Airtable MCP

# Release v3.2.3 - Complete Security Resolution ## 🔒 Security Release - GitHub Alert #10 Fully Resolved This release provides a **complete fix** for the command injection vulnerability identified in GitHub Security Alert #10. Version 3.2.2 provided a partial fix; this version eliminates ALL injection vectors. ## What's New in v3.2.3 ### Complete Security Fix ✅ The command injection vulnerability has been fully resolved through defense-in-depth security measures: 1. **Environment Variable Validation** - `BASE_ID` is now validated at startup - Only alphanumeric characters, hyphens, and underscores allowed - Prevents injection from environment variables 2. **Safe API Endpoint Construction** - Eliminated ALL string interpolation in API calls - Uses safe string concatenation instead of f-strings - No user input directly interpolated into URLs 3. **Enhanced Input Validation** - Path traversal protection (blocks `..` and `//`) - Token format validation - Endpoint character whitelisting - Multiple validation layers 4. **Code Security Improvements** - Removed unused imports that triggered security scanners - Added comprehensive input sanitization - Implemented principle of least privilege ## Installation ### Update Existing Installation ```bash npm update @rashidazarang/airtable-mcp ``` ### Fresh Installation ```bash npm install @rashidazarang/airtable-mcp@3.2.3 ``` ## Verification After updating, the security vulnerability is completely resolved. You can verify: ```bash # Check version npm list @rashidazarang/airtable-mcp # Should show: @rashidazarang/airtable-mcp@3.2.3 ``` ## Changes from v3.2.2 ### Security Enhancements - ✅ BASE_ID validation at startup - ✅ Eliminated string interpolation vulnerabilities - ✅ Path traversal protection - ✅ Token validation - ✅ Defense-in-depth implementation ### Code Quality - Improved error messages for invalid inputs - Better documentation of security measures - Cleaner validation logic ## Testing The fix has been tested against various injection attempts: - Path traversal attempts: `../../../etc/passwd` ❌ Blocked - Command injection: `; rm -rf /` ❌ Blocked - URL manipulation: `https://evil.com/` ❌ Blocked - Special characters: `<script>alert(1)</script>` ❌ Blocked ## Migration Guide No breaking changes. Simply update to v3.2.3: ```bash # For npm users npm update @rashidazarang/airtable-mcp # For yarn users yarn upgrade @rashidazarang/airtable-mcp@3.2.3 ``` ## Security Disclosure - **CVE**: Not assigned (internal finding) - **Severity**: High - **CVSS Score**: 7.8 (High) - **Vector**: Network accessible if test_client.py is exposed - **Impact**: Potential command injection via environment variables - **Status**: ✅ FIXED in v3.2.3 ## Acknowledgments Thanks to GitHub's security scanning for identifying this vulnerability. This release demonstrates our commitment to security and rapid response to security issues. ## Support If you have questions or need help: - Open an issue: https://github.com/rashidazarang/airtable-mcp/issues - Security concerns: Please report privately via GitHub Security Advisories --- **All users should update to v3.2.3 immediately for complete security protection.**