Canvas MCP Server

Overview Schema Related Servers Score Discussions

canvas-mcp
docs

SECURITY_TESTING_PLAN.md•26.2 KiB

# Security Testing Plan for Canvas MCP Server ## Table of Contents 1. [Overview](#overview) 2. [Testing Objectives](#testing-objectives) 3. [Testing Scope](#testing-scope) 4. [Testing Methodology](#testing-methodology) 5. [Test Categories](#test-categories) 6. [Test Cases](#test-cases) 7. [Automated Testing](#automated-testing) 8. [Manual Testing](#manual-testing) 9. [Security Testing Tools](#security-testing-tools) 10. [Test Schedule](#test-schedule) 11. [Reporting](#reporting) ## Overview This document outlines a comprehensive security testing plan for the Canvas MCP server to ensure compliance with UIUC security requirements and industry best practices. The plan includes both automated and manual testing procedures. ## Testing Objectives 1. **Verify FERPA Compliance**: Ensure student data is properly protected 2. **Validate Authentication**: Test token security and client authentication 3. **Assess Code Execution Security**: Verify sandboxing and isolation 4. **Test Data Privacy**: Confirm anonymization and PII protection 5. **Evaluate Audit Logging**: Verify security events are properly logged 6. **Check Input Validation**: Test for injection vulnerabilities 7. **Verify Secrets Management**: Ensure credentials are properly secured 8. **Assess Network Security**: Test HTTPS enforcement and rate limiting 9. **Test Incident Response**: Verify security monitoring and alerting ## Testing Scope ### In Scope - All MCP tools and endpoints - Code execution environment (`execute_typescript`) - Authentication and authorization mechanisms - Data anonymization system - API token handling and storage - Input validation and sanitization - Error handling and logging - Network communications - Dependency vulnerabilities - Configuration security ### Out of Scope - Canvas LMS platform security (external system) - Client application security (Claude Desktop, etc.) - Operating system security - Network infrastructure security ## Testing Methodology ### 1. Static Analysis Security Testing (SAST) - Code review for security vulnerabilities - Automated code scanning - Dependency vulnerability scanning - Configuration review ### 2. Dynamic Application Security Testing (DAST) - Runtime security testing - Fuzzing and injection testing - Authentication bypass testing - API security testing ### 3. Manual Security Testing - Penetration testing - Code review - Configuration review - Documentation review ### 4. Compliance Testing - FERPA compliance verification - Security policy compliance - Audit logging verification - Data retention policy testing ## Test Categories ### TC-1: FERPA Compliance Testing **Objective**: Verify protection of student educational records and PII. **Priority**: Critical **Test Areas**: - PII anonymization - Data access controls - Audit logging - Data retention - PII in logs and errors ### TC-2: Authentication and Authorization Testing **Objective**: Validate authentication mechanisms and access controls. **Priority**: High **Test Areas**: - API token storage and handling - Token validation - MCP client authentication - Authorization checks - Session management ### TC-3: Code Execution Security Testing **Objective**: Assess security of TypeScript code execution. **Priority**: Critical **Test Areas**: - Sandbox escape attempts - Resource exhaustion - File system access - Network access restrictions - Credential access - Malicious code execution ### TC-4: Data Privacy Testing **Objective**: Verify data privacy and anonymization features. **Priority**: High **Test Areas**: - Anonymization effectiveness - PII detection - Data transmission security - Error message sanitization - Log sanitization ### TC-5: Input Validation Testing **Objective**: Test input validation and sanitization. **Priority**: High **Test Areas**: - Parameter validation - SQL injection (if applicable) - Command injection - XSS attacks - Path traversal - File upload validation ### TC-6: Secrets Management Testing **Objective**: Verify secure handling of credentials. **Priority**: High **Test Areas**: - Credential storage - Credential transmission - Temporary credential handling - Credential rotation - File permissions ### TC-7: Network Security Testing **Objective**: Test network