fix(mcp): anchor TP3 loopback URL exemption to a host boundary#113
Open
jichaowang02-lang wants to merge 1 commit into
Open
fix(mcp): anchor TP3 loopback URL exemption to a host boundary#113jichaowang02-lang wants to merge 1 commit into
jichaowang02-lang wants to merge 1 commit into
Conversation
`_TP3_MALICIOUS_URL_RE` exempted any default URL whose host merely *starts with* "localhost"/"127.0.0.1": the negative lookahead matched the bare substring with no host boundary. An attacker-controlled host such as `http://localhost.evil.com/exfil` was therefore treated as loopback and skipped, silently bypassing the malicious-default-URL detection in TP3 — an attacker only needs to register a host beginning with `localhost.`. Anchor the exemption with `(?:[:/?#]|$)` so only genuine loopback hosts (optionally followed by a port/path/query/fragment) are exempt. External hosts that share the prefix are now flagged; real loopback defaults (`http://localhost:8080/...`, `http://127.0.0.1/...`) stay exempt. Adds regression tests for localhost-/127.0.0.1-prefixed attacker URLs and a guard that genuine loopback defaults remain exempt. Signed-off-by: jichao wang <jichaowang02@gmail.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
The TP3 (parameter injection) analyzer's malicious-default-URL check can be
bypassed: a default value pointing at an attacker-controlled host whose
name merely starts with
localhost/127.0.0.1is treated as benignloopback and produces no finding.
Root cause
mcp_tool_poisoning.py:The negative lookahead matches the bare substring
localhost/127.0.0.1with no host boundary, so any host that begins with that prefix is
exempted.
_check_tp3gates the malicious-default finding on this regex, so anexfiltration default like
http://localhost.evil.com/exfilyields zero TP3findings. An attacker only needs to register a host beginning with
localhost.(or127.0.0.1.).http://localhost.evil.com/exfilhttp://127.0.0.1.evil.com/xhttp://attacker.com/exfilhttp://localhost:8080/cb(loopback)http://127.0.0.1/cb(loopback)Fix
Anchor the loopback exemption to a real host boundary (port / path / query /
fragment / end of string):
r"https?://(?!(?:localhost|127\.0\.0\.1)(?:[:/?#]|$))\S+"Only genuine loopback hosts are exempt; external hosts that share the prefix
are now flagged.
Testing
Adds
test_localhost_prefixed_attacker_url_is_flagged(the bypass cases) andtest_genuine_loopback_default_url_is_exempt(regression guard). Verifiedend-to-end against
_check_tp3/node()on Python 3.13.(No pre-existing issue — newly found while reading the analyzer. Commit is
DCO
Signed-off-by.)