Security hardening: MCP server auth + client URL validation#448
Draft
Security hardening: MCP server auth + client URL validation#448
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Addresses security scan findings #14 (MCP server mounted without auth) and #15 (MCP client accepts arbitrary URLs). .NET half of a 3-SDK PR set (TS + PY are separate PRs on the same branch name).
#14 — MCP server auth
New
McpPluginOptionsclass with an opt-inRequireAuthdelegate. New overload on the existing extension method:```csharp
builder.AddTeamsMcp(options =>
{
options.RequireAuth = ctx =>
Task.FromResult(ctx.Request.Headers.Authorization.ToString() == "Bearer ...");
});
```
Delegate signature:
Func<HttpContext, Task<bool>>.false/throw → 401 via an ASP.NET Core middleware path-filtered to/mcp. Parameterless.AddTeamsMcp()overload is unchanged (backward compatible). WhenRequireAuthis unset, a one-time startup warning fires.#15 — MCP client SSRF
New
UrlValidation.csgate, called in bothFetchToolsFromServerandCallMcpToolbefore transport creation. Two new fields onMcpClientPluginParams:AllowPrivateNetwork: bool = false— block RFC1918, loopback, link-local, IPv6 unique-local / site-localValidateUrl: Func<Uri, Task<bool>>?— when set, fully replaces the default scheme + host-network checksDefault policy: scheme ∈ {
http,https}; if notAllowPrivateNetwork, resolve host viaDns.GetHostAddressesAsyncand reject private addresses. IP literals short-circuit DNS. InternalHostResolverseam for testability.Behavior change to be aware of
MCP client calls that previously pointed at localhost / on-prem MCP servers will now fail with
UrlValidationExceptionunlessAllowPrivateNetwork = trueis set on the call's params. Set the flag for intentional on-prem deployments.Design docs
design/mcp-server-auth-options.mddesign/mcp-client-ssrf-options.mdE2E verified
/mcpreturns 401 without/wrong auth, 400 ("Mcp-Session-Id header is required") on correct bearer (past middleware)/v3/conversations/devtools/activities);/devtoolsUI unaffected (200)RequireAuthis unset; silent when setNote on DNS rebinding
Default private-network filter rejects at registration time but does not prevent DNS rebinding. Known residual risk; call out if follow-up work is wanted.