Shaun Arman 2ad87b4c78 fix(mcp): add validation to block dangerous environment variables ... Add defense-in-depth security validation for stdio transport to reject environment variables that could be used for privilege escalation attacks. Blocks the following dangerous variables (case-insensitive): - LD_PRELOAD (Linux) - LD_LIBRARY_PATH (Linux) - DYLD_INSERT_LIBRARIES (macOS) - DYLD_LIBRARY_PATH (macOS) - DYLD_FRAMEWORK_PATH (macOS) - DYLD_FALLBACK_LIBRARY_PATH (macOS) These variables can inject malicious libraries into spawned processes and should never be user-configurable for MCP servers. Add comprehensive tests: - test_rejects_relative_path: Verify existing path validation - test_rejects_dangerous_env_vars: Test all blocked variables - test_rejects_dangerous_env_vars_case_insensitive: Verify lowercase variants blocked - test_allows_safe_env_vars: Verify legitimate vars (DEBUG, PATH, API_KEY) allowed All tests passing.		2026-06-01 12:16:11 -05:00
..
.cargo	fix: resolve clippy format-args failures and OpenSSL vendoring issue	2026-04-04 15:05:13 -05:00
capabilities	chore: add MIT license, security hardening, and repo hygiene	2026-04-07 12:50:13 -05:00
gen/schemas	feat: add image attachment support with PII detection	2026-04-08 20:03:34 -05:00
icons	fix: replace empty icon placeholder files with real app icons	2026-03-15 20:31:52 -05:00
resources/ollama	feat(ui): fix model dropdown, auth prefill, PII persistence, theme toggle, and Ollama bundle	2026-04-05 19:30:41 -05:00
src	fix(mcp): add validation to block dangerous environment variables	2026-06-01 12:16:11 -05:00
build.rs	fix: remove invalid --locked flag from cargo commands and fix format string	2026-04-14 20:50:47 -05:00
Cargo.lock	feat: attachment DB storage and cross-incident recall	2026-05-31 17:55:47 -05:00
Cargo.toml	feat: attachment DB storage and cross-incident recall	2026-05-31 17:55:47 -05:00
tauri.conf.json	fix: bump tauri.conf.json version to 0.3.0	2026-05-23 17:36:38 -05:00