fix: noto 1426 jira mcp atlassian vuln updates (#18)

* fix(confluence): add path traversal guard for attachment downloads (sooperset#987)

Add validate_safe_path() utility that resolves symlinks via
Path.resolve() and validates containment with is_relative_to().
Guard Confluence download_attachment() and
download_content_attachments() against path traversal.
Refactor Jira attachment guards to use the shared utility,
strengthening them with symlink resolution.

Addresses GHSA-xjgw-4wvw-rgm4.

Reported-by: yotampe-pluto
Github-Issue: sooperset#984

* update version

* ai gen test fixes :/

* .

* skip instead of ai slop

* delete more stuff

* more

* remove  more changes

* revert more changes

* disable confluence on main

---------

Co-authored-by: Hyeonsoo Lee <32061883+sooperset@users.noreply.github.com>

Author: tanzimCohere

README.md

@@ -1,5 +1,7 @@
 # MCP Atlassian
 
+## WARNING: Confluence not supported in this fork, we will clean up soon
+
 ![PyPI Version](https://img.shields.io/pypi/v/mcp-atlassian)
 ![PyPI - Downloads](https://img.shields.io/pypi/dm/mcp-atlassian)
 ![PePy - Total Downloads](https://static.pepy.tech/personalized-badge/mcp-atlassian?period=total&units=international_system&left_color=grey&right_color=blue&left_text=Total%20Downloads)

pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "mcp-atlassian"
-version = "0.11.9+cohere.3"
+version = "0.11.9+cohere.4"
 description = "The Model Context Protocol (MCP) Atlassian integration is an open-source implementation that bridges Atlassian products (Jira and Confluence) with AI language models following Anthropic's MCP specification. This project enables secure, contextual AI interactions with Atlassian tools while maintaining data privacy and security. Key features include:"
 readme = "README.md"
 requires-python = ">=3.10"

src/mcp_atlassian/jira/attachments.py

@@ -6,6 +6,7 @@
 from typing import Any
 
 from ..models.jira import JiraAttachment
+from ..utils.io import validate_safe_path
 from .client import JiraClient
 from .protocols import AttachmentsOperationsProto
 
@@ -36,6 +37,9 @@ def download_attachment(self, url: str, target_path: str) -> bool:
             if not os.path.isabs(target_path):
                 target_path = os.path.abspath(target_path)
 
+            # Guard against path traversal (resolves symlinks)
+            validate_safe_path(target_path)
+
             logger.info(f"Downloading attachment from {url} to {target_path}")
 
             # Create the directory if it doesn't exist
@@ -82,6 +86,9 @@ def download_issue_attachments(
         if not os.path.isabs(target_dir):
             target_dir = os.path.abspath(target_dir)
 
+        # Guard against path traversal (resolves symlinks)
+        validate_safe_path(target_dir)
+
         logger.info(
             f"Downloading attachments for {issue_key} to directory: {target_dir}"
         )

src/mcp_atlassian/servers/main.py

@@ -24,7 +24,6 @@
 from mcp_atlassian.utils.logging import mask_sensitive
 from mcp_atlassian.utils.tools import get_enabled_tools, should_include_tool
 
-from .confluence import confluence_mcp
 from .context import MainAppContext
 from .jira import jira_mcp
 
@@ -61,19 +60,7 @@ async def main_lifespan(app: FastMCP[MainAppContext]) -> AsyncIterator[dict]:
             logger.error(f"Failed to load Jira configuration: {e}", exc_info=True)
 
     if services.get("confluence"):
-        try:
-            confluence_config = ConfluenceConfig.from_env()
-            if confluence_config.is_auth_configured():
-                loaded_confluence_config = confluence_config
-                logger.info(
-                    "Confluence configuration loaded and authentication is configured."
-                )
-            else:
-                logger.warning(
-                    "Confluence URL found, but authentication is not fully configured. Confluence tools will be unavailable."
-                )
-        except Exception as e:
-            logger.error(f"Failed to load Confluence configuration: {e}", exc_info=True)
+        raise NotImplementedError("confluence unsupported for now")
 
