修改后台权限

node_modules/@modelcontextprotocol/sdk/dist/cjs/server/middleware/hostHeaderValidation.d.ts

@@ -0,0 +1,32 @@
+import { RequestHandler } from 'express';
+/**
+ * Express middleware for DNS rebinding protection.
+ * Validates Host header hostname (port-agnostic) against an allowed list.
+ *
+ * This is particularly important for servers without authorization or HTTPS,
+ * such as localhost servers or development servers. DNS rebinding attacks can
+ * bypass same-origin policy by manipulating DNS to point a domain to a
+ * localhost address, allowing malicious websites to access your local server.
+ *
+ * @param allowedHostnames - List of allowed hostnames (without ports).
+ *   For IPv6, provide the address with brackets (e.g., '[::1]').
+ * @returns Express middleware function
+ *
+ * @example
+ * ```typescript
+ * const middleware = hostHeaderValidation(['localhost', '127.0.0.1', '[::1]']);
+ * app.use(middleware);
+ * ```
+ */
+export declare function hostHeaderValidation(allowedHostnames: string[]): RequestHandler;
+/**
+ * Convenience middleware for localhost DNS rebinding protection.
+ * Allows only localhost, 127.0.0.1, and [::1] (IPv6 localhost) hostnames.
+ *
+ * @example
+ * ```typescript
+ * app.use(localhostHostValidation());
+ * ```
+ */
+export declare function localhostHostValidation(): RequestHandler;
+//# sourceMappingURL=hostHeaderValidation.d.ts.map

node_modules/@modelcontextprotocol/sdk/dist/cjs/server/middleware/hostHeaderValidation.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"hostHeaderValidation.d.ts","sourceRoot":"","sources":["../../../../src/server/middleware/hostHeaderValidation.ts"],"names":[],"mappings":"AAAA,OAAO,EAAmC,cAAc,EAAE,MAAM,SAAS,CAAC;AAE1E;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAgB,oBAAoB,CAAC,gBAAgB,EAAE,MAAM,EAAE,GAAG,cAAc,CA4C/E;AAED;;;;;;;;GAQG;AACH,wBAAgB,uBAAuB,IAAI,cAAc,CAExD"}

node_modules/@modelcontextprotocol/sdk/dist/cjs/server/middleware/hostHeaderValidation.js

@@ -0,0 +1,80 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.hostHeaderValidation = hostHeaderValidation;
+exports.localhostHostValidation = localhostHostValidation;
+/**
+ * Express middleware for DNS rebinding protection.
+ * Validates Host header hostname (port-agnostic) against an allowed list.
+ *
+ * This is particularly important for servers without authorization or HTTPS,
+ * such as localhost servers or development servers. DNS rebinding attacks can
+ * bypass same-origin policy by manipulating DNS to point a domain to a
+ * localhost address, allowing malicious websites to access your local server.
+ *
+ * @param allowedHostnames - List of allowed hostnames (without ports).
+ *   For IPv6, provide the address with brackets (e.g., '[::1]').
+ * @returns Express middleware function
+ *
+ * @example
+ * ```typescript
+ * const middleware = hostHeaderValidation(['localhost', '127.0.0.1', '[::1]']);
+ * app.use(middleware);
+ * ```
+ */
+function hostHeaderValidation(allowedHostnames) {
+    return (req, res, next) => {
+        const hostHeader = req.headers.host;
+        if (!hostHeader) {
+            res.status(403).json({
+                jsonrpc: '2.0',
+                error: {
+                    code: -32000,
+                    message: 'Missing Host header'
+                },
+                id: null
+            });
+            return;
+        }
+        // Use URL API to parse hostname (handles IPv4, IPv6, and regular hostnames)
+        let hostname;
+        try {
+            hostname = new URL(`http://${hostHeader}`).hostname;
+        }
+        catch {
+            res.status(403).json({
+                jsonrpc: '2.0',
+                error: {
+                    code: -32000,
+                    message: `Invalid Host header: ${hostHeader}`
+                },
+                id: null
+            });
+            return;
+        }
+        if (!allowedHostnames.includes(hostname)) {
+            res.status(403).json({
+                jsonrpc: '2.0',
+                error: {
+                    code: -32000,
+                    message: `Invalid Host: ${hostname}`
+                },
+                id: null
+            });
+            return;
+        }
+        next();
+    };
+}
+/**
+ * Convenience middleware for localhost DNS rebinding protection.
+ * Allows only localhost, 127.0.0.1, and [::1] (IPv6 localhost) hostnames.
+ *
+ * @example
+ * ```typescript
+ * app.use(localhostHostValidation());
+ * ```
+ */
+function localhostHostValidation() {
+    return hostHeaderValidation(['localhost', '127.0.0.1', '[::1]']);
+}
+//# sourceMappingURL=hostHeaderValidation.js.map

node_modules/@modelcontextprotocol/sdk/dist/cjs/server/middleware/hostHeaderValidation.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"hostHeaderValidation.js","sourceRoot":"","sources":["../../../../src/server/middleware/hostHeaderValidation.ts"],"names":[],"mappings":";;AAqBA,oDA4CC;AAWD,0DAEC;AA5ED;;;;;;;;;;;;;;;;;;GAkBG;AACH,SAAgB,oBAAoB,CAAC,gBAA0B;IAC3D,OAAO,CAAC,GAAY,EAAE,GAAa,EAAE,IAAkB,EAAE,EAAE;QACvD,MAAM,UAAU,GAAG,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC;QACpC,IAAI,CAAC,UAAU,EAAE,CAAC;YACd,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACjB,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE;oBACH,IAAI,EAAE,CAAC,KAAK;oBACZ,OAAO,EAAE,qBAAqB;iBACjC;gBACD,EAAE,EAAE,IAAI;aACX,CAAC,CAAC;YACH,OAAO;QACX,CAAC;QAED,4EAA4E;QAC5E,IAAI,QAAgB,CAAC;QACrB,IAAI,CAAC;YACD,QAAQ,GAAG,IAAI,GAAG,CAAC,UAAU,UAAU,EAAE,CAAC,CAAC,QAAQ,CAAC;QACxD,CAAC;QAAC,MAAM,CAAC;YACL,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACjB,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE;oBACH,IAAI,EAAE,CAAC,KAAK;oBACZ,OAAO,EAAE,wBAAwB,UAAU,EAAE;iBAChD;gBACD,EAAE,EAAE,IAAI;aACX,CAAC,CAAC;YACH,OAAO;QACX,CAAC;QAED,IAAI,CAAC,gBAAgB,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;YACvC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC;gBACjB,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE;oBACH,IAAI,EAAE,CAAC,KAAK;oBACZ,OAAO,EAAE,iBAAiB,QAAQ,EAAE;iBACvC;gBACD,EAAE,EAAE,IAAI;aACX,CAAC,CAAC;YACH,OAAO;QACX,CAAC;QACD,IAAI,EAAE,CAAC;IACX,CAAC,CAAC;AACN,CAAC;AAED;;;;;;;;GAQG;AACH,SAAgB,uBAAuB;IACnC,OAAO,oBAAoB,CAAC,CAAC,WAAW,EAAE,WAAW,EAAE,OAAO,CAAC,CAAC,CAAC;AACrE,CAAC"}