Conversation

Collaborator

@blva blva commented Sep 10, 2025

Proposed changes

Addresses [REC7]: Warn users when they try to change localhost bindings to 0.0.0.0 or other non-local network interfaces.

[WARNING] 1006009 - streamableHttpTransport: Binding to 0.0.0.0 can expose the MCP Server to the entire local network, which allows other devices on the same network to potentially access the MCP Server. This is a security risk and could allow unauthorized access to your database context. (46537)

@blva blva changed the title chore: warn about insecure httpHost usage chore: warn about insecure httpHost usage - MCP-184 Sep 10, 2025
@blva blva marked this pull request as ready for review September 10, 2025 13:31
Copilot AI review requested due to automatic review settings September 10, 2025 13:31
@blva blva requested a review from a team as a code owner September 10, 2025 13:31
Contributor

Copilot AI left a comment

Pull Request Overview

This PR adds a security warning to alert users when they bind the MCP Server to 0.0.0.0, which exposes it to the entire local network and poses security risks.

  • Adds a warning log when httpHost is set to 0.0.0.0
  • Creates a new log ID for the security warning message

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File / Description
src/transports/streamableHttp.ts: Adds security warning logic after server startup when httpHost is "0.0.0.0"
src/common/logger.ts: Adds new log ID constant for the HTTP host security warning

noRedaction: true,
});

if (this.userConfig.httpHost === "0.0.0.0") {
Copilot AI Sep 10, 2025

The warning only checks for exact match of '0.0.0.0'. Consider also warning for other non-localhost bindings like '::' (IPv6 all interfaces) or specific external IP addresses that could expose the server to unauthorized access.

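An added example, not code from the PR or its project, of how the startup check could cover the cases the review raises ("::" and external addresses) rather than only the literal "0.0.0.0". The function names, the treatment of unresolvable hostnames as external, and the warning wording are assumptions made here:

```typescript
// Added example (not from the PR or its project): classify an httpHost value so the
// startup warning covers "::", IPv4-mapped and external addresses, not only "0.0.0.0".
type BindScope = "loopback" | "unspecified" | "external";
// Expand an IPv6 literal into its 8 16-bit groups; null if it is not a valid literal.
function ipv6Groups(host: string): number[] | null {
  if (!host.includes(":")) return null;
  const halves = host.split("::");
  if (halves.length > 2) return null;
  const left = halves[0] ? halves[0].split(":") : [];
  const right = halves.length === 2 && halves[1] ? halves[1].split(":") : [];
  const fill = halves.length === 2 ? 8 - left.length - right.length : 0;
  if (fill < 0) return null;
  const groups = [...left, ...Array<string>(fill).fill("0"), ...right];
  if (groups.length !== 8 || groups.some((g) => !/^[0-9a-f]{1,4}$/.test(g))) return null;
  return groups.map((g) => parseInt(g, 16));
}
// Decide whether a bind address is confined to the local machine.
function classifyBindHost(rawHost: string): BindScope {
  // Normalise case, trim, drop "[...]" brackets; treat "localhost" as loopback.
  let host = rawHost.trim().toLowerCase().replace(/^\[(.*)\]$/, "$1");
  if (host === "localhost") return "loopback";
  // Unwrap IPv4-mapped IPv6 ("::ffff:127.0.0.1") so the IPv4 rules below apply.
  const mapped = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/.exec(host);
  if (mapped) host = mapped[1];
  const v4 = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (v4) {
    const octets = v4.slice(1).map(Number);
    if (octets.some((o) => o > 255)) return "external"; // malformed: never assume it is safe
    if (octets.every((o) => o === 0)) return "unspecified"; // 0.0.0.0 = every interface
    return octets[0] === 127 ? "loopback" : "external"; // 127.0.0.0/8 is loopback
  }
  const v6 = ipv6Groups(host);
  if (v6) {
    if (v6.every((g) => g === 0)) return "unspecified"; // "::" = every interface
    if (v6[7] === 1 && v6.slice(0, 7).every((g) => g === 0)) return "loopback"; // "::1"
    return "external";
  }
  // Assumption: a hostname we cannot resolve offline may be reachable from outside, so warn.
  return "external";
}
// Message to log at startup, or null when the bind is loopback-only.
function bindWarning(httpHost: string): string | null {
  const scope = classifyBindHost(httpHost);
  if (scope === "loopback") return null;
  const where = scope === "unspecified" ? "all network interfaces" : "a non-loopback address";
  return `streamableHttpTransport: Binding to ${httpHost} listens on ${where} and can expose ` +
    "the MCP Server to other devices on the network.";
}
```

Calling `bindWarning(this.userConfig.httpHost)` at the point where the PR checks for `"0.0.0.0"` would emit the warning for `"::"`, `"[::]"`, `"::ffff:0.0.0.0"` and any specific external address as well.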
@coveralls
Collaborator

Pull Request Test Coverage Report for Build 17615294858

Details

  • 2 of 6 (33.33%) changed or added relevant lines in 2 files are covered.
  • 6 unchanged lines in 1 file lost coverage.
  • Overall coverage increased (+0.1%) to 81.412%

Changes Missing Coverage | Covered Lines | Changed/Added Lines | %
src/transports/streamableHttp.ts | 1 | 5 | 20.0%

Files with Coverage Reduction | New Missed Lines | %
src/transports/streamableHttp.ts | 6 | 54.9%

Totals | Coverage Status
Change from base Build 17615110273 | 0.1%
Covered Lines | 4783
Relevant Lines | 5780

💛 - Coveralls

@blva blva merged commit dd7760b into main Sep 10, 2025
16 of 17 checks passed
@blva blva deleted the MCP-184 branch September 10, 2025 13:48