SECURITY.md (3.02 kB)
# Security Policy

## Supported Versions

| Version | Supported          |
|---------|--------------------|
| 1.x.x   | :white_check_mark: |

## Reporting a Vulnerability

If you discover a security vulnerability in this project, please report it privately before disclosing it publicly.

### How to Report

- **Email**: cbuntingde@gmail.com
- **Subject**: Security Vulnerability - CodeWiki MCP Server

Please include:

- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Any suggested mitigations (if known)

### Response Time

- Initial response within 48 hours
- Detailed assessment within 7 days
- Patch timeline depends on severity

### What to Expect

1. **Acknowledgment**: We'll confirm receipt of your report
2. **Validation**: We'll investigate and validate the vulnerability
3. **Resolution**: We'll develop and test a fix
4. **Disclosure**: We'll coordinate public disclosure
5. **Credit**: We'll credit you in the security advisory (if desired)

## Security Best Practices

### For Users

- Keep dependencies updated
- Review cache permissions and locations
- Monitor network traffic for unusual requests
- Use in isolated environments when possible

### For Developers

- Follow secure coding practices
- Validate all inputs
- Use parameterized queries
- Keep dependencies updated
- Review dependencies for known vulnerabilities

## Security Features

This MCP server includes several security features:

- **Input Validation**: All user inputs are validated and sanitized
- **Safe Parsing**: HTML parsing is done safely to prevent XSS
- **Cache Isolation**: Cached data is stored in isolated files
- **Rate Limiting**: Built-in delays to prevent overwhelming CodeWiki servers
- **Error Handling**: Sensitive information is not exposed in error messages

## Known Limitations

- **Web Scraping**: Relies on web scraping, which may break if CodeWiki changes
- **Network Exposure**: Makes network requests to external services
- **File Storage**: Stores cached data locally on disk

## Security Updates

Security updates will be released as:

- Patch versions (x.x.PATCH) for security fixes
- Security advisories for critical vulnerabilities
- Automated dependency updates for known security issues

## Threat Model

### Primary Threats

1. **Code Injection**: Through malicious repository names or content
2. **Cache Poisoning**: Through manipulated cached documentation
3. **Denial of Service**: Through excessive requests
4. **Information Disclosure**: Through error messages or logs

### Mitigations

1. **Input Sanitization**: All inputs are cleaned before processing
2. **Cache Validation**: Cached data is validated before use
3. **Rate Limiting**: Built-in delays prevent excessive requests
4. **Error Handling**: Errors are logged without sensitive data

## Additional Resources

- [GitHub Security Best Practices](https://docs.github.com/en/code-security)
- [OWASP Top 10](https://owasp.org/www-project-top-ten/)
- [Node.js Security](https://nodejs.org/en/docs/guides/security/)