitive values 5. **Memory Safety**: Fixed potential memory leaks and unbounded growth ## Code Quality Improvements 1. **Consistent Error Handling**: Unified error handling patterns across the codebase 2. **Environment Safety**: Safe parsing of environment variables with validation 3. **Type Safety**: Enhanced TypeScript usage with proper type validation 4. **Testing**: All fixes validated with comprehensive test suite 5. **Logging**: Improved error context and debugging information ## Configuration Changes New environment variables added for better security and configurability: - `CACHE_MAX_SIZE`: Maximum number of cache entries - `CACHE_MAX_MEMORY_MB`: Maximum cache memory usage in MB - Enhanced validation for all existing environment variables ## Verification All fixes have been: - ✅ Type-checked with TypeScript - ✅ Linted with ESLint (warnings only, no errors) - ✅ Tested with comprehensive test suite (146 tests passing) - ✅ Verified for backwards compatibility