Only the latest release on main is actively supported with security fixes.
| Version | Supported |
|---|---|
1.2.x (current) |
✅ Yes |
1.1.x |
|
< 1.1.0 |
❌ No |
Agentic RSS Parser was designed from v1.0.8 onwards with an explicit security-first stance.
The custom XML engine (src/core/parser.js) is a non-recursive, character-by-character state machine:
- No DOCTYPE / ENTITY expansion — both are silently ignored, making XXE (XML External Entity) attacks structurally impossible.
- No recursive descent — deeply nested XML trees do not cause stack overflows.
- Billion Laughs immune — without entity expansion, recursive entity references cannot amplify into memory exhaustion.
src/core/http.js enforces several protections on all outbound requests:
- Protocol allowlist — only
http:andhttps:are accepted.file://,javascript://,ftp://, and all other schemes are rejected before any network call (prevents SSRF and local file inclusion). - Redirect cap — maximum 5 redirects followed; subsequent redirects throw an error (prevents redirect-loop amplification).
- Timeout — all requests time out after 10 seconds by default (configurable via
options.timeout). - Response size cap — feed responses are hard-capped at 5 MB. The cap is checked against
Content-Length(fast path) and re-checked after buffering chunked responses, preventing OOM via large or malicious payloads. - User-Agent override — the
userAgentoption (v1.2.0+) allows callers to override the default UA. This is intentional and documented; it is not a security bypass. - Deployment note — for multi-tenant or user-supplied URL workflows, place this library behind your own proxy or allowlist layer. The package validates schemes and common private/loopback targets, but DNS-rebinding defenses belong at the deployment boundary where you control DNS resolution and egress policy.
src/adapters/provider.js sanitises all feed content before interpolating it into LLM prompts:
- ASCII control characters (
\x00–\x1Fexcluding space) are stripped. - Newlines are collapsed to spaces, preventing role-boundary injection sequences such as
\nAssistant: ignore all previous instructions. - Titles are capped at 500 characters; snippets at 2,000 characters; expanded context at 3,000 characters.
src/core/parser.js strips the following tags from contentSnippet during HTML-to-text extraction:
<script>, <style>, <iframe>, <object>, <embed>, <form>, <input>, <button>.
This mitigates XSS if contentSnippet is rendered as HTML by a downstream consumer.
- API key validation — explicit check before any network call. An empty or missing key throws a clear error rather than sending a blank
Bearertoken. - Provider allowlist —
SUPPORTED_PROVIDERSinprovider.jsandALLOWED_PROVIDERSinmcp/server.jsreject unknown provider strings before they reach env-var access or network dispatch. - Response size cap — LLM API responses are capped at 1 MB before parsing.
- API keys never logged — keys are read from env or config and forwarded only to the official provider endpoint. They are never written to disk, logs, or any secondary destination.
- Input validation — all
tools/callarguments are validated before use. A non-string or emptyurlreturns JSON-RPC-32602 Invalid params. - Provider allowlist enforced per call — an untrusted MCP caller cannot supply an arbitrary
providerstring to reach internal dispatch. - No persistent state across calls — each tool call is stateless; no session data is retained between requests.
- Zero runtime dependencies — the package has zero production dependencies. Reviewers can easily audit the entire runtime code surface.
socket.devfindings — outbound network calls and provider endpoint strings are intentional and documented. The code avoids direct environment-variable reads in the provider layer.- Network access is explicit — feed fetching and optional provider analysis require outbound HTTP requests by design. These are restricted to documented HTTP/HTTPS endpoints, validated before use, and capped for size and redirects.
- Threshold guidance — short feeds with little or no description text may need
fetchFullArticle: trueor a lowerthresholdto avoid over-filtering. The default threshold is intentionally conservative for technical feeds.
Please do not open a public GitHub issue for security vulnerabilities.
- Email security@bluecarbons.io with the subject line
[agentic-rss-parser] Security Vulnerability. - Include:
- A description of the vulnerability and its impact.
- Steps to reproduce or a proof-of-concept.
- The affected version(s).
- You will receive an acknowledgement within 48 hours and a patch timeline within 7 days.
- We follow coordinated disclosure: fixes are prepared and released before public disclosure.
- CVEs are filed where appropriate.
- The CHANGELOG.md documents all security fixes under a
### Securityheading with the exact file and line-level description of the fix.