Security hardening: MCP gateway fixes, notification bypass, DLP scanning, code consolidation #35

Merged: chen-zichen merged 2 commits into main from fix2 on Feb 27, 2026

@cyyever (Collaborator) commented Feb 27, 2026

Summary

  • MCP gateway: close 3 security bypasses — sampling/createMessage and elicitation/create methods now inspected; batch arrays no longer forwarded unexamined; resources/read URI params properly extracted
  • Fix notification bypass — Notifications with security-relevant methods (e.g. tools/call, fs/read_text_file)
    now go through the converter + rule engine, not just DLP scanning
  • Response DLP scanning — Bidirectional stdio proxy inspection; outbound responses scanned for leaked secrets
    in both result and error fields
  • Replace hand-rolled shellQuote — Use mvdan.cc/sh/v3 syntax.Quote instead of custom implementations
  • Code consolidation — Extract scanDLP() / forwardLine() helpers, shared testutil.NewEngine(), deduplicate
    test coverage across proxy layers

Test plan

  • go build ./... passes
  • go test -race ./... passes
  • Tested manually (describe below)

Security checklist

  • No new path traversal or glob bypass vectors
  • No secrets or credentials in code

- JSON-RPC batch bypass: extract processMessage() from PipeInspect loop,
  add processBatch() that inspects each element individually
- Notification params DLP: scan Params field on notifications (method+no id)
  to catch secrets embedded by malicious servers
- Server-initiated MCP methods: add sampling/createMessage and
  elicitation/create to security-relevant method conversion
…ax.Quote

- Fix notification bypass: notifications with security-relevant methods
  (tools/call, fs/read_text_file, etc.) now go through converter + rule
  engine, not just DLP scanning
- Extract scanDLP() and forwardLine() helpers in pipe.go
- Replace hand-rolled shellQuote with mvdan.cc/sh syntax.Quote
- Add shared testutil.NewEngine() test helper
- Remove redundant tests that duplicate coverage from jsonrpc layer
@chen-zichen chen-zichen merged commit 19f7ff1 into main Feb 27, 2026
6 checks passed
@chen-zichen chen-zichen deleted the fix2 branch February 27, 2026 13:44
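
The batch and notification fixes described in the summary and commit messages above, as an added Go example that is not code from this pull request or the project. The names `inspectOne`, `inspectLine` and the fixed `sensitive` set are hypothetical stand-ins; the project's own `processMessage()`, `processBatch()`, converter and rule engine are not shown on this page.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
)

// Methods named in the PR summary. The fixed set stands in for the project's
// converter and rule engine, whose API is not shown on this page (assumption).
var sensitive = map[string]bool{
	"tools/call": true, "fs/read_text_file": true, "resources/read": true,
	"sampling/createMessage": true, "elicitation/create": true,
}

// inspectOne returns a hold reason for one message, or "" to forward it. It
// never reads "id", so a notification (method, no id) is checked like a request.
func inspectOne(raw []byte) string {
	var m struct{ Method string `json:"method"` }
	if err := json.Unmarshal(raw, &m); err != nil {
		return "unparseable message"
	}
	if sensitive[m.Method] {
		return "rule check required: " + m.Method
	}
	return ""
}

// inspectLine handles one line from the stdio pipe. A batch (JSON array) is
// split and each element inspected; one flagged element holds the whole line.
func inspectLine(line []byte) string {
	line = bytes.TrimSpace(line)
	if len(line) == 0 || line[0] != '[' {
		return inspectOne(line)
	}
	var batch []json.RawMessage
	if err := json.Unmarshal(line, &batch); err != nil {
		return "unparseable batch"
	}
	for i, el := range batch {
		if reason := inspectOne(el); reason != "" {
			return fmt.Sprintf("batch[%d]: %s", i, reason)
		}
	}
	return ""
}

// main runs a constructed batch: a ping plus a tools/call notification.
func main() { fmt.Println(inspectLine([]byte(`[{"id":1,"method":"ping"},{"method":"tools/call"}]`))) }
```

Malformed input fails closed here: a line or batch that does not parse is held rather than forwarded.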