communications security. **Priority**: Medium **Test Areas**: - HTTPS enforcement - TLS version and cipher strength - Certificate validation - Rate limiting - API security ### TC-8: Audit and Logging Testing **Objective**: Verify security event logging and monitoring. **Priority**: High **Test Areas**: - Security event logging - Access logging - Log integrity - Log retention - PII in logs ### TC-9: Dependency Security Testing **Objective**: Identify vulnerable dependencies. **Priority**: Medium **Test Areas**: - Known vulnerabilities (CVEs) - Outdated dependencies - License compliance - Supply chain security ### TC-10: Incident Response Testing **Objective**: Test incident detection and response. **Priority**: Medium **Test Areas**: - Security monitoring - Alerting mechanisms - Incident response procedures - Vulnerability remediation ## Test Cases ### TC-1: FERPA Compliance Testing #### TC-1.1: PII Anonymization **Test Case ID**: TC-1.1.1 **Description**: Verify student names are anonymized when `ENABLE_DATA_ANONYMIZATION=true` **Priority**: Critical **Steps**: 1. Enable data anonymization in `.env` 2. Call `list_submissions` for an assignment 3. Verify student names are replaced with anonymous IDs 4. Verify anonymization is consistent across multiple calls **Expected Result**: All student names replaced with consistent anonymous identifiers **Automated**: Yes --- **Test Case ID**: TC-1.1.2 **Description**: Verify student emails are anonymized **Priority**: Critical **Steps**: 1. Enable data anonymization 2. Call tools that return student email addresses 3. Verify emails are masked or anonymized **Expected Result**: Student emails are properly anonymized **Automated**: Yes --- **Test Case ID**: TC-1.1.3 **Description**: Verify PII not leaked in error messages **Priority**: High **Steps**: 1. Trigger various error conditions 2. Capture error messages 3. Scan for student names, emails, IDs **Expected Result**: No PII in error messages **Automated**: Yes --- **Test Case ID**: TC-1.1.4 **Description**: Verify PII not logged **Priority**: High **Steps**: 1. Enable logging (`LOG_API_REQUESTS=true`) 2. Perform various operations 3. Review log files for PII **Expected Result**: No student PII in log files **Automated**: Partial (manual review required) --- #### TC-1.2: Audit Logging **Test Case ID**: TC-1.2.1 **Description**: Verify PII access is logged **Priority**: High **Steps**: 1. Access student data via tools 2. Check audit logs for access events 3. Verify log entries contain: timestamp, user, resource, action **Expected Result**: All PII access logged with required fields **Automated**: Yes (if audit logging implemented) --- **Test Case ID**: TC-1.2.2 **Description**: Verify audit log integrity **Priority**: Medium **Steps**: 1. Generate audit log entries 2. Attempt to modify log files 3. Verify tampering detection **Expected Result**: Log tampering detected or prevented **Automated**: Partial --- ### TC-2: Authentication and Authorization Testing #### TC-2.1: API Token Security **Test Case ID**: TC-2.1.1 **Description**: Verify API token not exposed in logs **Priority**: Critical **Steps**: 1. Enable logging 2. Perform various operations 3. Search logs for `CANVAS_API_TOKEN` value **Expected Result**: Token value never appears in logs **Automated**: Yes --- **Test Case ID**: TC-2.1.2 **Description**: Verify API token not in error messages **Priority**: Critical **Steps**: 1. Trigger authentication errors 2. Capture error messages 3. Search for token value **Expected Result**: Token value not in error messages **Automated**: Yes --- **Test Case ID**: TC-2.1.3 **Description**: Verify API token validation on startup **Priority**: Medium **Steps**: 1. Configure invalid token 2. Start server 3. Verify error handling **Expected Result**: Server validates token and reports clear error **Automated**: Yes --- **Test Case ID**: TC-2.1.4 **Description**: Verify .env file permissions **Priority**: High **Steps**: 1. Check .env file permissions 2. Verify not world-readable **Expected Result**: File permissions 600 or more restrictive **Automated**: Yes (Unix/Linux only) --- #### TC-2.2: Authorization **Test Case ID**: TC-2.2.1 **Description**: Verify student tools only access own data **Priority**: Critical **Steps**: 1. Use student-specific tools 2. Verify only "self" endpoints called 