fix(mcp): reject local targets over HTTP transport#196
Conversation
rng1995
left a comment
There was a problem hiding this comment.
Approving — solid, fail-closed hardening: HTTP transport sets allow_local_targets=False and _is_local_target() rejects file://, absolute/drive, and UNC paths before the graph runs, while remote schemes pass through. Test coverage is thorough (local/file:// rejected, remote allowed, UNC + relative-path classification, transport policy stdio=allow/http=disallow, and default-compat).
Non-blocking notes:
_is_local_target()callsPath(target).expanduser().exists()for the relative/no-scheme case, i.e. an unauthenticated HTTP caller can make the serverstat()arbitrary relative paths (a minor file-existence oracle). The read itself is still blocked, so impact is low, but consider dropping the.exists()probe and classifying unknown bare strings as non-local.- Touches
mcp_server.pyalongside #204, and the README note in #193 documents this behavior — expect a merge-order/rebase with those.
rng1995
left a comment
There was a problem hiding this comment.
[Automated SkillSpector Review]
Re-review: approved. The HTTP local-target guard remains unchanged from the prior approved head. The only subsequent commit is formatter-only normalization of static_runner.py and three tests, with no semantic change to the MCP security behavior.
Signed-off-by: Rod Boev <rod.boev@gmail.com>
7222a95 to
aaeceb1
Compare
Summary
HTTP MCP callers can currently pass local filesystem targets to
scan_skill, and the server forwards those paths into the normal scan graph. This adds an MCP transport guard so routable HTTP use rejects local paths andfile://targets before the graph can read them, while CLI and stdio MCP scans keep their existing local-path behavior.Closes #191
Root cause
scan_skillforwards the caller-providedtargettorun_scanwithout transport context. The input resolver then treats local files and directories as valid scan targets, which is correct for trusted local use but too broad for unauthenticated HTTP exposure.Diff Notes
run_scanuse.Scope
This does not add MCP authentication, change the generic input resolver, or alter report output. PR #193 covers the documentation warning slice; this PR covers the code guard.
Verification
python -m pytest tests/unit/test_mcp_server.py -q-> 21 passeduv run ruff check src/ tests/-> passeduv run ruff format --check src/ tests/-> passedLint & Test (Python 3.12),Lint & Test (Python 3.13), andDCO Check- pending after the signed re-pushNotes
main; the earlier formatting-only tail is already upstream, so the current branch diff is back to the two MCP guard files.