limit uris to http(s): & data:

Author: ochafik

mcp-server/src/services/mcp.ts

@@ -653,8 +653,12 @@ export const createMcpServer = (): McpServerWrapper => {
       const { files, outputType } = ZipResourcesInputSchema.parse(args);
       const zip = new JSZip();
 
-      for (const [fileName, fileUrl] of Object.entries(files)) {
+      for (const [fileName, fileUrlString] of Object.entries(files)) {
         try {
+          const fileUrl = new URL(fileUrlString);
+          if (fileUrl.protocol !== 'http:' && fileUrl.protocol !== 'https:' && fileUrl.protocol !== 'data:') {
+            throw new Error(`Unsupported URL protocol for ${fileUrlString}. Only http, https, and data URLs are supported.`);
+          }
           const response = await fetch(fileUrl);
           if (!response.ok) {
             throw new Error(