v1.2.0: 安全漏洞修复与文档更新

安全修复:
- 升级 mcp>=1.23.0，修复 3 个高危 CVE (CVE-2025-53365, CVE-2025-53366, CVE-2025-66416)
- 替换 PyPDF2 为 pypdf>=6.7.1，修复 CVE-2023-36464
- 添加路径遍历防护，防止任意文件读取攻击
- 错误信息脱敏，移除完整路径泄露

新增:
- 添加 project.urls 链接到 GitHub 仓库

变更:
- 升级 python-docx>=1.2.0
- 升级 openpyxl>=3.1.5
- CI/CD 迁移到 uv
- 更新所有文档的依赖版本说明

Author: xt765

.github/workflows/ci.yml

@@ -17,40 +17,30 @@ jobs:
     steps:
     - uses: actions/checkout@v4
 
-    - name: Set up Python ${{ matrix.python-version }}
-      uses: actions/setup-python@v5
+    - name: Install uv
+      uses: astral-sh/setup-uv@v4
       with:
         python-version: ${{ matrix.python-version }}
 
-    - name: Cache pip dependencies
-      uses: actions/cache@v4
+    - name: Set up Python ${{ matrix.python-version }}
+      uses: actions/setup-python@v5
       with:
-        path: ~/.cache/pip
-        key: ${{ runner.os }}-pip-${{ matrix.python-version }}-${{ hashFiles('pyproject.toml') }}
-        restore-keys: |
-          ${{ runner.os }}-pip-${{ matrix.python-version }}-
-          ${{ runner.os }}-pip-
+        python-version: ${{ matrix.python-version }}
 
     - name: Install dependencies
-      run: |
-        python -m pip install --upgrade pip
-        pip install -e .[dev]
+      run: uv sync --all-extras
 
     - name: Lint with Ruff
-      run: |
-        ruff check mcp_documents_reader.py tests
+      run: uv run ruff check mcp_documents_reader.py tests
 
     - name: Check formatting with Ruff
-      run: |
-        ruff format --check mcp_documents_reader.py tests
+      run: uv run ruff format --check mcp_documents_reader.py tests
 
     - name: Type check with Basedpyright
-      run: |
-        basedpyright mcp_documents_reader.py
+      run: uv run basedpyright mcp_documents_reader.py
 
     - name: Test with pytest
-      run: |
-        pytest --cov-report=xml
+      run: uv run pytest --cov-report=xml
 
     - name: Upload coverage to Codecov
       uses: codecov/codecov-action@v5

.github/workflows/release.yml

@@ -11,7 +11,7 @@ on:
         default: 'false'
         type: boolean
       version:
-        description: 'Version to publish (e.g., 1.1.0, required when skip_pypi is true)'
+        description: 'Version to publish (e.g., 1.2.0, required when skip_pypi is true)'
         required: false
         type: string
 
@@ -25,36 +25,30 @@ jobs:
     steps:
     - uses: actions/checkout@v4
 
-    - name: Set up Python ${{ matrix.python-version }}
-      uses: actions/setup-python@v5
+    - name: Install uv
+      uses: astral-sh/setup-uv@v4
       with:
         python-version: ${{ matrix.python-version }}
 
-    - name: Cache pip dependencies
-      uses: actions/cache@v4
+    - name: Set up Python ${{ matrix.python-version }}
+      uses: actions/setup-python@v5
       with:
-        path: ~/.cache/pip
-        key: ${{ runner.os }}-pip-${{ matrix.python-version }}-${{ hashFiles('pyproject.toml') }}
-        restore-keys: |
-          ${{ runner.os }}-pip-${{ matrix.python-version }}-
-          ${{ runner.os }}-pip-
+        python-version: ${{ matrix.python-version }}
 
     - name: Install dependencies
-      run: |
-        python -m pip install --upgrade pip
-        pip install -e .[dev]
+      run: uv sync --all-extras
 
