feat: comprehensive security hardening

- Add ReDoS prevention for regex patterns in symbol/AST search
- Fix UNC extended-length path bypass on Windows
- Fix symlink attack vulnerability in ctags temp file creation
- Add 30-second timeout to external process calls
- Add 100MB file size limit for AST parsing
- Add recursion depth limits (100) for AST traversal
- Sanitize error messages to prevent path leakage
- Add 61 new security tests across 3 test suites

Author: GhostTypes

.claude/commands/new-command.md

@@ -0,0 +1,9 @@
+Generate a new command
+
+You must assist the user with creating a new command, based on their input: #$ARGUMENTS
+
+If the user specifies it needs an input, you must use #$ ARGUMENTS (without the space). This is how you provide the user's input to yourself (when this command you're making is ran)
+
+Commands are located here : .claude\commands
+
+You must create them like command-name.md, and structure them like optimized instructions for yourself

.claude/commands/security-audit.md

@@ -0,0 +1,137 @@
+# Security Audit Command for Code Search MCP
+
+You are performing a comprehensive security audit of the Code Search MCP server - a Node.js application that provides code search capabilities via the Model Context Protocol. This is a security-sensitive tool that accepts path inputs and spawns external processes.
+
+## Project Context
+
+This project:
+- Is a Node.js MCP server accepting workspace paths from external clients
+- Spawns external processes (ctags, ripgrep) via `child_process.execFile`
+- Writes temporary files to user-controlled directories
+- Implements an allow-list-based workspace access control system
+- Caches symbol indices to disk in `~/.code-search-mcp-cache/`
+
+## Phase 1: Parallel Exploration
+
+Launch multiple Explore agents in parallel to review different focused security areas:
+
+### Agent 1: Path Traversal & Workspace Access Control
+Focus: `src/utils/workspace-path.ts`, `src/mcp/server.ts`
+- Check for path traversal bypasses in `validateAllowedPath()`
+- Look for symlink-based escape vulnerabilities
+- Verify Windows vs Unix path separator handling
+- Check if `..` or path separator edge cases are handled
+- Look for cases where workspace validation is bypassed
+
+### Agent 2: Command Injection & Process Spawning
+Focus: `src/symbol-search/ctags-integration.ts`, `src/symbol-search/text-search-service.ts`, `src/ast-search/`
+- Verify all `execFile` calls use safe argument passing
+- Check if workspace paths passed as `cwd` are properly validated
+- Look for shell command injection via pattern/regex inputs
+- Verify ripgrep glob patterns can't escape the workspace
+
+### Agent 3: Temporary File & Symlink Attacks
+Focus: `src/symbol-search/ctags-integration.ts`, `src/cache/cache-manager.ts`
+- Check `.code-search-tags` file creation for symlink vulnerabilities
+- Verify cache directory creation is safe from TOCTOU races
+- Check if temporary files use secure permissions
+- Look for arbitrary file write vulnerabilities
+
+### Agent 4: Input Validation & Injection
+Focus: `src/mcp/server.ts` - all tool handlers
+- Verify all MCP tool inputs are validated before use
+- Check regex/pattern injection points (ripgrep, AST search)
+- Verify glob pattern sanitization in file/text search
+- Look for unsafe JSON parsing
+
+### Agent 5: Cache Security & Information Disclosure
+Focus: `src/cache/cache-manager.ts`
+- Check if cached data contains sensitive file contents
+- Verify cache files are not world-readable
+- Check for information disclosure in error messages
+- Look for workspace path leakage in responses
+
+### Agent 6: Dependency Vulnerabilities
+Focus: `package.json`, all `src/dependency-analysis/parsers/*.ts`
+- Check for known vulnerabilities in dependencies
+- Verify dependency manifests are parsed safely
+- Look for malicious package detection capabilities
+- Check if `analyze_dependencies` has network exposure
+
+### Agent 7: Denial of Service & Resource Limits
+Focus: All services
+- Check for missing timeout constraints on operations
+- Verify search result limits are enforced
+- Look for memory exhaustion via large file inputs
+- Check if unbounded loops exist in parsers
+
