@next-ai-drawio/mcp-server

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    7: import { log } from "./logger.js";
    8: // Configurable draw.io embed URL for private deployments
>>> 9: const DRAWIO_BASE_URL = process.env.DRAWIO_BASE_URL || "https://embed.diagrams.net";
    10: // Extract origin (scheme + host + port) from URL for postMessage security check
    11: function getOrigin(url) {

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    14:     },
    15:     debug: (msg, ...args) => {
>>> 16:         if (process.env.DEBUG === "true") {
    17:             console.error(`[MCP-DrawIO] [DEBUG] ${msg}`, ...args);
    18:         }

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    36: // Server configuration
    37: const config = {
>>> 38:     port: parseInt(process.env.PORT || "6002", 10),
    39: };
    40: // Session state (single session for simplicity)

Decoded base64 content: {kh)h�)�N�^���

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: ��Z��ڲ���+�+�

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: ����r1�Rz�"�r

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: ����r1�Rz�"�r

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: ��Z��ڲ���+�+�

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: J�b�'���ӭ�즊�

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: J�b�'���ӭ�즊�

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Dynamic code execution via exec()

Detected by automated pattern matching (rule SC-003) with medium confidence. May be a false positive.

    56:         const tag = xml.substring(tagStart, tagEnd + 1);
    57:         i = tagEnd + 1;
>>> 58:         const tagMatch = /^<(\/?)([a-zA-Z][a-zA-Z0-9:_-]*)/.exec(tag);
    59:         if (!tagMatch)
    60:             continue;

Dynamic code execution via exec()

Detected by automated pattern matching (rule SC-003) with medium confidence. May be a false positive.

    78:     const tagPattern = /<[^>]+>/g;
    79:     let tagMatch;
>>> 80:     while ((tagMatch = tagPattern.exec(xml)) !== null) {
    81:         const tag = tagMatch[0];
    82:         const attrPattern = /\s([a-zA-Z_:][a-zA-Z0-9_:.-]*)\s*=/g;

Dynamic code execution via exec()

Detected by automated pattern matching (rule SC-003) with medium confidence. May be a false positive.

    83:         const attributes = new Map();
    84:         let attrMatch;
>>> 85:         while ((attrMatch = attrPattern.exec(tag)) !== null) {
    86:             const attrName = attrMatch[1];
    87:             attributes.set(attrName, (attributes.get(attrName) || 0) + 1);

Dynamic code execution via exec()

Detected by automated pattern matching (rule SC-003) with medium confidence. May be a false positive.

    101:     const ids = new Map();
    102:     let idMatch;
>>> 103:     while ((idMatch = idPattern.exec(xml)) !== null) {
    104:         const id = idMatch[1];
    105:         ids.set(id, (ids.get(id) || 0) + 1);

Dynamic code execution via exec()

Detected by automated pattern matching (rule SC-003) with medium confidence. May be a false positive.

    141:     const charRefPattern = /&#x?[^;]+;?/g;
    142:     let charMatch;
>>> 143:     while ((charMatch = charRefPattern.exec(xml)) !== null) {
    144:         const ref = charMatch[0];
    145:         if (ref.startsWith("&#x")) {

Dynamic code execution via exec()

Detected by automated pattern matching (rule SC-003) with medium confidence. May be a false positive.

    173:     const invalidEntityPattern = /&([a-zA-Z][a-zA-Z0-9]*);/g;
    174:     let entityMatch;
>>> 175:     while ((entityMatch = invalidEntityPattern.exec(xmlWithoutComments)) !== null) {
    176:         if (!VALID_ENTITIES.has(entityMatch[1])) {
    177:             return `Invalid XML: Invalid entity reference: &${entityMatch[1]}; - use only valid XML entities (lt, gt, amp, quot, apos)`;

Dynamic code execution via exec()

Detected by automated pattern matching (rule SC-003) with medium confidence. May be a false positive.

    185:     const cellStack = [];
    186:     let cellMatch;
>>> 187:     while ((cellMatch = cellTagPattern.exec(xml)) !== null) {
    188:         const tag = cellMatch[0];
    189:         if (tag.startsWith("</mxCell>")) {

Dynamic code execution via exec()

Detected by automated pattern matching (rule SC-003) with medium confidence. May be a false positive.

    249:     const attrValuePattern = /=\s*"([^"]*)"/g;
    250:     let attrValMatch;
>>> 251:     while ((attrValMatch = attrValuePattern.exec(xml)) !== null) {
    252:         const value = attrValMatch[1];
    253:         if (/</.test(value) && !/&lt;/.test(value)) {

Dynamic code execution via exec()

Detected by automated pattern matching (rule SC-003) with medium confidence. May be a false positive.

