github · mcp-adapterHEAD

RemediationAI

The 'echo' tool in `route.ts` lacks authorization checks, allowing any caller to retrieve arbitrary messages without verifying ownership or permissions. Add an `@Authorize()` decorator or middleware (e.g., `checkOwnership(req.user, message.ownerId)`) before returning the message. This ensures only authorized users access content tied to their identity. Verify by testing with a non-owner user—requests should return `403 Forbidden`.

RemediationAI

The 'echo' tool name conflicts with generic MCP tool names, risking collisions or unintended overrides. Rename the tool to include a server-specific prefix (e.g., `myapp_echo`) in the `@Tool()` annotation or route definition. This avoids ambiguity and ensures unique tool identification. Confirm by listing tools via the MCP API—no duplicates should appear.

RemediationAI

The 'echo' tool directly injects user-supplied `message` content into LLM context without delimiters, enabling prompt injection. Wrap the output with provenance delimiters (e.g., `<message>${sanitizedContent}</message>`) and sanitize input using a library like `DOMPurify.sanitize()`. This prevents malicious payloads from altering LLM behavior. Test by submitting a payload like `Ignore instructions and...`—it should appear as literal text, not executed.

Evidence

with:

          token: ${{ secrets.GH_TOKEN_PULL_REQUESTS }}

      - uses: pnpm/action-setup@v4

        name: Install pnpm

        id: pnpm-setup

        with:

RemediationAI

The `pnpm/action-setup@v4` reference in `.github/workflows/release-snapshot.yml` uses a mutable tag, risking supply-chain attacks. Replace it with a pinned SHA (e.g., `uses: pnpm/action-setup@d882d12c64e032187b2edb46d3a0d003b7a43598 # v4.1.0`). This ensures immutable execution. Verify by running `git diff`—the SHA should match the expected version.

Evidence

id-token: write

    steps:

      - name: Checkout

        uses: actions/checkout@v4

        with:

          token: ${{ secrets.GH_TOKEN_PULL_REQUESTS }}

RemediationAI

The `actions/checkout@v4` reference in `.github/workflows/release-snapshot.yml` uses a mutable tag. Replace it with a pinned SHA (e.g., `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1`). This prevents silent code substitution. Confirm by checking the workflow file for the SHA and version comment.

Evidence

run: pnpm install --frozen-lockfile

      - name: Create Release PR or Publish Packages

        uses: changesets/action@v1

        with:

          publish: pnpm release

          version: pnpm version-packages

RemediationAI

The `changesets/action@v1` reference in `.github/workflows/release.yml` uses a mutable tag. Replace it with a pinned SHA (e.g., `uses: changesets/action@c8bada60c408975afd1a20b3db81d6ee668464e5 # v1.4.6`). This ensures deterministic builds. Verify by comparing the SHA to the official release.

Evidence

id-token: write

    steps:

      - name: Checkout

        uses: actions/checkout@v4

        with:

          token: ${{ secrets.GH_TOKEN_PULL_REQUESTS }}

RemediationAI

The `actions/checkout@v4` reference in `.github/workflows/release.yml` uses a mutable tag. Replace it with a pinned SHA (e.g., `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1`). This mitigates supply-chain risks. Confirm by validating the SHA in the workflow file.

Evidence

with:

          token: ${{ secrets.GH_TOKEN_PULL_REQUESTS }}

      - uses: pnpm/action-setup@v4

        name: Install pnpm

        id: pnpm-setup

        with:

RemediationAI

The `pnpm/action-setup@v4` reference in `.github/workflows/release.yml` uses a mutable tag. Replace it with a pinned SHA (e.g., `uses: pnpm/action-setup@d882d12c64e032187b2edb46d3a0d003b7a43598 # v4.1.0`). This ensures immutable execution. Verify by checking the workflow file for the SHA and version comment.