Skip to content

feat(fetch): add SSRF protection and comprehensive security test suite#3180

Open
Tomo1912 wants to merge 1 commit intomodelcontextprotocol:mainfrom
Tomo1912:feat/security-hardening
Open

feat(fetch): add SSRF protection and comprehensive security test suite#3180
Tomo1912 wants to merge 1 commit intomodelcontextprotocol:mainfrom
Tomo1912:feat/security-hardening

Conversation

@Tomo1912
Copy link

@Tomo1912 Tomo1912 commented Jan 5, 2026
edited
Loading

Summary

This PR adds Server-Side Request Forgery (SSRF) protection and a comprehensive security test suite to the fetch MCP server.

Security Features Added

SSRF Protection

  • URL scheme validation (only http/https allowed)
  • Private IP range blocking (10.x, 172.16-31.x, 192.168.x, 127.x, etc.)
  • IPv6 private address blocking (::1, fe80::, fc00::, etc.)
  • Dangerous hostname blocking (localhost, metadata services, etc.)
  • DNS resolution validation to prevent DNS rebinding
  • Configurable via MCP_FETCH_ALLOW_PRIVATE_IPS env var
  • Whitelist support via MCP_FETCH_ALLOWED_PRIVATE_HOSTS

SSL Configuration

  • Configurable SSL verification via MCP_FETCH_SSL_VERIFY env var
  • Comprehensive SSL error handling with helpful messages

Test Suite (89 tests)

  • SSRF protection tests
  • Private IP blocking tests
  • Input validation tests
  • URL scheme validation tests
  • Integration tests
  • Edge case tests

Configuration

# Disable SSL verification for self-signed certs
export MCP_FETCH_SSL_VERIFY=false

# Allow private IPs (use with caution)
export MCP_FETCH_ALLOW_PRIVATE_IPS=true

# Whitelist specific internal hosts
export MCP_FETCH_ALLOWED_PRIVATE_HOSTS=internal.company.com,api.local

Server Details

  • Server: fetch
  • Changes to: Security (SSRF protection, SSL config), tests

Motivation and Context

The fetch server can be exploited for SSRF attacks, allowing malicious actors to access internal services (cloud metadata endpoints, internal APIs, etc.). This PR adds comprehensive protection while maintaining flexibility for legitimate internal use cases through configuration options.

How Has This Been Tested?

  • 89 security tests pass locally
  • Tested with pyright (0 errors)
  • CI pipeline passes

Breaking Changes

None. All protections are backward compatible. Private IPs can be enabled via env var if needed.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update

Checklist

  • I have read the MCP Protocol Documentation
  • My changes follows MCP security best practices
  • I have updated the server's README accordingly
  • I have tested this with an LLM client
  • My code follows the repository's style guidelines
  • New and existing tests pass locally
  • I have added appropriate error handling
  • I have documented all environment variables and configuration options

Additional context

This PR builds on #3179 which adds SSL verification configuration.

@Tomo1912 Tomo1912 mentioned this pull request Jan 5, 2026
Open
12 tasks
@Tomo1912 Tomo1912 force-pushed the feat/security-hardening branch 3 times, most recently from d0c9333 to 2892ae1 Compare January 8, 2026 20:53
@Tomo1912 Tomo1912 force-pushed the feat/security-hardening branch from 7e6a302 to 345a570 Compare January 19, 2026 22:19
@Tomo1912 Tomo1912 force-pushed the feat/security-hardening branch from 0e0769e to a4ce0fc Compare January 27, 2026 12:29
@Tomo1912 Tomo1912 force-pushed the feat/security-hardening branch 2 times, most recently from 7703e1e to 2a2c923 Compare February 4, 2026 18:06
@Tomo1912
feat(fetch): add SSRF protection and comprehensive security test suite
7aabbb4 
This PR adds Server-Side Request Forgery (SSRF) protection and a comprehensive
security test suite to the fetch MCP server.

- URL scheme validation (only http/https allowed)
- Private IP range blocking (10.x, 172.16-31.x, 192.168.x, 127.x, etc.)
- IPv6 private address blocking (::1, fe80::, fc00::, etc.)
- Dangerous hostname blocking (localhost, metadata services, etc.)
- DNS resolution validation to prevent DNS rebinding
- Configurable via MCP_FETCH_ALLOW_PRIVATE_IPS env var
- Whitelist support via MCP_FETCH_ALLOWED_PRIVATE_HOSTS

- Configurable SSL verification via MCP_FETCH_SSL_VERIFY env var
- Comprehensive SSL error handling with helpful messages

- SSRF protection tests
- Private IP blocking tests
- Input validation tests
- URL scheme validation tests
- Integration tests
- Edge case tests

```bash
export MCP_FETCH_SSL_VERIFY=false

export MCP_FETCH_ALLOW_PRIVATE_IPS=true

export MCP_FETCH_ALLOWED_PRIVATE_HOSTS=internal.company.com,api.local
```

fix: address security review feedback

- Disable follow_redirects to prevent SSRF bypass via open redirects
- Add explicit IP obfuscation detection (decimal/octal/hex formats)
- Fix SSL parsing to be fail-secure (only 'false' disables verification)
- Clean up test headers (remove enterprise roleplay language)
- Add comprehensive tests for IP obfuscation parsing

fix: add octal integer IP parsing and fix test naming

- Add octal integer format parsing (017700000001 = 127.0.0.1)
- Rename SSL test to reflect fail-secure behavior (stays_enabled, not defaults_to_false)
- Add tests for octal integer IP obfuscation
@Tomo1912 Tomo1912 force-pushed the feat/security-hardening branch from 2a2c923 to 7aabbb4 Compare February 4, 2026 18:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@Tomo1912