Enhance security: Add protections for sensitive data in git and npm

Maxim Titovich · Maxim Titovich · commit bccddb48d6bf · 2025-03-07T13:54:48.000+01:00
diff --git a/.gitignore b/.gitignore
@@ -1,7 +1,33 @@
+# Dependencies
 node_modules/
+
+# Build outputs
 build/
 dist/
 lib/
+
+# Development and backups
 backup/
-.env
+.vscode/
+.idea/
 *.log
+logs/
+*.swp
+.DS_Store
+
+# Environment and secrets
+.env
+.env.*
+!.env.example
+*.pem
+*.key
+*.crt
+
+# Temp files
+tmp/
+temp/
+.cache/
+
+# npm package files
+*.tgz
+.npm
diff --git a/.npmignore b/.npmignore
@@ -1,16 +1,48 @@
+# Source files
+src/
+tests/
+.typescript/
+tsconfig.json
+*.map
+
 # Development files
-.env
-.env.example
 .git
+.github
 .gitignore
+.prettierrc.json
+.prettierignore
+.eslintrc.json
+.eslintignore
 .vscode
+.idea
+.editorconfig
+
+# CI/CD
+.travis.yml
+.gitlab-ci.yml
+.github/
+.circleci/
+
+# Docs and examples
+docs/
+examples/
+*.md
+!README.md
+
+# Environment and secrets
+.env
+.env.*
+!.env.example
+*.pem
+*.key
+*.crt
+
+# Logs and backups
+logs/
+*.log
+backup/
 .DS_Store
-# Test files
-test-*.js
-*.test.js
-# Server files
-server.js
-mcp-handler.js
-cursor-client-example.js
+*.swp
+
 # Node modules
-node_modules
+node_modules/
diff --git a/package.json b/package.json
@@ -10,15 +10,17 @@
   },
   "files": [
     "build",
-    "README.md"
+    "README.md",
+    ".env.example"
   ],
   "scripts": {
     "start": "node build/index.js",
     "dev": "tsc -w",
     "test-connection": "node build/test-connection.js",
     "sse-server": "node build/sse-server.js",
     "build": "npm run format && tsc && node -e \"require('fs').chmodSync('build/index.js', '755') && require('fs').chmodSync('build/sse-server.js', '755')\"",
-    "prepublishOnly": "npm run check && npm run build",
+    "prepublishOnly": "npm run check && npm run build && npm run security-check",
+    "security-check": "node security-check.js",
     "lint": "eslint . --ext .ts",
     "lint:fix": "eslint . --ext .ts --fix",
     "format": "prettier --write \"src/**/*.ts\"",
@@ -59,10 +61,10 @@
   },
   "repository": {
     "type": "git",
-    "url": "git+https://github.com/yourusername/cursor-azure-devops-mcp.git"
+    "url": "git+https://github.com/maximtitovich/cursor-azure-devops-mcp.git"
   },
   "bugs": {
-    "url": "https://github.com/yourusername/cursor-azure-devops-mcp/issues"
+    "url": "https://github.com/maximtitovich/cursor-azure-devops-mcp/issues"
   },
-  "homepage": "https://github.com/yourusername/cursor-azure-devops-mcp#readme"
+  "homepage": "https://github.com/maximtitovich/cursor-azure-devops-mcp#readme"
 }
diff --git a/security-check.js b/security-check.js
@@ -0,0 +1,76 @@
+#!/usr/bin/env node
+
+/**
+ * Script to check for sensitive files that should not be committed
+ * Run this before committing or as part of a pre-commit hook
+ */
+
+import fs from 'fs';
+import { execSync } from 'child_process';
+
+// Files that should never be committed
+const SENSITIVE_FILES = [
+  '.env',
+  '.env.local',
+  '.env.development',
+  '.env.production',
+  '.env.test',
+  'credentials.json',
+  'secrets.json',
+  'token.json',
+  'keys.json',
+  '*.pem',
+  '*.key',
+  '*.crt',
+  '*.pfx',
+  '*.p12'
+];
+
+console.log('Running security check...');
+
+// Check for sensitive files in the git working directory
+let filesFound = false;
+
+for (const pattern of SENSITIVE_FILES) {
+  // Skip glob patterns
+  if (pattern.includes('*')) continue;
+  
+  // Check if file exists and is not ignored by git
+  if (fs.existsSync(pattern)) {
+    try {
+      // Check if file is already ignored by git
+      execSync(`git check-ignore -q ${pattern}`);
+    } catch (error) {
+      // File exists and is not ignored
+      console.error(`❌ Error: Sensitive file "${pattern}" found and is not ignored by git.`);
+      filesFound = true;
+    }
+  }
+}
+
+// Check for pattern matches (like *.pem files)
+try {
+  const allFiles = execSync('git ls-files').toString().split('\n').filter(Boolean);
+  
+  for (const file of allFiles) {
+    for (const pattern of SENSITIVE_FILES) {
+      if (pattern.includes('*')) {
+        const regex = new RegExp(pattern.replace('.', '\\.').replace('*', '.*'));
+        if (regex.test(file)) {
+          console.error(`❌ Error: Sensitive file "${file}" matching pattern "${pattern}" is tracked by git.`);
+          filesFound = true;
+        }
+      }
+    }
+  }
+} catch (error) {
+  console.error('❌ Error checking git files:', error.message);
+}
+
+if (filesFound) {
+  console.error('❌ Security check failed. Please remove the sensitive files or add them to .gitignore.');
+  process.exit(1);
+} else {
+  console.log('✅ Security check passed. No sensitive files detected.');
+  process.exit(0);
+} 