3. Attempt to access other student data **Expected Result**: Cannot access other students' data **Automated**: Partial (requires API mocking) --- **Test Case ID**: TC-2.2.2 **Description**: Verify educator tools require proper permissions **Priority**: High **Steps**: 1. Use educator tools with student token 2. Verify appropriate error handling **Expected Result**: Clear permission denied errors **Automated**: Partial (requires multiple test accounts) --- ### TC-3: Code Execution Security Testing #### TC-3.1: Sandbox Security **Test Case ID**: TC-3.1.1 **Description**: Attempt file system access outside temp directory **Priority**: Critical **Steps**: 1. Execute TypeScript code attempting to read `/etc/passwd` 2. Execute code attempting to write to home directory 3. Verify access denied **Expected Result**: File system access restricted to temp directory **Automated**: Yes --- **Test Case ID**: TC-3.1.2 **Description**: Attempt network access to unauthorized hosts **Priority**: High **Steps**: 1. Execute code attempting to connect to external IPs 2. Verify only Canvas API accessible **Expected Result**: Network access restricted to Canvas API **Automated**: Yes --- **Test Case ID**: TC-3.1.3 **Description**: Attempt credential theft **Priority**: Critical **Steps**: 1. Execute code attempting to read environment variables 2. Execute code attempting to exfiltrate token 3. Verify credentials protected **Expected Result**: Credentials not accessible or exfiltration prevented **Automated**: Yes --- **Test Case ID**: TC-3.1.4 **Description**: Resource exhaustion testing **Priority**: High **Steps**: 1. Execute code with infinite loop 2. Execute code allocating excessive memory 3. Verify timeout and resource limits enforced **Expected Result**: Execution terminated, resources cleaned up **Automated**: Yes --- **Test Case ID**: TC-3.1.5 **Description**: Malicious code execution **Priority**: Critical **Steps**: 1. Execute code attempting to spawn shell 2. Execute code attempting to execute system commands 3. Verify execution blocked **Expected Result**: Dangerous operations blocked **Automated**: Yes --- #### TC-3.2: Code Execution Audit **Test Case ID**: TC-3.2.1 **Description**: Verify code execution is logged **Priority**: High **Steps**: 1. Execute TypeScript code 2. Check logs for execution events 3. Verify log contains: timestamp, code hash, result **Expected Result**: All code execution logged **Automated**: Yes (if implemented) --- ### TC-4: Data Privacy Testing #### TC-4.1: Anonymization **Test Case ID**: TC-4.1.1 **Description**: Verify anonymization consistency **Priority**: High **Steps**: 1. Retrieve student data multiple times 2. Verify same student gets same anonymous ID **Expected Result**: Consistent anonymous IDs across calls **Automated**: Yes --- **Test Case ID**: TC-4.1.2 **Description**: Verify anonymization reversibility (for educators) **Priority**: Medium **Steps**: 1. Get anonymized student data 2. Use mapping file to reverse anonymization 3. Verify correct mapping **Expected Result**: Mapping file correctly maps IDs to names **Automated**: Yes --- **Test Case ID**: TC-4.1.3 **Description**: Verify anonymization mapping file security **Priority**: High **Steps**: 1. Check mapping file permissions 2. Verify file is encrypted or protected 3. Attempt unauthorized access **Expected Result**: Mapping file properly protected **Automated**: Yes (if encryption implemented) --- #### TC-4.2: PII Detection **Test Case ID**: TC-4.2.1 **Description**: Detect PII in submission content **Priority**: Medium **Steps**: 1. Submit content containing email addresses 2. Submit content containing phone numbers 3. Verify PII detection and masking **Expected Result**: PII detected and masked in output **Automated**: Yes (if implemented) --- ### TC-5: Input Validation Testing #### TC-5.1: Parameter Validation **Test Case ID**: TC-5.1.1 **Description**: Test invalid parameter types **Priority**: High **Steps**: 1. Call tools with wrong parameter types 2. Call tools with missing required parameters 3. Verify appropriate error handling **Expected Result**: Clear validation errors, no crashes **Automated**: Yes --- **Test Case ID**: TC-5.1.2 **Description**: Test boundary conditions **Priority**: Medium **Steps**: 1. Test with extremely large IDs 2. Test with negative numbers 