feat: block direct MCP imports and unsanctioned keychain access (Closes #558)

Require a sanctioned MCP daemon (or pytest) before get_auth_header and
keychain credential fill so raw shell imports cannot bypass preflight gates.
This commit is contained in:
2026-07-08 22:49:03 -04:00
parent 9a2e585a9e
commit 8ff1924047
7 changed files with 209 additions and 0 deletions
+11
View File
@@ -104,6 +104,10 @@ def get_credentials(host):
# 3. Optional fallback to macOS Keychain via git credential fill
if not user and not password and os.environ.get("GITEA_USE_KEYCHAIN") == "1":
# #558: block raw keychain dumps outside the sanctioned MCP daemon.
import mcp_daemon_guard
mcp_daemon_guard.assert_keychain_access_allowed()
cmd_parts = ["git", "creden" + "tial", "fi" + "ll"]
try:
p = subprocess.Popen(
@@ -116,6 +120,8 @@ def get_credentials(host):
user = line.split("=", 1)[1]
elif line.startswith("password="):
password = line.split("=", 1)[1]
except mcp_daemon_guard.UnsanctionedRuntimeError:
raise
except Exception:
pass
@@ -124,6 +130,11 @@ def get_credentials(host):
def get_auth_header(host):
"""Return an ``Authorization`` header value for *host*."""
# #558: resolving credentials for API mutation must not happen via ad-hoc
# direct imports that bypass the MCP daemon preflight wall.
import mcp_daemon_guard
mcp_daemon_guard.assert_sanctioned_mutation_runtime("get_auth_header")
host_key = host.lower().strip()
# 1. Try Token-based auth from dynamic configs