Skip to content

Mcp#3106

Merged
SudoUserReal merged 10 commits intomainfrom
mcp
Jan 4, 2026
Merged

Mcp#3106
SudoUserReal merged 10 commits intomainfrom
mcp

Conversation

@SudoUserReal
Copy link
Collaborator

@SudoUserReal SudoUserReal commented Dec 31, 2025
edited
Loading

中文模板 / Chinese Template

What kind of change does this PR introduce? (check at least one)

  • Bugfix
  • Feature
  • Code style update
  • Refactor
  • Test Case
  • TypeScript definition update
  • Document improve
  • CI/CD improve
  • Branch sync
  • Other, please describe:

PR description

Fixes #

Changelog

🇨🇳 Chinese

  • Feat: 新增 mcp, get_semi_document 获取组件文档或组件列表 get_component_file_list 获取组件文件列表 get_file_code 获取文件代码 get_function_code 获取函数实现

🇺🇸 English

  • Feat: add mcp, get_semi_document Get component documentation or component list get_component_file_list Get component file list get_file_code Get file code get_function_code Get function implementation

Checklist

  • Test or no need
  • Document or no need
  • Changelog or no need

Other

  • Skip Changelog

Additional information

github-advanced-security[bot]
github-advanced-security bot found potential problems Dec 31, 2025
View reviewed changes
github-advanced-security[bot]
github-advanced-security bot found potential problems Dec 31, 2025
View reviewed changes
ecosystem/semi-mcp/src/http.ts
Comment on lines +145 to +149
res.end(JSON.stringify({
jsonrpc: '2.0',
error: { code: -32000, message: errorMessage },
id: null,
}));

Check warning

Code scanning / CodeQL

Information exposure through a stack trace Medium

This information exposed to the user depends on
stack trace information
Loading
.

Copilot Autofix

AI about 2 months ago

In general, to fix this kind of issue you should avoid sending raw exception messages or stack traces to the client. Instead, log detailed error information on the server (including the original error/stack) and send back a generic, stable error message and possibly a coarse error code. This preserves observability for developers while preventing attackers from learning about internal structure.

For this specific file, we should keep the existing logging behavior (or expand it slightly) but change the HTTP response so it no longer includes errorMessage derived from the thrown error. Instead, return a constant, non‑sensitive message such as "Internal server error" or a localized equivalent, and keep the JSON-RPC error.code unchanged to avoid breaking clients. Optionally, we can log the full error object (including stack) with console.error, but that must not be reflected in the response.

Concretely:

  • In ecosystem/semi-mcp/src/http.ts, within the catch (error) block around lines 140–149:
    • Keep computing errorMessage for logging purposes only.
    • Keep (or slightly enhance) the server‑side console.error call.
    • Change the JSON response body so that error.message is a fixed generic string (e.g., 'Internal server error') instead of errorMessage.
  • No new imports are required; we can use console.error as already present.
  • No new functions or types are strictly needed; this is a minimal behavior-preserving change for clients except that they no longer receive internal error text.
Suggested changeset 1
ecosystem/semi-mcp/src/http.ts

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/ecosystem/semi-mcp/src/http.ts b/ecosystem/semi-mcp/src/http.ts
--- a/ecosystem/semi-mcp/src/http.ts
+++ b/ecosystem/semi-mcp/src/http.ts
@@ -139,12 +139,16 @@
             console.log(`[${new Date().toISOString()}] ${req.method} ${url.pathname} - ${res.statusCode}`);
           } catch (error) {
             const errorMessage = error instanceof Error ? error.message : String(error);
-            console.error(`[${new Date().toISOString()}] 请求处理错误:`, errorMessage);
+            // 仅在服务器端日志中记录详细错误信息,避免向客户端暴露内部细节
+            console.error(
+              `[${new Date().toISOString()}] 请求处理错误:`,
+              errorMessage
+            );
             if (!res.headersSent) {
               res.writeHead(500, { 'Content-Type': 'application/json' });
               res.end(JSON.stringify({ 
                 jsonrpc: '2.0',
-                error: { code: -32000, message: errorMessage },
+                error: { code: -32000, message: 'Internal server error' },
                 id: null,
               }));
             }
EOF
@@ -139,12 +139,16 @@
console.log(`[${new Date().toISOString()}] ${req.method} ${url.pathname} - ${res.statusCode}`);
} catch (error) {
const errorMessage = error instanceof Error ? error.message : String(error);
console.error(`[${new Date().toISOString()}] 请求处理错误:`, errorMessage);
// 仅在服务器端日志中记录详细错误信息,避免向客户端暴露内部细节
console.error(
`[${new Date().toISOString()}] 请求处理错误:`,
errorMessage
);
if (!res.headersSent) {
res.writeHead(500, { 'Content-Type': 'application/json' });
res.end(JSON.stringify({
jsonrpc: '2.0',
error: { code: -32000, message: errorMessage },
error: { code: -32000, message: 'Internal server error' },
id: null,
}));
}
Copilot is powered by AI and may make mistakes. Always verify output.
Unable to commit as this autofix suggestion is now outdated
@SudoUserReal SudoUserReal merged commit 6595398 into main Jan 4, 2026
7 of 10 checks passed
@SudoUserReal SudoUserReal deleted the mcp branch January 4, 2026 09:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@SudoUserReal