Add host allowlisting and IP blocking to Fetch server #2568

Open: wants to merge 2 commits into base: main

olaservo (Member)

Implements security feature to prevent access to local/internal IP addresses by default. Addresses issue #2317.

Changes

  • Block access to private IP ranges by default
  • Add host allowlisting with wildcard support
  • Add configuration options for security customization
  • Implement socket-level validation to prevent TOCTOU attacks
  • Update documentation with security examples

Generated with Claude Code

Implements security feature to prevent access to local/internal IP
addresses by default. Addresses the security risk mentioned in issue #2317.

Key changes:
- Block access to private IP ranges (127.0.0.0/8, 10.0.0.0/8, etc.) by default
- Add --allowed-hosts argument for domain allowlisting with wildcard support
- Add --allow-private-ips flag for development environments
- Add --blocked-ip-ranges for custom IP restrictions
- Implement socket-level hostname resolution to prevent TOCTOU attacks
- Update README with security documentation and configuration examples

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Ola Hungerford <olaservo@users.noreply.github.com>

olaservo requested review from jenn-newton and dend on August 17, 2025 17:13

olaservo added the labels server-filesystem, server-fetch (Reference implementation for the Fetch MCP server - src/fetch) and enhancement (New feature or request), and removed the label server-filesystem (Reference implementation for the Filesystem MCP server - src/filesystem), on Aug 17, 2025
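
The checks listed in the description and commit message (wildcard host allowlist, private-IP blocking, custom blocked ranges, and validating the address that is actually connected to) can be sketched as follows. This is an added example, not code from the pull request; the function names, the shell-style wildcard semantics, the "empty allowlist permits all" default and the injectable `resolver` parameter are assumptions.

```python
import fnmatch
import ipaddress
import socket


class BlockedDestination(Exception):
    """Host is not allowlisted, or resolves to a blocked address."""


def host_allowed(host, allowed_hosts):
    # Assumed semantics: shell-style wildcards, case-insensitive, and an
    # empty allowlist permits every host. "*.example.com" does not match
    # the bare "example.com"; list it separately if it is wanted.
    host = host.rstrip(".").lower()
    if not allowed_hosts:
        return True
    return any(fnmatch.fnmatchcase(host, p.lower()) for p in allowed_hosts)


def ip_blocked(addr, blocked_ranges=(), allow_private=False):
    ip = ipaddress.ip_address(addr)
    # Judge ::ffff:10.0.0.1 as 10.0.0.1 so the mapped form is no bypass.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # Custom ranges always apply, even when private addresses are allowed.
    for cidr in blocked_ranges:
        if ip in ipaddress.ip_network(cidr, strict=False):
            return True
    if allow_private:
        return False
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def resolve_and_check(host, port, allowed_hosts=(), blocked_ranges=(),
                      allow_private=False, resolver=socket.getaddrinfo):
    """Resolve once, vet every answer, return the literals to connect to."""
    if not host_allowed(host, allowed_hosts):
        raise BlockedDestination(f"host not in allowlist: {host}")
    addrs = [info[4][0] for info in resolver(host, port, type=socket.SOCK_STREAM)]
    for addr in addrs:
        if ip_blocked(addr, blocked_ranges, allow_private):
            raise BlockedDestination(f"{host} resolves to blocked {addr}")
    if not addrs:
        raise BlockedDestination(f"no addresses for {host}")
    # Connect to these literals. Resolving the name a second time at
    # connect time would reopen the gap between check and use.
    return addrs
```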