fix: security fixes (#9)

Author: bercianor

DEVELOPMENT.md

@@ -115,6 +115,20 @@ To use Auth0 as your identity provider:
 
 For external validation (e.g., via a proxy), set `strategy = "external"` and configure your proxy to forward validated JWTs in the `X-Validated-Jwt` header.
 
+### Configuring Exposed JWT Claims
+
+As a template, this project allows configuring which JWT claims are exposed to MCP tools via the `context` module. This is crucial for security, as JWT payloads may contain sensitive information (PII) that should not be accessible to tools.
+
+- **Default**: `jwt_exposed_claims = "all"` - Exposes all claims in the JWT payload.
+- **Secure Option**: `jwt_exposed_claims = ["user_id", "roles", "permissions"]` - Only exposes specific claims.
+
+**Important**: Review your JWT structure and set `jwt_exposed_claims` to only the claims your tools need. Avoid exposing sensitive data like emails, personal info, or internal IDs unless necessary. Update this in `config.toml` and test that tools receive only expected data.
+
+Example in `config.toml`:
+```toml
+jwt_exposed_claims = ["user_id", "roles"]
+```
+
 ## Configuration Placeholders
 
 Before using this template, you must replace all placeholders with your actual values:

README-es.md

@@ -158,6 +158,52 @@ Ver `config.toml` para ejemplo de configuración.
 
 **Nota de seguridad**: Por defecto, el servidor se ejecuta en `127.0.0.1` para evitar exposiciones no deseadas. Cambia a `0.0.0.0` solo si es necesario y con las medidas de seguridad apropiadas.
 
+## Consideraciones de Seguridad
+
+Esta plantilla implementa varias medidas de seguridad para proteger contra vulnerabilidades comunes. Como plantilla, está diseñada para ser configurable para diferentes escenarios de despliegue.
+
+### Exposición de Claims JWT
+
+Para minimizar la exposición de datos, configura qué claims JWT son accesibles en el contexto:
+
+```toml
+[context]
+jwt_exposed_claims = ["user_id", "roles"]  # Solo exponer claims específicos
+# o
+jwt_exposed_claims = "all"  # Exponer todos los claims (no recomendado para producción)
+```
+
+### Logging de Acceso
+
+Los headers sensibles se redactan automáticamente en los logs:
+
+```toml
+[logging]
+redacted_headers = ["Authorization", "X-API-Key", "Cookie"]
+max_body_size = 1024  # Limitar el tamaño del body logueado
+```
+
+### Rate Limiting
+
+Se implementa rate limiting básico para validación JWT para prevenir ataques de fuerza bruta.
+
+### Validación de URIs
+
+Las URIs de OAuth y JWKS se validan contra dominios en whitelist para prevenir ataques SSRF.
+
+### Dependencias Seguras
+
+Las dependencias se actualizan regularmente para abordar vulnerabilidades conocidas. Ejecuta `uv lock --upgrade` para actualizar a las versiones más recientes seguras.
+
+### Lista de Verificación para Producción
+
+- Usar estrategia JWT "external" con un proxy apropiado (Istio, Envoy)
+- Configurar claims expuestos mínimos
+- Habilitar logging de acceso con redacción
+- Validar todas las URIs contra dominios confiables
+- Mantener dependencias actualizadas
+- Ejecutar tests de seguridad regularmente
+
 ## Documentación
 
 - [Documentación Completa](docs/index.md) - Guía completa incluyendo desarrollo, configuración y contribución.

README.md

@@ -160,6 +160,52 @@ See `config.toml` for configuration example.
 
 **Security Note**: By default, the server runs on `127.0.0.1` to avoid unwanted exposures. Change to `0.0.0.0` only if necessary and with appropriate security measures.
 
+## Security Considerations
+
+This template implements several security measures to protect against common vulnerabilities. As a template, it's designed to be configurable for different deployment scenarios.
+
+### JWT Claims Exposure
+
+To minimize data exposure, configure which JWT claims are accessible in the context:
+
+```toml
+[context]
+jwt_exposed_claims = ["user_id", "roles"]  # Only expose specific claims
+# or
+jwt_exposed_claims = "all"  # Expose all claims (not recommended for production)
+```
+
+### Access Logging
+
+Sensitive headers are automatically redacted in logs:
+
+```toml
+[logging]
+redacted_headers = ["Authorization", "X-API-Key", "Cookie"]
+max_body_size = 1024  # Limit logged body size
+```
+
+### Rate Limiting
+
+Basic rate limiting is implemented for JWT validation to prevent brute force attacks.
+
+### URI Validation
+
+OAuth and JWKS URIs are validated against whitelisted domains to prevent SSRF attacks.
+
+### Secure Dependencies
+
+Dependencies are regularly updated to address known vulnerabilities. Run `uv lock --upgrade` to update to latest secure versions.
+
+### Production Checklist
+
+- Use "external" JWT strategy with a proper proxy (Istio, Envoy)
+- Configure minimal exposed claims
+- Enable access logging with redaction
+- Validate all URIs against trusted domains
+- Keep dependencies updated
+- Run security tests regularly
+
 ## Documentation
 
