MCP v2 PR-4: add_host + delete_host + extraArgs sanitiser + third SSH safeguard
Final v2 PR. All 11 planned write tools live.

add_host/delete_host let Claude mutate the saved-hosts list; both gated by a new allowAddHost switch (default off) — symmetric with the allowOpenSsh gate from PR-3.5.

add_host's extraArgs are sanitised against CVE-2023-51385-class local-RCE primitives: ProxyCommand, LocalCommand, KnownHostsCommand, PermitLocalCommand=yes are refused server-side. Recognises both -o KEY=VAL and -oKEY=VAL, case-insensitive on the key. The manual host manager UI stays unrestricted (user has full agency over their own hosts).

Also fixes a pre-existing compile bug: mcp_policy.rs's policy_with test helper was missing the ssh_safeguards field added in PR-3.5, silently breaking the entire policy test module since then. Re-enabling those tests is the prereq for the hard-deny rework that follows in the next commit.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
parent 71f330e934
commit 9ebb3e4d2e
8 changed files with 513 additions and 5 deletions
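The extraArgs check the commit message describes, sketched as an added example; this is not the project's code, and `check_extra_args`, `split_option` and `COMMAND_KEYS` are hypothetical names. It covers the two spellings the message names (`-o KEY=VAL` and `-oKEY=VAL`) and, as an assumption stricter than the message's `=yes`, refuses any PermitLocalCommand value other than `no`.

```rust
// Added illustration, not the project's code. All names are hypothetical.
const COMMAND_KEYS: [&str; 3] = ["proxycommand", "localcommand", "knownhostscommand"];

/// Split one option spec ("Key=Val" or "Key Val") into (lowercased key, value).
fn split_option(spec: &str) -> (String, String) {
    let spec = spec.trim();
    let sep = |c: char| c == '=' || c.is_whitespace();
    let idx = spec.find(sep).unwrap_or(spec.len());
    let val = spec[idx..].trim_start_matches(sep).trim_matches('"');
    (spec[..idx].to_ascii_lowercase(), val.to_string())
}

/// Return Err naming the first refused option in `args`, Ok otherwise.
pub fn check_extra_args(args: &[&str]) -> Result<(), String> {
    let mut it = args.iter();
    while let Some(arg) = it.next() {
        // Accept both "-o", "KEY=VAL" (two tokens) and "-oKEY=VAL" (one token).
        let spec = if *arg == "-o" {
            match it.next() {
                Some(s) => *s,
                None => return Err("-o without a value".to_string()),
            }
        } else if let Some(rest) = arg.strip_prefix("-o") {
            rest
        } else {
            continue; // not an -o option; out of scope for this check
        };
        let (key, val) = split_option(spec);
        let command_key = COMMAND_KEYS.iter().any(|k| *k == key);
        // Assumption: anything other than an explicit "no" is refused.
        let enables_local = key == "permitlocalcommand" && !val.eq_ignore_ascii_case("no");
        if command_key || enables_local {
            return Err(format!("refused option: {key}"));
        }
    }
    Ok(())
}

fn main() {
    // Constructed sample argument lists.
    let samples: [&[&str]; 3] = [
        &["-p", "2222", "-o", "ServerAliveInterval=30"],
        &["-oproxycommand=placeholder"],
        &["-o", "PermitLocalCommand=yes"],
    ];
    for args in samples {
        println!("{:?} -> {:?}", args, check_extra_args(args));
    }
}
```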
@ -287,7 +287,7 @@ struct DataChunk {
/// expansion. We additionally pass `--` before the host on the command line,
/// but rejecting up front gives a clearer error and avoids ever handing the
/// bad value to ssh.exe.
fn validate_ssh_token(label: &str, value: &str) -> Result<()> {
pub fn validate_ssh_token(label: &str, value: &str) -> Result<()> {
if value.is_empty() {
return Err(anyhow!("ssh: {label} must not be empty"));
}
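Review bot: at `validate_ssh_token`, the signature goes from `fn` to `pub fn` while the doc comment above it still describes only the host case (`--` before the host, the value handed to ssh.exe). If the new callers live in this crate, `pub(crate)` keeps the exported surface narrower; either way, extend the doc comment to say which labels and values callers may pass and what is rejected beyond the empty-string check visible here, so a caller does not treat this function as covering option sanitisation.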