my-pal-mcp-server

Files

谢栋梁 9ed15f405a fix: path traversal vulnerability - use prefix matching in is_dangerous_path()

The is_dangerous_path() function only did exact string matching,
allowing attackers to bypass protection by accessing subdirectories:
- /etc was blocked but /etc/passwd was allowed
- C:\Windows was blocked but C:\Windows\System32\... was allowed

This minimal fix changes is_dangerous_path() to use PREFIX MATCHING:
- Now blocks dangerous directories AND all their subdirectories
- Paths like /etcbackup are still allowed (not under /etc)
- No changes to DANGEROUS_PATHS list

Security:
- Fixes CWE-22: Path Traversal vulnerability
- Reported by: Team off-course (K-Shield.Jr 15th)

Fixes #312
Fixes #293

2025-12-03 15:29:57 +08:00

gemini_cassettes

feat: gemini 3.0 pro preview added (as default gemini pro model)

2025-11-18 20:28:27 +04:00

openai_cassettes

feat: enhance model support by adding GPT-5.1 to .gitignore and updating cassette maintenance documentation for dual-model testing

2025-11-14 01:40:49 -07:00

__init__.py

…

CASSETTE_MAINTENANCE.md

feat: enhance model support by adding GPT-5.1 to .gitignore and updating cassette maintenance documentation for dual-model testing

2025-11-14 01:40:49 -07:00

conftest.py

feat: enhance model support by adding GPT-5.1 to .gitignore and updating cassette maintenance documentation for dual-model testing

2025-11-14 01:40:49 -07:00

http_transport_recorder.py

feat: implement semantic cassette matching for o3 models

2025-10-01 18:53:30 +04:00

mock_helpers.py

refactor: removed method from provider, should use model capabilities instead

2025-10-02 11:08:56 +04:00

pii_sanitizer.py

fix: Resolve o3-pro test isolation issues and convert print to logging

2025-07-13 10:41:43 -06:00

sanitize_cassettes.py

fix: Resolve o3-pro response parsing and test execution issues

2025-07-12 20:24:34 -06:00

test_alias_target_restrictions.py

refactor: moved registries into a separate module and code cleanup

2025-10-07 12:59:09 +04:00

test_auto_mode_comprehensive.py

feat: gemini 3.0 pro preview added (as default gemini pro model)

2025-11-18 20:28:27 +04:00

test_auto_mode_custom_provider_only.py

refactor: code cleanup

2025-10-02 08:09:44 +04:00

test_auto_mode_model_listing.py

feat: enhance model support by adding GPT-5.1 to .gitignore and updating cassette maintenance documentation for dual-model testing

2025-11-14 01:40:49 -07:00

test_auto_mode_provider_selection.py

feat: gemini 3.0 pro preview added (as default gemini pro model)

2025-11-18 20:28:27 +04:00

test_auto_mode.py

fix: configure codex with a longer timeout

2025-10-21 10:35:44 +04:00

test_auto_model_planner_fix.py

Improvements to consensus

2025-08-08 12:59:41 +05:00

test_azure_openai_provider.py

feat!: breaking change - OpenRouter models are now read from conf/openrouter_models.json while Custom / Self-hosted models are read from conf/custom_models.json

2025-10-04 21:10:56 +04:00

test_buggy_behavior_prevention.py

refactor: moved registries into a separate module and code cleanup

2025-10-07 12:59:09 +04:00

test_cassette_semantic_matching.py

feat: implement semantic cassette matching for o3 models

2025-10-01 18:53:30 +04:00

test_challenge.py

feat: gemini 3.0 pro preview added (as default gemini pro model)

2025-11-18 20:28:27 +04:00

test_chat_codegen_integration.py

fix: configure codex with a longer timeout

2025-10-21 10:35:44 +04:00

test_chat_cross_model_continuation.py

fix: configure codex with a longer timeout

2025-10-21 10:35:44 +04:00

test_chat_openai_integration.py

fix: configure codex with a longer timeout

2025-10-21 10:35:44 +04:00

test_chat_simple.py

fix: configure codex with a longer timeout

2025-10-21 10:35:44 +04:00

test_clink_claude_agent.py

feat! Claude Code as a CLI agent now supported. Mix and match: spawn claude code from within claude code, or claude code from within codex.

