Skip to content

Refactor/security check and forlders workflow#2

Open
saktush wants to merge 19 commits into
madebyearth:mainfrom
saktush:refactor/security-check
Open

Refactor/security check and forlders workflow#2
saktush wants to merge 19 commits into
madebyearth:mainfrom
saktush:refactor/security-check

Conversation

@saktush

@saktush saktush commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

This branch covers two major workstreams: a security & performance hardening pass (audit-driven) and a folders feature addition, plus related fixes and tests.

Security hardening

  • Validate uploadId as a UUID before path.join() to prevent path traversal (S1)
  • Use timing-safe token comparison and unified 401 error messages to prevent timing attacks and config-state leakage
  • Wrap pino logger to automatically redact sensitive data (tokens, auth headers)
  • Evict session maps on transport close to prevent memory leaks
  • Introduce session token validation with secure storage (src/utils/session-auth.ts)
  • Bind default LISTEN_HOST to 127.0.0.1 when a token is set (prevents unintended network exposure)
  • Extract upload auth validation to src/utils/upload-auth.ts and remove the debug /uploads endpoint

Performance improvements

  • Add 30s timeout and HTTP keep-alive agents to the axios instance
  • Early-exit folder resolution loop on first match instead of always paginating 20 pages
  • Skip getTask() in createTimeEntry/listTimeEntries when taskId is already a UUID
  • Switch fs.readFileSync to fsPromises.readFile (async) in oob-upload.ts
  • Parallelize orphan upload file deletion with Promise.all

Folders feature

  • Implement list_folders, get_folder, get_folder_tree, and find_folder tools (src/tools/folders/)

Bug fixes & quality

  • Fix workitem creation flow
  • Fix lint errors across tool files (structured logger.info replacing console.error success logs)
  • Add unit tests for upload handler and auth utilities (src/tests/)
  • Add integration test skeleton (src/tests/integration/)

saktush and others added 19 commits June 19, 2026 16:54
- Move validateUploadAuth from src/index.ts to src/utils/upload-auth.ts to improve modularity and separation of concerns.
- Add comprehensive unit tests covering token validation, header parsing, case-insensitivity, and edge cases.
- Declare MIT license in package-lock.json.
Remove the listUploadsHandler function and its GET /uploads route registration. Update AGENTS.md to remove the corresponding endpoint documentation. This eliminates a debug-only feature no longer required for production.
Store a hash of the session token when initializing an MCP session.
Validate incoming requests against the stored hash to prevent
token mismatches and unauthorized access. Returns a 401 error
on validation failure and logs masked tokens for debugging.
Add comprehensive unit tests for the `parseUpload` utility to verify multipart file parsing behavior.

- Validate correct file writing and metadata generation for standard uploads
- Test multi-chunk transfer handling and guard against boundary byte leakage regression (D1)
- Verify proper rejection and 413 error response when files exceed the configured max size
Add LISTEN_HOST environment variable to .env.example with a default
of 127.0.0.1 when TEAMSTORM_API_TOKEN is configured, preventing
anonymous remote sessions. Update AGENTS.md and README.md to document
the new binding logic and provide override instructions for network
deployments.
Replace the direct Pino export with a redactedLogger wrapper that
applies the redact() function to the first argument of all log methods.
This ensures sensitive information is automatically sanitized before
being written to logs, preventing accidental exposure of credentials
or PII while maintaining the existing logger interface.
Replace direct string equality check with SHA-256 hashing and timingSafeEqual. This mitigates timing side-channel attacks by ensuring constant-time comparison during upload authentication.
Hook transport.onclose and onsessionclosed so that transports,
sessionClients, and sessionTokenHashes are deleted when a session ends,
preventing unbounded map growth in long-running servers.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
All failure paths in validateUploadAuth now return the same generic
'Unauthorized: valid token required for uploads' message, preventing
callers from distinguishing between a missing server token and a wrong
token.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Increase masking threshold from 8 to 16 characters to avoid partial token exposure
- Use timingSafeEqual for session validation to prevent timing-based side-channel attacks
- S1: validate uploadId as UUID before path.join() in oob-upload.ts to prevent path traversal
- S2+P3: add 30s timeout and HTTP keep-alive agents to axios instance in teamstorm.ts
- P1: early-exit folder resolution loop on first match instead of always paginating 20 pages
- P2: skip getTask() in createTimeEntry/listTimeEntries when taskId is already a UUID
- P4: switch fs.readFileSync to async fsPromises.readFile in oob-upload.ts
- P5: replace all console.error success logs with structured logger.info across 10 tool files
- P6: parallelize orphan upload file deletion with Promise.all in index.ts
- S3: document intentional absence of Access-Control-Allow-Origin in CORS middleware

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant