fix(mcp): reject local targets over HTTP transport#196
Conversation
Signed-off-by: Rod Boev <rod.boev@gmail.com>
rng1995
left a comment
There was a problem hiding this comment.
Approving — solid, fail-closed hardening: HTTP transport sets allow_local_targets=False and _is_local_target() rejects file://, absolute/drive, and UNC paths before the graph runs, while remote schemes pass through. Test coverage is thorough (local/file:// rejected, remote allowed, UNC + relative-path classification, transport policy stdio=allow/http=disallow, and default-compat).
Non-blocking notes:
_is_local_target()callsPath(target).expanduser().exists()for the relative/no-scheme case, i.e. an unauthenticated HTTP caller can make the serverstat()arbitrary relative paths (a minor file-existence oracle). The read itself is still blocked, so impact is low, but consider dropping the.exists()probe and classifying unknown bare strings as non-local.- Touches
mcp_server.pyalongside #204, and the README note in #193 documents this behavior — expect a merge-order/rebase with those.
rng1995
left a comment
There was a problem hiding this comment.
[Automated SkillSpector Review]
Re-review: approved. The HTTP local-target guard remains unchanged from the prior approved head. The only subsequent commit is formatter-only normalization of static_runner.py and three tests, with no semantic change to the MCP security behavior.
Summary
HTTP MCP callers can currently pass local filesystem targets to
scan_skill, and the server forwards those paths into the normal scan graph. This adds an MCP transport guard so routable HTTP use rejects local paths andfile://targets before the graph can read them, while CLI and stdio MCP scans keep their existing local-path behavior.Closes #191
Root cause
scan_skillforwards the caller-providedtargettorun_scanwithout transport context. The input resolver then treats local files and directories as valid scan targets, which is correct for trusted local use but too broad for unauthenticated HTTP exposure.Diff Notes
run_scanuse.Scope
This does not add MCP authentication, change the generic input resolver, or alter report output. PR #193 covers the documentation warning slice; this PR covers the code guard.
Verification
python -m pytest tests/unit/test_mcp_server.py -v-> 18 passed, 1 warninguv run ruff check src/ tests/-> passeduv run ruff format --check src/skillspector/mcp_server.py tests/unit/test_mcp_server.py-> 2 files already formatteduv run ruff format --check src/ tests/-> still reports pre-existing drift outside the target scope insrc/skillspector/nodes/analyzers/static_runner.py,tests/nodes/analyzers/test_binary_and_pe3_filtering.py,tests/nodes/analyzers/test_mp2_regex_backtracking.py, andtests/nodes/test_llm_analyzer_base.pyLint & Test (Python 3.12),Lint & Test (Python 3.13), andDCO Check- pending maintainer approval if fork checks are gatedNotes
Follow-up to maintainer review on #36 (review).