3. Test with special characters **Expected Result**: Proper validation and error handling **Automated**: Yes --- #### TC-5.2: Injection Testing **Test Case ID**: TC-5.2.1 **Description**: Command injection testing **Priority**: Critical **Steps**: 1. Inject shell commands in parameters 2. Inject JavaScript in string parameters 3. Verify no command execution **Expected Result**: Injected commands not executed **Automated**: Yes --- **Test Case ID**: TC-5.2.2 **Description**: Path traversal testing **Priority**: High **Steps**: 1. Test `../` sequences in file paths 2. Test absolute paths 3. Verify path sanitization **Expected Result**: Path traversal prevented **Automated**: Yes --- **Test Case ID**: TC-5.2.3 **Description**: XSS testing **Priority**: Medium **Steps**: 1. Inject HTML/JavaScript in text fields 2. Verify sanitization on output 3. Test in discussion posts and comments **Expected Result**: HTML/JavaScript escaped or stripped **Automated**: Yes --- ### TC-6: Secrets Management Testing **Test Case ID**: TC-6.1.1 **Description**: Verify .env file not in version control **Priority**: Critical **Steps**: 1. Check .gitignore contains .env 2. Verify no .env in git history 3. Search repo for token patterns **Expected Result**: No credentials in version control **Automated**: Yes --- **Test Case ID**: TC-6.1.2 **Description**: Test credential rotation **Priority**: Medium **Steps**: 1. Generate new Canvas API token 2. Update .env file 3. Verify server uses new token **Expected Result**: Token rotation works without issues **Automated**: Manual --- **Test Case ID**: TC-6.1.3 **Description**: Test with expired token **Priority**: Medium **Steps**: 1. Configure expired token 2. Start server 3. Verify clear error message **Expected Result**: Expired token detected with helpful error **Automated**: Partial --- ### TC-7: Network Security Testing **Test Case ID**: TC-7.1.1 **Description**: Verify HTTPS enforcement **Priority**: High **Steps**: 1. Configure HTTP Canvas URL 2. Verify automatic upgrade to HTTPS 3. Attempt to disable HTTPS **Expected Result**: HTTPS always used, HTTP blocked or upgraded **Automated**: Yes --- **Test Case ID**: TC-7.1.2 **Description**: Test TLS version **Priority**: Medium **Steps**: 1. Monitor outgoing connections 2. Verify TLS 1.2 or higher used 3. Attempt to force TLS 1.0/1.1 **Expected Result**: Only TLS 1.2+ accepted **Automated**: Partial (requires network monitoring) --- **Test Case ID**: TC-7.1.3 **Description**: Certificate validation **Priority**: High **Steps**: 1. Test with invalid certificate 2. Test with self-signed certificate 3. Verify connection refused **Expected Result**: Invalid certificates rejected **Automated**: Partial --- **Test Case ID**: TC-7.2.1 **Description**: Rate limiting **Priority**: Medium **Steps**: 1. Make rapid requests to Canvas API 2. Verify rate limit handling 3. Test backoff behavior **Expected Result**: Rate limits respected, appropriate backoff **Automated**: Yes --- ### TC-8: Audit and Logging Testing **Test Case ID**: TC-8.1.1 **Description**: Security event logging **Priority**: High **Steps**: 1. Trigger various security events 2. Verify events logged with proper detail 3. Check log format and completeness **Expected Result**: All security events properly logged **Automated**: Yes (if implemented) --- **Test Case ID**: TC-8.1.2 **Description**: Log rotation and retention **Priority**: Medium **Steps**: 1. Generate large volume of logs 2. Verify rotation occurs 3. Verify old logs retained per policy **Expected Result**: Logs rotated and retained appropriately **Automated**: Partial --- **Test Case ID**: TC-8.1.3 **Description**: Log tampering detection **Priority**: Medium **Steps**: 1. Generate log entries 2. Modify log files 3. Verify tampering detected **Expected Result**: Log tampering detected **Automated**: Partial (if implemented) --- ### TC-9: Dependency Security Testing **Test Case ID**: TC-9.1.1 **Description**: Known vulnerability scan **Priority**: High **Steps**: 1. Run `pip-audit` or similar tool 2. Scan for CVEs in dependencies 3. Verify no critical vulnerabilities **Expected Result**: No critical or high vulnerabilities **Automated**: Yes --- **Test Case ID**: TC-9.1.2 **Description**: Outdated dependency check **Priority**: Medium **Steps**: 1. Check for outdated packages 2. Verify update availability 3. Test with latest versions **Expected Result**: Dependencies reasonably up-to-date **Automated**: Yes --- **Test Case ID**: TC-9.1.3 **Description**: License compliance **Priority**: Low **Steps**: 1. List all dependency licenses 2. Verify license compatibility 3. Check for restrictive licenses **Expected Result**: All licenses compatible with MIT **Automated**: Yes --- ### TC-10: Incident Response Testing **Test Case ID**: TC-10.1.1 **Description**: Failed authentication detection **Priority**: High **Steps**: 1. Generate multiple failed auth attempts 2. Verify detection and alerting 3. Test threshold-based blocking **Expected Result**: Suspicious activity detected and alerted **Automated**: Partial (if implemented) --- **Test Case ID**: TC-10.1.2 **Description**: Unusual API usage detection **Priority**: Medium **Steps**: 1. Generate unusual API usage patterns 2. Verify anomaly detection 3. Test alerting mechanism **Expected Result**: Anomalies detected and reported **Automated**: Partial (if implemented) --- ## Automated Testing ### Test Implementation Create automated test suite in `tests/security/`: ``` tests/ └── security/ ├── __init__.py ├── test_ferpa_compliance.py ├── test_authentication.py ├── test_code_execution.py ├── test_data_privacy.py ├── test_input_validation.py ├── test_secrets_management.py ├── test_network_security.py ├── test_audit_logging.py ├── test_dependencies.py └── test_incident_response.py ``` ### Test Execution ```bash # Run all security tests pytest tests/security/ # Run specific test category pytest tests/security/test_ferpa_compliance.py # Run with coverage pytest tests/security/ --cov=src/canvas_mcp --cov-report=html # Run with verbose output pytest tests/security/ -v ``` ### Continuous Integration Add security testing to CI/CD pipeline: ```yaml # .github/workflows/security-testing.yml name: Security Testing on: push: branches: [ main, development ] pull_request: branches: [ main ] schedule: - cron: '0 0 * * 0' # Weekly jobs: security-tests: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - name: Set up Python uses: actions/setup-python@v4 with: python-version: '3.11' - name: Install dependencies run: | pip install -e . pip install pytest pytest-asyncio pytest-cov pip install bandit safety pip-audit - name: Run security tests run: pytest tests/security/ -v - name: Run SAST scan run: bandit -r src/canvas_mcp/ - name: Check dependencies run: pip-audit - name: Upload results uses: actions/upload-artifact@v4 with: name: security-test-results path: htmlcov/ ``` ## Manual Testing ### Penetration Testing Checklist - [ ] Attempt privilege escalation - [ ] Test authentication bypass - [ ] Test authorization bypass - [ ] Attempt data exfiltration - [ ] Test for information disclosure - [ ] Attempt to execute arbitrary code - [ ] Test for race conditions - [ ] Test session management - [ ] Attempt credential theft - [ ] Test error handling edge cases ### Code Review Checklist - [ ] Review authentication logic - [ ] Review authorization checks - [ ] Review input validation - [ ] Review error handling - [ ] Review credential handling - [ ] Review logging statements - [ ] Review data anonymization - [ ] Review code execution sandboxing - [ ] Review network security - [ ] Review dependency security ### Configuration Review Checklist - [ ] Review .env.template for sensitive defaults - [ ] Verify .gitignore excludes sensitive files - [ ] Check file permissions on sensitive files - [ ] Review logging configuration - [ ] Review anonymization settings - [ ] Verify HTTPS enforcement - [ ] Check timeout settings - [ ] Review rate limiting configuration ## Security Testing Tools ### Static Analysis Tools 1. **Bandit** - Python security linter ```bash pip install bandit bandit -r src/canvas_mcp/ ``` 2. **Safety** - Dependency vulnerability scanner ```bash pip install safety safety check ``` 3. **pip-audit** - Python package vulnerability scanner ```bash pip install pip-audit pip-audit ``` 4. **Semgrep** - Static analysis for security patterns ```bash pip install semgrep semgrep --config=auto src/ ``` ### Dynamic Analysis Tools 1. **pytest** - Testing framework ```bash pip install pytest pytest-asyncio pytest tests/security/ ``` 2. **Hypothesis** - Property-based testing ```bash pip install hypothesis ``` ### Network Security Tools 