We provide security updates for the following versions of the Revive Adserver MCP server:
| Version | Supported |
|---|---|
| 1.0.x | ✅ |
| < 1.0 | ❌ |
If you discover a security vulnerability in the Revive Adserver MCP server, please report it responsibly:
- DO NOT open a public GitHub issue for security vulnerabilities
- Email the security team directly at: security@example.com
- Include detailed information about the vulnerability
- Allow reasonable time for investigation and resolution
When reporting a security vulnerability, please provide:
- Description of the vulnerability and its potential impact
- Steps to reproduce the issue
- Affected versions of the MCP server
- Environment details (Node.js version, OS, etc.)
- Proof of concept code (if applicable)
- Suggested remediation (if known)
- Initial response: Within 24 hours of report
- Vulnerability assessment: Within 72 hours
- Resolution timeline: Provided within 1 week
- Public disclosure: After fix is available and deployed
# ✅ Use environment variables
export REVIVE_API_USERNAME="secure_user"
export REVIVE_API_PASSWORD="strong_password"
# ❌ Never hardcode in configuration files
{
"env": {
"REVIVE_API_USERNAME": "my_username", // Don't do this
"REVIVE_API_PASSWORD": "my_password" // Don't do this
}
}{
"mcpServers": {
"revive-adserver": {
"command": "node",
"args": ["/path/to/server.js"],
"env": {
"REVIVE_API_URL": "https://revive.example.com/api",
"LOG_LEVEL": "INFO"
}
}
}
}- Use HTTPS for all Revive API connections
- Implement firewall rules to restrict MCP server network access
- Use VPN or private networks for production deployments
- Regularly update Node.js and dependencies
# Create dedicated API user with minimal permissions
REVIVE_API_USERNAME="mcp_readonly_user"
# Use read-only credentials when possible
REVIVE_READONLY_MODE="true"
# Rotate credentials regularly
# Schedule: Every 90 days minimum- Input validation for all user-provided data
- Output sanitization to prevent injection attacks
- Error handling without exposing sensitive information
- Dependency scanning for known vulnerabilities
// ✅ Secure credential handling
const credentials = {
username: process.env.REVIVE_API_USERNAME,
password: process.env.REVIVE_API_PASSWORD,
};
// ✅ Automatic token refresh
if (this.tokenExpired()) {
await this.refreshToken();
}
// ❌ Never log credentials
logger.debug('Authenticating...', {
username: credentials.username,
// password: credentials.password // Don't log passwords
});// ✅ Request validation
export function validateCampaignArgs(args: CreateCampaignArgs): void {
if (!args.name || typeof args.name !== 'string') {
throw new ValidationError('Campaign name is required');
}
if (args.name.length > 255) {
throw new ValidationError('Campaign name too long');
}
// Sanitize inputs
args.name = args.name.trim();
}
// ✅ Rate limiting
const rateLimiter = new RateLimiter({
maxRequests: 100,
windowMs: 60000, // 1 minute
});- Automatic token refresh prevents expired credential issues
- Session management with secure token storage
- Retry logic with exponential backoff prevents brute force
- Connection pooling limits concurrent authentication attempts
- Parameter validation for all MCP tool inputs
- Type checking with TypeScript for compile-time safety
- Sanitization of user-provided strings
- Range validation for numeric inputs
- Safe error messages without credential exposure
- Stack trace sanitization in production
- Correlation IDs for secure debugging
- Rate limit handling with automatic backoff
// ✅ Secure logging patterns
logger.info('Campaign created', {
campaignId: result.campaignId,
advertiserId: args.advertiserId,
correlationId: this.correlationId,
});
// ❌ Don't log sensitive data
logger.debug('API response', {
// data: apiResponse, // May contain sensitive info
status: apiResponse.status,
correlationId: this.correlationId,
});# Required security environment variables
REVIVE_API_URL="https://secure-revive.example.com/api"
REVIVE_API_USERNAME="secure_api_user"
REVIVE_API_PASSWORD="strong_random_password"
# Optional security enhancements
REVIVE_API_TIMEOUT="10000" # Prevent long-running requests
REVIVE_MAX_CONNECTIONS="5" # Limit resource usage
REVIVE_ENABLE_CACHE="false" # Disable caching for sensitive data
LOG_LEVEL="WARN" # Reduce log verbosity in production# Secure file permissions
chmod 600 .env # Environment file readable by owner only
chmod 755 dist/server.js # Server executable by owner, readable by others
chmod 644 *.md # Documentation readable by all# Regular security audits
npm audit
# Fix known vulnerabilities
npm audit fix
# Check for outdated packages
npm outdated
# Update dependencies
npm update# GitHub Actions security workflow
name: Security Scan
on: [push, pull_request]
jobs:
security:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Run Security Audit
run: npm audit
- name: Run Vulnerability Scan
uses: securecodewarrior/github-action-add-sarif@v1// Security test examples
describe('Security Tests', () => {
it('should not expose credentials in error messages', async () => {
const invalidCredentials = {
username: 'invalid',
password: 'wrong',
};
try {
await client.authenticate(invalidCredentials);
} catch (error) {
expect(error.message).not.toContain('wrong');
expect(error.message).not.toContain('invalid');
}
});
it('should validate input parameters', () => {
expect(() => {
validateCampaignArgs({ name: '../../../etc/passwd' });
}).toThrow('Invalid campaign name');
});
});- Immediately isolate the affected system
- Stop the MCP server if compromise is suspected
- Collect logs for forensic analysis
- Change credentials for Revive API access
- Report the incident following the vulnerability reporting process
- Update to the latest patched version
- Rotate all credentials used by the MCP server
- Review logs for suspicious activity
- Verify configuration security settings
- Monitor for ongoing issues
- Security Team: security@example.com
- Primary Maintainer: maintainer@example.com
- Emergency Contact: emergency@example.com
- CONTRIBUTING.md - Development security guidelines
- TROUBLESHOOTING.md - Security-related troubleshooting
- MCP-CONFIG.md - Secure configuration examples
Note: This security policy is a living document and will be updated as the project evolves. Please check back regularly for updates.