Skip to content

Cross session dataleakage fix#71

Open
Tobiasee16 wants to merge 4 commits into
mainfrom
Cross-session-dataleakage
Open

Cross session dataleakage fix#71
Tobiasee16 wants to merge 4 commits into
mainfrom
Cross-session-dataleakage

Conversation

@Tobiasee16
Copy link
Copy Markdown
Collaborator

@Tobiasee16 Tobiasee16 commented May 15, 2026

Problem:
Any client knowing a chat_id (a UUID) could directly call get_drawn_layers(session_id=<victim_id>) and retrieve another user's map geometry.

Fix:

  • Added mcp_auth.py. This makes it impossible for other users to call tool endpoints directly from the outside by generating a new token when the server starts.
  • All six entries in server.py are now wrapped with MCPAuthMiddleware
  • session:manager.py includes the token as a header in every MCP server registration so the Copilot SDK includes it automatically on outgoing ccalls.
    @Tobiasee16
    Tobiasee16 committed yesterday
  • Add _ALLOWED_HOSTS frozenset; _fetch_json now rejects any URL whose scheme is not https or hostname is not ws.geonorge.no

Tobiasee16 added 3 commits May 14, 2026 12:55
@Tobiasee16
Block unauthenticated access to MCP endpoints
668368d 
Problem:
Any client knowing a chat_id (a UUID) could directly call get_drawn_layers(session_id=<victim_id>) and retrieve another user's map geometry.

Fix:
- Added mcp_auth.py. This makes it impossible for other users to call tool endpoints directly from the outside by generating a new token when the server starts.
- All six entries in server.py are now wrapped with MCPAuthMiddleware
- session:manager.py includes the token as a header in every MCP server registration so the Copilot SDK includes it automatically on outgoing ccalls.
@Tobiasee16
Fix geo_server: Allowlist
f49b683 
- Add _ALLOWED_HOSTS frozenset; _fetch_json now rejects any URL whose scheme is not https or hostname is not ws.geonorge.no
@Tobiasee16
Merge branch 'main' into Cross-session-dataleakage
72ac79e
sigurdbrekke
sigurdbrekke reviewed May 18, 2026
View reviewed changes
Copy link
Copy Markdown
Collaborator

@sigurdbrekke sigurdbrekke left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, men lurer på hvor og hva MCP_INTERNAL_SECRET er?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sigurdbrekke sigurdbrekke sigurdbrekke left review comments

@TriggeredBanana TriggeredBanana Awaiting requested review from TriggeredBanana

@oliverhallow oliverhallow Awaiting requested review from oliverhallow

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@Tobiasee16 @sigurdbrekke