 - [Full Documentation](docs/index.md) - Complete guide including development, configuration, and contributing.

config.toml

@@ -21,9 +21,15 @@ enabled = true
 strategy = "local"
 forwarded_header = "X-Validated-Jwt"
 
+# JWT Claims Exposure Configuration
+# Set to "all" to expose all claims, or list specific claims to expose only those
+# IMPORTANT: Review and limit exposed claims to prevent PII leakage
+jwt_exposed_claims = "all"
+
 [middleware.jwt.validation.local]
 jwks_uri = "https://your-keycloak.example.com/realms/your-realm/protocol/openid-connect/certs"
 cache_interval = 10
+whitelist_domains = ["your-keycloak.example.com"]
 
 [[middleware.jwt.validation.local.allow_conditions]]
 expression = 'has(payload.email) && payload.email.endswith("@yourdomain.com")'
@@ -39,3 +45,7 @@ resource = "mcp-resource"
 auth_servers = ["http://localhost:8080/auth/realms/master"]
 jwks_uri = "http://localhost:8080/auth/realms/master/protocol/openid-connect/certs"
 scopes_supported = ["openid", "profile", "email"]
+
+# OAuth Whitelist Domains
+# List of allowed domains for OAuth URIs to prevent SSRF attacks
+oauth_whitelist_domains = ["localhost", "yourdomain.com"]

src/mcp_app/config.py

@@ -9,7 +9,9 @@
 
 from __future__ import annotations
 
+import logging
 import os
+import re
 from datetime import timedelta  # noqa: TC003
 from pathlib import Path
 
@@ -121,11 +123,43 @@ class Configuration(BaseModel):
     middleware: MiddlewareConfig | None = None
     oauth_authorization_server: OAuthAuthorizationServer | None = None
     oauth_protected_resource: OAuthProtectedResourceConfig | None = None
+    jwt_exposed_claims: str | list[str] = "all"
+    oauth_whitelist_domains: list[str] = []
 
 
 # --- Configuration Loading Function ---
 
 
+def safe_expandvars(content: str, allowed_vars: set[str] | None = None) -> str:
+    """
+    Safely expand environment variables in content.
+
+    Only expands variables that are in the allowed_vars set to prevent accidental
+    exposure of sensitive environment variables.
+
+    Args:
+        content: The string content to expand variables in.
+        allowed_vars: Set of allowed environment variable names. If None, allows all.
+
+    Returns:
+        The content with allowed variables expanded.
+
+    """
+
+    def replacer(match: re.Match[str]) -> str:
+        var_name = match.group(1) or match.group(2)
+        if allowed_vars is not None and var_name not in allowed_vars:
+            # Log warning but don't expand
+            logger = logging.getLogger(__name__)
+            logger.warning("Blocked expansion of disallowed env var: %s", var_name)
+            return match.group(0)  # Return original ${VAR} or $VAR unchanged
+        return os.environ.get(var_name, match.group(0))
+
+    # Match ${VAR} or $VAR patterns
+    pattern = re.compile(r"\$\{([^}]+)\}|\$([A-Za-z_][A-Za-z0-9_]*)")
+    return pattern.sub(replacer, content)
+
+
 def load_config_from_file(filepath: str | Path) -> Configuration:
     """
     Read a TOML configuration file.
@@ -145,7 +179,22 @@ def load_config_from_file(filepath: str | Path) -> Configuration:
         raise FileNotFoundError(msg)
 
     raw_content = config_path.read_text(encoding="utf-8")
-    expanded_content = os.path.expandvars(raw_content)
+    # Only allow expansion of common, non-sensitive vars
+    allowed_vars = {
+        "HOME",
+        "USER",
+        "PATH",
+        "PWD",
+        "SHELL",
+        "LANG",
+        "LC_ALL",
+        "TMPDIR",
+        "TEMP",
+        "TMP",
+        "LOGNAME",
+        "USERNAME",
+    }
+    expanded_content = safe_expandvars(raw_content, allowed_vars)
     config_data = tomllib.loads(expanded_content)
 
     return Configuration.model_validate(config_data)

src/mcp_app/context.py

@@ -8,22 +8,64 @@
 from contextvars import ContextVar
 from typing import Any
 
+
+class JWTContextConfig:
+    """Configuration for JWT context exposure."""
+
+    def __init__(self) -> None:
+        """Initialize the JWT context configuration."""
+        self.exposed_claims: str | list[str] = "all"
+
+
+# Singleton instance
+jwt_context_config = JWTContextConfig()
+
 # Context variables for JWT data
 jwt_token: ContextVar[str | None] = ContextVar("jwt_token", default=None)
 jwt_payload: ContextVar[dict[str, Any] | None] = ContextVar("jwt_payload", default=None)
 