    273:     const commentPattern = /<!--([\s\S]*?)-->/g;
    274:     let commentMatch;
>>> 275:     while ((commentMatch = commentPattern.exec(xml)) !== null) {
    276:         if (/--/.test(commentMatch[1])) {
    277:             return "Invalid XML: Comment contains -- (double hyphen) which is not allowed";

Dynamic code execution via exec()

Detected by automated pattern matching (rule SC-003) with medium confidence. May be a false positive.

    395:     let attrMatch;
    396:     let hasUnescapedLt = false;
>>> 397:     while ((attrMatch = attrPattern.exec(fixed)) !== null) {
    398:         if (!attrMatch[3].startsWith("<")) {
    399:             hasUnescapedLt = true;

Dynamic code execution via exec()

Detected by automated pattern matching (rule SC-003) with medium confidence. May be a false positive.

    491:     let foreignMatch;
    492:     const foreignTags = new Set();
>>> 493:     while ((foreignMatch = foreignTagPattern.exec(fixed)) !== null) {
    494:         const tagName = foreignMatch[1];
    495:         if (!validDrawioTags.has(tagName)) {

Dynamic code execution via exec()

Detected by automated pattern matching (rule SC-003) with medium confidence. May be a false positive.

    537:     const fullTagPattern = /<(\/?[a-zA-Z][a-zA-Z0-9]*)[^>]*>/g;
    538:     let tagCountMatch;
>>> 539:     while ((tagCountMatch = fullTagPattern.exec(fixed)) !== null) {
    540:         const fullMatch = tagCountMatch[0];
    541:         const tagPart = tagCountMatch[1];

Dynamic code execution via exec()

Detected by automated pattern matching (rule SC-003) with medium confidence. May be a false positive.

    579:     let lastValidTagEnd = -1;
    580:     let closingMatch;
>>> 581:     while ((closingMatch = closingTagPattern.exec(fixed)) !== null) {
    582:         lastValidTagEnd = closingMatch.index + closingMatch[0].length;
    583:     }

Dynamic code execution via exec()

Detected by automated pattern matching (rule SC-003) with medium confidence. May be a false positive.

    663:     const idPattern = /\bid\s*=\s*["']([^"']+)["']/gi;
    664:     let idMatch;
>>> 665:     while ((idMatch = idPattern.exec(fixed)) !== null) {
    666:         const id = idMatch[1];
    667:         seenIds.set(id, (seenIds.get(id) || 0) + 1);

Decoded base64 content: r��;��'��-����׬

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: r��(Z��-z�^}�ޝǬ

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: �{ږ'D�ح������

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: �{ږ'D�ح������

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: r��;��'��-����׬

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: r��(Z��-z�^}�ޝǬ

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: {kh)h�)�N�^���

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

Decoded base64 content: {kh)h�)�N�^���

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

High-entropy string (4.6 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

High-entropy string (4.7 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

High-entropy string (5.0 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

High-entropy string (4.6 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

High-entropy string (4.8 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

High-entropy string (4.8 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

High-entropy string (4.7 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    605:                         if (isPng || isSvg) {
    606:                             pendingMcpExport = null;
>>> 607:                             fetch('/api/state', {
    608:                                 method: 'POST',
    609:                                 headers: { 'Content-Type': 'application/json' },

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    645:                     } else if (pendingAiSvg) {
    646:                         pendingAiSvg = false;
>>> 647:                         fetch('/api/history-svg', {
    648:                             method: 'POST',
    649:                             headers: { 'Content-Type': 'application/json' },

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    670:             if (!sessionId) return;
    671:             try {
>>> 672:                 const r = await fetch('/api/state', {
    673:                     method: 'POST',
    674:                     headers: { 'Content-Type': 'application/json' },

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    684:             if (!sessionId) return;
    685:             try {
>>> 686:                 const r = await fetch('/api/state?sessionId=' + encodeURIComponent(sessionId));
    687:                 if (!r.ok) return;
    688:                 const s = await r.json();

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    782:             if (!sessionId) return;
    783:             try {
>>> 784:                 const r = await fetch('/api/history?sessionId=' + encodeURIComponent(sessionId));
    785:                 if (r.ok) {
    786:                     const d = await r.json();

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    824:             restoreBtn.textContent = 'Restoring...';
    825:             try {
>>> 826:                 const r = await fetch('/api/restore', {
    827:                     method: 'POST',
    828:                     headers: { 'Content-Type': 'application/json' },

High-entropy string (4.8 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

High-entropy string (5.0 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

High-entropy string (4.6 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

High-entropy string (4.5 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

High-entropy string (4.8 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

High-entropy string (4.5 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

High-entropy string (4.7 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

High-entropy string (4.8 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.