github · mcp-server00cc9302d74f

Evidence

file_path_str = args.get("file_path")

    except Exception:

        # If we can't parse input, we deny to be safe

        print(json.dumps({"decision": "deny", "reason": "Hook error: Could not parse tool input."}))

        sys.exit(0)

    if not file_path_str:

Remediation

Strip C0/C1 control codes before printing user-controlled values. Python: re.sub(r"[\x00-\x08\x0b-\x1f\x7f]", "", s). Prefer a structured logger (json/logfmt) over raw print to stdout.

Evidence

except httpx.HTTPStatusError as e:

            return JSONResponse({"error": str(e)}, status_code=e.response.status_code)

        except (httpx.TimeoutException, TimeoutError) as e:

            return JSONResponse({"error": str(e)}, status_code=504)

        except RuntimeError as e:

            return JSONResponse({"error": str(e)}, status_code=500)

        except Exception as e:  # pragma: no cover - generic catch-all

Remediation

Log the full exception server-side with a correlation ID; return only {"error_id": id, "message": "internal error"} to the caller. Never enable Flask debug mode in production.

Evidence

except ValueError as e:

            return JSONResponse({"error": str(e)}, status_code=400)

        except httpx.HTTPStatusError as e:

            return JSONResponse({"error": str(e)}, status_code=e.response.status_code)

        except (httpx.TimeoutException, TimeoutError) as e:

            return JSONResponse({"error": str(e)}, status_code=504)

        except RuntimeError as e:

Remediation

Log the full exception server-side with a correlation ID; return only {"error_id": id, "message": "internal error"} to the caller. Never enable Flask debug mode in production.

Evidence

except (httpx.TimeoutException, TimeoutError) as e:

            return JSONResponse({"error": str(e)}, status_code=504)

        except RuntimeError as e:

            return JSONResponse({"error": str(e)}, status_code=500)

        except Exception as e:  # pragma: no cover - generic catch-all

            return JSONResponse({"error": str(e)}, status_code=500)

Remediation

Log the full exception server-side with a correlation ID; return only {"error_id": id, "message": "internal error"} to the caller. Never enable Flask debug mode in production.

Evidence

except ResponseTooLargeError as e:

            return JSONResponse({"error": str(e)}, status_code=413)

        except ValueError as e:

            return JSONResponse({"error": str(e)}, status_code=400)

        except httpx.HTTPStatusError as e:

            return JSONResponse({"error": str(e)}, status_code=e.response.status_code)

        except (httpx.TimeoutException, TimeoutError) as e:

Remediation

Log the full exception server-side with a correlation ID; return only {"error_id": id, "message": "internal error"} to the caller. Never enable Flask debug mode in production.

Evidence

try:

            return await func(request)

        except ResponseTooLargeError as e:

            return JSONResponse({"error": str(e)}, status_code=413)

        except ValueError as e:

            return JSONResponse({"error": str(e)}, status_code=400)

        except httpx.HTTPStatusError as e:

Remediation

Log the full exception server-side with a correlation ID; return only {"error_id": id, "message": "internal error"} to the caller. Never enable Flask debug mode in production.

Evidence

except RuntimeError as e:

            return JSONResponse({"error": str(e)}, status_code=500)

        except Exception as e:  # pragma: no cover - generic catch-all

            return JSONResponse({"error": str(e)}, status_code=500)

    return wrapper

Remediation

Log the full exception server-side with a correlation ID; return only {"error_id": id, "message": "internal error"} to the caller. Never enable Flask debug mode in production.

Evidence

class DirectApiEndpoint(BaseModel):

    """Represents a single direct API endpoint."""

    path: str = Field(description="The API endpoint path (e.g., '/api/v2/stats').")

    description: str = Field(description="A description of what this endpoint returns.")

Remediation

Shape the schema to the tool's actual intent: - Zod: chain `.enum([...])`, `.regex(/.../)`, or `.max(n)`; prefer `z.enum([...])` or `z.literal(...)` when the value set is small. - Pydantic: use `Literal["a", "b"]` or `Field(max_length=..., pattern=r"...")`. - JSON Schema: add `"enum"`, `"pattern"`, or `"maxLength"` to the property. An overbroad schema is an "overpowered tool" — the model has nothing to prevent it from calling the tool with input far beyond what the tool's prose contract

Evidence

# Generated by https://smithery.ai. See: https://smithery.ai/docs/build/project-config

FROM python:3.12-slim

WORKDIR /app

COPY pyproject.toml pyproject.toml

# Install uv for dependency management

RUN pip install uv

RUN uv pip install --system . # Install dependencies from pyproject.toml

COPY blockscout_mcp_server /app/blockscout_mcp_server

ENV PYTHONUNBUFFERED=1

# Expose environment variables that can be set at runtime

# Set defaults here to document expected environment variables

# ENV BLO

Remediation

Create and switch to a non-root user before the CMD / ENTRYPOINT: RUN adduser --system --uid 1000 app USER 1000 Or reuse the base image's shipped non-root account (e.g. `USER nobody`, `USER nonroot` on distroless). Multi-stage builds only need the USER directive in the final stage.