 
+def set_exposed_claims(claims: str | list[str]) -> None:
+    """
+    Set the configuration for which JWT claims to expose.
+
+    Args:
+        claims: "all" to expose all claims, or a list of claim names to expose only those.
+
+    """
+    jwt_context_config.exposed_claims = claims
+
+
+def filter_payload(payload: dict[str, Any]) -> dict[str, Any]:
+    """
+    Filter the JWT payload based on exposed_claims configuration.
+
+    Args:
+        payload: The full JWT payload.
+
+    Returns:
+        Filtered payload dictionary.
+
+    """
+    if jwt_context_config.exposed_claims == "all":
+        return payload
+    if isinstance(jwt_context_config.exposed_claims, list):
+        return {k: v for k, v in payload.items() if k in jwt_context_config.exposed_claims}
+    # Fallback to all if misconfigured
+    return payload
+
+
 def set_jwt_context(token: str, payload: dict[str, Any]) -> None:
     """
-    Set the JWT token and its decoded payload.
+    Set the JWT token and its decoded payload, filtering based on configuration.
 
     Args:
         token: The validated JWT token string.
         payload: The decoded JWT payload.
 
     """
     jwt_token.set(token)
-    jwt_payload.set(payload)
+    jwt_payload.set(filter_payload(payload))
 
 
 def get_jwt_payload() -> dict[str, Any] | None:

src/mcp_app/handlers/handlers.py

@@ -5,11 +5,16 @@
 corresponding to the Go handlers.
 """
 
+import logging
+from urllib.parse import urlparse
+
 import httpx
 from fastapi import HTTPException
 
 from mcp_app.config import Configuration
 
+logger = logging.getLogger(__name__)
+
 
 class HandlersManager:
     """Manager for OAuth handlers."""
@@ -18,6 +23,32 @@ def __init__(self, config: Configuration) -> None:
         """Initialize the handlers manager."""
         self.config = config
 
+    def _is_uri_allowed(self, uri: str) -> bool:
+        """Check if URI domain is in OAuth whitelist."""
+        if not self.config.oauth_whitelist_domains:
+            return True  # Allow all if no whitelist
+        parsed = urlparse(uri)
+        domain = parsed.netloc
+        return any(domain.endswith(allowed) for allowed in self.config.oauth_whitelist_domains)
+
+    def _sanitize_openid_config(self, data: dict) -> dict:
+        """Sanitize OpenID configuration response."""
+        # Remove potentially sensitive fields like private keys, secrets, etc.
+        sensitive_fields = {
+            "private_key_jwt",
+            "client_secret",
+            "registration_access_token",
+            "introspection_endpoint_auth_signing_alg_values_supported",
+            # Add more as needed
+        }
+        sanitized = {}
+        for key, value in data.items():
+            if key not in sensitive_fields:
+                sanitized[key] = value
+            else:
+                logger.warning("Removed sensitive field from OpenID config: %s", key)
+        return sanitized
+
     async def handle_oauth_authorization_server(self) -> dict:
         """
         Handle requests for /.well-known/oauth-authorization-server endpoint.
@@ -30,19 +61,22 @@ async def handle_oauth_authorization_server(self) -> dict:
         ):
             raise HTTPException(status_code=404, detail="OAuth authorization server not enabled")
 
-        remote_url = (
-            f"{self.config.oauth_authorization_server.issuer_uri}/.well-known/openid-configuration"
-        )
+        issuer_uri = self.config.oauth_authorization_server.issuer_uri
+        if not self._is_uri_allowed(issuer_uri):
+            raise HTTPException(status_code=403, detail="Issuer URI not in allowed domains")
 
-        async with httpx.AsyncClient() as client:
+        remote_url = f"{issuer_uri}/.well-known/openid-configuration"
+
+        async with httpx.AsyncClient(timeout=10.0) as client:
             try:
                 response = await client.get(remote_url)
                 response.raise_for_status()
-                return response.json()
+                data = response.json()
+                # Sanitize response: remove potentially sensitive fields
+                return self._sanitize_openid_config(data)
             except httpx.HTTPError as e:
-                raise HTTPException(
-                    status_code=500, detail=f"Error fetching OpenID config: {e!s}"
-                ) from e
+                logger.exception("Error fetching OpenID config from %s", remote_url)
+                raise HTTPException(status_code=500, detail="Error fetching OpenID config") from e
 
     async def handle_oauth_protected_resources(self) -> dict:
         """
@@ -58,6 +92,15 @@ async def handle_oauth_protected_resources(self) -> dict:
 
         pr = self.config.oauth_protected_resource
 
+        # Validate URIs
+        for auth_server in pr.auth_servers:
+            if not self._is_uri_allowed(auth_server):
+                raise HTTPException(
+                    status_code=403, detail=f"Auth server URI not allowed: {auth_server}"
+                )
+        if not self._is_uri_allowed(pr.jwks_uri):
+            raise HTTPException(status_code=403, detail="JWKS URI not allowed")
+
         response = {
             "resource": pr.resource,
             "authorization_servers": pr.auth_servers,