Problem
The MCP gateway endpoint can return environment-resolved extension config and can persist user-supplied MCP config containing command, args, env, headers, and OAuth fields. The runtime later starts stdio MCP servers from that config. The current flow does not appear to enforce an admin boundary, secret masking, command allow-listing, or safe persistence semantics.
Impact
A caller with access to these endpoints may be able to read resolved secrets, persist sensitive values, or configure executable stdio MCP commands that will later run in the backend context.
Suggested Fix
Require admin-level authorization for read/write operations, never return raw secrets, mask or reference secret values, validate command/URL allow lists, write config atomically with restrictive permissions, and add audit logging for changes.
Tests
- GET should return masked placeholders rather than resolved secret values.
- PUT should reject unauthorized callers.
- PUT should reject disallowed stdio commands or unsafe URLs.
- Persisted config should use expected file permissions and atomic replace.
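The three controls in Suggested Fix that the Tests section checks (masked GET responses, command/URL allow-listing on PUT, atomic 0600 persistence) sketched as an added example; this is not the project's code, and the secret key names, the allow list contents and the `mcpServers` layout are assumptions.

```python
import json
import os
import tempfile
from urllib.parse import urlparse

# Constructed example, not the project's code: key names and the allow list are assumptions.
SECRET_KEYS = {"env", "headers", "client_secret", "access_token", "refresh_token"}
ALLOWED_COMMANDS = {"npx", "uvx", "python"}  # hypothetical stdio command allow list
MASK = "***"

def mask_secrets(config: dict) -> dict:
    """Return a copy of config with secret-bearing fields replaced by placeholders."""
    masked = {}
    for key, value in config.items():
        if key in SECRET_KEYS:
            # env/headers are maps: keep the key names, hide every value
            masked[key] = {k: MASK for k in value} if isinstance(value, dict) else MASK
        elif isinstance(value, dict):
            masked[key] = mask_secrets(value)
        else:
            masked[key] = value
    return masked

def validate_server(server: dict) -> list:
    """Return policy violations for one MCP server entry (empty list means accepted)."""
    errors = []
    cmd = server.get("command")
    if cmd is not None and cmd not in ALLOWED_COMMANDS:
        errors.append(f"command not allow-listed: {cmd}")
    url = server.get("url")
    if url is not None:
        parts = urlparse(url)
        if parts.scheme != "https" or not parts.hostname:
            errors.append(f"unsafe url: {url}")
    return errors

def write_config_atomic(path: str, config: dict) -> None:
    """Write config to a 0600 temp file in the target directory, then rename it into place."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".mcp-", suffix=".tmp")  # created 0600
    try:
        with os.fdopen(fd, "w") as f:
            json.dump(config, f, indent=2)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, path)  # atomic on POSIX: readers see the old or the new file, never a partial one
    except BaseException:
        os.unlink(tmp)
        raise
```

A GET handler would return `mask_secrets(config)`, and a PUT handler would reject the request if `validate_server` reports any violation for any entry before calling `write_config_atomic`.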
References
backend/app/gateway/routers/mcp.py:66
backend/app/gateway/routers/mcp.py:104
backend/packages/harness/deerflow/config/extensions_config.py:134
backend/packages/harness/deerflow/mcp/client.py:24