fix(security): source-less in-process TPA description scanner (MCP-2082)#636
Merged
Conversation
Remote http/sse servers have no source files or Docker container, so every bundled (Docker-image) scanner prefails on image availability and the engine reports "all scanners failed" / "No Source Available" with Risk 0 — even though the connected server's tool descriptions/schemas are available and should still get a Tool-Poisoning-Attack scan. Add a built-in, Docker-less scanner `tpa-descriptions` that runs in-process for any connected server: - ScannerPlugin gains an InProcess flag; such scanners seed as "installed" (always on) and skip the Docker image-availability gate. - The engine branches to runInProcessScanner, which reads the exported tools.json and runs description/schema heuristics (hidden instructions, prompt-injection phrasing, data-exfiltration hints) plus embedded-secret detection via the existing security.Detector. - The description scan is a Pass-1 concern; Pass-2 (supply chain audit) skips it. Result: a remote server with no source still produces a real description-based TPA scan + risk score that COMPLETES, instead of the dead-end. Related MCP-2082
Deploying mcpproxy-docs with
|
| Latest commit: |
ca2e98f
|
| Status: | ✅ Deploy successful! |
| Preview URL: | https://d9110c83.mcpproxy-docs.pages.dev |
| Branch Preview URL: | https://mcp-2082-tpa-descriptions.mcpproxy-docs.pages.dev |
| } | ||
|
|
||
| toolsPath := filepath.Join(req.SourceDir, "tools.json") | ||
| data, err := os.ReadFile(toolsPath) |
|
Codecov Report❌ Patch coverage is
📢 Thoughts on this report? Let us know! |
📦 Build ArtifactsWorkflow Run: View Run Available Artifacts
How to DownloadOption 1: GitHub Web UI (easiest)
Option 2: GitHub CLI gh run download 27398917668 --repo smart-mcp-proxy/mcpproxy-go
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem (MCP-2082)
A connected remote server (e.g.
com.googleapis.sqladmin/mcpover http) hits Scan Now and gets:This is wrong for a remote server: there is no source/Docker, but the connected server's tool descriptions/schemas are available and should still get a Tool-Poisoning-Attack (TPA) scan.
Root cause
Every bundled scanner is Docker-image based and requires a mountable
/scan/source. On a host without those images pulled, all of them prefail (Docker image … not available locally), the engine has no source-less scanner, so it reportsall scanners failed(engine.go) and the UI shows the dead-end.Fix
Add a built-in, Docker-less scanner
tpa-descriptionsthat runs in-process for any connected server:ScannerPlugin.InProcessflag — such scanners seed asinstalled(always on) and skip the Docker image-availability gate inresolveScanners.Engine.runSingleScannerbranches torunInProcessScanner, which reads the already-exportedtools.jsonand runs description/schema heuristics — hidden instructions, prompt-injection phrasing, data-exfiltration hints — plus embedded-secret detection via the existingsecurity.Detector.Result: a remote server with no source now produces a real description-based TPA scan + risk score that completes, instead of
all scanners failed/No Source Available.Tests (TDD, all green)
inprocess_test.go— hidden instructions detected, clean tools → no findings, documented example AWS key ignored, exfiltration phrasing detected.engine_test.go— end-to-end: a remote-style scan (no Docker, onlytools.json) completes with findings and non-zero risk (not "all failed"); in-process scanner always resolves and never prefails.registry_test.go— in-process scanner isinstalledby default with no image.Verification
go build ./...(personal +-tags server) ✅go vet ./internal/security/...✅go test ./internal/security/... -race✅go test ./internal/storage/✅./scripts/run-linter.sh→ 0 issues ✅Docs
docs/features/security-scanner-plugins.mdupdated (registry now 8 scanners; new always-on in-process entry documented).Notes
source_methodstaysurl/tool_definitions_onlyfor connected servers), the "No Source Available" dead-end no longer applies. No frontend change in scope.Related MCP-2082