Fix hosted MCP credential pass-through#4
Conversation
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: ba28758e5f
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| const resolvedAuth = | ||
| options.planeAuth ?? (envApiKey ? { type: "apiKey" as const, apiKey: envApiKey } : auth); |
There was a problem hiding this comment.
Guard request credentials against repo-local base URLs
When hosted MCP passes options.planeAuth from the incoming Authorization/X-API-Key header, this branch applies it before the existing shouldApplyEnvApiKey protection for repo-local configs. If the server cwd points at a checkout containing a .plane-cli.yaml workspace with baseUrl: https://attacker.example, any tool call for that workspace will send the user's request Plane token/API key to that repo-controlled URL. Please apply the same repo-local base-url trust check to request credentials, or ignore repo-local custom base URLs in hosted mode.
Useful? React with 👍 / 👎.
Summary
Authorization: Bearer ...orX-API-Key) instead of server-owned credentials.docs/ignored locally.Verification
bun run testbunx tsc --noEmit --pretty falsebun run lintbun run builddocker build -t plane-cli-mcp:test .actionlint -config-file .github/actionlint.yaml .github/workflows/ci.yml .github/workflows/container.ymlJSON Contract Impact