fix: Bind to localhost by default + redact API secrets from tool results#1
Open
taylorodell wants to merge 1 commit into
Open
Conversation
…ntext - Default bind to 127.0.0.1 instead of 0.0.0.0 (serve + start --transport sse) - Add --host flag to override binding when network access is needed - Replace wildcard Access-Control-Allow-Origin: * with opt-in --allowed-origins - Redact api_secret fields from tool results before they enter LLM context - Add SECURITY.md documenting the threat model and mitigations
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
This PR addresses two security vulnerabilities in the MCP server's HTTP transports:
1. DNS Rebinding / Network Exposure (Critical for provisioning-tier credentials)
The
serveandstart --transport ssecommands previously bound to0.0.0.0withAccess-Control-Allow-Origin: *, making the server accessible to any device on the network and any web origin. Since this server handles organization-level provisioning credentials (capable of creating/deleting sub-accounts, users, roles, and access keys), this exposure is critical.Changes:
0.0.0.0to127.0.0.1(localhost-only)--hostflag to explicitly opt into network exposure when needed (e.g., Docker)Access-Control-Allow-Origin: *with opt-in--allowed-originsflag--host 0.0.0.0is usedThis is the same vulnerability class as cloudinary/analysis-mcp#1.
2. API Secret Exposure to LLM Context
The
access-keys-listandaccess-keys-generatetools return Cloudinary API responses verbatim, includingapi_secretfields in plaintext. These secrets are then passed into the LLM context window where they may be:Changes:
redactSecrets()post-processing informatResult()that strips any JSON field matching/^(api_secret|secret|.*_secret)$/ibefore returning to the LLMAdditional
SECURITY.mddocumenting the threat model and security recommendationsMigration / Breaking Changes
0.0.0.0binding must now pass--host 0.0.0.0explicitly (or keep the-pport mapping which handles this via Docker networking)--allowed-originsapi_secretfrom tool results will now see[REDACTED]— use the Cloudinary Console to retrieve secrets directly