     - name: Lint with Ruff
-      run: ruff check mcp_documents_reader.py tests
+      run: uv run ruff check mcp_documents_reader.py tests
 
     - name: Check formatting with Ruff
-      run: ruff format --check mcp_documents_reader.py tests
+      run: uv run ruff format --check mcp_documents_reader.py tests
 
     - name: Type check with Basedpyright
-      run: basedpyright mcp_documents_reader.py
+      run: uv run basedpyright mcp_documents_reader.py
 
     - name: Run tests with coverage
-      run: pytest --cov-report=xml
+      run: uv run pytest --cov-report=xml
 
   build:
     needs: test
@@ -65,30 +59,19 @@ jobs:
         fetch-depth: 0
         fetch-tags: true
 
+    - name: Install uv
+      uses: astral-sh/setup-uv@v4
+
     - name: Set up Python
       uses: actions/setup-python@v5
       with:
         python-version: "3.10"
 
-    - name: Cache pip dependencies
-      uses: actions/cache@v4
-      with:
-        path: ~/.cache/pip
-        key: ${{ runner.os }}-pip-build-${{ hashFiles('pyproject.toml') }}
-        restore-keys: |
-          ${{ runner.os }}-pip-build-
-          ${{ runner.os }}-pip-
-
-    - name: Install dependencies
-      run: |
-        python -m pip install --upgrade pip
-        pip install build twine
-
     - name: Build package
-      run: python -m build
+      run: uv build
 
     - name: Check distribution
-      run: python -m twine check --strict dist/*
+      run: uv run twine check --strict dist/*
 
     - name: Upload Artifacts
       uses: actions/upload-artifact@v4
@@ -136,17 +119,20 @@ jobs:
 
     - name: Update server.json version
       run: |
-        VERSION=${{ steps.get_version.outputs.VERSION }}
+        VERSION="${{ steps.get_version.outputs.VERSION }}"
         python -c "
         import json
+        import os
         with open('server.json', 'r') as f:
             data = json.load(f)
-        data['version'] = '$VERSION'
+        data['version'] = os.environ.get('VERSION', '')
         for pkg in data.get('packages', []):
-            pkg['version'] = '$VERSION'
+            pkg['version'] = os.environ.get('VERSION', '')
         with open('server.json', 'w') as f:
             json.dump(data, f, indent=2)
         "
+      env:
+        VERSION: ${{ steps.get_version.outputs.VERSION }}
 
     - name: Download mcp-publisher
       run: |

README.md

@@ -209,10 +209,10 @@ Read any supported document type.
 ## Dependencies
 
 ### Core Dependencies
-- `mcp` >= 0.1.0 - MCP protocol implementation
-- `python-docx` >= 0.8.11 - DOCX file reading
-- `PyPDF2` >= 3.0.1 - PDF file reading
-- `openpyxl` >= 3.0.10 - Excel file reading
+- `mcp` >= 1.23.0 - MCP protocol implementation
+- `python-docx` >= 1.2.0 - DOCX file reading
+- `pypdf` >= 6.7.1 - PDF file reading (replaces PyPDF2)
+- `openpyxl` >= 3.1.5 - Excel file reading
 
 ### Development Dependencies
 - `pytest` >= 8.0.0 - Testing framework

README.zh-CN.md

@@ -209,10 +209,10 @@ if DocumentReaderFactory.is_supported("file.xlsx"):
 ## 依赖
 
 ### 核心依赖
-- `mcp` >= 0.1.0 - MCP 协议实现
-- `python-docx` >= 0.8.11 - DOCX 文件读取
-- `PyPDF2` >= 3.0.1 - PDF 文件读取
-- `openpyxl` >= 3.0.10 - Excel 文件读取
+- `mcp` >= 1.23.0 - MCP 协议实现
+- `python-docx` >= 1.2.0 - DOCX 文件读取
+- `pypdf` >= 6.7.1 - PDF 文件读取（替代 PyPDF2）
+- `openpyxl` >= 3.1.5 - Excel 文件读取
 
 ### 开发依赖
 - `pytest` >= 8.0.0 - 测试框架

docs/en/API.md

@@ -62,6 +62,8 @@ content = reader.read("/path/to/document.docx")
 
 Reads PDF documents.
 
