chore: backport mcp server editor configuration disclosure #222

Merged
azmkercso merged 1 commit into 1.1 from fix/backport-mcp-editor-disclosure-1.1
May 18, 2026

Conversation

@azmkercso
Contributor

Backport MCP server editor configuration disclosure from upstream Code-OSS (commit be09b4c7).

Changes

  • Add patches/common/fix-mcp-server-editor-disclosure.diff — shows environment variables, env file, and headers in the MCP server editor deeplink install UI
  • Update patches/backported-patches.json with all findings from the May 18 security scan
  • Add @backported and @finding-id metadata to backported patch headers

Testing

  • prepare-src.sh applies all patches cleanly for all 4 targets
  • No lockfile changes needed (source-only patch)

@azmkercso requested review from a team as code owners May 18, 2026 09:56
@azmkercso closed this May 18, 2026
@azmkercso deleted the fix/backport-mcp-editor-disclosure-1.1 branch May 18, 2026 09:58
@azmkercso restored the fix/backport-mcp-editor-disclosure-1.1 branch May 18, 2026 10:00
@azmkercso reopened this May 18, 2026

@azmkercso
Contributor Author

Issue

V2213552988

Description of Changes

Backport MCP server editor configuration disclosure from upstream Code-OSS (commit be09b4c7). Adds environment variables, env file, and headers display to the MCP server editor deeplink install UI. Also registers non-applicable advisories in backported-patches.json with note field and adds @backported/@finding-id metadata to patch headers.

Testing

  • prepare-src.sh applies all patches cleanly for all 4 targets (sagemaker, web-server, web-embedded, web-embedded-with-terminal)
  • Source-only patch — no lockfile changes needed

Screenshots/Videos

N/A

Additional Notes

Sibling PRs: #224 (main), #223 (1.0)

Backporting

Already applied to main (PR #224) and 1.0 (PR #223 — metadata only, vulnerable code path does not exist in Code-OSS 1.101.2).


By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

@azmkercso merged commit d8aab5c into 1.1 May 18, 2026
2 checks passed
@azmkercso deleted the fix/backport-mcp-editor-disclosure-1.1 branch May 18, 2026 11:39

2 participants