Skip to content

[security][medium] MCPServer spec.readOnly not enforced on federated provider tools #399

Description

@mjudeikis

Summary

MCPServer.spec.readOnly is honored by in-tree tool families (kubernetes/linux) but not by federated provider tools, which are all registered as callable pass-throughs regardless. The documented "block destructive ops in prod" knob is silently partial.

Details

  • providers/mcp/aggregate/aggregatemcp.go:308 threads ReadOnly into the in-tree FamilyContext (honored).
  • providers/mcp/aggregate/provider_proxy.go:81-170 registerProviderTools registers every federated provider tool as a pass-through proxy with no cfg.ReadOnly check.
  • Result: a tenant who sets readOnly: true still gets mutating federated tools like infrastructure__provision / kro_provision exposed and callable.

Fix

In registerOneProxyTool, when cfg.ReadOnly is set, skip/hide tools whose Annotations.ReadOnlyHint is not true (or hide all federated tools in read-only mode).

Severity

Medium (safety-control bypass).

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't workingsecuritySecurity vulnerability or concern

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions