ReviewMCP

Instructions

Implementation Reference

• src/index.ts:643-715 (handler)

  Main execution handler for the tool. Loads security configuration, performs path validation, size check, reads and sanitizes the mapfile content, and returns structured validation results.

  case "review.security.validate-mapfile": {
    const config = await loadSecurityConfig(args.cwd as string);
    const pathValidation = validateMapfilePath(args.filepath as string, config);
    
    if (!pathValidation.valid) {
      return {
        content: [
          { 
            type: "text", 
            text: JSON.stringify({ 
              valid: false, 
              reason: pathValidation.reason,
              config: { source: config.source }
            }) 
          }
        ]
      };
    }
  
    const sizeValidation = await validateMapfileSize(
      args.filepath as string,
      args.cwd as string,
      config
    );
  
    if (!sizeValidation.valid) {
      return {
        content: [
          { 
            type: "text", 
            text: JSON.stringify({ 
              valid: false, 
              reason: sizeValidation.reason,
              size: sizeValidation.size,
              config: { source: config.source, maxFileSize: config.maxFileSize }
            }) 
          }
        ]
      };
    }
  
    const fullPath = path.join(args.cwd as string, args.filepath as string);
    try {
      const content = await fs.readFile(fullPath, "utf-8");
      const sanitization = await sanitizeMapfile(content, args.filepath as string, config);
      
      return {
        content: [
          { 
            type: "text", 
            text: JSON.stringify({ 
              valid: sanitization.safe,
              size: sizeValidation.size,
              issues: sanitization.issues,
              config: { source: config.source }
            }) 
          }
        ]
      };
    } catch (error: any) {
      return {
        content: [
          { 
            type: "text", 
            text: JSON.stringify({ 
              valid: false, 
              error: error.message 
            }) 
          }
        ]
      };
    }
  }

• src/index.ts:380-391 (schema)

  Tool schema definition including name, description, and input schema requiring 'cwd' and 'filepath'.

  {
    name: "review.security.validate-mapfile",
    description: "Validate mapfile path and content against security policy",
    inputSchema: {
      type: "object",
      properties: {
        cwd: { type: "string" },
        filepath: { type: "string" }
      },
      required: ["cwd", "filepath"]
    }
  },

• src/config/security.ts:147-180 (helper)

  Helper function to validate the filepath against security rules: blocks absolute paths, traversal, invalid extensions, and ensures path is in allowed directories.

  export function validateMapfilePath(
    filepath: string,
    config: SecurityConfig
  ): { valid: boolean; reason?: string } {
    
    if (config.blockAbsolutePaths && path.isAbsolute(filepath)) {
      return { valid: false, reason: "Absolute paths are not allowed" };
    }
  
    if (config.blockTraversal && (filepath.includes("../") || filepath.includes("..\\"))) {
      return { valid: false, reason: "Path traversal is not allowed" };
    }
  
    const ext = path.extname(filepath).toLowerCase();
    if (config.allowedExtensions.length > 0 && !config.allowedExtensions.includes(ext)) {
      return { 
        valid: false, 
        reason: `File extension '${ext}' is not allowed. Allowed: ${config.allowedExtensions.join(", ")}` 
      };
    }
  
    const normalizedPath = filepath.replace(/\\/g, "/");
    const isInAllowedPath = config.allowedPaths.length === 0 || 
      config.allowedPaths.some(allowed => normalizedPath.startsWith(allowed));
    
    if (!isInAllowedPath) {
      return { 
        valid: false, 
        reason: `Path must be within allowed directories: ${config.allowedPaths.join(", ")}` 
      };
    }
  
    return { valid: true };
  }

• src/config/security.ts:182-208 (helper)

  Helper function to check file size against the configured maximum.

  export async function validateMapfileSize(
    filepath: string,
    cwd: string,
    config: SecurityConfig
  ): Promise<{ valid: boolean; reason?: string; size?: number }> {
    
    const fullPath = path.join(cwd, filepath);
    
    try {
      const stats = await fs.stat(fullPath);
      
      if (stats.size > config.maxFileSize) {
        return {
          valid: false,
          reason: `File size (${stats.size} bytes) exceeds maximum allowed size (${config.maxFileSize} bytes)`,
          size: stats.size
        };
      }
      
      return { valid: true, size: stats.size };
    } catch (error: any) {
      return {
        valid: false,
        reason: `Cannot access file: ${error.message}`
      };
    }
  }

• src/config/security.ts:210-239 (helper)

  Helper function to sanitize mapfile content by scanning for suspicious patterns like eval, require, etc.

  export async function sanitizeMapfile(
    content: string,
    filepath: string,
    config: SecurityConfig
  ): Promise<{ safe: boolean; sanitized?: string; issues: string[] }> {
    
    const issues: string[] = [];
    
    const suspiciousPatterns = [
      /eval\s*\(/gi,
      /require\s*\(/gi,
      /import\s+/gi,
      /__import__/gi,
      /exec\s*\(/gi,
      /system\s*\(/gi,
      /`[^`]*`/g
    ];
    
    for (const pattern of suspiciousPatterns) {
      if (pattern.test(content)) {
        issues.push(`Suspicious pattern detected: ${pattern.source}`);
      }
    }
    
    if (issues.length > 0) {
      return { safe: false, issues };
    }
    
    return { safe: true, sanitized: content, issues: [] };
  }