1. **mitmproxy** - HTTPS proxy for traffic inspection ```bash pip install mitmproxy mitmproxy ``` 2. **nmap** - Network scanner (for rate limiting tests) ```bash nmap --script http-rate-limit ``` ### Compliance Tools 1. **trufflehog** - Secret scanning ```bash docker run --rm -it trufflesecurity/trufflehog:latest github --repo https://github.com/vishalsachdev/canvas-mcp ``` 2. **detect-secrets** - Prevent secrets in code ```bash pip install detect-secrets detect-secrets scan ``` ## Test Schedule ### Daily (Automated) - Run unit tests with security assertions - Dependency vulnerability scan - Code quality checks ### Weekly (Automated) - Full security test suite - SAST scanning - Dependency update check ### Monthly (Manual) - Security code review - Configuration review - Penetration testing (basic) - Compliance verification ### Quarterly (Manual) - Comprehensive penetration testing - Security architecture review - Threat model review - Incident response drill - Security documentation update ### Annually (Manual) - Third-party security audit - Compliance audit (FERPA) - Comprehensive security assessment - Security training and awareness ## Reporting ### Test Report Template ```markdown # Security Test Report **Date**: [Date] **Tester**: [Name] **Version**: [Canvas MCP Version] ## Executive Summary [Brief overview of testing performed and results] ## Test Results ### Critical Findings - [List critical security issues] ### High Priority Findings - [List high priority issues] ### Medium Priority Findings - [List medium priority issues] ### Low Priority Findings - [List low priority issues] ## Test Coverage | Category | Tests Planned | Tests Executed | Pass Rate | |----------|---------------|----------------|-----------| | FERPA | X | X | X% | | Auth | X | X | X% | | Code Exec| X | X | X% | | Privacy | X | X | X% | | Input Val| X | X | X% | | Secrets | X | X | X% | | Network | X | X | X% | | Logging | X | X | X% | | Depend | X | X | X% | | Incident | X | X | X% | ## Recommendations 1. [Prioritized list of recommendations] ## Appendix - Test logs - Tool outputs - Evidence screenshots ``` ### Metrics to Track 1. **Test Coverage** - Percentage of test cases executed - Code coverage for security-critical paths - Tool coverage 2. **Vulnerability Metrics** - Number of vulnerabilities by severity - Time to remediation - Vulnerability density 3. **Compliance Metrics** - FERPA compliance score - Audit findings - Policy violations 4. **Security Posture** - Security test pass rate - Dependency freshness - Configuration compliance ## Continuous Improvement 1. **Review and Update**: Review this plan quarterly 2. **Add New Tests**: Add tests for new features and threats 3. **Update Tools**: Keep security testing tools current 4. **Train Team**: Regular security training for developers 5. **Learn from Incidents**: Update tests based on findings ## Appendix A: Security Testing Resources - [OWASP Testing Guide](https://owasp.org/www-project-web-security-testing-guide/) - [NIST 800-53 Security Controls](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf) - [SANS Security Testing](https://www.sans.org/security-resources/) - [Python Security Best Practices](https://python.readthedocs.io/en/stable/library/security_warnings.html) ## Appendix B: Emergency Response If critical security issue found: 1. **Immediate**: Stop testing, document issue 2. **Notify**: Alert maintainers immediately 3. **Isolate**: Disable affected functionality if possible 4. **Document**: Create detailed security advisory 5. **Fix**: Develop and test fix 6. **Deploy**: Release security patch 7. **Verify**: Re-test to confirm fix 8. **Communicate**: Notify users if necessary --- *Document Version: 1.0* *Last Updated: January 2026* *Next Review: April 2026*

Loading blob content...

Latest Blog Posts

Redis vs ioredis vs valkey-glide
By punkpeye on January 26, 2026.
benchmark
Redis
valkey
Quickstart: Publish an MCP Server to the MCP Registry
By punkpeye on January 24, 2026.
mcp
official reference mirror
Official MCP Registry Server.json Requirements
By punkpeye on January 24, 2026.
mcp
official reference mirror

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/vishalsachdev/canvas-mcp'

If you have feedback or need assistance with the MCP directory API, please join our Discord server

SECURITY_TESTING_PLAN.md•26.2 KiB