     app_context = MainAppContext(
         full_jira_config=loaded_jira_config,
@@ -161,6 +148,8 @@ async def _mcp_list_tools(self) -> list[MCPTool]:
             # Exclude Jira/Confluence tools if config is not fully authenticated
             is_jira_tool = "jira" in tool_tags
             is_confluence_tool = "confluence" in tool_tags
+            if is_confluence_tool:
+                raise NotImplementedError("confluence not supported for now")
             service_configured_and_available = True
             if app_lifespan_state:
                 if is_jira_tool and not app_lifespan_state.full_jira_config:
@@ -331,7 +320,8 @@ async def dispatch(
 
 main_mcp = AtlassianMCP(name="Atlassian MCP", lifespan=main_lifespan)
 main_mcp.mount(jira_mcp, prefix="jira")
-main_mcp.mount(confluence_mcp, prefix="confluence")
+# removing confluence for now
+# main_mcp.mount(confluence_mcp, prefix="confluence")
 
 
 @main_mcp.custom_route("/healthz", methods=["GET"], include_in_schema=False)

src/mcp_atlassian/utils/__init__.py

@@ -4,7 +4,7 @@
 """
 
 from .date import parse_date
-from .io import is_read_only_mode
+from .io import is_read_only_mode, validate_safe_path
 
 # Export lifecycle utilities
 from .lifecycle import (
@@ -24,6 +24,7 @@
     "configure_ssl_verification",
     "is_atlassian_cloud_url",
     "is_read_only_mode",
+    "validate_safe_path",
     "setup_logging",
     "parse_date",
     "parse_iso8601_date",

src/mcp_atlassian/utils/io.py

@@ -1,5 +1,8 @@
 """I/O utility functions for MCP Atlassian."""
 
+import os
+from pathlib import Path
+
 from mcp_atlassian.utils.env import is_env_extended_truthy
 
 
@@ -15,3 +18,41 @@ def is_read_only_mode() -> bool:
         True if read-only mode is enabled, False otherwise
     """
     return is_env_extended_truthy("READ_ONLY_MODE", "false")
+
+
+def validate_safe_path(
+    path: str | os.PathLike[str],
+    base_dir: str | os.PathLike[str] | None = None,
+) -> Path:
+    """Validate that a path does not escape the base directory.
+
+    Resolves symlinks and normalizes the path to prevent path traversal
+    attacks (e.g., ``../../etc/passwd``).
+
+    Args:
+        path: The path to validate.
+        base_dir: The directory the path must stay within.
+            Defaults to the current working directory.
+
+    Returns:
+        The resolved, validated path.
+
+    Raises:
+        ValueError: If the resolved path escapes *base_dir*.
+    """
+    if base_dir is None:
+        base_dir = os.getcwd()
+
+    resolved_base = Path(base_dir).resolve(strict=False)
+    p = Path(path)
+    # Resolve relative paths against base_dir, not cwd
+    if not p.is_absolute():
+        p = resolved_base / p
+    resolved_path = p.resolve(strict=False)
+
+    if not resolved_path.is_relative_to(resolved_base):
+        raise ValueError(
+            f"Path traversal detected: {path} resolves outside {resolved_base}"
+        )
+
+    return resolved_path

