Security Audit — Issue 13 of 15
Severity: Low
File: packages/server/src/routes/entities.ts:12
Description
Number('foo') yields NaN. The limit and offset query parameters are converted with Number() but never validated. SQLite with LIMIT NaN may throw or silently misbehave.
Verified
✅ Confirmed — direct Number() conversion without bounds or type checks. No validation middleware on numeric query params.
Suggested Fix
- Validate and clamp numeric params:
Math.max(1, Math.min(Number(limit) || 50, 1000))
- Or use Zod schema validation on the query parameters
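As an added example (not code from the audited project), the clamp suggested above carried through into a small parser that handles the cases `Number()` alone does not: the `NaN` case from the description ('foo'), `Infinity`, negative and fractional values, an absent parameter, and a repeated parameter that Express delivers as an array. The default of 50 and ceiling of 1000 are taken from the suggested clamp; the function and type names are assumptions.

```typescript
// Added example, not the project's own route code: parse and clamp the
// pagination query parameters before they reach a SQL LIMIT/OFFSET clause.

export interface Pagination {
  limit: number;
  offset: number;
}

const DEFAULT_LIMIT = 50;  // assumed default, matching the audit's suggested clamp
const MAX_LIMIT = 1000;    // assumed ceiling, matching the audit's suggested clamp

// Convert one raw query value to a non-negative integer, or return the fallback.
// Rejects NaN ('foo'), Infinity, negatives, fractions, arrays (?limit=1&limit=2)
// and missing/blank values instead of passing them through to the database.
function toNonNegativeInt(raw: unknown, fallback: number): number {
  if (typeof raw !== 'string' || raw.trim() === '') return fallback;
  const n = Number(raw);
  if (!Number.isFinite(n) || !Number.isInteger(n) || n < 0) return fallback;
  return n;
}

// Apply the audit's clamp: limit in [1, MAX_LIMIT], offset >= 0.
export function parsePagination(query: Record<string, unknown>): Pagination {
  const limit = Math.max(1, Math.min(toNonNegativeInt(query.limit, DEFAULT_LIMIT), MAX_LIMIT));
  const offset = Math.max(0, toNonNegativeInt(query.offset, 0));
  return { limit, offset };
}

// Emit the clause with bound parameters so the clamped integers stay values,
// never text interpolated into the statement.
export function limitClause(p: Pagination): { sql: string; params: number[] } {
  return { sql: 'LIMIT ? OFFSET ?', params: [p.limit, p.offset] };
}
```

`typeof raw !== 'string'` is what keeps the array case out: `Number(['1', '2'])` is `NaN`, but a single-element array would coerce to a number, so checking the type first is simpler than relying on the coercion result. The integer check is a design choice here so that a fractional `limit` never reaches SQLite at all.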
Source
From a community security review on Reddit:
https://www.reddit.com/r/ClaudeAI/comments/1rm4avi/built_an_mcp_server_that_gives_claude_code_access/