github · ref-tools-mcpHEAD

User-controlled value printed to terminal without ANSI escape sanitization. Malicious input can inject cursor-control sequences, rewrite earlier output, or hide shell commands from the operator.

await transport.handleRequest(req, res, body)

          } else if (req.method === 'DELETE') {

            console.log('DELETE request', transports[req.headers['mcp-session-id'] as string])

            const sessionId = req.headers['mcp-session-id'] as string | undefined

            if (sessionId && transports[sessionId]) {

              await transports[sessionId].close()

User-controlled value printed to terminal without ANSI escape sanitization. Malicious input can inject cursor-control sequences, rewrite earlier output, or hide shell commands from the operator.

res.end('Not found')

        }

      } catch (error) {

        console.error('Error handling request:', error)

        if (!res.headersSent) {

          res.writeHead(500)

          res.end('Internal Server Error')

User-controlled value printed to terminal without ANSI escape sanitization. Malicious input can inject cursor-control sequences, rewrite earlier output, or hide shell commands from the operator.

userAgent.split('/')[0] ||

            'unknown'

          console.error('MCP REQUEST', {

            headers: req.headers,

            method: req.method,

            url: req.url,

            sessionId,

            mcpClient,

          })

          // Extract config from base64-encoded JSON parameter for Smithery compatibility

          const fullUrl = new URL(req.url || '', `http://${req.headers.host}`)

User-controlled value printed to terminal without ANSI escape sanitization. Malicious input can inject cursor-control sequences, rewrite earlier output, or hide shell commands from the operator.

server.setRequestHandler(CallToolRequestSchema, async (request) => {

    if (request.params.name === toolConfig.searchToolName) {

      console.error('[search_documentation] arguments', request.params.arguments)

      const input = request.params.arguments as {

        query: string

      }

Network / IO / subprocess call without an explicit timeout. A malicious or hung upstream (HTTP host, socket peer, child process) can pin threads, exhaust connection/process pools, and make the MCP server unresponsive. Always pass a bounded timeout. v2 extends v1 with subprocess coverage (R03 from the legacy readiness audit).

For repeated similar searches in a session, Ref will never return repeated results. Traditionally, you dig farther in to search results by paging to the next result but this approach allows the agent to page AND adjust the prompt at the same time.

### 2. Fetching the part of the page that matters

When reading a page of documentation, Ref will use the agent's session search history to dropout less relevant sections and return the most relevant 5k tokens. This helps Ref avoid a big problem with s

Network / IO / subprocess call without an explicit timeout. A malicious or hung upstream (HTTP host, socket peer, child process) can pin threads, exhaust connection/process pools, and make the MCP server unresponsive. Always pass a bounded timeout. v2 extends v1 with subprocess coverage (R03 from the legacy readiness audit).

```

ref_search_documentation(query) -> search(query)

ref_read_url(url) -> fetch(id)

```

## Development

Dockerfile never sets a non-root `USER` directive, so the CMD runs as root by default. Any RCE or library-level vulnerability exploited inside this container gets full privileges (MCP Top-10 R3). Add `USER <non-root>` before CMD / ENTRYPOINT in the final stage — e.g. `USER 1000`, `USER nobody`, or `USER nonroot` on distroless.

# Generated by https://smithery.ai. See: https://smithery.ai/docs/build/project-config

# syntax=docker/dockerfile:1

FROM node:lts-alpine AS builder

WORKDIR /app

# Install dependencies and build

COPY package.json package-lock.json tsconfig.json .

RUN npm ci --ignore-scripts

COPY index.ts .

RUN npm run build

# Runtime stage

FROM node:lts-alpine

WORKDIR /app

# Copy runtime dependencies

COPY package.json package-lock.json .

RUN npm ci --production --ignore-scripts

# Copy built files

COPY --from

GitHub Actions `uses:` reference is not pinned to a 40-character commit SHA. Tags (`@v4`) and branches (`@main`) are mutable — a compromised maintainer or a tag rewrite can substitute malicious code into your CI pipeline silently. Pin to a SHA: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab`. For readability, include the version as a trailing comment: `# v4.1.1`. Tools like `pinact` / `ratchet` automate this. Allowed unpinned forms (excluded by the rule): - Local actions `.

jq --arg v "$VERSION" '.version = $v' manifest.json > manifest.tmp.json

          mv manifest.tmp.json manifest.json

      - uses: NimbleBrainInc/mcpb-pack@v2

        with:

          output: "{name}-{version}-${{ matrix.os }}-${{ matrix.arch }}.mcpb"

GitHub Actions `uses:` reference is not pinned to a 40-character commit SHA. Tags (`@v4`) and branches (`@main`) are mutable — a compromised maintainer or a tag rewrite can substitute malicious code into your CI pipeline silently. Pin to a SHA: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab`. For readability, include the version as a trailing comment: `# v4.1.1`. Tools like `pinact` / `ratchet` automate this. Allowed unpinned forms (excluded by the rule): - Local actions `.

arch: arm64

            runner: macos-latest

    steps:

      - uses: actions/checkout@v4

      - name: Setup Node.js

        uses: actions/setup-node@v4

GitHub Actions `uses:` reference is not pinned to a 40-character commit SHA. Tags (`@v4`) and branches (`@main`) are mutable — a compromised maintainer or a tag rewrite can substitute malicious code into your CI pipeline silently. Pin to a SHA: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab`. For readability, include the version as a trailing comment: `# v4.1.1`. Tools like `pinact` / `ratchet` automate this. Allowed unpinned forms (excluded by the rule): - Local actions `.

- uses: actions/checkout@v4

      - name: Setup Node.js

        uses: actions/setup-node@v4

        with:

          node-version: '22'