feat(CREDENTIALS_IN_URL): flag credentials embedded in the transport URL#42
Open
dmchaledev wants to merge 1 commit into
Open
feat(CREDENTIALS_IN_URL): flag credentials embedded in the transport URL#42dmchaledev wants to merge 1 commit into
dmchaledev wants to merge 1 commit into
Conversation
An MCP transport/serverUrl of the form `scheme://user:password@host` embeds long-lived credentials directly in the connection string. Those credentials leak through access/proxy logs, browser history, and Referer headers — TLS does not protect them, because the exposure happens at the endpoints, not on the wire (CWE-522 / CWE-598). Previously such a config scanned completely clean (0 findings, PASSED), a false negative on a real credential-exposure vector that none of the existing rules cover. Add a HIGH-severity `CREDENTIALS_IN_URL` rule that parses the transport URL with the WHATWG URL API and fires on any non-empty userinfo component. The password is redacted in the finding evidence so the scanner never echoes the secret it flags. Because embedded credentials are visible in the URL string itself, the rule is URL-evaluable and runs in URL mode too — giving that mode its first genuine security finding. - New RuleId.CREDENTIALS_IN_URL, auto-included in `--rule` validation and help. - Added to URL_EVALUABLE_RULES so it runs against a bare endpoint URL. - Tests: user:pass and bare user@, wss://, serverUrl fallback, redaction, unparseable/clean/absent URLs, and URL-mode integration + no-secret-leak. - README "What It Checks" notes the new detection. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01XgH2BbU7WoCekW6n8QxcNE
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
A transport/
serverUrlof the formscheme://user:password@hostembeds long‑lived credentials directly in the connection string. Today the scanner has no rule for this, so such a config scans completely clean:That's a false negative on a real, well‑known credential‑exposure vector (CWE‑522 / CWE‑598): credentials in a URL leak through access/proxy logs, browser history, and
Refererheaders. TLS does not protect them — the exposure happens at the endpoints, not on the wire — soMISSING_TLS/INSECURE_TRANSPORTdon't cover it, and the secret‑scanning patterns (sk-…,ghp_…,AKIA…,password=…) don't match a URL userinfo component either.This gap is independent of the current backlog — no open/closed issue or PR references URL userinfo / embedded credentials. (The
EXPOSED_SECRETSPRs all target API‑key/token/password patterns in string values.)Change
Add a HIGH‑severity
CREDENTIALS_IN_URLrule that parses the transport URL with the WHATWGURLAPI and fires on any non‑emptyusername(with or without a password).transport.url: https://admin:***@mcp.example.com/mcp) — the scanner never echoes the secret it flags.URL_EVALUABLE_RULESand runs in URL mode too — giving that mode its first genuine (non‑transport‑scheme) security finding.RuleIdis auto‑included in--rulevalidation and--help(both derive from the enum), so no CLI wiring changes were needed.Tests
user:password@, bareuser@,wss://,serverUrlfallback, evidence redaction, and the clean/absent/unparseable negatives.Full suite: 128 passed.
typecheck,lint(--max-warnings 0), andbuildall clean.Docs
README "What It Checks" now mentions credentials embedded in the connection URL.
🤖 Generated with Claude Code
https://claude.ai/code/session_01XgH2BbU7WoCekW6n8QxcNE
Generated by Claude Code