tests/unit/jira/test_attachments.py

@@ -72,6 +72,7 @@ def test_download_attachment_success(self, attachments_mixin: AttachmentsMixin):
             patch("os.path.exists") as mock_exists,
             patch("os.path.getsize") as mock_getsize,
             patch("os.makedirs") as mock_makedirs,
+            patch("mcp_atlassian.jira.attachments.validate_safe_path"),
         ):
             mock_exists.return_value = True
             mock_getsize.return_value = 12  # Length of "test content"
@@ -108,6 +109,8 @@ def test_download_attachment_relative_path(
             patch("os.makedirs") as mock_makedirs,
             patch("os.path.abspath") as mock_abspath,
             patch("os.path.isabs") as mock_isabs,
+            patch("os.getcwd", return_value="/absolute/path"),
+            patch("mcp_atlassian.jira.attachments.validate_safe_path"),
         ):
             mock_exists.return_value = True
             mock_getsize.return_value = 12
@@ -137,9 +140,10 @@ def test_download_attachment_http_error(self, attachments_mixin: AttachmentsMixi
         mock_response.raise_for_status.side_effect = Exception("HTTP Error")
         attachments_mixin.jira._session.get.return_value = mock_response
 
-        result = attachments_mixin.download_attachment(
-            "https://test.url/attachment", "/tmp/test_file.txt"
-        )
+        with patch("mcp_atlassian.jira.attachments.validate_safe_path"):
+            result = attachments_mixin.download_attachment(
+                "https://test.url/attachment", "/tmp/test_file.txt"
+            )
         assert result is False
 
     def test_download_attachment_file_write_error(
@@ -156,6 +160,7 @@ def test_download_attachment_file_write_error(
         with (
             patch("builtins.open", mock_open()) as mock_file,
             patch("os.makedirs") as mock_makedirs,
+            patch("mcp_atlassian.jira.attachments.validate_safe_path"),
         ):
             mock_file().write.side_effect = OSError("Write error")
 
@@ -179,6 +184,7 @@ def test_download_attachment_file_not_created(
             patch("builtins.open", mock_open()) as mock_file,
             patch("os.path.exists") as mock_exists,
             patch("os.makedirs") as mock_makedirs,
+            patch("mcp_atlassian.jira.attachments.validate_safe_path"),
         ):
             mock_exists.return_value = False  # File doesn't exist after write
 
@@ -231,6 +237,7 @@ def test_download_issue_attachments_success(
                 "mcp_atlassian.models.jira.JiraAttachment.from_api_response",
                 side_effect=[mock_attachment1, mock_attachment2],
             ),
+            patch("mcp_atlassian.jira.attachments.validate_safe_path"),
         ):
             result = attachments_mixin.download_issue_attachments(
                 "TEST-123", "/tmp/attachments"
@@ -281,6 +288,8 @@ def test_download_issue_attachments_relative_path(
             ),
             patch("os.path.isabs") as mock_isabs,
             patch("os.path.abspath") as mock_abspath,
+            patch("os.getcwd", return_value="/absolute/path"),
+            patch("mcp_atlassian.jira.attachments.validate_safe_path"),
         ):
             mock_isabs.return_value = False
             mock_abspath.return_value = "/absolute/path/attachments"
@@ -302,7 +311,10 @@ def test_download_issue_attachments_no_attachments(
         mock_issue = {"fields": {"attachment": []}}
         attachments_mixin.jira.issue.return_value = mock_issue
 
-        with patch("pathlib.Path.mkdir") as mock_mkdir:
+        with (
+            patch("pathlib.Path.mkdir") as mock_mkdir,
+            patch("mcp_atlassian.jira.attachments.validate_safe_path"),
+        ):
             result = attachments_mixin.download_issue_attachments(
                 "TEST-123", "/tmp/attachments"
             )
@@ -320,9 +332,12 @@ def test_download_issue_attachments_issue_not_found(
         """Test download when issue cannot be retrieved."""
         attachments_mixin.jira.issue.return_value = None
 
-        with pytest.raises(
-            TypeError,
-            match="Unexpected return value type from `jira.issue`: <class 'NoneType'>",
+        with (
+            pytest.raises(
+                TypeError,
+                match="Unexpected return value type from `jira.issue`: <class 'NoneType'>",
+            ),
+            patch("mcp_atlassian.jira.attachments.validate_safe_path"),
         ):
             attachments_mixin.download_issue_attachments("TEST-123", "/tmp/attachments")
 