Evidence

docker-arm-host-key: ${{ secrets.ARM_RUNNER_KEY }}

      - name: Build and push Docker image

        uses: docker/build-push-action@v6

        with:

          context: .

          file: "Dockerfile"

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

- name: Checkout repository

        uses: actions/checkout@v4

      - uses: actions-ecosystem/action-regex-match@v2

        id: regex

        with:

          text: ${{ github.ref }}

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

runs-on: ubuntu-latest

    steps:

      - name: Check out repository

        uses: actions/checkout@v4

      - name: Set up Python 3.12

        uses: actions/setup-python@v5

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

contents: read

    steps:

      - name: Checkout code

        uses: actions/checkout@v5

      - name: Install MCP Publisher

        run: |

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

runs-on: ubuntu-latest

    steps:

      - name: Checkout repository

        uses: actions/checkout@v4

      - uses: actions-ecosystem/action-regex-match@v2

        id: regex

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

steps:

      # Step 1: Check out the repository code so the workflow can access it.

      - name: Check out repository

        uses: actions/checkout@v4

      # Step 2: Set up the specified Python version from the matrix.

      - name: Set up Python ${{ matrix.python-version }}

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

uses: actions/checkout@v4

      - name: Set up Python 3.12

        uses: actions/setup-python@v5

        with:

          python-version: "3.12"

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

(if ! [[ "$t" == "" ]]; then echo tags=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:$t, ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest; elif ! [[ "$m" == "" ]]; then echo tags=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:$m; else echo tags=; fi) >> $GITHUB_OUTPUT

      - name: Setup repo

        uses: blockscout/actions/.github/actions/setup-multiarch-buildx@main

        id: setup

        with:

          docker-image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

secrets: |

            ci/data/dev/github token | WORKFLOW_TRIGGER_TOKEN ;

      - name: Trigger deploy

        uses: convictional/trigger-workflow-and-wait@v1.6.1

        with:

          owner: blockscout

          repo: deployment-values

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

python-version: "3.12"

      - name: Cache pip dependencies

        uses: actions/cache@v4

        with:

          path: ~/.cache/pip

          key: ${{ runner.os }}-pip-3.12-${{ hashFiles('pyproject.toml') }}

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

# Step 2: Set up the specified Python version from the matrix.

      - name: Set up Python ${{ matrix.python-version }}

        uses: actions/setup-python@v5

        with:

          python-version: ${{ matrix.python-version }}

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

steps:

      - name: Get Vault credentials

        id: retrieve-vault-secrets

        uses: hashicorp/vault-action@v2.4.1

        with:

          url: https://vault.k8s.blockscout.com

          role: ci-dev

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

# Step 2: Set up the specified Python version from the matrix.

      - name: Set up Python ${{ matrix.python-version }}

        uses: actions/setup-python@v5

        with:

          python-version: ${{ matrix.python-version }}

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

# Step 3: Cache dependencies to speed up subsequent runs.

      # The cache is invalidated if the Python version or pyproject.toml changes.

      - name: Cache pip dependencies

        uses: actions/cache@v4

        with:

          path: ~/.cache/pip

          key: ${{ runner.os }}-pip-${{ matrix.python-version }}-${{ hashFiles('pyproject.toml') }}

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

steps:

      # Step 1: Check out the repository code so the workflow can access it.

      - name: Check out repository

        uses: actions/checkout@v4

      # Step 2: Set up the specified Python version from the matrix.

      - name: Set up Python ${{ matrix.python-version }}

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

# Step 3: Cache dependencies to speed up subsequent runs.

      # The cache is invalidated if the Python version or pyproject.toml changes.

      - name: Cache pip dependencies

        uses: actions/cache@v4

        with:

          path: ~/.cache/pip

          key: ${{ runner.os }}-pip-${{ matrix.python-version }}-${{ hashFiles('pyproject.toml') }}

Remediation

Pin every `uses:` to a 40-character commit SHA. Trailing comment with the version helps reviewers: `uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v4.1.1` Automate the migration with `pinact` (https://github.com/suzuki-shunsuke/pinact) or `ratchet` (https://github.com/sethvargo/ratchet). Add a `pinact run --check` pre-commit hook so future PRs stay pinned. Re-pin when the action releases a new version — Dependabot can do this automatically with `version-update-strategy: inc

Evidence

for sess in list(self._sessions.values()):

            if not sess.closed:

                try:

                    await sess.close()

                except Exception:

                    pass

        self._pool.clear()

        self._sessions.clear()

Remediation

Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.

Evidence

return {k: _convert_json_args(v) for k, v in obj.items()}

    if isinstance(obj, str):

        try:

            return to_checksum_address(obj)

        except Exception:

            pass

        if obj.startswith(("0x", "0X")):

            return obj

        # Robust numeric detection: support negatives and large ints

Remediation

Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.

Evidence

async def close(self) -> None:

        for w3 in list(self._pool.values()):

            try:

                await w3.provider.disconnect()

            except Exception:

                pass

        for sess in list(self._sessions.values()):

            if not sess.closed:

                try:

Remediation

Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.

Evidence

client_version,

                        protocol_version,

                    )

                )

            except Exception:

                pass

    return wrapper

Remediation

Log the exception at minimum (`logger.exception(e)`), emit a metric, or re-raise if the error is not recoverable. If you genuinely want to ignore an exception, say so with a comment.