Compare commits

4 Commits

Author SHA1 Message Date
Shaun Arman
2ad87b4c78 fix(mcp): add validation to block dangerous environment variables
Some checks failed
Test / rust-fmt-check (pull_request) Successful in 1m30s
Test / frontend-typecheck (pull_request) Successful in 2m6s
Test / frontend-tests (pull_request) Successful in 2m6s
Test / rust-clippy (pull_request) Successful in 3m46s
PR Review Automation / review (pull_request) Successful in 4m45s
Test / rust-tests (pull_request) Failing after 5m12s
Add defense-in-depth security validation for stdio transport to reject
environment variables that could be used for privilege escalation attacks.
Blocks the following dangerous variables (case-insensitive):
- LD_PRELOAD (Linux)
- LD_LIBRARY_PATH (Linux)
- DYLD_INSERT_LIBRARIES (macOS)
- DYLD_LIBRARY_PATH (macOS)
- DYLD_FRAMEWORK_PATH (macOS)
- DYLD_FALLBACK_LIBRARY_PATH (macOS)

These variables can inject malicious libraries into spawned processes and
should never be user-configurable for MCP servers.

Add comprehensive tests:
- test_rejects_relative_path: Verify existing path validation
- test_rejects_dangerous_env_vars: Test all blocked variables
- test_rejects_dangerous_env_vars_case_insensitive: Verify lowercase variants blocked
- test_allows_safe_env_vars: Verify legitimate vars (DEBUG, PATH, API_KEY) allowed

All tests passing.
2026-06-01 12:16:11 -05:00
Shaun Arman
82d7f350db fix(mcp): change plaintext env input to type=text
All checks were successful
Test / rust-fmt-check (pull_request) Successful in 1m37s
Test / frontend-tests (pull_request) Successful in 1m31s
Test / frontend-typecheck (pull_request) Successful in 1m32s
Test / rust-clippy (pull_request) Successful in 3m30s
PR Review Automation / review (pull_request) Successful in 4m28s
Test / rust-tests (pull_request) Successful in 5m8s
Change plaintext_env input field from type='password' to type='text' since
this field is explicitly for non-sensitive values (DEBUG, LOG_LEVEL, etc.).
Using password type for plaintext config was misleading and prevented
copy/paste of legitimate non-sensitive configuration.

Only the encrypted_env and http_headers fields remain as type='password'
for sensitive values like API keys and tokens.
2026-06-01 12:06:04 -05:00
a4d3442891 Update README.md
Some checks failed
PR Review Automation / review (pull_request) Has been cancelled
Test / frontend-typecheck (pull_request) Has been cancelled
Test / frontend-tests (pull_request) Has been cancelled
Test / rust-fmt-check (pull_request) Has been cancelled
Test / rust-clippy (pull_request) Has been cancelled
Test / rust-tests (pull_request) Has been cancelled
2026-06-01 17:02:03 +00:00
Shaun Arman
ad42d40365 fix(mcp): improve UX clarity for encrypted env vars during edit
All checks were successful
Test / rust-fmt-check (pull_request) Successful in 1m28s
Test / frontend-tests (pull_request) Successful in 1m31s
Test / frontend-typecheck (pull_request) Successful in 1m34s
Test / rust-clippy (pull_request) Successful in 3m29s
PR Review Automation / review (pull_request) Successful in 4m34s
Test / rust-tests (pull_request) Successful in 4m56s
Add clearer placeholder and helper text to explain that encrypted environment
variables are never displayed for security reasons. When editing an existing
server, the encrypted_env field shows a placeholder explaining that leaving it
blank will preserve existing values.

Also apply cargo fmt formatting fixes to store.rs.
2026-06-01 11:58:52 -05:00
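
The check described in commit 2ad87b4c78 (case-insensitive rejection of the six loader variables for stdio servers), written out in Rust as an added example; it is not the project's own code. `validate_stdio_env`, `EnvError` and the extra rejection of names that are empty or contain `=` or NUL are assumptions of this example, not something the commit message states.

```rust
use std::collections::BTreeMap;

/// Loader variables listed in the commit message; matched case-insensitively.
const BLOCKED_ENV_VARS: [&str; 6] = [
    "LD_PRELOAD",
    "LD_LIBRARY_PATH",
    "DYLD_INSERT_LIBRARIES",
    "DYLD_LIBRARY_PATH",
    "DYLD_FRAMEWORK_PATH",
    "DYLD_FALLBACK_LIBRARY_PATH",
];

#[derive(Debug, PartialEq)]
pub enum EnvError {
    /// Assumption of this example: a name that is empty or contains '=' or NUL
    /// is ambiguous once serialized as NAME=value, so it is refused outright
    /// instead of being compared against the blocklist.
    Malformed(String),
    /// The name matches one of the blocked loader variables.
    Blocked(String),
}

/// Hypothetical helper: check a stdio server's env map before spawning it.
/// Every offending entry is returned so a settings form can show them all.
pub fn validate_stdio_env(env: &BTreeMap<String, String>) -> Result<(), Vec<EnvError>> {
    let mut errors = Vec::new();
    for name in env.keys() {
        if name.is_empty() || name.contains('=') || name.contains('\0') {
            errors.push(EnvError::Malformed(name.clone()));
        } else if BLOCKED_ENV_VARS.iter().any(|b| b.eq_ignore_ascii_case(name.as_str())) {
            errors.push(EnvError::Blocked(name.clone()));
        }
    }
    if errors.is_empty() { Ok(()) } else { Err(errors) }
}

fn main() {
    // Constructed sample configuration, not taken from the project.
    let mut env = BTreeMap::new();
    env.insert("DEBUG".to_string(), "1".to_string());
    env.insert("ld_preload".to_string(), "/opt/example/lib.so".to_string());
    env.insert("PATH".to_string(), "/usr/bin".to_string());
    println!("{:?}", validate_stdio_env(&env));
}
```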

.mcp.json Normal file

@ -0,0 +1,12 @@
{
"mcpServers": {
"github": {
"transport": "stdio",
"command": "npx",
"args": ["-y", "@modelcontextprotocol/server-github"],
"env": {
"GITHUB_PERSONAL_ACCESS_TOKEN": "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"
}
}
}
}
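
Review bot: the `env` block of the new `.mcp.json` commits a literal GitHub personal access token as the value of `GITHUB_PERSONAL_ACCESS_TOKEN`, so the credential is now in repository history and readable by anyone with access to this branch or its CI logs. Treat the token as exposed: revoke it, remove the value from the file (and from history if this branch has been pushed), and have the server read it from the launching environment or from the encrypted_env store that the other commits in this range describe, rather than from a tracked file. If `.mcp.json` is meant to be a per-developer file, add it to `.gitignore` and commit a template with a placeholder value instead. Separately, `"args": ["-y", "@modelcontextprotocol/server-github"]` installs whatever version is current at run time without prompting; pinning an explicit version would make the spawned server reproducible and reviewable.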