security: validate MCP_REGISTRY_URL and reject http:// overrides at SimpleRegistryClient #814

@danielmeppiel

Description

Follow-up to #813 (fixed in PR #810). The fix for #813 makes MCP_REGISTRY_URL honoured by all apm mcp discovery commands, but the supply-chain-security panel review identified two hardening items that should ship as a separate, security-focused change.

S1 - Validate MCP_REGISTRY_URL at construction

SimpleRegistryClient.__init__ (src/apm_cli/registry/client.py:19-21) currently accepts whatever string the env var contains. A misconfigured value (mcp.internal.example.com without scheme, file:///etc/hosts, blank string) silently flows into request URLs.

Proposal:

  • Parse the override with urlparse; reject missing scheme/netloc with a clear error.
  • Reject http:// by default; require an explicit MCP_REGISTRY_ALLOW_HTTP=1 opt-in for plaintext intranet registries.
  • Emit an actionable error message naming the offending value and the env var.

S2 - Fail-closed on registry network errors when overridden

In RegistryIntegration.validate_servers_exist (and equivalent install pre-flights), today a network failure against a custom MCP_REGISTRY_URL falls back through error paths that may degrade to "could not reach registry, skipping validation". For the default registry this is acceptable. For an explicitly overridden registry it should fail closed: the user opted into a specific endpoint and we must not silently bypass validation.

Proposal: when MCP_REGISTRY_URL is set, registry network errors during install pre-flights are fatal (current behaviour for the default URL stays as-is or is tightened separately).
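A sketch of both items, S1 and S2, as an added example; this is not apm_cli's own code, the function and exception names are assumptions, and the `lookup` callable stands in for the real registry client:

```python
# Hypothetical sketch of S1/S2 (added example; not apm_cli's own code).
from urllib.parse import urlparse

class RegistryConfigError(ValueError):
    """MCP_REGISTRY_URL is malformed or uses a rejected scheme (S1)."""

class RegistryUnavailableError(RuntimeError):
    """An explicitly overridden registry could not be reached (S2)."""

def validate_registry_url(value, allow_http=False, env_var="MCP_REGISTRY_URL"):
    """Return the override unchanged if acceptable, else raise an actionable error (allow_http = MCP_REGISTRY_ALLOW_HTTP=1)."""
    candidate = (value or "").strip()
    if not candidate:
        raise RegistryConfigError(f"{env_var} is set but empty; unset it or give an https:// URL")
    parsed = urlparse(candidate)
    # Rejects 'host.example.com' (no scheme) and 'file:///etc/hosts' (no netloc).
    if not parsed.scheme or not parsed.netloc:
        raise RegistryConfigError(f"{env_var}={candidate!r} needs a scheme and host, e.g. https://host")
    if parsed.scheme == "https" or (parsed.scheme == "http" and allow_http):
        return candidate
    if parsed.scheme == "http":
        raise RegistryConfigError(f"{env_var}={candidate!r} is plaintext http://; set MCP_REGISTRY_ALLOW_HTTP=1 to opt in")
    raise RegistryConfigError(f"{env_var}={candidate!r}: scheme {parsed.scheme!r} is not supported")

def rejection_reason(value, allow_http=False):
    """None when the value is accepted, otherwise the message the user would see."""
    try:
        validate_registry_url(value, allow_http=allow_http)
    except RegistryConfigError as exc:
        return str(exc)
    return None

def preflight_validate(server_names, lookup, overridden):
    """Return server names missing from the registry, or None if validation was skipped."""
    # lookup(name) -> bool; may raise ConnectionError/TimeoutError (stand-in for the registry client).
    missing = []
    for name in server_names:
        try:
            present = lookup(name)
        except (ConnectionError, TimeoutError) as exc:
            if overridden:  # user chose this endpoint: never silently skip validation
                raise RegistryUnavailableError(f"MCP_REGISTRY_URL registry unreachable: {exc}") from exc
            return None  # default registry: degrade to skipping, as today
        if not present:
            missing.append(name)
    return missing
```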

Why a separate issue

Related

Acceptance criteria

  • SimpleRegistryClient.__init__ validates URL shape; rejects schemeless and (by default) http:// overrides.
  • MCP_REGISTRY_ALLOW_HTTP=1 documented as the explicit opt-in.
  • Registry network errors during install pre-flights are fatal when MCP_REGISTRY_URL is set.
  • Tests cover all three: invalid URL rejection, http opt-in, and fail-closed install.
  • CHANGELOG entry under ### Changed (these are intentional behaviour changes).