2025-10-08 11:14:22 +04:00

test_clink_claude_parser.py

fix: handle claude's array style JSON https://github.com/BeehiveInnovations/zen-mcp-server/issues/295

2025-10-21 10:41:02 +04:00

test_clink_codex_agent.py

test: fix clink agent tests to mock shutil.which() for executable resolution

2025-10-07 17:39:41 +01:00

test_clink_gemini_agent.py

test: fix clink agent tests to mock shutil.which() for executable resolution

2025-10-07 17:39:41 +01:00

test_clink_gemini_parser.py

fix: handle 429 response https://github.com/BeehiveInnovations/zen-mcp-server/issues/273

2025-10-06 23:32:04 +04:00

test_clink_integration.py

fix: configure codex with a longer timeout

2025-10-21 10:35:44 +04:00

test_clink_parsers.py

feat: support for codex as external CLI

2025-10-06 00:39:00 +04:00

test_clink_tool.py

fix: regression https://github.com/BeehiveInnovations/zen-mcp-server/issues/338

2025-11-21 09:31:34 +04:00

test_collaboration.py

fix: listmodels to always honor restricted models

2025-10-04 13:46:22 +04:00

test_config.py

feat: gemini 3.0 pro preview added (as default gemini pro model)

2025-11-18 20:28:27 +04:00

test_consensus_integration.py

feat: gemini 3.0 pro preview added (as default gemini pro model)

2025-11-18 20:28:27 +04:00

test_consensus_schema.py

fix: consensus now advertises a short list of models to avoid the CLI getting the names wrong

2025-10-03 22:41:28 +04:00

test_consensus.py

feat: gemini 3.0 pro preview added (as default gemini pro model)

2025-11-18 20:28:27 +04:00

test_conversation_continuation_integration.py

fix: configure codex with a longer timeout

2025-10-21 10:35:44 +04:00

test_conversation_field_mapping.py

fix: configure codex with a longer timeout

2025-10-21 10:35:44 +04:00

test_conversation_file_features.py

fix: external model name now recorded properly in responses

2025-10-03 11:29:06 +04:00

test_conversation_memory.py

fix: configure codex with a longer timeout

2025-10-21 10:35:44 +04:00

test_conversation_missing_files.py

…

test_custom_openai_temperature_fix.py

refactor: moved registries into a separate module and code cleanup

2025-10-07 12:59:09 +04:00

test_custom_provider.py

feat!: breaking change - OpenRouter models are now read from conf/openrouter_models.json while Custom / Self-hosted models are read from conf/custom_models.json

2025-10-04 21:10:56 +04:00

test_debug.py

feat: gemini 3.0 pro preview added (as default gemini pro model)

2025-11-18 20:28:27 +04:00

test_deploy_scripts.py

feat: Add comprehensive tests for Docker integration, security, and volume persistence

2025-06-29 00:01:35 +02:00

test_dial_provider.py

refactor: cleanup provider base class; cleanup shared responsibilities; cleanup public contract

2025-10-02 12:59:45 +04:00

test_directory_expansion_tracking.py

fix: configure codex with a longer timeout

2025-10-21 10:35:44 +04:00

test_disabled_tools.py

…

test_docker_claude_desktop_integration.py

feat: Add comprehensive tests for Docker integration, security, and volume persistence

2025-06-29 00:01:35 +02:00

test_docker_config_complete.py

refactor: Update environment and Docker configuration files; remove unused MCP configuration tests

2025-06-25 17:42:58 +02:00

test_docker_healthcheck.py

feat: Add comprehensive tests for Docker integration, security, and volume persistence

2025-06-29 00:01:35 +02:00

test_docker_implementation.py

refactor: Update environment and Docker configuration files; remove unused MCP configuration tests

2025-06-25 17:42:58 +02:00

test_docker_mcp_validation.py

feat: Add comprehensive tests for Docker integration, security, and volume persistence

2025-06-29 00:01:35 +02:00

test_docker_security.py

feat: Add comprehensive tests for Docker integration, security, and volume persistence

2025-06-29 00:01:35 +02:00

test_docker_volume_persistence.py

feat: Add comprehensive tests for Docker integration, security, and volume persistence

2025-06-29 00:01:35 +02:00

test_file_protection.py

…

test_gemini_token_usage.py

…

test_image_support_integration.py

fix: configure codex with a longer timeout

2025-10-21 10:35:44 +04:00

test_image_validation.py

refactor: moved image related code out of base provider into a separate utility

2025-10-02 11:23:15 +04:00

test_integration_utf8.py

…

test_intelligent_fallback.py

feat: enhance model support by adding GPT-5.1 to .gitignore and updating cassette maintenance documentation for dual-model testing

2025-11-14 01:40:49 -07:00

test_issue_245_simple.py

refactor: moved registries into a separate module and code cleanup

2025-10-07 12:59:09 +04:00

test_large_prompt_handling.py

fix: configure codex with a longer timeout

2025-10-21 10:35:44 +04:00

test_line_numbers_integration.py

…

test_listmodels_restrictions.py

refactor: moved registries into a separate module and code cleanup

2025-10-07 12:59:09 +04:00

test_listmodels.py

feat: gemini 3.0 pro preview added (as default gemini pro model)

2025-11-18 20:28:27 +04:00

test_mcp_error_handling.py

fix: configure codex with a longer timeout

2025-10-21 10:35:44 +04:00

test_model_enumeration.py

feat!: breaking change - OpenRouter models are now read from conf/openrouter_models.json while Custom / Self-hosted models are read from conf/custom_models.json

2025-10-04 21:10:56 +04:00

test_model_metadata_continuation.py

fix: listmodels to always honor restricted models

2025-10-04 13:46:22 +04:00

test_model_resolution_bug.py

fix: failing test for gemini 3.0 pro open router

2025-11-18 20:50:42 +04:00

test_model_restrictions.py

feat: gemini 3.0 pro preview added (as default gemini pro model)

2025-11-18 20:28:27 +04:00

test_o3_pro_output_text_fix.py

fix: configure codex with a longer timeout

2025-10-21 10:35:44 +04:00

test_o3_temperature_fix_simple.py

refactor: moved registries into a separate module and code cleanup

2025-10-07 12:59:09 +04:00

test_openai_compatible_token_usage.py

refactor: moved temperature method from base provider to model capabilities

2025-10-02 10:25:41 +04:00

test_openai_provider.py

feat: enhance model support by adding GPT-5.1 to .gitignore and updating cassette maintenance documentation for dual-model testing

2025-11-14 01:40:49 -07:00

test_openrouter_provider.py

refactor: moved registries into a separate module and code cleanup

2025-10-07 12:59:09 +04:00

test_openrouter_registry.py

refactor: moved registries into a separate module and code cleanup

2025-10-07 12:59:09 +04:00

test_parse_model_option.py

feat: Update Claude models to Opus 4.1 and Sonnet 4.1

2025-08-17 16:08:52 +00:00

test_path_traversal_security.py

fix: path traversal vulnerability - use prefix matching in is_dangerous_path()

2025-12-03 15:29:57 +08:00

test_per_tool_model_defaults.py

feat: gemini 3.0 pro preview added (as default gemini pro model)

2025-11-18 20:28:27 +04:00

test_pii_sanitizer.py

test: Enhance o3-pro test to verify model metadata and response parsing

2025-07-13 06:09:31 -06:00

test_pip_detection_fix.py

fix:sed usage https://github.com/BeehiveInnovations/zen-mcp-server/issues/287

2025-10-21 11:06:18 +04:00

test_planner.py

feat: gemini 3.0 pro preview added (as default gemini pro model)

2025-11-18 20:28:27 +04:00

test_precommit_workflow.py

feat: gemini 3.0 pro preview added (as default gemini pro model)

2025-11-18 20:28:27 +04:00

test_prompt_regression.py

fix: telemetry option no longer available in gemini 0.11

2025-10-22 17:53:10 +04:00

test_prompt_size_limit_bug_fix.py

test: fixed integration tests, removed magicmock

2025-10-02 23:47:44 +04:00

test_provider_retry_logic.py

refactor: moved registries into a separate module and code cleanup

2025-10-07 12:59:09 +04:00

test_provider_routing_bugs.py

refactor: moved registries into a separate module and code cleanup

2025-10-07 12:59:09 +04:00

test_provider_utf8.py

refactor: moved registries into a separate module and code cleanup

2025-10-07 12:59:09 +04:00

test_providers.py

feat: enhance model support by adding GPT-5.1 to .gitignore and updating cassette maintenance documentation for dual-model testing

2025-11-14 01:40:49 -07:00

test_rate_limit_patterns.py

refactor: moved registries into a separate module and code cleanup

2025-10-07 12:59:09 +04:00

test_refactor.py

feat: refactored and tweaked model descriptions / schema to use fewer tokens at launch (average reduction per field description: 60-80%) without sacrificing tool effectiveness

2025-08-22 09:23:59 +04:00

test_secaudit.py

feat: gemini 3.0 pro preview added (as default gemini pro model)

2025-11-18 20:28:27 +04:00

test_server.py

Fixed linebreaks

2025-06-27 14:29:10 +04:00

test_supported_models_aliases.py

feat: gemini 3.0 pro preview added (as default gemini pro model)

2025-11-18 20:28:27 +04:00

test_thinking_modes.py

fix: configure codex with a longer timeout

2025-10-21 10:35:44 +04:00

test_tools.py

feat: gemini 3.0 pro preview added (as default gemini pro model)

2025-11-18 20:28:27 +04:00

test_tracer.py

feat: refactored and tweaked model descriptions / schema to use fewer tokens at launch (average reduction per field description: 60-80%) without sacrificing tool effectiveness

2025-08-22 09:23:59 +04:00

test_utf8_localization.py

refactor: remove obsolete localization test files and update UTF-8 tests for improved mock handling

2025-06-24 18:48:31 +02:00

test_utils.py

refactor: fixed test

2025-10-05 08:55:50 +04:00

test_uvx_resource_packaging.py

refactor: moved registries into a separate module and code cleanup

2025-10-07 12:59:09 +04:00

test_uvx_support.py

fix: CI test

2025-10-04 14:32:47 +04:00

test_workflow_file_embedding.py

…

test_workflow_metadata.py

fix: improved error reporting; codex cli would at times fail to figure out how to handle plain-text / JSON errors

2025-10-17 23:42:32 +04:00

test_workflow_prompt_size_validation_simple.py

fix: improved error reporting; codex cli would at times fail to figure out how to handle plain-text / JSON errors

2025-10-17 23:42:32 +04:00

test_workflow_utf8.py

refactor: removed method from provider, should use model capabilities instead

2025-10-02 11:08:56 +04:00

test_xai_provider.py

feat!: breaking change - OpenRouter models are now read from conf/openrouter_models.json while Custom / Self-hosted models are read from conf/custom_models.json

2025-10-04 21:10:56 +04:00

transport_helpers.py

refactor: moved registries into a separate module and code cleanup

2025-10-07 12:59:09 +04:00

triangle.png

…