Airtable MCP

# Release Summary: v3.2.1 - v3.2.4 ## Major Security & Architecture Updates This document summarizes all releases from v3.2.1 to v3.2.4, representing a comprehensive overhaul of the Airtable MCP server with critical security fixes and architectural improvements. --- ## 📦 v3.2.4 - Complete XSS Security Fix **Released:** September 9, 2025 **Type:** 🔒 Security Release **GitHub Alerts:** #10 & #11 Resolved ### What's Fixed - **XSS Vulnerabilities** in OAuth2 endpoint (`airtable_simple_production.js:708-710`) - ✅ Unicode escaping for all special characters in JSON - ✅ Using `textContent` instead of `innerHTML` for dynamic content - ✅ Multiple layers of character escaping - ✅ Defense-in-depth XSS prevention ### Technical Details ```javascript // Before (Vulnerable) var config = ${JSON.stringify(data)}; <p>Client ID: ${clientId}</p> // After (Secure) var config = ${safeJsonConfig}; // Unicode-escaped document.getElementById('client-id').textContent = clientId; ``` --- ## 📦 v3.2.3 - Command Injection Complete Fix **Released:** September 9, 2025 **Type:** 🔒 Security Release **GitHub Alert:** #10 (Python) Resolved ### What's Fixed - **Command Injection** in Python test client (`test_client.py`) - ✅ BASE_ID validation at startup - ✅ Eliminated string interpolation vulnerabilities - ✅ Path traversal protection - ✅ Token format validation - ✅ Complete input sanitization ### Security Improvements ```python # Before (Vulnerable) result = api_call(f"meta/bases/{BASE_ID}/tables") # After (Secure) # BASE_ID validated at startup if not all(c.isalnum() or c in '-_' for c in BASE_ID): print(f"Error: Invalid BASE_ID format") sys.exit(1) endpoint = "meta/bases/" + BASE_ID + "/tables" ``` --- ## 📦 v3.2.2 - Initial Security Patches **Released:** September 9, 2025 **Type:** 🔒 Security Release **GitHub Alert:** #10 Partial Fix ### What's Fixed - **Initial command injection fixes** in `test_client.py` - ✅ Added input validation for API endpoints - ✅ Removed unused subprocess import - ✅ Basic endpoint sanitization ### Note This was a partial fix. Complete resolution came in v3.2.3. --- ## 📦 v3.2.1 - TypeScript Architecture Fix & Project Restructure **Released:** September 9, 2025 **Type:** 🏗️ Major Architecture Update ### Critical Fix - **TypeScript Compilation Issue** completely resolved - ✅ Fixed `.d.ts` files containing runtime code - ✅ Proper separation of types and implementation ### New Files Created ``` src/typescript/ ├── errors.ts # Runtime error classes ├── tools-schemas.ts # Tool schema constants └── prompt-templates.ts # AI prompt templates ``` ### Project Restructure ``` airtable-mcp/ ├── src/ │ ├── index.js # Main entry point │ ├── typescript/ # TypeScript implementation │ ├── javascript/ # JavaScript implementation │ └── python/ # Python implementation ├── dist/ # Compiled output ├── docs/ │ ├── guides/ # User guides │ └── releases/ # Release notes ├── tests/ # All test files └── types/ # TypeScript definitions ``` ### What Changed - ✅ World-class project organization - ✅ TypeScript now compiles successfully - ✅ Proper build system with npm scripts - ✅ ESLint and Prettier configurations - ✅ Jest testing framework setup - ✅ CI/CD pipeline structure --- ## 🎯 Combined Impact ### Security Fixes Summary | Alert | Type | File | Version | Status | |-------|------|------|---------|---------| | #10 | XSS | `airtable_simple_production.js:708` | v3.2.4 | ✅ Fixed | | #11 | XSS | `airtable_simple_production.js:710` | v3.2.4 | ✅ Fixed | | #10 | Command Injection | `test_client.py` | v3.2.3 | ✅ Fixed | ### Architecture Improvements - ✅ TypeScript compilation working - ✅ Proper file organization - ✅ Clean separation of concerns - ✅ Professional build system - ✅ Comprehensive testing setup ### Backwards Compatibility ✅ **No breaking changes** across all versions - All existing functionality preserved - API endpoints unchanged - Both JS and TS implementations working --- ## 📥 Installation ### New Installation ```bash npm install @rashidazarang/airtable-mcp@3.2.4 ``` ### Update from Any Previous Version ```bash npm update @rashidazarang/airtable-mcp ``` ### Verify Installation ```bash npm list @rashidazarang/airtable-mcp # Should show: @rashidazarang/airtable-mcp@3.2.4 ``` --- ## 🚀 Quick Start ### JavaScript ```bash AIRTABLE_TOKEN=your_token AIRTABLE_BASE_ID=your_base \ node node_modules/@rashidazarang/airtable-mcp/src/javascript/airtable_simple_production.js ``` ### TypeScript ```bash # Build first npm run build # Then run AIRTABLE_TOKEN=your_token AIRTABLE_BASE_ID=your_base \ node node_modules/@rashidazarang/airtable-mcp/dist/typescript/airtable-mcp-server.js ``` --- ## 📋 Migration Guide ### From v3.0.x or earlier 1. Update to v3.2.4: `npm update @rashidazarang/airtable-mcp` 2. If using TypeScript, rebuild: `npm run build` 3. No code changes required ### From v3.1.x 1. Update to v3.2.4: `npm update @rashidazarang/airtable-mcp` 2. No changes required - security patches only ### From v3.2.1-3.2.3 1. Update to v3.2.4: `npm update @rashidazarang/airtable-mcp` 2. Get latest security fixes --- ## ⚠️ Important Security Notice **All users should update to v3.2.4 immediately** to get: - Complete XSS protection in OAuth2 flows - Full command injection prevention - Path traversal protection - Comprehensive input validation --- ## 📊 Version Comparison | Feature | v3.2.1 | v3.2.2 | v3.2.3 | v3.2.4 | |---------|--------|--------|--------|--------| | TypeScript Compilation | ✅ Fixed | ✅ | ✅ | ✅ | | Project Structure | ✅ New | ✅ | ✅ | ✅ | | Command Injection Fix | ❌ | ⚠️ Partial | ✅ Complete | ✅ | | XSS Protection | ❌ | ❌ | ❌ | ✅ Complete | | Production Ready | ✅ | ✅ | ✅ | ✅ | --- ## 🙏 Acknowledgments - GitHub Security Scanning for identifying vulnerabilities - Community for patience during rapid security updates - Contributors to the TypeScript architecture improvements --- ## 📚 Resources - **Repository:** https://github.com/rashidazarang/airtable-mcp - **Issues:** https://github.com/rashidazarang/airtable-mcp/issues - **NPM:** https://www.npmjs.com/package/@rashidazarang/airtable-mcp - **Changelog:** [CHANGELOG.md](./CHANGELOG.md) --- **Current Version: v3.2.4** **Status: Fully Secure & Production Ready** **Last Updated: September 9, 2025**