@anuchandy anuchandy commented Sep 4, 2025

What does this PR do?

[Provide a clear, concise description of the changes]

Adding an insecure, undocumented switch to begin the early exploration of a self-hosted remote MCP server.

[Any additional context, screenshots, or information that helps reviewers]

GitHub issue number?

[Link to the GitHub issue this PR addresses]

Pre-merge Checklist

  • Required for All PRs
    • Read contribution guidelines
    • PR title clearly describes the change
    • Commit history is clean with descriptive messages (cleanup guide)
    • Added comprehensive tests for new/modified functionality
    • Updated CHANGELOG.md for product changes (features, bug fixes, UI/UX, updated dependencies)
    • Spelling check passes: .\eng\common\spelling\Invoke-Cspell.ps1
  • For MCP tool changes:
    • One tool per PR: This PR adds or modifies only one MCP tool for faster review cycles
    • Updated README.md documentation
    • Updated command list in /docs/azmcp-commands.md
    • Updated test prompts in /docs/e2eTestPrompts.md
    • For new or modified tool descriptions, ran ToolDescriptionEvaluator and obtained a score of 0.4 or more and a top 3 ranking for all related test prompts
  • 👉 For Community (non-Azure team member) PRs:
    • Security review: Reviewed code for security vulnerabilities, malicious code, or suspicious activities before running tests (crypto mining, spam, data exfiltration, etc.)
    • Manual tests run: added comment /azp run mcp - pullrequest - live to run Live Test Pipeline

@anuchandy anuchandy self-assigned this Sep 4, 2025
Copilot AI review requested due to automatic review settings September 4, 2025 01:59
@anuchandy anuchandy requested a review from a team as a code owner September 4, 2025 01:59
@anuchandy anuchandy requested a review from hallipr September 4, 2025 01:59
@github-project-automation github-project-automation bot moved this to Untriaged in Azure MCP Server Sep 4, 2025

Copilot AI left a comment

Pull Request Overview

This PR introduces HTTP transport support for the MCP server as an alternative to the default STDIO transport. The changes add a new command-line option --enable-insecure-transports that allows the server to run over HTTP with CORS enabled for development purposes.

Key changes:

  • Adds HTTP transport capability with CORS configuration
  • Introduces security validation requiring production credentials when enabling insecure transports
  • Updates package dependencies to support the new HTTP transport functionality

Reviewed Changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 3 comments.

| File | Description |
| --- | --- |
| Azure.Mcp.Core.csproj | Adds ModelContextProtocol.AspNetCore package reference for HTTP transport |
| ServiceStartOptions.cs | Adds EnableInsecureTransports property to configuration options |
| ServiceOptionDefinitions.cs | Defines the new command-line option for enabling insecure transports |
| ServiceStartCommand.cs | Implements HTTP host creation and security validation logic |
| ServiceCollectionExtensions.cs | Configures MCP server with appropriate transport based on options |
| Directory.Packages.props | Updates ModelContextProtocol package versions and adds AspNetCore variant |

Comments suppressed due to low confidence (1)

core/Azure.Mcp.Core/src/Areas/Server/Commands/ServiceStartCommand.cs:1

  • According to the coding guidelines, System.Text.Json should be used instead of Newtonsoft.Json. Consider migrating to System.Text.Json for consistency.
// Copyright (c) Microsoft Corporation.

anuchandy commented Sep 4, 2025

@LarryOsterman, here is the PR based on our offline discussion.

@xiangyan99

Will this trigger the security concern again?

@github-project-automation github-project-automation bot moved this from Untriaged to In Progress in Azure MCP Server Sep 4, 2025
@joshfree joshfree enabled auto-merge (squash) September 4, 2025 20:22
@joshfree joshfree merged commit 2b08327 into microsoft:main Sep 4, 2025
26 checks passed
@github-project-automation github-project-automation bot moved this from In Progress to Done in Azure MCP Server Sep 4, 2025
feiskyer pushed a commit to feiskyer/microsoft-mcp that referenced this pull request Sep 8, 2025
* Updated live tests

* Added unit test for list keys

* Added unit tests for get key

* Added unit tests for create key

* Refactored code and removed unnecessary tests
colbytimm pushed a commit to colbytimm/microsoft-mcp that referenced this pull request Sep 27, 2025
* Enable enable-insecure-transports option

* Check for ProdCred for streaming

* allow standard ASPNETCORE_URLS and fix message

* address cspell

* improve message

* adding GetSafeAspNetCoreUrl

* restrict further