fix: use fail-secure SSL parsing (only explicit 'false' disables verification)

Tomo1912 · Tomo1912 · commit c8d575117674 · 2026-01-08T23:55:07.000+01:00
- Change from '== true' to '!= false' for fail-secure behavior
- Invalid/unknown values now keep SSL verification ENABLED
- Add tests for yes/no values to document behavior
diff --git a/src/fetch/src/mcp_server_fetch/server.py b/src/fetch/src/mcp_server_fetch/server.py
@@ -28,7 +28,8 @@
 # Set MCP_FETCH_SSL_VERIFY=false to disable SSL certificate verification.
 # This is useful for internal servers with self-signed certificates.
 # WARNING: Disabling SSL verification reduces security. Only use in trusted environments.
-SSL_VERIFY = os.getenv("MCP_FETCH_SSL_VERIFY", "true").lower() == "true"
+# NOTE: Only explicit "false" disables verification; any other value keeps it enabled (fail-secure).
+SSL_VERIFY = os.getenv("MCP_FETCH_SSL_VERIFY", "true").lower() != "false"
 
 DEFAULT_USER_AGENT_AUTONOMOUS = "ModelContextProtocol/1.0 (Autonomous; +https://github.com/modelcontextprotocol/servers)"
 DEFAULT_USER_AGENT_MANUAL = "ModelContextProtocol/1.0 (User-Specified; +https://github.com/modelcontextprotocol/servers)"
diff --git a/src/fetch/tests/test_ssl.py b/src/fetch/tests/test_ssl.py
@@ -68,43 +68,65 @@ def test_ssl_verify_FALSE_all_caps(self, monkeypatch):
         
         assert server_module.SSL_VERIFY is False
 
-    def test_ssl_verify_invalid_value_defaults_to_disabled(self, monkeypatch):
-        """Invalid values should result in SSL verification being disabled (not 'true')."""
+    def test_ssl_verify_invalid_value_stays_enabled(self, monkeypatch):
+        """Invalid/unknown values should keep SSL verification ENABLED (fail-secure)."""
         monkeypatch.setenv("MCP_FETCH_SSL_VERIFY", "invalid")
-        
+
         import mcp_server_fetch.server as server_module
         importlib.reload(server_module)
-        
-        # Since "invalid".lower() != "true", SSL_VERIFY will be False
-        assert server_module.SSL_VERIFY is False
 
-    def test_ssl_verify_empty_string_defaults_to_disabled(self, monkeypatch):
-        """Empty string should result in SSL verification being disabled."""
+        # Fail-secure: only explicit "false" disables SSL verification
+        assert server_module.SSL_VERIFY is True
+
+    def test_ssl_verify_empty_string_stays_enabled(self, monkeypatch):
+        """Empty string should keep SSL verification ENABLED (fail-secure)."""
         monkeypatch.setenv("MCP_FETCH_SSL_VERIFY", "")
-        
+
         import mcp_server_fetch.server as server_module
         importlib.reload(server_module)
-        
-        assert server_module.SSL_VERIFY is False
 
-    def test_ssl_verify_0_is_disabled(self, monkeypatch):
-        """'0' should result in SSL verification being disabled."""
+        # Fail-secure: only explicit "false" disables SSL verification
+        assert server_module.SSL_VERIFY is True
+
+    def test_ssl_verify_0_stays_enabled(self, monkeypatch):
+        """'0' should keep SSL verification ENABLED (fail-secure, only 'false' disables)."""
         monkeypatch.setenv("MCP_FETCH_SSL_VERIFY", "0")
-        
+
         import mcp_server_fetch.server as server_module
         importlib.reload(server_module)
-        
-        assert server_module.SSL_VERIFY is False
 
-    def test_ssl_verify_1_is_disabled(self, monkeypatch):
-        """'1' should result in SSL verification being disabled (only 'true' enables it)."""
+        # Fail-secure: only explicit "false" disables SSL verification
+        assert server_module.SSL_VERIFY is True
+
+    def test_ssl_verify_1_stays_enabled(self, monkeypatch):
+        """'1' should keep SSL verification ENABLED (fail-secure)."""
         monkeypatch.setenv("MCP_FETCH_SSL_VERIFY", "1")
-        
+
         import mcp_server_fetch.server as server_module
         importlib.reload(server_module)
-        
-        # Only "true" (case-insensitive) enables SSL verification
-        assert server_module.SSL_VERIFY is False
+
+        # Fail-secure: only explicit "false" disables SSL verification
+        assert server_module.SSL_VERIFY is True
+
+    def test_ssl_verify_yes_stays_enabled(self, monkeypatch):
+        """'yes' should keep SSL verification ENABLED (fail-secure)."""
+        monkeypatch.setenv("MCP_FETCH_SSL_VERIFY", "yes")
+
+        import mcp_server_fetch.server as server_module
+        importlib.reload(server_module)
+
+        # Fail-secure: only explicit "false" disables SSL verification
+        assert server_module.SSL_VERIFY is True
+
+    def test_ssl_verify_no_stays_enabled(self, monkeypatch):
+        """'no' should keep SSL verification ENABLED (fail-secure, only 'false' disables)."""
+        monkeypatch.setenv("MCP_FETCH_SSL_VERIFY", "no")
+
+        import mcp_server_fetch.server as server_module
+        importlib.reload(server_module)
+
+        # Fail-secure: only explicit "false" disables SSL verification
+        assert server_module.SSL_VERIFY is True
 
 
 class TestSSLErrorHandling:
