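--- a/Dockerfile
+++ b/Dockerfile
@@ -0,0 +1,42 @@
+# Multi-stage Dockerfile for MCP Registry with localhost support
+FROM golang:1.24-alpine AS builder
+
+# Install build dependencies
+RUN apk add --no-cache git make
+
+# Set working directory
+WORKDIR /build
+
+# Copy go mod files first for better caching
+COPY go.mod go.sum ./
+RUN go mod download
+
+# Copy source code
+COPY . .
+
+# Build the registry with version info
+RUN CGO_ENABLED=0 GOOS=linux go build \
+-ldflags="-X main.Version=$(git describe --tags --always --dirty) -X main.GitCommit=$(git rev-parse HEAD) -X main.BuildTime=$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
+-a -installsuffix cgo \
+-o /registry \
+./cmd/registry
+
+# Final stage
+FROM alpine:latest
+
+# Install ca-certificates for HTTPS
+RUN apk --no-cache add ca-certificates
+
+WORKDIR /app
+
+# Copy binary from builder
+COPY --from=builder /registry /app/registry
+
+# Copy seed data
+COPY --from=builder /build/data ./data
+
+# Expose port
+EXPOSE 8080
+
+# Run the registry
+ENTRYPOINT ["/app/registry"]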
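Review bot: The final stage has no `USER` instruction, so the registry process runs as root inside the container, and its base is the mutable `alpine:latest` tag while the builder is pinned to `golang:1.24-alpine`. Add an unprivileged account before the entrypoint, e.g. `RUN adduser -D -u 10001 registry` followed by `USER registry`, and pin the runtime base to a specific release tag or digest (`FROM alpine:<pinned-version>`) so rebuilds are reproducible. Separately, the `git describe` and `git rev-parse HEAD` calls in the build step need `.git` to be present in the context copied by `COPY . .`; if it is excluded the version strings will presumably be embedded empty, so passing them in as `ARG` values would be more robust.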
26 changes: 23 additions & 3 deletions internal/validators/utils.go
Expand Up @@ -2,6 +2,7 @@ package validators

import (
"net/url"
"os"
"regexp"
"strings"
)
Expand Down Expand Up @@ -133,6 +134,11 @@ func IsValidSubfolderPath(path string) bool {

// IsValidRemoteURL checks if a URL is valid for remotes (stricter than packages - no localhost allowed)
func IsValidRemoteURL(rawURL string) bool {
const (
httpScheme = "http"
httpsScheme = "https"
)

// First check basic URL structure
if !IsValidURL(rawURL) {
return false
Expand All @@ -148,12 +154,26 @@ func IsValidRemoteURL(rawURL string) bool {
}

// Reject localhost URLs for remotes (security/production concerns)
// Allow localhost if MCP_REGISTRY_ALLOW_LOCALHOST is explicitly enabled (for local development)
hostname := u.Hostname()
if hostname == "localhost" || hostname == "127.0.0.1" || strings.HasSuffix(hostname, ".localhost") {
return false
isLocalhost := hostname == "localhost" || hostname == "127.0.0.1" || strings.HasSuffix(hostname, ".localhost")

allowLocalhostEnv := os.Getenv("MCP_REGISTRY_ALLOW_LOCALHOST")
allowLocalhost := allowLocalhostEnv == "true" || allowLocalhostEnv == "1"

if isLocalhost {
// Check if localhost URLs are allowed via environment variable
if !allowLocalhost {
return false
}
// If explicitly enabled, allow localhost URLs (http or https)
}

if u.Scheme != "https" {
// Require HTTPS for non-localhost URLs, but allow HTTP for localhost (when enabled)
if u.Scheme != httpsScheme && u.Scheme != httpScheme {
return false
}
if u.Scheme == httpScheme && !allowLocalhost {
return false
}
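Review bot: With MCP_REGISTRY_ALLOW_LOCALHOST enabled, the last check in IsValidRemoteURL accepts plain `http` for every host, not only loopback ones, because it tests `!allowLocalhost` rather than whether this particular URL is a localhost URL. That contradicts the comment directly above it and drops the HTTPS requirement for all remotes on any instance where the flag is set. Since the earlier branch has already returned for a disallowed localhost, the condition can simply be `if u.Scheme == httpScheme && !isLocalhost {`. The loopback test itself (carried over unchanged) matches only `localhost`, `127.0.0.1` and `*.localhost`, so `[::1]` and other 127.0.0.0/8 literals are presumably treated as ordinary remotes; that deserves at least a comment. The function starts in the previous hunk and continues past the end of this one.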
