22 changes: 20 additions & 2 deletions SECURITY.md
Expand Up @@ -35,9 +35,27 @@ This project uses no manually stored CI/CD secrets. The only secret in the pipel

If you discover that credentials have been accidentally committed or exposed, rotate them immediately, then report the incident privately using the process in the [Reporting a Vulnerability](#reporting-a-vulnerability) section below.

## Security Assessment
## Threat Model and Attack Surface Analysis

This section documents the most likely and impactful security risks for this project.
This section documents the attack surface, trust boundaries, and identified threats for this project. It is reviewed and updated at each release.

### Attack Surface

**Trust boundaries:**
- **MCP client → MCP server (stdio):** The server is spawned as a local subprocess by the MCP client (e.g. Claude Desktop, LibreChat). Communication is over stdio; no network socket is exposed. The client is considered trusted.
- **MCP server → BookStack API (HTTPS):** All requests are authenticated with a Bearer token. The server enforces HTTPS and rejects plain-HTTP base URLs at startup.
- **Operator → MCP server (environment variables):** `BOOKSTACK_BASE_URL`, `BOOKSTACK_TOKEN_ID`, `BOOKSTACK_TOKEN_SECRET`, and `BOOKSTACK_ENABLE_WRITE` are supplied at deployment time by the operator. They are not accepted from MCP clients or end users.

**Entry points:**
- MCP tool input parameters (validated by Zod schemas before use)
- Environment variables (read once at startup; never re-read or logged)
- BookStack API responses (relayed to the MCP client; not interpreted by the server)

**Critical code paths:**
- Credential loading and HTTP request construction (`packages/core/src/bookstack-client.ts`)
- Write operation gating — `BOOKSTACK_ENABLE_WRITE` check before registering write tools (`packages/stdio/src/index.ts`)
- HTTPS enforcement — URL validation at startup rejects non-HTTPS base URLs
- Tool input validation — Zod schemas on all MCP tool parameters

### 1. API credential exposure (HIGH)

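Review bot: The entry-point list treats BookStack API responses as passive data ("relayed to the MCP client; not interpreted by the server"), but the trust-boundary list above says the client is an LLM host such as Claude Desktop, so wiki page content fetched from BookStack is untrusted input to the model and belongs in the threat model as its own boundary. Suggest adding a line under "Trust boundaries" along the lines of "BookStack content → MCP client (LLM): page, chapter and book bodies returned by the API are author-controlled text; the server does not sanitize them and the client should treat them as untrusted", and noting that this matters most when `BOOKSTACK_ENABLE_WRITE` is on, since instructions embedded in relayed content could cause the model to invoke the write tools this section gates. Separately, the HTTPS-enforcement claim ("rejects plain-HTTP base URLs at startup") is the one critical code path listed without a file reference; giving it the same `packages/.../file.ts` pointer as the other three makes the claim checkable at review time.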