+> **Note:** Starting from v1.2.0, the PDF reader has been migrated from PyPDF2 to pypdf (more secure and better maintained).
+
 ```python
 from mcp_documents_reader import PdfReader
 

docs/en/CHANGELOG.md

@@ -5,6 +5,32 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.2.0] - 2025-03-02
+
+### Security Fixes
+
+- **MCP SDK Security Vulnerabilities**: Upgraded mcp>=1.23.0, fixed 3 high-severity CVEs
+  - CVE-2025-53365: Unhandled exception in Streamable HTTP Transport leading to DoS
+  - CVE-2025-53366: FastMCP Server validation error leading to DoS
+  - CVE-2025-66416: DNS rebinding protection not enabled by default
+- **PyPDF2 Security Vulnerability**: Replaced with pypdf>=6.7.1, fixed CVE-2023-36464
+- **Path Traversal Protection**: Added explicit path validation to prevent arbitrary file read attacks
+- **Error Message Sanitization**: Removed full paths from error messages to prevent information disclosure
+
+### Added
+
+- **PyPI Package Metadata**: Added project.urls linking to GitHub repository
+
+### Changed
+
+- **Dependency Upgrades**:
+  - mcp>=0.1.0 → mcp>=1.23.0
+  - PyPDF2>=3.0.1 → pypdf>=6.7.1
+  - python-docx>=0.8.11 → python-docx>=1.2.0
+  - openpyxl>=3.0.10 → openpyxl>=3.1.5
+  - typing_extensions>=4.0.0 → typing_extensions>=4.12.0
+- **CI/CD Migration**: Migrated from pip to uv for faster builds
+
 ## [1.1.0] - 2025-03-01
 
 ### Fixed

docs/zh/API.md

@@ -62,6 +62,8 @@ content = reader.read("/path/to/document.docx")
 
 读取 PDF 文档。
 
+> **注意：** 从 v1.2.0 开始，PDF 读取器已从 PyPDF2 迁移到 pypdf（更安全、维护更好）。
+
 ```python
 from mcp_documents_reader import PdfReader
 

docs/zh/CHANGELOG.md

@@ -5,6 +5,32 @@
 格式基于 [Keep a Changelog](https://keepachangelog.com/zh-CN/1.0.0/)，
 本项目遵循 [语义化版本](https://semver.org/lang/zh-CN/)。
 
+## [1.2.0] - 2025-03-02
+
+### 安全修复
+
+- **MCP SDK 安全漏洞**：升级 mcp>=1.23.0，修复 3 个高危 CVE
+  - CVE-2025-53365: Streamable HTTP Transport 未处理异常导致 DoS
+  - CVE-2025-53366: FastMCP Server 验证错误导致 DoS
+  - CVE-2025-66416: DNS rebinding 保护默认未启用
+- **PyPDF2 安全漏洞**：替换为 pypdf>=6.7.1，修复 CVE-2023-36464
+- **路径遍历防护**：添加显式路径验证，防止任意文件读取攻击
+- **错误信息脱敏**：移除错误信息中的完整路径，防止信息泄露
+
+### 新增
+
+- **PyPI 包元数据**：添加 project.urls，链接到 GitHub 仓库
+
+### 变更
+
+- **依赖升级**：
+  - mcp>=0.1.0 → mcp>=1.23.0
+  - PyPDF2>=3.0.1 → pypdf>=6.7.1
+  - python-docx>=0.8.11 → python-docx>=1.2.0
+  - openpyxl>=3.0.10 → openpyxl>=3.1.5
+  - typing_extensions>=4.0.0 → typing_extensions>=4.12.0
+- **CI/CD 迁移**：从 pip 迁移到 uv，提升构建速度
+
 ## [1.1.0] - 2025-03-01
 
 ### 修复

mcp_documents_reader.py

@@ -7,7 +7,7 @@
 from docx import Document as DocxDocument
 from mcp.server.fastmcp import FastMCP
 from openpyxl import load_workbook
-from PyPDF2 import PdfReader as PyPdfReader
+from pypdf import PdfReader as PyPdfReader
 from typing_extensions import override
 
 # Directory where documents are stored
@@ -193,12 +193,34 @@ def is_supported(cls, file_path: str) -> bool:
 
 
 def _get_document_path(ctx: object, filename: str) -> str:
-    """Get full document path from context or environment"""
-    try:
-        doc_dir = getattr(ctx, "document_directory", DOCUMENT_DIRECTORY)
-    except Exception:
-        doc_dir = DOCUMENT_DIRECTORY
-    return os.path.join(doc_dir, filename)
+    """获取文档路径，防止路径遍历攻击。
+
+    Args:
+        ctx: FastMCP 上下文对象
+        filename: 文件名
+
+    Returns:
+        str: 安全的完整文件路径
+
+    Raises:
+        ValueError: 当检测到路径遍历攻击时
+    """
+    doc_dir = getattr(ctx, "document_directory", DOCUMENT_DIRECTORY)
+
+    # 使用 basename 防止路径遍历
+    safe_filename = os.path.basename(filename)
+
+    # 构建完整路径
+    full_path = os.path.join(doc_dir, safe_filename)
+
+    # 验证路径在允许的目录内
+    real_path = os.path.realpath(full_path)
+    real_doc_dir = os.path.realpath(doc_dir)
+
+    if not real_path.startswith(real_doc_dir + os.sep) and real_path != real_doc_dir:
+        raise ValueError("Access denied: path outside document directory")
+
+    return full_path
 
 
 @mcp.tool()
@@ -211,10 +233,13 @@ def read_document(ctx: object, filename: str) -> str:
     :param filename: Name of the document file to read
     :return: Extracted text from the document
     """
-    doc_path = _get_document_path(ctx, filename)
+    try:
+        doc_path = _get_document_path(ctx, filename)
+    except ValueError:
+        return "Error: Invalid file path."
 
     if not os.path.exists(doc_path):
-        return f"Error: File '{filename}' not found at {doc_path}."
+        return f"Error: File '{filename}' not found."
 
     if not DocumentReaderFactory.is_supported(doc_path):
         return f"Error: Unsupported document type for file '{filename}'."

pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "mcp-documents-reader"
-version = "1.1.0"
+version = "1.2.0"
 description = "An MCP enabled multi-format document reader supporting DOCX, PDF, TXT, and Excel files"
 keywords = ["mcp", "model-context-protocol", "document-reader", "pdf", "docx", "excel"]
 authors = [
@@ -9,13 +9,19 @@ authors = [
 readme = "README.md"
 requires-python = ">=3.10"
 dependencies = [
-  "mcp>=0.1.0",
-  "python-docx>=0.8.11",
-  "PyPDF2>=3.0.1",
-  "openpyxl>=3.0.10",
-  "typing_extensions>=4.0.0"
+  "mcp>=1.23.0",
+  "python-docx>=1.2.0",
+  "pypdf>=6.7.1",
+  "openpyxl>=3.1.5",
+  "typing_extensions>=4.12.0"
 ]
 
+[project.urls]
+Homepage = "https://github.com/xt765/mcp_documents_reader"
+Repository = "https://github.com/xt765/mcp_documents_reader"
+Issues = "https://github.com/xt765/mcp_documents_reader/issues"
+Documentation = "https://github.com/xt765/mcp_documents_reader#readme"
+
 [project.optional-dependencies]
 dev = [
   "ruff>=0.8.0",