@@ -334,9 +349,10 @@ def test_download_issue_attachments_no_fields(
         mock_issue = {}  # Missing 'fields' key
         attachments_mixin.jira.issue.return_value = mock_issue
 
-        result = attachments_mixin.download_issue_attachments(
-            "TEST-123", "/tmp/attachments"
-        )
+        with patch("mcp_atlassian.jira.attachments.validate_safe_path"):
+            result = attachments_mixin.download_issue_attachments(
+                "TEST-123", "/tmp/attachments"
+            )
 
         # Assertions
         assert result["success"] is False
@@ -386,6 +402,7 @@ def test_download_issue_attachments_some_failures(
                 "mcp_atlassian.models.jira.JiraAttachment.from_api_response",
                 side_effect=[mock_attachment1, mock_attachment2],
             ),
+            patch("mcp_atlassian.jira.attachments.validate_safe_path"),
         ):
             result = attachments_mixin.download_issue_attachments(
                 "TEST-123", "/tmp/attachments"
@@ -430,6 +447,7 @@ def test_download_issue_attachments_missing_url(
                 "mcp_atlassian.models.jira.JiraAttachment.from_api_response",
                 return_value=mock_attachment,
             ),
+            patch("mcp_atlassian.jira.attachments.validate_safe_path"),
         ):
             result = attachments_mixin.download_issue_attachments(
                 "TEST-123", "/tmp/attachments"

tests/unit/utils/test_io.py

@@ -1,9 +1,12 @@
 """Tests for the I/O utilities module."""
 
 import os
+from pathlib import Path
 from unittest.mock import patch
 
-from mcp_atlassian.utils.io import is_read_only_mode
+import pytest
+
+from mcp_atlassian.utils.io import is_read_only_mode, validate_safe_path
 
 
 def test_is_read_only_mode_default():
@@ -81,3 +84,44 @@ def test_is_read_only_mode_false():
 
         # Assert
         assert result is False
+
+
+# --- validate_safe_path tests ---
+
+
+class TestValidateSafePath:
+    """Tests for validate_safe_path."""
+
+    def test_safe_relative_path(self, tmp_path: Path) -> None:
+        """Relative path within base_dir is accepted."""
+        result = validate_safe_path("subdir/file.txt", base_dir=tmp_path)
+        assert result == (tmp_path / "subdir" / "file.txt").resolve()
+
+    def test_safe_absolute_path_within_base(self, tmp_path: Path) -> None:
+        """Absolute path inside base_dir is accepted."""
+        target = tmp_path / "sub" / "file.txt"
+        result = validate_safe_path(str(target), base_dir=tmp_path)
+        assert result == target.resolve()
+
+    def test_traversal_dotdot(self, tmp_path: Path) -> None:
+        """Relative path with ../ escaping base_dir raises ValueError."""
+        with pytest.raises(ValueError, match="Path traversal detected"):
+            validate_safe_path("../../etc/passwd", base_dir=tmp_path)
+
+    def test_traversal_absolute_outside(self, tmp_path: Path) -> None:
+        """Absolute path outside base_dir raises ValueError."""
+        with pytest.raises(ValueError, match="Path traversal detected"):
+            validate_safe_path("/etc/passwd", base_dir=tmp_path)
+
+    def test_traversal_nested(self, tmp_path: Path) -> None:
+        """Nested traversal normalised by resolve() raises ValueError."""
+        with pytest.raises(ValueError, match="Path traversal detected"):
+            validate_safe_path("ok/../../../etc/shadow", base_dir=tmp_path)
+
+    def test_defaults_to_cwd(
+        self, monkeypatch: pytest.MonkeyPatch, tmp_path: Path
+    ) -> None:
+        """When base_dir is None, defaults to os.getcwd()."""
+        monkeypatch.chdir(tmp_path)
+        result = validate_safe_path("child.txt")
+        assert result == (tmp_path / "child.txt").resolve()