Skip to content

fix(mcp): validate open pr pressure input#4381

Merged
JSONbored merged 1 commit into
mainfrom
codex/fix-vulnerability-in-mcp-simulator
Jul 9, 2026
Merged

fix(mcp): validate open pr pressure input#4381
JSONbored merged 1 commit into
mainfrom
codex/fix-vulnerability-in-mcp-simulator

Conversation

@JSONbored

Copy link
Copy Markdown
Owner

Motivation

  • The MCP tool gittensory_simulate_open_pr_pressure accepted unbounded/malformed queueHealth and roleContext (via z.unknown()), allowing authenticated callers to cause runtime TypeErrors or reflect large payloads into output.
  • Tighten validation at the MCP boundary to prevent availability/resource-exhaustion and runtime crashes while keeping the simulator pure and read-only.

Description

  • Replace permissive z.unknown() inputs with a bounded queueHealth schema (simulateOpenPrPressureQueueHealthSchema) that validates pressure level, numeric signal counts, limited findings and reasonable string lengths, and add SIMULATE_OPEN_PR_PRESSURE_MAX_COUNT to cap numeric fields.
  • Validate roleContext minimally as an object with maintainerLane: boolean while using .passthrough() so the fuller engine context is preserved.
  • Constrain repoFullName, generatedAt, and contributorOpenPrCount with length/number bounds to avoid oversized inputs.
  • Add regression tests that exercise the MCP boundary rejecting roleContext: null, missing/ill-formed queueHealth.signals, and oversized/string queue counts so malformed inputs fail at schema validation instead of crashing or being reflected in output.

Testing

  • Ran npm run build:miner and the build succeeded.
  • Ran npx vitest run test/unit/mcp-simulate-open-pr-pressure.test.ts and all tests in that file passed.
  • Ran npm run typecheck and TypeScript typecheck passed.
  • Attempted coverage: npx vitest run --coverage test/unit/mcp-simulate-open-pr-pressure.test.ts the tests passed but coverage remapping failed with TypeError: jsTokens is not a function; a full npm run test:coverage run did not complete in this environment.
  • npm audit --audit-level=moderate could not be completed due to the registry audit endpoint returning 403 Forbidden in this environment.

Codex Task

@superagent-security

Copy link
Copy Markdown
Contributor

Superagent didn't find any vulnerabilities or security issues in this PR.

@codecov

codecov Bot commented Jul 9, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 93.95%. Comparing base (c823f9c) to head (e2f72b8).
⚠️ Report is 6 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #4381   +/-   ##
=======================================
  Coverage   93.95%   93.95%           
=======================================
  Files         400      400           
  Lines       36817    36820    +3     
  Branches    13451    13451           
=======================================
+ Hits        34592    34595    +3     
  Misses       1569     1569           
  Partials      656      656           
Files with missing lines Coverage Δ
src/mcp/server.ts 95.42% <100.00%> (+0.01%) ⬆️
🚀 New features to boost your workflow:
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@JSONbored JSONbored self-assigned this Jul 9, 2026
@JSONbored JSONbored added the gittensor:bug Gittensor-scored bug fix — scores a 0.05x multiplier. label Jul 9, 2026
@JSONbored
JSONbored merged commit 141e99a into main Jul 9, 2026
10 checks passed
@JSONbored
JSONbored deleted the codex/fix-vulnerability-in-mcp-simulator branch July 9, 2026 06:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

gittensor:bug Gittensor-scored bug fix — scores a 0.05x multiplier.

Development

Successfully merging this pull request may close these issues.

1 participant