roerohan/remote-mcp-server-authless

// Network-exposed MCP without authentication; any user can invoke the github-prs tool and trigger the error, but no token is leaked. However, if a token were hardcoded, it would be a critical credential exposure.

The GitHub PAT is hardcoded as an empty string, and the subsequent check always returns an error. This indicates the developer intended to use an environment variable but left a placeholder. The code is dead, but the pattern suggests credentials could be hardcoded in the future.

ImpactIf a real token were hardcoded, it would be exposed to anyone who can read the source code or decompile the worker. Currently, the tool is non-functional due to missing token.

FixRemove the hardcoded empty string and use the environment variable from the Env interface (e.g., extra.env.GITHUB_PAT). Ensure the token is injected securely via Cloudflare Workers secrets.

// Network-exposed MCP without authentication; any user can invoke the github-prs tool and inject into the query.

The githubUsername parameter is directly interpolated into the URL without sanitization. Although the base URL is fixed to api.github.com, an attacker could inject special characters to manipulate the query (e.g., adding extra parameters or breaking the query syntax). More critically, if the base URL were ever changed or if the token were present, an attacker could potentially redirect the request or exploit GitHub API quirks. However, the primary risk is that the username is not validated, allowing injection into the GitHub search query.

ImpactAn attacker could manipulate the GitHub search query to include additional search terms or potentially access different API endpoints if the URL construction were altered. With the current fixed base URL, the impact is limited to query manipulation, but it could lead to information disclosure or bypassing intended restrictions.

FixValidate the githubUsername parameter to ensure it contains only allowed characters (e.g., alphanumeric, hyphens, underscores). Use URL encoding or a parameterized approach to prevent injection.

// Network-exposed MCP without authentication; any user can invoke the tool with arbitrary input.

The startDate and endDate parameters are validated as datetime strings using Zod, but the githubUsername is only validated as a string with no further constraints. This allows arbitrary strings, including special characters, to be passed. While the datetime validation is good, the username field lacks any pattern or length restriction.

ImpactAn attacker could provide a very long string or special characters in the username, potentially causing issues in the URL or response handling. Combined with the SSRF potential, this increases the attack surface.

FixAdd a regex pattern to the githubUsername schema to restrict it to valid GitHub usernames (e.g., alphanumeric, hyphens, max length).

// Network-exposed MCP without authentication; any user can query any GitHub username's PRs.

The tool returns PR titles, URLs, creation dates, and states. While this matches the documented purpose, the underlying GitHub API response may contain additional fields (e.g., body, labels, assignees) that are not filtered out at the API level. However, the code explicitly maps only the intended fields, so this is not a vulnerability per se. But the tool's purpose is to search PRs by username, and it does not restrict the user to only their own PRs; any username can be queried, potentially enabling reconnaissance.

ImpactAn attacker could query PRs for any GitHub username, potentially gathering information about a user's activity, project involvement, or sensitive discussions in PR titles. This is a privacy concern but within the documented purpose.

FixConsider adding authentication or rate limiting to prevent abuse. Alternatively, restrict the tool to only query PRs for the authenticated user if authentication is added.