tftsr-devops_investigation

Author	SHA1	Message	Date
Shaun Arman	0469f121b1	fix(mcp): add validation to block dangerous environment variables Some checks failed Test / rust-fmt-check (pull_request) Successful in 1m55s Details Test / frontend-typecheck (pull_request) Successful in 1m47s Details Test / frontend-tests (pull_request) Successful in 1m46s Details Test / rust-clippy (pull_request) Successful in 3m8s Details PR Review Automation / review (pull_request) Successful in 4m25s Details Test / rust-tests (pull_request) Failing after 4m39s Details Add defense-in-depth security validation for stdio transport to reject environment variables that could be used for privilege escalation attacks. Blocks the following dangerous variables (case-insensitive): - LD_PRELOAD (Linux) - LD_LIBRARY_PATH (Linux) - DYLD_INSERT_LIBRARIES (macOS) - DYLD_LIBRARY_PATH (macOS) - DYLD_FRAMEWORK_PATH (macOS) - DYLD_FALLBACK_LIBRARY_PATH (macOS) These variables can inject malicious libraries into spawned processes and should never be user-configurable for MCP servers. Add comprehensive tests: - test_rejects_relative_path: Verify existing path validation - test_rejects_dangerous_env_vars: Test all blocked variables - test_rejects_dangerous_env_vars_case_insensitive: Verify lowercase variants blocked - test_allows_safe_env_vars: Verify legitimate vars (DEBUG, PATH, API_KEY) allowed All tests passing.	2026-06-01 12:16:11 -05:00
Shaun Arman	922f90a794	fix(mcp): change plaintext env input to type=text Change plaintext_env input field from type='password' to type='text' since this field is explicitly for non-sensitive values (DEBUG, LOG_LEVEL, etc.). Using password type for plaintext config was misleading and prevented copy/paste of legitimate non-sensitive configuration. Only the encrypted_env and http_headers fields remain as type='password' for sensitive values like API keys and tokens.	2026-06-01 12:06:04 -05:00
sarman	ed49de1edd	Update README.md	2026-06-01 17:02:03 +00:00
Shaun Arman	d264e6b09d	fix(mcp): improve UX clarity for encrypted env vars during edit Add clearer placeholder and helper text to explain that encrypted environment variables are never displayed for security reasons. When editing an existing server, the encrypted_env field shows a placeholder explaining that leaving it blank will preserve existing values. Also apply cargo fmt formatting fixes to store.rs.	2026-06-01 11:58:52 -05:00

1 changed files with 0 additions and 12 deletions

									
										12

.mcp.json
									
										View File
									
					@ -1,12 +0,0 @@

					{

					  "mcpServers": {

					    "github": {

					      "transport": "stdio",

					      "command": "npx",

					      "args": ["-y", "@modelcontextprotocol/server-github"],

					      "env": {

					        "GITHUB_PERSONAL_ACCESS_TOKEN": "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"

					      }

					    }

					  }

					}

Compare commits

4 Commits

2ad87b4c78 ... 0469f121b1

12

.mcp.json

View File

Compare commits

4 Commits 2ad87b4c78 ... 0469f121b1

12 .mcp.json Unescape Escape View File

4 Commits

2ad87b4c78 ... 0469f121b1

12

.mcp.json

View File