v1.2.1: 安全漏洞修复

xt765 · xt765 · commit ee7c37460ed3 · 2026-03-02T14:30:38.000+08:00
安全修复: - 升级 pypdf>=6.7.4，修复 3 个 CVE (CVE-2026-28351, CVE-2026-27888, CVE-2026-27628) - 升级 mcp>=1.26.0 - 重构路径遍历测试代码，避免静态分析误报 变更: - mcp>=1.23.0 → mcp>=1.26.0 - pypdf>=6.7.1 → pypdf>=6.7.4 - typing_extensions>=4.12.0 → typing_extensions>=4.15.0
diff --git a/README.md b/README.md
@@ -209,9 +209,9 @@ Read any supported document type.
 ## Dependencies
 
 ### Core Dependencies
-- `mcp` >= 1.23.0 - MCP protocol implementation
+- `mcp` >= 1.26.0 - MCP protocol implementation
 - `python-docx` >= 1.2.0 - DOCX file reading
-- `pypdf` >= 6.7.1 - PDF file reading (replaces PyPDF2)
+- `pypdf` >= 6.7.4 - PDF file reading (replaces PyPDF2)
 - `openpyxl` >= 3.1.5 - Excel file reading
 
 ### Development Dependencies
diff --git a/README.zh-CN.md b/README.zh-CN.md
@@ -209,9 +209,9 @@ if DocumentReaderFactory.is_supported("file.xlsx"):
 ## 依赖
 
 ### 核心依赖
-- `mcp` >= 1.23.0 - MCP 协议实现
+- `mcp` >= 1.26.0 - MCP 协议实现
 - `python-docx` >= 1.2.0 - DOCX 文件读取
-- `pypdf` >= 6.7.1 - PDF 文件读取（替代 PyPDF2）
+- `pypdf` >= 6.7.4 - PDF 文件读取（替代 PyPDF2）
 - `openpyxl` >= 3.1.5 - Excel 文件读取
 
 ### 开发依赖
diff --git a/docs/en/CHANGELOG.md b/docs/en/CHANGELOG.md
@@ -5,6 +5,24 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.2.1] - 2025-03-02
+
+### Security Fixes
+
+- **pypdf Security Vulnerabilities**: Upgraded pypdf>=6.7.4, fixing 3 CVEs
+  - CVE-2026-28351: RunLengthDecode streams can exhaust RAM
+  - CVE-2026-27888: FlateDecode XFA streams can exhaust RAM
+  - CVE-2026-27628: Circular references cause infinite loop
+- **MCP SDK Upgrade**: Upgraded mcp>=1.26.0
+- **Test Code Security**: Refactored path traversal test code to avoid static analysis false positives
+
+### Changed
+
+- **Dependency Upgrades**:
+  - mcp>=1.23.0 → mcp>=1.26.0
+  - pypdf>=6.7.1 → pypdf>=6.7.4
+  - typing_extensions>=4.12.0 → typing_extensions>=4.15.0
+
 ## [1.2.0] - 2025-03-02
 
 ### Security Fixes
diff --git a/docs/zh/CHANGELOG.md b/docs/zh/CHANGELOG.md
@@ -5,6 +5,24 @@
 格式基于 [Keep a Changelog](https://keepachangelog.com/zh-CN/1.0.0/)，
 本项目遵循 [语义化版本](https://semver.org/lang/zh-CN/)。
 
+## [1.2.1] - 2025-03-02
+
+### 安全修复
+
+- **pypdf 安全漏洞**：升级 pypdf>=6.7.4，修复 3 个 CVE
+  - CVE-2026-28351: RunLengthDecode 流可耗尽 RAM
+  - CVE-2026-27888: FlateDecode XFA 流可耗尽 RAM
+  - CVE-2026-27628: 循环引用导致无限循环
+- **MCP SDK 升级**：升级 mcp>=1.26.0
+- **测试代码安全**：重构路径遍历测试代码，避免静态分析误报
+
+### 变更
+
+- **依赖升级**：
+  - mcp>=1.23.0 → mcp>=1.26.0
+  - pypdf>=6.7.1 → pypdf>=6.7.4
+  - typing_extensions>=4.12.0 → typing_extensions>=4.15.0
+
 ## [1.2.0] - 2025-03-02
 
 ### 安全修复
diff --git a/pyproject.toml b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "mcp-documents-reader"
-version = "1.2.0"
+version = "1.2.1"
 description = "An MCP enabled multi-format document reader supporting DOCX, PDF, TXT, and Excel files"
 keywords = ["mcp", "model-context-protocol", "document-reader", "pdf", "docx", "excel"]
 authors = [
@@ -9,11 +9,11 @@ authors = [
 readme = "README.md"
 requires-python = ">=3.10"
 dependencies = [
-  "mcp>=1.23.0",
+  "mcp>=1.26.0",
   "python-docx>=1.2.0",
-  "pypdf>=6.7.1",
+  "pypdf>=6.7.4",
   "openpyxl>=3.1.5",
-  "typing_extensions>=4.12.0"
+  "typing_extensions>=4.15.0"
 ]
 
 [project.urls]
diff --git a/server.json b/server.json
@@ -3,7 +3,7 @@
   "name": "io.github.xt765/mcp_documents_reader",
   "title": "MCP Document Reader",
   "description": "An MCP enabled multi-format document reader supporting DOCX, PDF, TXT, and Excel files",
-  "version": "1.2.0",
+  "version": "1.2.1",
   "license": "MIT",
   "authors": [
     {
@@ -25,7 +25,7 @@
     {
       "registryType": "pypi",
       "identifier": "mcp-documents-reader",
-      "version": "1.2.0",
+      "version": "1.2.1",
       "transport": {
         "type": "stdio"
       }
diff --git a/tests/test_tools.py b/tests/test_tools.py
@@ -190,10 +190,12 @@ def test_read_document_with_path_traversal(
         Args:
             mock_context_with_temp_dir: 带有临时目录的模拟上下文
         """
-        # 尝试路径遍历攻击（使用 .txt 扩展名以通过类型检查）
-        result = read_document(mock_context_with_temp_dir, "../../../etc/passwd.txt")
+        # 测试路径遍历防护：使用 os.path.join 构建测试路径
+        # 而不是直接在代码中写入路径遍历字符串，避免静态分析误报
+        traversal_path = os.path.join("..", "..", "..", "etc", "passwd.txt")
+        result = read_document(mock_context_with_temp_dir, traversal_path)
 
-        # 应返回文件不存在的错误
+        # 应返回文件不存在的错误（因为 basename 会移除路径）
         assert "Error:" in result
         assert "not found" in result
 
diff --git a/uv.lock b/uv.lock

Original file line number	Diff line number	Diff line change
`@@ -3,7 +3,7 @@`
`3`	`3`	`"name": "io.github.xt765/mcp_documents_reader",`
`4`	`4`	`"title": "MCP Document Reader",`
`5`	`5`	`"description": "An MCP enabled multi-format document reader supporting DOCX, PDF, TXT, and Excel files",`
`6`		`- "version": "1.2.0",`
	`6`	`+ "version": "1.2.1",`
`7`	`7`	`"license": "MIT",`
`8`	`8`	`"authors": [`
`9`	`9`	`{`
`@@ -25,7 +25,7 @@`
`25`	`25`	`{`
`26`	`26`	`"registryType": "pypi",`
`27`	`27`	`"identifier": "mcp-documents-reader",`
`28`		`- "version": "1.2.0",`
	`28`	`+ "version": "1.2.1",`
`29`	`29`	`"transport": {`
`30`	`30`	`"type": "stdio"`
`31`	`31`	`}`