Contrib.social

Security improvements

Open on Drupal.org β†’
Created on 28 May 2025, 9 days ago

Problem/Motivation

There are security improvements that need to be done to get the security advisory coverage. The main ones mentioned by @marcus_johansson

  • You have to be able to set which roles can use the MCP server via permissions
  • For token authentication - you have to be able to choose which user the token authentication can spoof as
  • In MCP Extra - the content types when not picked, should be opt-in
  • In Dev Tools - it is experimental, and it should only be for local development, but I feel like you should remove eval command here. Otherwise, it is an open RCE, if someone forgets about it. In general allowing what commands to allow here, would be good

Remaining tasks

  • Add and use 'use mcp server' permission
  • Give user possibility to choose user when enable token auth
  • Make content typles disabled by default when enable content type plugin
  • Find a way to disable eval, or think about how to implement allowed commands
πŸ“Œ Task
Status

Active

Version

1.0

Component

Code

Created by

πŸ‡¬πŸ‡ͺGeorgia gagosha

Live updates comments and jobs are added and updated live.
  • Security improvements

    It makes Drupal less vulnerable to abuse or misuse. Note, this is the preferred tag, though the Security tag has a large body of issues tagged to it. Do NOT publicly disclose security vulnerabilities; contact the security team instead. Anyone (whether security team or not) can apply this tag to security improvements that do not directly present a vulnerability e.g. hardening an API to add filtering to reduce a common mistake in contributed modules.

Sign in to follow issues

Merge Requests

Comments & Activities

  • Issue created by @gagosha
  • Merge request !14Resolve #3526963 "Security improvements" β†’ (Merged) created by Unnamed author
  • Comment 8 days ago β†’
    πŸ‡¬πŸ‡ͺGeorgia gagosha

    1. Add 'use mcp server' permission and access checks

    • Added new permission use mcp server for basic MCP access
    • Updated routing to require this permission for the /mcp/post endpoint
    • Implemented hasAccess() checks in plugin base class with support for administrative override
    • Added permission validation in JSON-RPC methods (ResourcesRead, ToolsCall)

    2. Token authentication user selection

    • Added user selection field in authentication settings form
    • Token authentication can now be configured to use any user account
    • Updated McpAuthProvider to load the configured user instead of hardcoded user 1
    • Added validation to ensure configured user exists and is active
    • Improved flood protection to use correct user ID

    3. Content plugin opt-in behavior

    • Changed default behavior to opt-in (all content types disabled by default)
    • Updated form to clearly indicate opt-in behavior with description
    • Modified isContentTypeEnabled() to return FALSE by default
    • Added test updates to reflect new behavior

    4. DrushCaller security improvements

    • Implemented command allowlist system with categorization by risk level:
      • Safe commands (read-only, enabled by default)
      • Moderate risk (cache operations, disabled by default)
      • Dangerous commands (database/file modifications, disabled by default with warnings)
    • Added form-based configuration for granular command control
    • Implemented strict mode for exact command matching
    • Added ability to configure custom commands
    • Command validation in both getTools() and executeTool() methods
    • Clear security warnings in UI for dangerous commands
  • Comment 8 days ago β†’
    πŸ‡¬πŸ‡ͺGeorgia gagosha
  • Comment 5 days ago β†’
    System Message
  • Comment 4 days ago β†’
    πŸ‡¬πŸ‡ͺGeorgia jibla

    @gagosha
    βœ… 1. I see the permission.
    βœ… 2. I see user selection in token authentication.
    βœ… 3. Content types are disallowed by default.
    ❓4. Regarding drush - I don't see the granular form described, but the textarea. Is it how its intended to be used?

  • Comment 3 days ago β†’
    πŸ‡¬πŸ‡ͺGeorgia gagosha

    @jibla, just update the above comment for DrushCaller. Since the allowlist categorization doesn’t seem so stable, I decided to make it a text area where the user can opt-in to allowed commands or use the * wildcard.

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024