Merge branch 'main' into MCP-199

Author: jeroenvervaeke

README.md

@@ -47,7 +47,9 @@ node -v
 
 ### Quick Start
 
-**Note:** When using Atlas API credentials, be sure to assign only the minimum required permissions to your service account. See [Atlas API Permissions](#atlas-api-permissions) for details.
+> **🔒 Security Recommendation 1:** When using Atlas API credentials, be sure to assign only the minimum required permissions to your service account. See [Atlas API Permissions](#atlas-api-permissions) for details.
+
+> **🔒 Security Recommendation 2:** For enhanced security, we strongly recommend using environment variables to pass sensitive configuration such as connection strings and API credentials instead of command line arguments. Command line arguments can be visible in process lists and logged in various system locations, potentially exposing your secrets. Environment variables provide a more secure way to handle sensitive information.
 
 Most MCP clients require a configuration file to be created or modified to add the MCP server.
 
@@ -60,30 +62,27 @@ Note: The configuration file syntax can be different across clients. Please refe
 
 > **Default Safety Notice:** All examples below include `--readOnly` by default to ensure safe, read-only access to your data. Remove `--readOnly` if you need to enable write operations.
 
-#### Option 1: Connection String args
+#### Option 1: Connection String
 
-You can pass your connection string via args, make sure to use a valid username and password.
+You can pass your connection string via environment variables, make sure to use a valid username and password.
 
 ```json
 {
   "mcpServers": {
     "MongoDB": {
       "command": "npx",
-      "args": [
-        "-y",
-        "mongodb-mcp-server",
-        "--connectionString",
-        "mongodb://localhost:27017/myDatabase",
-        "--readOnly"
-      ]
+      "args": ["-y", "mongodb-mcp-server@latest", "--readOnly"],
+      "env": {
+        "MDB_MCP_CONNECTION_STRING": "mongodb://localhost:27017/myDatabase"
+      }
     }
   }
 }
 ```
 
 NOTE: The connection string can be configured to connect to any MongoDB cluster, whether it's a local instance or an Atlas cluster.
 
-#### Option 2: Atlas API credentials args
+#### Option 2: Atlas API Credentials
 
 Use your Atlas API Service Accounts credentials. Must follow all the steps in [Atlas API Access](#atlas-api-access) section.
 
@@ -92,43 +91,37 @@ Use your Atlas API Service Accounts credentials. Must follow all the steps in [A
   "mcpServers": {
     "MongoDB": {
       "command": "npx",
-      "args": [
-        "-y",
-        "mongodb-mcp-server",
-        "--apiClientId",
-        "your-atlas-service-accounts-client-id",
-        "--apiClientSecret",
-        "your-atlas-service-accounts-client-secret",
-        "--readOnly"
-      ]
+      "args": ["-y", "mongodb-mcp-server@latest", "--readOnly"],
+      "env": {
+        "MDB_MCP_API_CLIENT_ID": "your-atlas-service-accounts-client-id",
+        "MDB_MCP_API_CLIENT_SECRET": "your-atlas-service-accounts-client-secret"
+      }
     }
   }
 }
 ```
 
-#### Option 3: Standalone Service using command arguments
+#### Option 3: Standalone Service using environment variables and command line arguments
 
-Start Server using npx command:
+You can source environment variables defined in a config file or explicitly set them like we do in the example below and run the server via npx.
 
 ```shell
- npx -y mongodb-mcp-server@latest --apiClientId="your-atlas-service-accounts-client-id" --apiClientSecret="your-atlas-service-accounts-client-secret" --readOnly
-```
-
-- For a complete list of arguments see [Configuration Options](#configuration-options)
-- To configure your Atlas Service Accounts credentials please refer to [Atlas API Access](#atlas-api-access)
-
-#### Option 4: Standalone Service using environment variables
+# Set your credentials as environment variables first
+export MDB_MCP_API_CLIENT_ID="your-atlas-service-accounts-client-id"
+export MDB_MCP_API_CLIENT_SECRET="your-atlas-service-accounts-client-secret"
 
