maohuihua123/swagger-mcp-server
high
Swagger-MCP-Server uses Swagger documentation as the contract for its interfaces. It lets users converse in natural language with a large language model (such as ChatGPT) to trigger calls to a website's APIs and carry out data querying, analysis and processing, with ad-hoc analysis and real-time feedback, giving users a new kind of experience.
This MCP server dynamically parses OpenAPI/Swagger specifications to expose API endpoints as callable tools. It allows users to query available interf...
from typing import Dict, Optional   # imports the excerpt relies on (not shown in the excerpt itself)
import httpx

async def call_api(
    url: str,
    method: str,
    query_params: Optional[Dict] = None,
    body: Optional[Dict] = None,
    headers: Optional[Dict] = None
):
    """Make an HTTP request or call to an external API.
    ...
    """
    async with httpx.AsyncClient() as client:
        try:
            # url, method, headers and body are forwarded to httpx exactly as the model supplied them
            response = await client.request(
                method=method.upper(),
                url=url,
                params=query_params or {},
                json=body or {},
                headers=headers or {}
            )
            # (remainder of the function is not shown in this excerpt)

Exploitable if the MCP server is exposed to untrusted prompts (network_exposed) or if the LLM is compromised (local_only).
The url argument of the call_api tool is forwarded to httpx without any validation or restriction. Whoever controls the tool-call arguments (in practice, whoever controls the prompt) can make the server send HTTP requests to any internal or external host, including loopback, private and link-local addresses (127.0.0.1, 10.x.x.x, 169.254.169.254). This is a classic Server-Side Request Forgery (SSRF) vulnerability.
Impact: An attacker (via a compromised LLM or a malicious or injected prompt) can make the server send requests to internal services, cloud metadata endpoints, or other unintended targets from the server's own network position, potentially leading to information disclosure, lateral movement, or further exploitation.
Fix: Restrict the allowed URLs to those derived from the OpenAPI specification: parse the URL and compare scheme, host and port against the spec's servers, and the normalized path against the declared path templates, rather than relying on a string-prefix check (userinfo tricks such as https://api.example.com@127.0.0.1/ and /../ path segments defeat a prefix check). Alternatively, expose the parsed interfaces themselves as tools so the model supplies only parameters and never a URL. Do not follow redirects from the allowed host, since a redirect can point back into the internal network.
async def call_api(
    url: str,
    method: str,
    query_params: Optional[Dict] = None,
    body: Optional[Dict] = None,
    headers: Optional[Dict] = None
):
    ...
    async with httpx.AsyncClient() as client:
        try:
            response = await client.request(
                method=method.upper(),   # any string the model supplies becomes the HTTP method
                url=url,
                params=query_params or {},
                json=body or {},
                headers=headers or {}    # model-supplied headers are sent verbatim
            )
            # (remainder of the function is not shown in this excerpt)

Exploitable if the MCP server is exposed to untrusted prompts (network_exposed) or if the LLM is compromised (local_only).
The same call_api tool also accepts arbitrary HTTP methods (GET, POST, PUT, DELETE, or any other string, since method.upper() is passed straight to httpx) and a caller-supplied headers dict without restriction. This allows an attacker to craft requests that may bypass security controls, for example by adding headers such as X-Forwarded-For, Host, Authorization or Cookie, or by using state-changing methods (PUT, DELETE) on endpoints the specification only declares for GET.
Impact: An attacker could perform unauthorized state-changing operations on internal services, inject headers to spoof identity (X-Forwarded-For) or carry attacker-chosen credentials, or exploit HTTP method-specific weaknesses on the target.
Fix: Restrict the allowed methods to those the OpenAPI specification declares for the matched path. Validate headers against an allowlist of harmless headers (Accept, Content-Type and similar) and have the server attach credentials from its own configuration; at minimum, drop Authorization, Cookie, Host and X-Forwarded-* if they arrive from the model.
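One way to implement the fixes for both call_api findings (URL restricted to the spec's servers and path templates, method restricted to the operations declared for that path, headers restricted to an allowlist), written as an added example that is not code from swagger-mcp-server. The SAMPLE_SPEC, the Allowlist class, SAFE_HEADERS and the hardened call_api wrapper are all constructed here for illustration; the wrapper assumes an httpx version that accepts follow_redirects.

```python
import posixpath
import re
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlsplit, urlunsplit

# Constructed sample OpenAPI fragment for illustration (not the project's own spec):
# one server and three operations. A real implementation would pass the parsed document.
SAMPLE_SPEC: Dict = {
    "servers": [{"url": "https://api.example.com/v1"}],
    "paths": {
        "/users/{id}": {"get": {"summary": "Get user"}, "delete": {"summary": "Delete user"}},
        "/reports": {"get": {"summary": "List reports"}, "post": {"summary": "Create report"}},
    },
}

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}
# Headers the model may set. Authorization, Cookie, Host and X-Forwarded-* are deliberately
# absent: the server's configuration, not the prompt, decides those.
SAFE_HEADERS = {"accept", "accept-language", "content-type", "x-request-id"}


def _default_port(scheme: str) -> int:
    return 443 if scheme == "https" else 80


class Allowlist:
    """Allowed origins, base paths and (path template, methods) derived from the spec."""

    def __init__(self, spec: Dict) -> None:
        self.origins: Set[Tuple[str, str, int]] = set()
        self.base_paths: List[str] = []
        for server in spec.get("servers", []):
            parts = urlsplit(server["url"])
            if parts.scheme not in ("http", "https") or not parts.hostname:
                raise ValueError(f"unsupported server url: {server['url']}")
            self.origins.add((parts.scheme, parts.hostname.lower(), parts.port or _default_port(parts.scheme)))
            self.base_paths.append(posixpath.normpath(parts.path or "/").rstrip("/"))
        self.routes: List[Tuple["re.Pattern[str]", Set[str]]] = []
        for template, ops in spec.get("paths", {}).items():
            # "/users/{id}" -> ^/users/[^/]+$ : literal parts are escaped, a parameter matches one segment
            literal_parts = re.split(r"\{[^/}]+\}", template)
            pattern = "^" + "[^/]+".join(re.escape(p) for p in literal_parts) + "$"
            self.routes.append((re.compile(pattern), {m for m in ops if m in HTTP_METHODS}))

    def check_request(self, url: str, method: str, headers: Optional[Dict]) -> Tuple[str, str]:
        """Return (normalized_url, METHOD) or raise ValueError saying why the call is refused."""
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            raise ValueError("only absolute http(s) URLs are accepted")
        if parts.username is not None or parts.password is not None:
            # https://api.example.com@127.0.0.1/... would pass a naive string-prefix check
            raise ValueError("userinfo in URL is not allowed")
        origin = (parts.scheme, parts.hostname.lower(), parts.port or _default_port(parts.scheme))
        if origin not in self.origins:
            raise ValueError(f"host {origin[1]}:{origin[2]} is not a server listed in the spec")
        path = posixpath.normpath(parts.path or "/")  # collapses /v1/../admin to /admin
        for base in self.base_paths:
            if path == base or path.startswith(base + "/"):
                relative = path[len(base):] or "/"
                break
        else:
            raise ValueError(f"path {path} is outside the spec's base path")
        verb = method.lower()
        for route, methods in self.routes:
            if route.match(relative):
                if verb not in methods:
                    raise ValueError(f"method {method.upper()} is not declared for {relative}")
                break
        else:
            raise ValueError(f"path {relative} is not an operation in the spec")
        disallowed = sorted(h for h in (headers or {}) if h.lower() not in SAFE_HEADERS)
        if disallowed:
            raise ValueError(f"headers not allowed: {', '.join(disallowed)}")
        netloc = parts.hostname if parts.port is None else f"{parts.hostname}:{parts.port}"
        # Rebuild the URL from the validated pieces so nothing dropped above (userinfo, fragment) survives
        return urlunsplit((parts.scheme, netloc, path, parts.query, "")), verb.upper()


def rejection_reason(allow: Allowlist, url: str, method: str, headers: Optional[Dict] = None) -> Optional[str]:
    """None if the call would be permitted, otherwise the reason it is refused."""
    try:
        allow.check_request(url, method, headers)
        return None
    except ValueError as exc:
        return str(exc)


async def call_api(allow: Allowlist, url: str, method: str, query_params: Optional[Dict] = None,
                   body: Optional[Dict] = None, headers: Optional[Dict] = None):
    """Hardened replacement for the tool: validate first, then send, without following redirects,
    so an allowed host cannot bounce the request to an internal one."""
    import httpx  # imported here so the validation above can be exercised without the dependency
    clean_url, verb = allow.check_request(url, method, headers)
    async with httpx.AsyncClient(follow_redirects=False, timeout=10.0) as client:
        response = await client.request(
            verb, clean_url,
            params=query_params or None,
            json=body if body else None,   # the original sent json={} on every call, including GET
            headers=headers or None,
        )
        return response.status_code, response.text
```

The allowlist still trusts DNS for the spec's own host: if the Swagger document the server loads can be supplied by an untrusted party, resolve the host and refuse loopback, private and link-local addresses as well. Because credentials are not accepted from the model, the server has to attach them itself from configuration.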
async def get_detail_interface(summary: str) -> dict | None:   # "dict | None" needs Python 3.10+
    """
    Retrieve the details of the first API interface that matches the given summary.
    ...
    """
    # OPENER is the module-level object holding the parsed spec (defined outside this excerpt).
    # An empty string is a substring of every string, so summary="" returns the first interface.
    for item in OPENER.interfaces:
        if summary.lower() in item.get('summary', '').lower():
            return item
    return None

Exploitable if the MCP server is exposed to untrusted prompts (network_exposed) or if the LLM is compromised (local_only).
The get_detail_interface tool accepts a user-supplied substring and performs a case-insensitive search across all interface summaries, returning the first match. It is not directly exploitable for injection, but it performs no input validation: an empty string matches every summary and so returns the first interface, and repeated probing with different substrings enumerates the interface details one at a time.
Impact: An attacker could use this tool to discover all available API endpoints and their details by probing summary substrings, disclosing the shape of the API surface. The details come from the Swagger document the server was configured with, so the severity depends on whether that document is already public.
Fix: Consider requiring an exact (case-insensitive) match on the full summary, or a stable identifier such as the operation's operationId, and reject empty input. Alternatively, implement rate limiting or authentication for this tool.