@cloudflare/mcp-server-cloudflare
v0.2.0
MCP server for interacting with Cloudflare API
Total findings: 86 (Critical: 26, High: 43, Medium: 17)

Findings

unknown
Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
6502: const invalidConfig = params?.invalidConfig === true;
6503: log(`bindings_update params: serviceName=${serviceName}, envName=${envName}, errorTest=${errorTest}, invalidConfig=${invalidConfig}`);
>>> 6504: if (process.env.NODE_ENV === "test") {
6505: if (invalidConfig) {
6506: log("Returning error response for invalid binding configuration test");

Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
6421: const errorTest = params?.errorTest === true;
6422: log(`bindings_list params: serviceName=${serviceName}, envName=${envName}, emptyList=${emptyList}, errorTest=${errorTest}`);
>>> 6423: if (process.env.NODE_ENV === "test") {
6424: if (emptyList) {
6425: log("Returning empty bindings list for test");

Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
6154: async function handleBindingsUpdate(serviceName, envName, bindings) {
6155: log("Executing bindings_update for service:", serviceName, "environment:", envName);
>>> 6156: if (process.env.NODE_ENV === "test" || config.accountId === "test-account-id") {
6157: return { success: true, message: "Bindings updated successfully" };
6158: }

Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
6115: async function handleBindingsList(serviceName, envName) {
6116: log("Executing bindings_list for service:", serviceName, "environment:", envName);
>>> 6117: if (process.env.NODE_ENV === "test" || config.accountId === "test-account-id") {
6118: if (serviceName === "non-existent-service") {
6119: return [];

Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
5742: log(`delete_namespace params: namespace=${namespace}, errorTest=${errorTest}`);
5743: try {
>>> 5744: if (process.env.NODE_ENV === "test") {
5745: if (errorTest) {
5746: log("Returning error response for delete namespace test");

Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
5708: log(`create_namespace params: name=${name}, errorTest=${errorTest}`);
5709: try {
>>> 5710: if (process.env.NODE_ENV === "test") {
5711: if (errorTest) {
5712: log("Returning error response for create namespace test");

Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
5659: log(`list_namespaces params: emptyList=${emptyList}, errorTest=${errorTest}`);
5660: try {
>>> 5661: if (process.env.NODE_ENV === "test") {
5662: if (emptyList) {
5663: log("Returning empty namespaces list for test");

Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
5571: log(`update_script params: namespace=${namespace}, scriptName=${scriptName}, errorTest=${errorTest}`);
5572: try {
>>> 5573: if (process.env.NODE_ENV === "test") {
5574: if (errorTest) {
5575: log("Returning error response for script update test");

Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
5506: log(`list_scripts params: namespace=${namespace}, emptyList=${emptyList}, errorTest=${errorTest}`);
5507: try {
>>> 5508: if (process.env.NODE_ENV === "test") {
5509: if (emptyList) {
5510: log("Returning empty scripts list for test");

Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
5043: const errorTest = params?.errorTest === true;
5044: log(`template_create_worker params: templateId=${templateId}, name=${name}, errorTest=${errorTest}`);
>>> 5045: if (process.env.NODE_ENV === "test") {
5046: if (errorTest || templateId === "non-existent-template") {
5047: log("Returning error response for template create worker test");

Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
4987: const errorTest = params?.errorTest === true;
4988: log(`template_get params: templateId=${templateId}, errorTest=${errorTest}`);
>>> 4989: if (process.env.NODE_ENV === "test") {
4990: if (errorTest || templateId === "non-existent-template") {
4991: log("Returning error response for template get test");

Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
7979: log(`secrets_delete params: scriptName=${scriptName}, envName=${envName}, secretName=${secretName}, errorTest=${errorTest}`);
7980: try {
>>> 7981: if (process.env.NODE_ENV === "test") {
7982: if (errorTest) {
7983: log("Returning error response for delete secret test");

[hidden in unicode_escape] Zero-width character detected (potential hidden content)
Detected by automated pattern matching (rule OB-004) with medium confidence. May be a false positive.
Decoded from unicode_escape: \u200D\u2640\uFE0F

Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
4922: const errorTest = params?.errorTest === true;
4923: log(`template_list params: emptyList=${emptyList}, errorTest=${errorTest}`);
>>> 4924: if (process.env.NODE_ENV === "test") {
4925: if (errorTest) {
4926: log("Returning error response for template list test");

Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
3313: }
3314: try {
>>> 3315: if (process.env.NODE_ENV === "test") {
3316: return {
3317: toolResult: {

Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
3245: }
3246: try {
>>> 3247: if (process.env.NODE_ENV === "test") {
3248: return {
3249: toolResult: {

Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
24: var config = {
25: accountId: process.env.CLOUDFLARE_ACCOUNT_ID,
>>> 26: apiToken: process.env.CLOUDFLARE_API_TOKEN
27: };
28:

Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
23: }
24: var config = {
>>> 25: accountId: process.env.CLOUDFLARE_ACCOUNT_ID,
26: apiToken: process.env.CLOUDFLARE_API_TOKEN
27: };

Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
8039: log(`secrets_list params: scriptName=${scriptName}, envName=${envName}, emptyList=${emptyList}, errorTest=${errorTest}`);
8040: try {
>>> 8041: if (process.env.NODE_ENV === "test") {
8042: if (emptyList) {
8043: log("Returning empty secrets list for test");

Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
7919: log(`secrets_create params: scriptName=${scriptName}, envName=${envName}, secretName=${secretName}, errorTest=${errorTest}`);
7920: try {
>>> 7921: if (process.env.NODE_ENV === "test") {
7922: if (errorTest) {
7923: log("Returning error response for create secret test");

Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
7273: async function handleCronUpdate(scriptName, cronExpression) {
7274: log("Executing cron_update for script:", scriptName, "cron:", cronExpression);
>>> 7275: if (config.accountId === "test-account-id" || process.env.NODE_ENV === "test") {
7276: return {
7277: success: true,

Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
7239: async function handleCronList(scriptName) {
7240: log("Executing cron_list for script:", scriptName);
>>> 7241: if (config.accountId === "test-account-id" || process.env.NODE_ENV === "test") {
7242: if (scriptName === "non-existent-script") {
7243: return [];

Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
6885: const { zoneId, emptyList, errorTest } = input;
6886: log("route_list called with params:", { zoneId, emptyList, errorTest });
>>> 6887: if (process.env.NODE_ENV === "test") {
6888: if (errorTest === true) {
6889: log("Returning error response for route list test");

Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
6826: const { zoneId, routeId, errorTest } = input;
6827: log("route_delete called with params:", { zoneId, routeId, errorTest });
>>> 6828: if (process.env.NODE_ENV === "test") {
6829: if (errorTest === true) {
6830: log("Returning error response for route delete test");

Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
5614: log(`delete_script params: namespace=${namespace}, scriptName=${scriptName}, errorTest=${errorTest}`);
5615: try {
>>> 5616: if (process.env.NODE_ENV === "test") {
5617: if (errorTest) {
5618: log("Returning error response for script deletion test");

Environment file access
Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.
6750: const { zoneId, pattern, scriptName, errorTest, invalidPattern } = input;
6751: log("route_create called with params:", { zoneId, pattern, scriptName, errorTest, invalidPattern });
>>> 6752: if (process.env.NODE_ENV === "test") {
6753: if (errorTest === true) {
6754: log("Returning error response for route create test");

Decoded base64 content
Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Node.js child process spawning
Detected by automated pattern matching (rule SC-005) with medium confidence. May be a false positive.
2:
3: // src/init.ts
>>> 4: import { exec } from "child_process";
5: import { promisify } from "util";
6:

Decoded unicode_escape content: ♀️
Detected by automated pattern matching (rule DO-UNI) with medium confidence. May be a false positive.

High-entropy string (5.1 bits/char) — possible encoded payload
Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

High-entropy string (4.5 bits/char) — possible encoded payload
Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

High-entropy string (4.6 bits/char) — possible encoded payload
Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

JavaScript fetch() call
Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.
136: "Content-Type": "application/x-www-form-urlencoded"
137: };
>>> 138: return await fetch("https://dash.cloudflare.com/oauth2/token", {
139: method: "POST",
140: body: body.toString(),

JavaScript fetch() call
Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.
205: async function fetchInternal(resource, init2 = {}, queryParams, abortSignal) {
206: const method = init2.method ?? "GET";
>>> 207: const response = await performApiFetch(resource, init2, queryParams, abortSignal);
208: const jsonText = await response.text();
209: const logHeaders = cloneHeaders(response.headers);

High-entropy string (4.7 bits/char) — possible encoded payload
Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

JavaScript fetch() call
Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.
232: }
233: }
>>> 234: async function performApiFetch(resource, init2 = {}, queryParams, abortSignal) {
235: const method = init2.method ?? "GET";
236: assert(resource.startsWith("/"), `CF API fetch - resource path must start with a "/" but got "${resource}"`);

JavaScript fetch() call
Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.
242: const logHeaders = cloneHeaders(headers);
243: delete logHeaders["Authorization"];
>>> 244: return await fetch(`${getCloudflareApiBaseUrl()}${resource}${queryString}`, {
245: method,
246: ...init2,

Possible Base64-encoded payload (long encoded string)
Detected by automated pattern matching (rule OB-001) with medium confidence. May be a false positive.
4173: type: "text",
4174: text: JSON.stringify({
>>> 4175: response: "data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mNk+A8AAQUBAScY42YAAAAASUVORK5CYII=",
4176: status: "success"
4177: }, null, 2)

High-entropy string (4.6 bits/char) — possible encoded payload
Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

High-entropy string (5.0 bits/char) — possible encoded payload
Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

High-entropy string (5.0 bits/char) — possible encoded payload
Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

High-entropy string (4.7 bits/char) — possible encoded payload
Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

High-entropy string (4.6 bits/char) — possible encoded payload
Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

JavaScript fetch() call
Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.
240: worker_put({
241: name: "my-worker",
>>> 242: script: "export default { async fetch(request, env, ctx) { ... }}",
243: bindings: [
244: {

High-entropy string (4.6 bits/char) — possible encoded payload
Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

High-entropy string (5.1 bits/char) — possible encoded payload
Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

Scan History
| Date | Risk | Findings | Files | Duration |
|---|---|---|---|---|
| Feb 25, 2026 | critical | 86 | 6 | 0.00s |
| Feb 23, 2026 | critical | 86 | 6 | 0.00s |
| Feb 22, 2026 | critical | 86 | 6 | 0.00s |