feat(mcp): integrate mcp cat #3086
base: master
| // Add enhanced user identification with session tracking | ||
| if (config.enableSessionTracking) { | ||
| options.identify = async (request: any, extra?: any) => { | ||
| const sessionId = extra?.sessionId || generateSessionId(); |
Check failure
Code scanning / CodeQL
Insecure randomness High
Math.random()
Copilot Autofix
AI 2 months ago
To fix the problem, you should replace the use of Math.random() in generateSessionId() with a cryptographically secure random generator. In Node.js, the recommended method is to use the crypto module's randomBytes() function. The crypto.randomBytes() function generates cryptographically secure random bytes, which can then be used to build unpredictable, secure session IDs.
Specifically, you should:
- Import the Node.js `crypto` module.
- Replace the `Math.random().toString(36).substr(2, 9)` portion with a base64- or hex-encoded value generated from `crypto.randomBytes()`, of suitable length (for more than 9 random characters, 12 random bytes encoded in base64 or hex is a good choice).
- Retain the other session ID format (`sess_${Date.now()}_...`) if desired, but ensure that the random component is now secure.
Edit only within the definition of generateSessionId() and add the required import at the top of the file.
| @@ -1,5 +1,6 @@ | ||
| import { track } from "mcpcat"; | ||
| import { server } from "./server/index.js"; | ||
| import { randomBytes } from "crypto"; | ||
|
|
||
| export interface MCPcatConfig { | ||
| projectId: string | null; | ||
| @@ -444,7 +445,9 @@ | ||
|
|
||
| // Helper function to generate session IDs | ||
| function generateSessionId(): string { | ||
| return `sess_${Date.now()}_${Math.random().toString(36).substr(2, 9)}`; | ||
| // Use cryptographically secure random bytes instead of Math.random | ||
| const randomPart = randomBytes(12).toString("base64url"); | ||
| return `sess_${Date.now()}_${randomPart}`; | ||
| } | ||
|
|
||
| /** |
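Review bot: the replacement on the `randomBytes(12).toString("base64url")` line is sound, but `"base64url"` as a Buffer encoding only exists on Node.js 15.7+ (backported to 14.18); on older runtimes `toString` throws `ERR_UNKNOWN_ENCODING`, so confirm the package's `engines` range before merging. Keeping the `Date.now()` prefix is fine for correlation, but it means the first component of every ID is predictable; all the unpredictability comes from the 96 random bits, which is ample for a tracking identifier.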
| inputSchema: ComponentNameParamsSchema.shape, | ||
| execute: async (input: z.infer<typeof ComponentNameParamsSchema>): Promise<any> => { | ||
| const { componentName } = input; | ||
| const sessionId = generateSessionId(); |
Check failure
Code scanning / CodeQL
Insecure randomness High
Math.random()
Copilot Autofix
AI 2 months ago
To fix this problem, we need to generate session IDs using a cryptographically secure random value, instead of Math.random(). In Node.js, the crypto module provides the correct API for secure random bytes. The best approach is to patch the generateSessionId function in packages/mcp/src/mcpcat-config.ts to replace the non-secure .${Math.random().toString(36).substr(2, 9)} with a securely generated random string, e.g., using crypto.randomBytes(9).toString('base64url'), ensuring URL-safe encoding (or hex). The function should be updated to import crypto if not already present.
No other regions need change, as all sessionId consumers will now benefit from securely generated IDs.
| @@ -1,5 +1,6 @@ | ||
| import { track } from "mcpcat"; | ||
| import { server } from "./server/index.js"; | ||
| import { randomBytes } from "crypto"; | ||
|
|
||
| export interface MCPcatConfig { | ||
| projectId: string | null; | ||
| @@ -444,7 +445,9 @@ | ||
|
|
||
| // Helper function to generate session IDs | ||
| function generateSessionId(): string { | ||
| return `sess_${Date.now()}_${Math.random().toString(36).substr(2, 9)}`; | ||
| // Use cryptographically secure random bytes for the random part | ||
| const secureRandomStr = randomBytes(9).toString('base64url'); // 9 bytes ≈ 12 chars base64url | ||
| return `sess_${Date.now()}_${secureRandomStr}`; | ||
| } | ||
|
|
||
| /** |
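Review bot: `randomBytes(9).toString('base64url')` yields exactly 12 characters (9 bytes is a multiple of 3, so no padding is dropped), so the `≈ 12 chars` comment can say `= 12 chars`; the single-quoted string is also inconsistent with the double quotes used on the import lines above. 72 bits is plenty for a tracking/correlation key, but if `sessionId` is ever treated as a bearer credential, use at least 16 bytes (128 bits).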
| inputSchema: SearchIconsParamsSchema.shape, | ||
| execute: async (input: z.infer<typeof SearchIconsParamsSchema>): Promise<any> => { | ||
| const { query, category, limit, includeUsageExamples = false } = input; | ||
| const sessionId = generateSessionId(); |
Check failure
Code scanning / CodeQL
Insecure randomness High
Math.random()
Copilot Autofix
AI 2 months ago
To fix the problem, we need to make generateSessionId use cryptographically secure randomness. In Node.js projects, this is typically achieved using crypto.randomBytes. We will import Node's built-in crypto module and use crypto.randomBytes to generate a secure random value for the session ID, replacing the use of Math.random(). In concrete terms, in packages/mcp/src/mcpcat-config.ts:
- Import the `crypto` module.
- Update `generateSessionId` to use both the timestamp and a securely generated random value (e.g., 8 bytes, hex encoded).
All calls to generateSessionId elsewhere (such as in list-vibe-icons.ts) will automatically benefit from the improved randomness, and no changes are needed in their code.
| @@ -1,5 +1,6 @@ | ||
| import { track } from "mcpcat"; | ||
| import { server } from "./server/index.js"; | ||
| import * as crypto from "crypto"; | ||
|
|
||
| export interface MCPcatConfig { | ||
| projectId: string | null; | ||
| @@ -444,7 +445,9 @@ | ||
|
|
||
| // Helper function to generate session IDs | ||
| function generateSessionId(): string { | ||
| return `sess_${Date.now()}_${Math.random().toString(36).substr(2, 9)}`; | ||
| // Use cryptographically secure randomness for the session portion | ||
| const randomHex = crypto.randomBytes(8).toString("hex"); // 16 characters | ||
| return `sess_${Date.now()}_${randomHex}`; | ||
| } | ||
|
|
||
| /** |
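Review bot: `crypto.randomBytes(8).toString("hex")` gives 64 bits in 16 characters, as the trailing comment says; that is enough to make same-millisecond collisions negligible for a tracking ID, but it leaves no margin if the value is ever used as a secret. Prefer 16 bytes, or `crypto.randomUUID()` (Node 14.17+), which needs no encoding choice at all.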
| "Get a list of all public @vibe/core & @vibe/core/next components names. Use this tool to get the names of components to use in the get-vibe-component-metadata tool.", | ||
| inputSchema: {}, | ||
| execute: async () => { | ||
| const sessionId = generateSessionId(); |
Check failure
Code scanning / CodeQL
Insecure randomness High
Math.random()
Copilot Autofix
AI 2 months ago
To fix the problem, replace the use of Math.random() in generateSessionId() with a cryptographically secure random string generator. In Node.js, the native crypto module provides a secure way to generate random values, e.g., via crypto.randomBytes. We'll import crypto and implement the secure generation within generateSessionId(), replacing the random part with a string generated from cryptographically secure random bytes, base36-encoded for compactness.
Required changes:
- In `packages/mcp/src/mcpcat-config.ts`:
  - Import the native `crypto` module.
  - Change the implementation of `generateSessionId()` to use `crypto.randomBytes` instead of `Math.random()`.
  - Review that no other lines in the snippet use insecure randomness.
- No changes are required in `list-vibe-public-components.ts`—the function is simply called there.
| @@ -1,5 +1,6 @@ | ||
| import { track } from "mcpcat"; | ||
| import { server } from "./server/index.js"; | ||
| import crypto from "crypto"; | ||
|
|
||
| export interface MCPcatConfig { | ||
| projectId: string | null; | ||
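Review bot: `import crypto from "crypto"` is a default import of a CommonJS builtin; it type-checks only with `esModuleInterop` (or `allowSyntheticDefaultImports`) enabled, and under native ESM it relies on Node's synthetic default export. The line above already uses a named import, so `import { randomBytes } from "crypto"` would be consistent and avoid the interop dependency.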
| @@ -444,7 +445,9 @@ | ||
|
|
||
| // Helper function to generate session IDs | ||
| function generateSessionId(): string { | ||
| return `sess_${Date.now()}_${Math.random().toString(36).substr(2, 9)}`; | ||
| // Use 9 bytes to match previous entropy, and base36 for compactness | ||
| const randomPart = crypto.randomBytes(9).toString("base36"); | ||
| return `sess_${Date.now()}_${randomPart}`; | ||
| } | ||
|
|
||
| /** |
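Review bot: `crypto.randomBytes(9).toString("base36")` does not work: `"base36"` is not a `BufferEncoding`, so `tsc` rejects the call, and at runtime Node throws `ERR_UNKNOWN_ENCODING`, which would make every tool call that reaches `generateSessionId()` fail. Use `toString("hex")` or `toString("base64url")`; a base-36 string would need a manual `BigInt` conversion. The "match previous entropy" comment is also off: nine base-36 characters from `Math.random()` carry at most about 46 bits and come from a non-cryptographic PRNG, whereas 9 bytes from `randomBytes` give 72 bits.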
A new prerelease version of this PR has been published! 🎉 To update Or with npm:
No description provided.