+### Agent 8: Access Control Bypasses
+Focus: `src/mcp/server.ts`, `src/utils/workspace-path.ts`
+- Verify all file operations go through workspace validation
+- Check for direct file reads bypassing `validateAllowedPath()`
+- Look for cases where `normalizeSearchPathFilters` can be bypassed
+- Verify cache operations can't access arbitrary workspaces
+
+## Phase 2: Collect and Analyze
+
+Wait for all agents to complete. Organize findings by severity:
+- **Critical**: Path traversal, arbitrary file read/write, command execution
+- **High**: Symlink attacks, significant DoS vectors, information disclosure
+- **Medium**: DoS resource exhaustion, minor injection risks
+- **Low**: Best practice violations, minor issues
+- **Info**: Security considerations
+
+For each finding, gather:
+- File path and line number
+- Vulnerability type (e.g., CWE-22, CWE-78, CWE-20)
+- Severity level
+- Brief description with exploit scenario
+- Recommended fix with code snippet
+
+## Phase 3: Present Results
+
+If NO issues are found:
+```
+╔══════════════════════════════════════════════════════════════╗
+║              SECURITY AUDIT PASSED                          ║
+║                                                              ║
+║  No critical security issues detected in code-search-mcp.   ║
+╚══════════════════════════════════════════════════════════════╝
+```
+
+If issues are found, present an ASCII table:
+```
+╔══════════════════╤════════════════════════════╤═══════════════════════════╤════════════╗
+║ Severity         │ Issue Type (CWE)          │ Location                  │ Description ║
+╠══════════════════╪════════════════════════════╪═══════════════════════════╪════════════╣
+║ CRITICAL         │ Path Traversal (CWE-22)   │ workspace-path.ts:68      │ Symlink    ║
+║                  │                          │                           │ bypass via  ║
+║                  │                          │                           │ junction    ║
+╠══════════════════╪════════════════════════════╪═══════════════════════════╪════════════╣
+║ HIGH             │ Symlink Attack (CWE-59)   │ ctags-integration.ts:19   │ .code-     ║
+║                  │                          │                           │ search-tags ║
+║                  │                          │                           │ link target ║
+╚══════════════════╧════════════════════════════╧═══════════════════════════╧════════════╝
+```
+
+## Phase 4: Remediation Planning
+
+After presenting findings, gather fix details ahead of time, then use AskUserQuestion to confirm:
+
+1. **Fix scope**: Critical only? Critical+High? All issues?
+2. **Fix approach**: Implement fixes directly, create PR, or review together?
+3. **Testing**: Add security tests? Verify existing tests pass?
+
+Proceed with implementation based on user responses.
+
+## Key Security Considerations for This Project
+
+1. **Path Validation is Critical**: This tool's primary security boundary is `validateAllowedPath()`. Any bypass allows reading arbitrary files.
+
+2. **Process Spinning**: Every `execFile` call with user-controlled `cwd` is a potential vulnerability.
+
+3. **MCP Protocol**: The server accepts input from external MCP clients - assume all input is hostile.
+
+4. **Temporary Files**: Files written to user-controlled directories are symlink attack targets.
+
+5. **Workspace Enumeration**: Error messages should not leak valid workspace paths.

.claude/settings.local.json

@@ -15,7 +15,10 @@
       "mcp__code-search-mcp__search_ast_rule",
       "Bash(npm test:*)",
       "Skill(readme-generator)",
-      "Skill(repo-sweep)"
+      "Skill(repo-sweep)",
+      "Bash(gh pr view:*)",
+      "Bash(gh pr diff:*)",
+      "Bash(npx jest:*)"
     ],
     "deny": [],
     "ask": []

src/ast-search/ast-search-service.ts

@@ -22,6 +22,11 @@ import langYaml = require('@ast-grep/lang-yaml');
 import { promises as fs } from 'fs';
 import path from 'path';
 import fastGlob from 'fast-glob';
+import {
+  safeRegex,
+  MAX_AST_FILE_SIZE,
+  MAX_AST_RECURSION_DEPTH,
+} from '../utils/security.js';
 import type {
   ASTPatternSearchOptions,
   ASTRuleSearchOptions,
@@ -154,6 +159,28 @@ export class ASTSearchService {
     }
   }
 
+  /**
+   * Read file with size limit to prevent memory exhaustion.
+   * Throws if file exceeds maximum size.
+   */
+  private async readFileWithSizeLimit(filePath: string): Promise<string> {
+    const stats = await fs.stat(filePath);
+    if (stats.size > MAX_AST_FILE_SIZE) {
+      throw new Error(
+        `File ${path.basename(filePath)} exceeds size limit (${Math.round(stats.size / 1024 / 1024)}MB > ${Math.round(MAX_AST_FILE_SIZE / 1024 / 1024)}MB)`
+      );
+    }
+    return fs.readFile(filePath, 'utf-8');
+  }
+
+  /**
+   * Validate regex pattern for security (prevent ReDoS).
+   * Returns null if pattern is unsafe.
+   */
+  private validatePattern(pattern: string): RegExp | null {
+    return safeRegex(pattern);
+  }
+
   /**
    * Search using a simple pattern
    */
@@ -184,14 +211,19 @@ export class ASTSearchService {
     // Search each file
     for (const file of files) {
       try {
-        const content = await fs.readFile(file, 'utf-8');
+        const content = await this.readFileWithSizeLimit(file);
         const ast = parse(astLang, content);
         const root = ast.root();
 
-        // Find all matches
+        // Find all matches with iteration limit
         const nodes = root.findAll(options.pattern);
-
+        let matchCount = 0;
         for (const node of nodes) {
+          if (matchCount >= MAX_AST_RECURSION_DEPTH) {
+            break;
+          }
+          matchCount++;
+
           const range = node.range();
           const fullText = node.text();
           const { truncated, totalLines } = this.truncateText(fullText, options.maxLines ?? 3);
@@ -267,14 +299,19 @@ export class ASTSearchService {
     // Search each file
     for (const file of files) {
       try {
-        const content = await fs.readFile(file, 'utf-8');
+        const content = await this.readFileWithSizeLimit(file);
         const ast = parse(astLang, content);
         const root = ast.root();
 
-        // Apply rule
+        // Apply rule with iteration limit
         const nodes = this.applyRule(root, options.rule);
-
+        let matchCount = 0;
         for (const node of nodes) {
+          if (matchCount >= MAX_AST_RECURSION_DEPTH) {
+            break;
+          }
+          matchCount++;
+
           const range = node.range();
           const fullText = node.text();
           const { truncated, totalLines } = this.truncateText(fullText, options.maxLines ?? 3);

src/cache/cache-manager.ts

@@ -8,6 +8,7 @@ import path from 'path';
 import os from 'os';
 import type { SymbolIndex, SymbolResult, SupportedLanguage } from '../types/index.js';
 import { createHash } from 'crypto';
+import { CACHE_DIR_PERMISSIONS, CACHE_FILE_PERMISSIONS } from '../utils/security.js';
 
 const CACHE_VERSION = '1.0.0';
 const CACHE_DIR_NAME = '.code-search-mcp-cache';
@@ -55,15 +56,18 @@ export class CacheManager {
   }
 
   /**
-   * Initialize the cache directory.
+   * Initialize the cache directory with secure permissions.
    */
   async initialize(): Promise<void> {
     if (!this.enableCache) {
       return;
     }
 
     try {
-      await fs.mkdir(this.cacheDir, { recursive: true });
+      await fs.mkdir(this.cacheDir, {
+        recursive: true,
+        mode: CACHE_DIR_PERMISSIONS,
+      });
     } catch {
       this.enableCache = false;
     }
@@ -281,7 +285,11 @@ export class CacheManager {
       };
 
       const cacheFilePath = this.getCacheFilePath(workspaceId);
-      await fs.writeFile(cacheFilePath, JSON.stringify(cached, null, 2), 'utf-8');
+      await fs.writeFile(
+        cacheFilePath,
+        JSON.stringify(cached, null, 2),
+        { mode: CACHE_FILE_PERMISSIONS }
+      );
     } catch {
       // Don't throw - caching is optional
     }

src/symbol-search/ctags-integration.ts

@@ -6,19 +6,58 @@ import { execFile } from 'child_process';
 import { promisify } from 'util';
 import { promises as fs } from 'fs';
 import path from 'path';
+import os from 'os';
+import { createHash } from 'crypto';
 import { ctagsPath } from '@LLMTooling/universal-ctags-node';
 import type { CTagsTag, SupportedLanguage } from '../types/index.js';
+import { PROCESS_TIMEOUT } from '../utils/security.js';
 
 const execFileAsync = promisify(execFile);
 
+/**
+ * Generate a unique temp filename for ctags output.
+ * Uses a hash of the workspace path to ensure consistency.
+ */
+function getTagsFilePath(workspaceRoot: string): string {
+  const hash = createHash('sha256').update(workspaceRoot).digest('hex').substring(0, 16);
+  return path.join(os.tmpdir(), `code-search-tags-${hash}.tmp`);
+}
+
+/**
+ * Check if a file exists and is a symlink.
+ * Returns true if the path is a symlink.
+ */
+async function isSymlink(filePath: string): Promise<boolean> {
+  try {
+    const stats = await fs.lstat(filePath);
+    return stats.isSymbolicLink();
+  } catch {
+    return false;
+  }
+}
+
 /**
  * Run universal-ctags on a workspace directory.
+ * Uses a secure temporary file to prevent symlink attacks.
  */
 export async function runCTags(workspaceRoot: string): Promise<CTagsTag[]> {
-  // Create a temporary tags file path
-  const tagsFile = path.join(workspaceRoot, '.code-search-tags');
+  // Use system temp directory instead of workspace root to prevent symlink attacks
+  const tagsFile = getTagsFilePath(workspaceRoot);
 
   try {
+    // Ensure the tags file doesn't exist or is not a symlink (TOCTOU protection)
+    try {
+      const existingIsSymlink = await isSymlink(tagsFile);
+      if (existingIsSymlink) {
+        throw new Error('Security: Refusing to overwrite symlink at tags file location');
+      }
+    } catch (error) {
+      if ((error as NodeJS.ErrnoException).code !== 'ENOENT') {
+        throw error;
+      }
+      // File doesn't exist, which is fine
+    }
+
     // Run ctags with appropriate options
     const args = [
       '--languages=Java,Python,JavaScript,TypeScript,C#,Go,Rust,C,C++,PHP,Ruby,Kotlin',
@@ -34,6 +73,7 @@ export async function runCTags(workspaceRoot: string): Promise<CTagsTag[]> {
     await execFileAsync(ctagsPath, args, {
       cwd: workspaceRoot,
       maxBuffer: 50 * 1024 * 1024, // 50MB buffer for large projects
+      timeout: PROCESS_TIMEOUT, // Add timeout to prevent hangs
     });
 
     // Read and parse the tags file

src/symbol-search/symbol-search-service.ts

@@ -10,6 +10,7 @@ import type {
 } from '../types/index.js';
 import { SymbolIndexer } from './symbol-indexer.js';
 import { getDefaultKinds } from './language-profiles.js';
+import { safeRegex } from '../utils/security.js';
 
 export class SymbolSearchService {
   constructor(private indexer: SymbolIndexer) {}
@@ -86,13 +87,13 @@ export class SymbolSearchService {
       case 'substring':
         return symbolName.toLowerCase().includes(searchTerm.toLowerCase());
       case 'regex': {
-        try {
-          const regex = new RegExp(searchTerm);
+        // Use safeRegex to prevent ReDoS attacks
+        const regex = safeRegex(searchTerm);
+        if (regex) {
           return regex.test(symbolName);
-        } catch {
-          // Invalid regex, treat as literal substring
-          return symbolName.toLowerCase().includes(searchTerm.toLowerCase());
         }
+        // Invalid or unsafe regex, treat as literal substring
+        return symbolName.toLowerCase().includes(searchTerm.toLowerCase());
       }
       default: {
         const _exhaustive: never = mode;