Skip to content

Add absolute path validation for MCP gateway payloadDir field #13183

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
lpcox merged 2 commits into from
Feb 2, 2026
Merged

Add absolute path validation for MCP gateway payloadDir field #13183

lpcox merged 2 commits into from
Feb 2, 2026
+82 −18

Conversation

Copy link
Contributor

Copilot AI commented Feb 2, 2026
edited
Loading

The payloadDir field in the MCP gateway configuration lacked path validation, allowing relative paths that could create security and portability issues.

Changes

  • Specification (Section 4.1.3.1): Added RFC 2119 requirements enforcing absolute paths

    • Unix: MUST start with /
    • Windows: MUST start with drive letter + :\
    • Includes validation examples and security considerations

  • JSON Schema: Added pattern constraint ^(/|[A-Za-z]:\\) to both schema files

    • pkg/workflow/schemas/mcp-gateway-config.schema.json
    • docs/public/schemas/mcp-gateway-config.schema.json

  • Compliance Testing: Added test T-CFG-005 for payload directory path validation

Example

Valid paths:

{
  "gateway": {
    "payloadDir": "/var/lib/mcp-gateway/payloads"  // Unix
  }
}
{
  "gateway": {
    "payloadDir": "C:\\Program Files\\Gateway\\payloads"  // Windows
  }
}

Invalid paths now rejected:

{
  "gateway": {
    "payloadDir": "payloads"  // Relative path - rejected
  }
}

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

@github-actions
Copy link
Contributor

github-actions bot commented Feb 2, 2026

🔍 PR Triage Results

Category: chore | Risk: medium | Priority: 35/100

Scores Breakdown

  • Impact: 20/50 - Medium - schema validation improvement
  • Urgency: 5/30 - Low - just opened, not blocking
  • Quality: 10/20 - Fair - draft status, no implementation yet

📋 Recommended Action: defer

This is a WIP draft with no code changes yet. Schema validation improvements are valuable but not urgent. Can be triaged again once implementation is complete.

Triaged by PR Triage Agent on 2026-02-02

AI generated by PR Triage Agent

@github-actions github-actions bot mentioned this pull request Feb 2, 2026
Closed
@lpcox
Add payloadDir full pathname validation to MCP gateway specification
c8fc933 
Co-authored-by: lpcox <15877973+lpcox@users.noreply.github.com>
Copilot AI changed the title [WIP] Validate payloadDir field in gateway object Add absolute path validation for MCP gateway payloadDir field Feb 2, 2026
Copilot AI requested a review from lpcox February 2, 2026 00:52
@lpcox lpcox marked this pull request as ready for review February 2, 2026 00:53
@github-actions
Copy link
Contributor

github-actions bot commented Feb 2, 2026

PR titles: Add absolute path validation for MCP gateway payloadDir field | Refactor compiler to use grouped shell redirects (fix SC2129)
GitHub MCP ✅; safeinputs-gh ✅; Serena ✅
Playwright ✅; Tavily ✅; file write ✅; bash cat ✅
Discussion query/comment ✅; build ✅
Overall: PASS

AI generated by Smoke Codex

@lpcox lpcox merged commit a2bc819 into main Feb 2, 2026
6 checks passed
@lpcox lpcox deleted the copilot/validate-gateway-payload-dir branch February 2, 2026 00:58
This was referenced Feb 2, 2026
Closed
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@pelikhan pelikhan pelikhan approved these changes

@lpcox lpcox Awaiting requested review from lpcox

Assignees

@lpcox lpcox

Copilot code review Copilot

Labels

pr-action:defer pr-agent:copilot pr-priority:low pr-risk:medium pr-type:chore smoke-codex

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@pelikhan @lpcox