fix(security): extend MCP env var blocklist and fix audit logger silent drop#2446
Merged
…nt drop

Closes #2437, closes #2438.

- Extend `is_dangerous_env_var()` in `mcp_bridge.rs` to block PATH (path hijacking), HTTP_PROXY/HTTPS_PROXY/ALL_PROXY/NO_PROXY (proxy interception), BASH_ENV/ENV (shell startup injection), and PYTHONPATH/NODE_PATH/RUBYLIB (runtime module injection). These vars were not filtered by PR #2436.
- Replace silent `return` in `AuditLogger::log()` with `tracing::error!("audit entry serialization failed: {err}")` so serialization failures are observable in logs instead of silently dropped.
- Update and extend tests for both changes.

Note: #2412 was already resolved in PR #2423 (ProtocolVersion::LATEST in discovery handler); CHANGELOG entry added only.
This was linked to issues (Closed) on Mar 30, 2026.
Summary

- Extend `is_dangerous_env_var()` in `crates/zeph-acp/src/mcp_bridge.rs`. PR feat(security): MCP→ACP confused-deputy boundary enforcement and security model audit #2436 only blocked library injection vectors (`LD_PRELOAD`, `DYLD_*`). This PR adds the remaining attack surface: `PATH` (path hijacking), `HTTP_PROXY`/`HTTPS_PROXY`/`ALL_PROXY`/`NO_PROXY` (proxy interception), `BASH_ENV`/`ENV` (shell startup injection), `PYTHONPATH`/`NODE_PATH`/`RUBYLIB` (runtime module injection).
- Replace silent `return` in `AuditLogger::log()` with `tracing::error!("audit entry serialization failed: {err}")` so broken audit entries are observable in logs.
- #2412 was already resolved in PR #2423 (`ProtocolVersion::LATEST` in discovery handler). CHANGELOG entry added.
Test plan

- `cargo +nightly fmt --check` — clean
- `cargo clippy --workspace -- -D warnings` — clean
- `cargo nextest run --workspace --features full --lib --bins` — 7279 passed
- Tests in `mcp_bridge.rs` cover all 14 newly-blocked env var names plus case-insensitivity
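The blocklist check described in the Summary, as an added example that is not the project's own `is_dangerous_env_var()` from `mcp_bridge.rs`: a case-insensitive exact-name set for the variables the PR lists, a `DYLD_` prefix match for the family blocked earlier, and a `sanitize_env()` wrapper (a hypothetical helper) that returns the dropped names so the caller can log each rejection instead of discarding it silently, the same observability point the audit-logger fix makes. The sample environment in `main` is constructed.

```rust
use std::collections::BTreeMap;

// Exact names (matched case-insensitively) that a client-supplied environment
// must not be allowed to set on a spawned MCP server process.
const BLOCKED_EXACT: &[&str] = &[
    "LD_PRELOAD",                                         // library injection (blocked by #2436)
    "PATH",                                               // path hijacking
    "HTTP_PROXY", "HTTPS_PROXY", "ALL_PROXY", "NO_PROXY", // proxy interception
    "BASH_ENV", "ENV",                                    // shell startup injection
    "PYTHONPATH", "NODE_PATH", "RUBYLIB",                 // runtime module injection
];

// Name families matched by prefix; DYLD_* covers the macOS dynamic-loader knobs.
const BLOCKED_PREFIXES: &[&str] = &["DYLD_"];

/// Returns true if `name` must be stripped before spawning. The comparison is
/// ASCII case-insensitive so `path` and `Https_Proxy` are caught as well.
pub fn is_dangerous_env_var(name: &str) -> bool {
    let upper = name.to_ascii_uppercase();
    BLOCKED_EXACT.contains(&upper.as_str())
        || BLOCKED_PREFIXES.iter().any(|prefix| upper.starts_with(*prefix))
}

/// Splits a requested environment into the allowed map and the list of names
/// that were dropped. Returning the dropped names (instead of discarding them)
/// lets the caller emit a log line per rejected variable.
pub fn sanitize_env<I>(requested: I) -> (BTreeMap<String, String>, Vec<String>)
where
    I: IntoIterator<Item = (String, String)>,
{
    let mut allowed = BTreeMap::new();
    let mut dropped = Vec::new();
    for (name, value) in requested {
        if is_dangerous_env_var(&name) {
            dropped.push(name);
        } else {
            allowed.insert(name, value);
        }
    }
    (allowed, dropped)
}

fn main() {
    // Constructed sample of what an MCP client might ask the bridge to pass through.
    let requested = vec![
        ("MCP_SERVER_PORT".to_string(), "8080".to_string()),
        ("path".to_string(), "/tmp/untrusted-bin:/usr/bin".to_string()),
        ("Https_Proxy".to_string(), "http://127.0.0.1:8888".to_string()),
        ("DYLD_INSERT_LIBRARIES".to_string(), "/tmp/hook.dylib".to_string()),
        ("RUST_LOG".to_string(), "info".to_string()),
    ];
    let (allowed, dropped) = sanitize_env(requested);
    for name in &dropped {
        // Stand-in for a `tracing` call; the point is that every rejection is visible.
        eprintln!("dropped dangerous env var from MCP server config: {name}");
    }
    println!("allowed environment: {allowed:?}");
}
```

Matching on the exact uppercased name keeps unrelated variables such as `PATHOGEN` or `ENVIRONMENT` out of the blocklist; only the `DYLD_` family is matched by prefix because the loader honours many differently named variables there.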