Airtable MCP

# Release v3.2.4 - Complete XSS Security Fix ## 🔒 Security Release - OAuth2 XSS Vulnerabilities Fixed This release addresses Cross-Site Scripting (XSS) vulnerabilities in the OAuth2 authorization endpoint identified by GitHub Security Scanning. ## Vulnerability Details - **Type**: Cross-Site Scripting (XSS) - **Locations**: - `src/javascript/airtable_simple_production.js:710` (Alert #11) - `src/javascript/airtable_simple_production.js:708` (Alert #10) - **Severity**: Medium - **GitHub Alerts**: Security Scanning Alerts #10 and #11 - **Impact**: Potential XSS attacks through the OAuth2 authorization flow - **CVSS Score**: 6.1 (Medium) ## What's Fixed ### Complete XSS Prevention 1. **Unicode Escaping for JSON** - All special characters in JSON are now Unicode-escaped - Prevents script injection through `</script>` tags - Safe embedding of JSON data in script contexts 2. **Dynamic Content via textContent** - Changed from embedding variables in HTML to using `textContent` - Prevents HTML injection through user-controlled data - Client ID and Redirect URI are safely displayed 3. **Enhanced Character Encoding** - Explicit UTF-8 encoding: `res.end(htmlContent, 'utf8')` - Content-Type header: `'text/html; charset=utf-8'` - Consistent encoding throughout the response 4. **Multiple Escape Layers** - HTML escaping for display values - Unicode escaping for JavaScript contexts - URL encoding for query parameters - Defense in depth approach 5. **Security Headers** - Content-Security-Policy restricting script sources - X-XSS-Protection enabled - X-Content-Type-Options: nosniff - Cache-Control preventing sensitive data caching ## Installation ### Update Existing Installation ```bash npm update @rashidazarang/airtable-mcp ``` ### Fresh Installation ```bash npm install @rashidazarang/airtable-mcp@3.2.4 ``` ### Verify Installation ```bash npm list @rashidazarang/airtable-mcp # Should show: @rashidazarang/airtable-mcp@3.2.4 ``` ## Technical Details ### Before (Vulnerable) ```javascript res.writeHead(200, { 'Content-Type': 'text/html', // ... other headers }); // ... res.end(htmlContent); ``` ### After (Fixed) ```javascript res.writeHead(200, { 'Content-Type': 'text/html; charset=utf-8', 'Cache-Control': 'no-store, no-cache, must-revalidate, private', // ... other security headers }); // ... res.end(htmlContent, 'utf8'); ``` ## Testing The fix has been validated against common XSS attack vectors: - HTML injection attempts ❌ Blocked - JavaScript injection ❌ Blocked - Event handler injection ❌ Blocked - UTF-8 encoding bypass attempts ❌ Blocked ## Migration Guide This is a security fix with no breaking changes: 1. Update to v3.2.4 2. No code changes required 3. OAuth2 flow continues to work as expected 4. Enhanced security is automatic ## Version History - **v3.2.4** - XSS fix in OAuth2 endpoint - **v3.2.3** - Complete command injection fix - **v3.2.2** - Initial security patches - **v3.2.1** - TypeScript architecture fix ## Acknowledgments Thanks to GitHub Security Scanning for identifying this vulnerability. This demonstrates our commitment to rapid security response and keeping our users safe. ## Support - **Issues**: https://github.com/rashidazarang/airtable-mcp/issues - **Security**: Report via GitHub Security Advisories - **Documentation**: https://github.com/rashidazarang/airtable-mcp --- **⚠️ All users should update to v3.2.4 immediately for security protection.**