Google Calendar MCP Server

by takumi0706
Verified
Calendar Management
TypeScript
MIT License
690
Reddit Discord
Overview InspectNew Schema Related Servers Reviews Score
Need Help?View Source Code Report Issue
google-calendar-mcp
# Security Policy

## Supported Versions

We currently provide security updates for the following versions:

| Version | Supported          |
| ------- |--------------------|
| 0.6.x   | :white_check_mark: |
| 0.5.x   | :x:                |
| 0.4.x   | :x:                |
| 0.3.x   | :x:                |
| 0.2.7   | :x:                |
| < 0.2.7 | :x:                |

## Reporting a Vulnerability

We take the security of Google Calendar MCP seriously. If you believe you've found a security vulnerability, please follow these steps:

1. **Do not disclose the vulnerability publicly**
2. **Email us directly** at [ganndamu0706@gmail.com](mailto:ganndamu0706@gmail.com) with details about the vulnerability
3. Include the following information:
   - Description of the vulnerability
   - Steps to reproduce
   - Potential impact
   - Suggestions for mitigation (if any)

## What to Expect

- We will acknowledge receipt of your vulnerability report within 48 hours
- We will provide a more detailed response within 7 days, indicating next steps
- We will work with you to understand and address the issue
- We will keep you informed about our progress

## Security Mechanisms

The Google Calendar MCP handles OAuth tokens and calendar data, which may contain sensitive information. We've implemented the following security measures:

### Security Features Added in Version 0.6.x

1. **Enhanced XSS Protection**:
   - Implementation of HTML sanitization to prevent cross-site scripting vulnerabilities
   - Addition of escapeHtml utility function to safely handle user-controlled data in HTML responses
   - Comprehensive test suite for HTML sanitization functionality
   - Fixing of potential XSS vulnerabilities in OAuth error handling
   - Improved overall security posture against injection attacks

### Security Features Added in Version 0.4.x

1. **Enhanced Token Management**:
   - AES-256-GCM encryption for protecting tokens
   - Proper token expiration management
   - In-memory storage only (no persistent file storage)

2. **Enhanced OAuth Authentication Flow**:
   - Implementation of state parameter for CSRF attack prevention
   - PKCE (Proof Key for Code Exchange) implementation for authentication strengthening
   - Strict validation of authentication requests

3. **Security Headers and Middleware**:
   - Secure HTTP headers setup using Helmet.js
   - Content Security Policy (CSP) implementation
   - Rate limiting to prevent brute force attacks
   - XSS protection

4. **Input Validation**:
   - Strict schema validation using Zod
   - Rigorous format checking for dates, times, email addresses, etc.
   - Length limitations and sanitization processing

### Existing Security Features

- Local-only server operation
- Secure handling of OAuth credentials
- Regular security updates

## Best Practices for Users

To ensure secure usage of Google Calendar MCP:

1. Keep your environment variables secure and do not expose them in public repositories
2. Always use the latest version of the package
3. Regularly review your Google Cloud Console for any suspicious activities
4. Limit the OAuth scopes to only what's necessary for your use case
5. Set appropriate rate limits for your project
6. When extending the application, always sanitize user input before including it in HTML responses
7. Follow the example of using the escapeHtml utility function for any user-controlled data in your custom code

## Details of Security Measures

### 1. HTML Sanitization and XSS Protection

Protection against cross-site scripting (XSS) attacks:
- Implementation of escapeHtml utility function that escapes HTML special characters (&, <, >, ", ')
- Sanitization of all user-controlled data before inclusion in HTML responses
- Comprehensive test suite to ensure proper sanitization in various scenarios
- Secure handling of error messages in OAuth flows to prevent reflected XSS

### 2. Token Encryption

Refresh tokens are protected using AES-256-GCM encryption:
- Unique initialization vector (IV) for each token
- Integrity verification with authentication tag
- Use of encryption key from environment variable or randomly generated

### 3. OAuth 2.0 Authentication Flow

Implementation of OAuth 2.0 best practices:
- Use of unique state parameter for protection against CSRF attacks
- PKCE extension to protect against code interception attacks
- Strict validation during authentication code exchange
- Authentication sessions with expiration

### 4. Rate Limiting and Protection

Protection against denial of service attacks:
- Rate limiting for API endpoints
- Special rate limiting for OAuth authentication endpoints
- Temporary blocking and gradual back-off

## Security Updates

Security updates will be announced through:
- GitHub repository releases
- npm package updates
- Release notes documentation

Thank you for helping keep Google Calendar MCP and its users safe!