-```shell
- npx -y mongodb-mcp-server@latest --readOnly
+# Then start the server
+npx -y mongodb-mcp-server@latest --readOnly
 ```
 
-You can use environment variables in the config file or set them and run the server via npx.
+> **💡 Platform Note:** The examples above use Unix/Linux/macOS syntax. For Windows users, see [Environment Variables](#environment-variables) for platform-specific instructions.
 
+- For a complete list of configuration options see [Configuration Options](#configuration-options)
+- To configure your Atlas Service Accounts credentials please refer to [Atlas API Access](#atlas-api-access)
 - Connection String via environment variables in the MCP file [example](#connection-string-with-environment-variables)
 - Atlas API credentials via environment variables in the MCP file [example](#atlas-api-credentials-with-environment-variables)
 
-#### Option 5: Using Docker
+#### Option 4: Using Docker
 
 You can run the MongoDB MCP Server in a Docker container, which provides isolation and doesn't require a local Node.js installation.
 
@@ -146,22 +139,35 @@ docker run --rm -i \
 ##### Option B: With MongoDB connection string
 
 ```shell
+# Set your credentials as environment variables first
+export MDB_MCP_CONNECTION_STRING="mongodb+srv://username:[email protected]/myDatabase"
+
+# Then start the docker container
 docker run --rm -i \
-  -e MDB_MCP_CONNECTION_STRING="mongodb+srv://username:[email protected]/myDatabase" \
+  -e MDB_MCP_CONNECTION_STRING \
   -e MDB_MCP_READ_ONLY="true" \
   mongodb/mongodb-mcp-server:latest
 ```
 
+> **💡 Platform Note:** The examples above use Unix/Linux/macOS syntax. For Windows users, see [Environment Variables](#environment-variables) for platform-specific instructions.
+
 ##### Option C: With Atlas API credentials
 
 ```shell
+# Set your credentials as environment variables first
+export MDB_MCP_API_CLIENT_ID="your-atlas-service-accounts-client-id"
+export MDB_MCP_API_CLIENT_SECRET="your-atlas-service-accounts-client-secret"
+
+# Then start the docker container
 docker run --rm -i \
-  -e MDB_MCP_API_CLIENT_ID="your-atlas-service-accounts-client-id" \
-  -e MDB_MCP_API_CLIENT_SECRET="your-atlas-service-accounts-client-secret" \
+  -e MDB_MCP_API_CLIENT_ID \
+  -e MDB_MCP_API_CLIENT_SECRET \
   -e MDB_MCP_READ_ONLY="true" \
   mongodb/mongodb-mcp-server:latest
 ```
 
+> **💡 Platform Note:** The examples above use Unix/Linux/macOS syntax. For Windows users, see [Environment Variables](#environment-variables) for platform-specific instructions.
+
 ##### Docker in MCP Configuration File
 
 Without options:
@@ -196,11 +202,14 @@ With connection string:
         "--rm",
         "-i",
         "-e",
-        "MDB_MCP_CONNECTION_STRING=mongodb+srv://username:[email protected]/myDatabase",
+        "MDB_MCP_CONNECTION_STRING",
         "-e",
         "MDB_MCP_READ_ONLY=true",
         "mongodb/mongodb-mcp-server:latest"
-      ]
+      ],
+      "env": {
+        "MDB_MCP_CONNECTION_STRING": "mongodb+srv://username:[email protected]/myDatabase"
+      }
     }
   }
 }
@@ -220,17 +229,21 @@ With Atlas API credentials:
         "-e",
         "MDB_MCP_READ_ONLY=true",
         "-e",
-        "MDB_MCP_API_CLIENT_ID=your-atlas-service-accounts-client-id",
+        "MDB_MCP_API_CLIENT_ID",
         "-e",
-        "MDB_MCP_API_CLIENT_SECRET=your-atlas-service-accounts-client-secret",
+        "MDB_MCP_API_CLIENT_SECRET",
         "mongodb/mongodb-mcp-server:latest"
-      ]
+      ],
+      "env": {
+        "MDB_MCP_API_CLIENT_ID": "your-atlas-service-accounts-client-id",
+        "MDB_MCP_API_CLIENT_SECRET": "your-atlas-service-accounts-client-secret"
+      }
     }
   }
 }
 ```
 
-#### Option 6: Running as an HTTP Server
+#### Option 5: Running as an HTTP Server
 
 > **⚠️ Security Notice:** This server now supports Streamable HTTP transport for remote connections. **HTTP transport is NOT recommended for production use without implementing proper authentication and security measures.**
 
@@ -316,6 +329,8 @@ NOTE: atlas tools are only available when you set credentials on [configuration]
 
 ## Configuration
 
+> **🔒 Security Best Practice:** We strongly recommend using environment variables for sensitive configuration such as API credentials (`MDB_MCP_API_CLIENT_ID`, `MDB_MCP_API_CLIENT_SECRET`) and connection strings (`MDB_MCP_CONNECTION_STRING`) instead of command-line arguments. Environment variables are not visible in process lists and provide better security for your sensitive data.
+
 The MongoDB MCP Server can be configured using multiple methods, with the following precedence (highest to lowest):
 
 1. Command-line arguments
@@ -362,6 +377,8 @@ You can combine multiple loggers, e.g. `--loggers disk stderr` or `export MDB_MC
 export MDB_MCP_LOGGERS="disk,stderr"
 ```
 
+> **💡 Platform Note:** For Windows users, see [Environment Variables](#environment-variables) for platform-specific instructions.
+
 ##### Example: Set logger via command-line argument
 
 ```shell
@@ -412,6 +429,8 @@ You can enable read-only mode using:
 - **Environment variable**: `export MDB_MCP_READ_ONLY=true`
 - **Command-line argument**: `--readOnly`
 
+> **💡 Platform Note:** For Windows users, see [Environment Variables](#environment-variables) for platform-specific instructions.
+
 When read-only mode is active, you'll see a message in the server logs indicating which tools were prevented from registering due to this restriction.
 
 #### Index Check Mode
@@ -425,6 +444,8 @@ You can enable index check mode using:
 - **Environment variable**: `export MDB_MCP_INDEX_CHECK=true`
 - **Command-line argument**: `--indexCheck`
 
+> **💡 Platform Note:** For Windows users, see [Environment Variables](#environment-variables) for platform-specific instructions.
+
 When index check mode is active, you'll see an error message if a query is rejected due to not using an index.
 
 #### Exports
@@ -448,6 +469,8 @@ You can disable telemetry using:
 - **Command-line argument**: `--telemetry disabled`
 - **DO_NOT_TRACK environment variable**: `export DO_NOT_TRACK=1`
 
+> **💡 Platform Note:** For Windows users, see [Environment Variables](#environment-variables) for platform-specific instructions.
+
 ### Atlas API Access
 
 To use the Atlas API tools, you'll need to create a service account in MongoDB Atlas:
@@ -501,16 +524,43 @@ For a full list of roles and their privileges, see the [Atlas User Roles documen
 
 Set environment variables with the prefix `MDB_MCP_` followed by the option name in uppercase with underscores:
 
-```shell
+**Linux/macOS (bash/zsh):**
+
+```bash
 # Set Atlas API credentials (via Service Accounts)
 export MDB_MCP_API_CLIENT_ID="your-atlas-service-accounts-client-id"
 export MDB_MCP_API_CLIENT_SECRET="your-atlas-service-accounts-client-secret"
 
 # Set a custom MongoDB connection string
 export MDB_MCP_CONNECTION_STRING="mongodb+srv://username:[email protected]/myDatabase"
 
+# Set log path
 export MDB_MCP_LOG_PATH="/path/to/logs"
+```
 
+**Windows Command Prompt (cmd):**
+
+```cmd
+set "MDB_MCP_API_CLIENT_ID=your-atlas-service-accounts-client-id"
+set "MDB_MCP_API_CLIENT_SECRET=your-atlas-service-accounts-client-secret"
+
+set "MDB_MCP_CONNECTION_STRING=mongodb+srv://username:[email protected]/myDatabase"
+
+set "MDB_MCP_LOG_PATH=C:\path\to\logs"
+```
+
+**Windows PowerShell:**
+
+```powershell
+# Set Atlas API credentials (via Service Accounts)
+$env:MDB_MCP_API_CLIENT_ID="your-atlas-service-accounts-client-id"
+$env:MDB_MCP_API_CLIENT_SECRET="your-atlas-service-accounts-client-secret"
+
+# Set a custom MongoDB connection string
+$env:MDB_MCP_CONNECTION_STRING="mongodb+srv://username:[email protected]/myDatabase"
+
+# Set log path
+$env:MDB_MCP_LOG_PATH="C:\path\to\logs"
 ```
 
 #### MCP configuration file examples
@@ -552,14 +602,26 @@ export MDB_MCP_LOG_PATH="/path/to/logs"
 
 Pass configuration options as command-line arguments when starting the server:
 
+> **🔒 Security Note:** For sensitive configuration like API credentials and connection strings, use environment variables instead of command-line arguments.
+
 ```shell
-npx -y mongodb-mcp-server@latest --apiClientId="your-atlas-service-accounts-client-id" --apiClientSecret="your-atlas-service-accounts-client-secret" --connectionString="mongodb+srv://username:[email protected]/myDatabase" --logPath=/path/to/logs --readOnly --indexCheck
+# Set sensitive data as environment variable
+export MDB_MCP_API_CLIENT_ID="your-atlas-service-accounts-client-id"
+export MDB_MCP_API_CLIENT_SECRET="your-atlas-service-accounts-client-secret"
+export MDB_MCP_CONNECTION_STRING="mongodb+srv://username:[email protected]/myDatabase"
+
+# Start the server with command line arguments
+npx -y mongodb-mcp-server@latest --logPath=/path/to/logs --readOnly --indexCheck
 ```
 
+> **💡 Platform Note:** The examples above use Unix/Linux/macOS syntax. For Windows users, see [Environment Variables](#environment-variables) for platform-specific instructions.
+
 #### MCP configuration file examples
 
 ##### Connection String with command-line arguments
 
+> **🔒 Security Note:** We do not recommend passing connection string as command line argument. Connection string might contain credentials which can be visible in process lists and logged in various system locations, potentially exposing your credentials. Instead configure [connection string through environment variables](#connection-string-with-environment-variables)
+
 ```json
 {
   "mcpServers": {
@@ -579,6 +641,8 @@ npx -y mongodb-mcp-server@latest --apiClientId="your-atlas-service-accounts-clie
 
 ##### Atlas API credentials with command-line arguments
 
+> **🔒 Security Note:** We do not recommend passing Atlas API credentials as command line argument. The provided credentials can be visible in process lists and logged in various system locations, potentially exposing your credentials. Instead configure [Atlas API credentials through environment variables](#atlas-api-credentials-with-environment-variables)
+
 ```json
 {
   "mcpServers": {

src/common/exportsManager.ts

@@ -127,7 +127,7 @@ export class ExportsManager extends EventEmitter<ExportsManagerEvents> {
     public async readExport(exportName: string): Promise<string> {
         try {
             this.assertIsNotShuttingDown();
-            exportName = decodeURIComponent(exportName);
+            exportName = decodeAndNormalize(exportName);
             const exportHandle = this.storedExports[exportName];
             if (!exportHandle) {
                 throw new Error("Requested export has either expired or does not exist.");
@@ -163,7 +163,7 @@ export class ExportsManager extends EventEmitter<ExportsManagerEvents> {
     }): Promise<AvailableExport> {
         try {
             this.assertIsNotShuttingDown();
-            const exportNameWithExtension = validateExportName(ensureExtension(exportName, "json"));
+            const exportNameWithExtension = decodeAndNormalize(ensureExtension(exportName, "json"));
             if (this.storedExports[exportNameWithExtension]) {
                 return Promise.reject(
                     new Error("Export with same name is either already available or being generated.")
@@ -363,6 +363,10 @@ export class ExportsManager extends EventEmitter<ExportsManagerEvents> {
     }
 }
 
+export function decodeAndNormalize(text: string): string {
+    return decodeURIComponent(text).normalize("NFKC");
+}
+
 /**
  * Ensures the path ends with the provided extension */
 export function ensureExtension(pathOrName: string, extension: string): string {
@@ -373,22 +377,6 @@ export function ensureExtension(pathOrName: string, extension: string): string {
     return `${pathOrName}${extWithDot}`;
 }
 
-/**
- * Small utility to decoding and validating provided export name for path
- * traversal or no extension */
-export function validateExportName(nameWithExtension: string): string {
-    const decodedName = decodeURIComponent(nameWithExtension);
-    if (!path.extname(decodedName)) {
-        throw new Error("Provided export name has no extension");
-    }
-
-    if (decodedName.includes("..") || decodedName.includes("/") || decodedName.includes("\\")) {
-        throw new Error("Invalid export name: path traversal hinted");
-    }
-
-    return decodedName;
-}
-
 export function isExportExpired(createdAt: number, exportTimeoutMs: number): boolean {
     return Date.now() - createdAt > exportTimeoutMs;
 }

src/resources/common/exportedData.ts

@@ -72,7 +72,12 @@ export class ExportedData {
     private autoCompleteExportName: CompleteResourceTemplateCallback = (value) => {
         try {
             return this.session.exportsManager.availableExports
-                .filter(({ exportName }) => exportName.startsWith(value))
+                .filter(({ exportName, exportTitle }) => {
+                    const lcExportName = exportName.toLowerCase();
+                    const lcExportTitle = exportTitle.toLowerCase();
+                    const lcValue = value.toLowerCase();
+                    return lcExportName.startsWith(lcValue) || lcExportTitle.includes(lcValue);
+                })
                 .map(({ exportName }) => exportName);
         } catch (error) {
             this.session.logger.error({