by clipsense
SECURITY_FINDINGS_QUICK_REFERENCE.md•6.3 kB
# ClipSense Security Audit - Quick Reference Guide

## Findings by OWASP Category

### A01:2021 - Broken Access Control
- **Issue #3**: Path Traversal in `analyzeVideo()` - HIGH
- **Issue #7**: Unsafe Error Messages exposing paths - MEDIUM

### A02:2021 - Cryptographic Failures
- **Issue #1**: Hardcoded API Keys - CRITICAL
- **Issue #2**: Database URL in plaintext - CRITICAL
- **Issue #6**: Plaintext config file storage - MEDIUM
- **Issue #9**: Missing HTTPS validation - LOW

### A03:2021 - Injection
- **Issue #5**: No input validation on question parameter - HIGH

### A04:2021 - Insecure Deserialization
- **Issue #4**: Unrestricted content-type - HIGH
- **Issue #8**: No rate limiting (DoS) - MEDIUM

### A09:2021 - Logging and Monitoring Failures
- **Issue #10**: No audit logging - LOW

---

## Findings by File

### `/Users/jerlitaburanday/clipsense-mcp-server/src/client.ts`

| Line | Issue | Severity | Fix Complexity |
|------|-------|----------|-----------------|
| 32-40 | Path Traversal | HIGH | Medium |
| 110-118 | No file type validation | HIGH | Medium |
| 27-79 | No rate limiting | MEDIUM | High |
| 20-26 | Missing HTTPS config | LOW | Low |
| Overall | No audit logging | LOW | Medium |

### `/Users/jerlitaburanday/clipsense-mcp-server/src/auth.ts`

| Line | Issue | Severity | Fix Complexity |
|------|-------|----------|-----------------|
| 43-52 | Plaintext credential storage | MEDIUM | High |

### `/Users/jerlitaburanday/clipsense-mcp-server/src/index.ts`

| Line | Issue | Severity | Fix Complexity |
|------|-------|----------|-----------------|
| 76-79 | No input validation | HIGH | Low |
| 93-102 | Unsafe error handling | MEDIUM | Low |

### `/Users/jerlitaburanday/clipsense-mcp-server/test_api.py`

| Line | Issue | Severity | Fix Complexity |
|------|-------|----------|-----------------|
| 9 | Hardcoded API key | CRITICAL | Low |

### `/Users/jerlitaburanday/clipsense-mcp-server/test_video_analysis.py`

| Line | Issue | Severity | Fix Complexity |
|------|-------|----------|-----------------|
| 8 | Hardcoded API key | CRITICAL | Low |

### `/Users/jerlitaburanday/clipsense-mcp-server/reset_usage_direct.py`

| Line | Issue | Severity | Fix Complexity |
|------|-------|----------|-----------------|
| 18-19, 33, 43 | DB URL + API key exposure | CRITICAL | Low |

---

## One-Liner Fixes

### CRITICAL #1: Remove Hardcoded Keys
```bash
# Find all hardcoded keys
grep -r "cs_sk_" --include="*.py" --exclude-dir=node_modules .

# Fix: Replace with environment variable
# Before: API_KEY = "cs_sk_pNQhgId_0X8P-gt010CkRfZ4cgVVAejH9JQj_LpPmYg"
# After: API_KEY = os.environ.get("CLIPSENSE_API_KEY")
```

### CRITICAL #2: Remove Database URLs
```bash
# Find exposed database URLs
grep -r "postgresql://" --include="*.py" .
grep -r "DATABASE_URL" --include="*.py" .

# Fix: Move to environment variables only
```

### HIGH #3: Add Path Validation
```typescript
// Add to client.ts
import { resolve, sep } from "path";

const allowedDirs = [
  resolve(process.cwd()),
  resolve(process.env.HOME!, "Desktop"),
  resolve(process.env.HOME!, "Downloads"),
];

// videoPath is the caller-supplied path passed to analyzeVideo()
const resolvedPath = resolve(videoPath);
// Compare on a directory boundary so "Desktop-other" does not match "Desktop"
const isAllowed = allowedDirs.some(
  dir => resolvedPath === dir || resolvedPath.startsWith(dir + sep)
);
if (!isAllowed) throw new Error("Access denied");
```

### HIGH #4: Validate File Type
```typescript
// Add magic byte validation
import * as fs from "fs";

// fd is an open descriptor for the video, e.g. fs.openSync(videoPath, "r")
const magicBytes = Buffer.alloc(8);
fs.readSync(fd, magicBytes, 0, 8, 0); // returns the byte count, not the buffer
if (!magicBytes.toString("latin1").includes("ftyp")) {
  throw new Error("Invalid video file");
}
```

### HIGH #5: Add Input Validation
```typescript
import { z } from "zod";

const schema = z.object({
  question: z.string().max(1000).regex(/^[a-zA-Z0-9\s.,!?'-]+$/)
});
const validated = schema.parse({ question });
```

### MEDIUM #6: Secure Config Storage
```typescript
// Add file permissions
import { chmod } from "fs/promises";

await chmod(CONFIG_FILE, 0o600); // rw-------
await chmod(CONFIG_DIR, 0o700);  // rwx------
```

### MEDIUM #7: Sanitize Errors
```typescript
const sanitized = error.message
  .replace(/\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/g, "[IP]")
  .replace(/\/Users\/\w+/g, "[HOME]")
  .substring(0, 200);
```

### MEDIUM #8: Add Rate Limiting
```typescript
// Install first: npm install p-limit
import pLimit from "p-limit";

const limiter = pLimit(1); // 1 concurrent request

// Inside the request handler:
return limiter(() => analyzeVideo(videoPath, question));
```

---

## Pre-Commit Hook to Prevent Secrets

Create `.git/hooks/pre-commit`:
```bash
#!/bin/bash
# Prevent commits containing secrets
PATTERNS=(
  "cs_sk_"
  "DATABASE_URL"
  "postgresql://"
  "Bearer sk_"
  "api_key ="
)

for pattern in "${PATTERNS[@]}"; do
  # Check added lines only, so a commit that removes a secret is not blocked
  if git diff --cached | grep '^+' | grep -qF -- "$pattern"; then
    echo "ERROR: Potential secret detected: $pattern"
    exit 1
  fi
done

exit 0
```

Make executable:
```bash
chmod +x .git/hooks/pre-commit
```

---

## Testing the Fixes

### Test Path Traversal Protection
```bash
# Should fail
curl -X POST http://localhost/analyze \
  -d '{"videoPath": "/etc/passwd"}'

# Should succeed
curl -X POST http://localhost/analyze \
  -d '{"videoPath": "~/Desktop/video.mp4"}'
```

### Test File Type Validation
```bash
# Should fail (non-video)
cp /etc/passwd test.mp4
./analyze test.mp4

# Should succeed
# (actual mp4 file)
```

### Test Input Validation
```bash
# Should fail (invalid chars)
node <<'EOF'
const { z } = require("zod");
const schema = z.string().regex(/^[a-zA-Z0-9\s.,!?'-]+$/);
schema.parse('DROP TABLE videos;--'); // Error
EOF

# Should succeed
node <<'EOF'
const { z } = require("zod");
const schema = z.string().regex(/^[a-zA-Z0-9\s.,!?'-]+$/);
schema.parse('What is this bug?'); // OK
EOF
```

---

## Verification Checklist

After implementing fixes:

- [ ] All hardcoded API keys removed
- [ ] All database URLs removed
- [ ] Path traversal protection in place
- [ ] File type validation working
- [ ] Input validation with Zod schemas
- [ ] Config file permissions set to 0o600
- [ ] Error messages sanitized
- [ ] Rate limiting implemented
- [ ] HTTPS validation documented
- [ ] Audit logging in place
- [ ] Pre-commit hooks installed
- [ ] No secrets in git history
- [ ] npm audit passes
- [ ] All tests pass

---

## References

- OWASP Top 10 2021: https://owasp.org/Top10/
- CWE Top 25: https://cwe.mitre.org/top25/
- Node.js Security Best Practices: https://nodejs.org/en/docs/guides/security/
- Zod Validation: https://zod.dev/
- Pre-commit Hooks: https://git-scm.com/book/en/v2/Customizing-Git-Git-Hooks
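
The HIGH #4 file-type check, taken one step further as an added example (not ClipSense code): it requires `ftyp` at byte offset 4, a plausible box size and an allow-listed major brand, instead of matching the string anywhere in the first bytes. `sniffMp4`, `ALLOWED_BRANDS` and the sample buffers are constructed for illustration.

```typescript
// Added example: header check for ISO BMFF containers (MP4/MOV).
// ALLOWED_BRANDS is an assumed allow-list; set it to the containers you accept.
const ALLOWED_BRANDS = new Set(["isom", "iso2", "mp41", "mp42", "avc1", "M4V ", "qt  "]);

interface SniffResult { ok: boolean; brand?: string; reason?: string }

function toBytes(s: string): Uint8Array {
  const out = new Uint8Array(s.length);
  for (let i = 0; i < s.length; i++) out[i] = s.charCodeAt(i) & 0xff;
  return out;
}

function ascii(bytes: Uint8Array, start: number, end: number): string {
  let out = "";
  for (let i = start; i < end; i++) out += String.fromCharCode(bytes[i]);
  return out;
}

// head: the first bytes of the uploaded file (16 or more).
function sniffMp4(head: Uint8Array): SniffResult {
  // ftyp box layout: 4-byte big-endian size, "ftyp", 4-byte major brand,
  // 4-byte minor version, then zero or more 4-byte compatible brands.
  if (head.length < 16) return { ok: false, reason: "header too short" };
  if (ascii(head, 4, 8) !== "ftyp") {
    return { ok: false, reason: "no ftyp box at offset 4" };
  }
  const boxSize = ((head[0] << 24) | (head[1] << 16) | (head[2] << 8) | head[3]) >>> 0;
  if (boxSize < 16 || boxSize % 4 !== 0) {
    return { ok: false, reason: "implausible ftyp box size" };
  }
  const brand = ascii(head, 8, 12);
  if (!ALLOWED_BRANDS.has(brand)) {
    return { ok: false, reason: "major brand not allowed" };
  }
  return { ok: true, brand };
}

// Constructed sample headers (not taken from real files).
const VALID = toBytes("\x00\x00\x00\x18ftypisom\x00\x00\x02\x00isommp41");
const TEXT = toBytes("root:x:0:0:root:/root:/bin/bash\n");
const SHIFTED = toBytes("ftypisom\x00\x00\x00\x18isommp41"); // "ftyp" at offset 0
const UNKNOWN = toBytes("\x00\x00\x00\x10ftypXXXX\x00\x00\x00\x00");
```

A header check only confirms the container signature; the file still has to be parsed by the decoder, so keep size limits and sandboxing on that step.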
