Commit 427b3c1
fix(security): scan outputSchema too in the in-process scanner (Codex #770)
CodexReviewer's second finding: the in-process tpa-descriptions scanner dropped
each tool's outputSchema, so a hidden-Unicode / decoded-payload / directive
payload smuggled into the OUTPUT schema was invisible — even though Spec 076
FR-001 scans name+description+inputSchema+outputSchema and the detect checks
already inspect ToolView.OutputSchema.
- toolDef now parses `outputSchema`.
- Legacy phrase + embedded-secret text concatenation includes the output schema.
- The detect adapter populates ToolView.OutputSchema, so the structural checks
(unicode.hidden / payload.decoded) see it via the engine too.
Test: TestInProcessToolScan_DetectEngineOutputSchemaPayload — a base64 curl|sh
blob placed only in outputSchema is flagged payload.decoded end-to-end.
Verification: go test -race ./internal/security/..., golangci-lint v2 (0 issues),
go build ./... — all green.
Related #MCP-3576
Co-Authored-By: Paperclip <noreply@paperclip.ing>1 parent b3c4775 commit 427b3c1
2 files changed
Lines changed: 48 additions & 10 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
85 | 85 | | |
86 | 86 | | |
87 | 87 | | |
88 | | - | |
| 88 | + | |
| 89 | + | |
| 90 | + | |
| 91 | + | |
89 | 92 | | |
90 | | - | |
91 | | - | |
92 | | - | |
| 93 | + | |
| 94 | + | |
| 95 | + | |
| 96 | + | |
93 | 97 | | |
94 | 98 | | |
95 | 99 | | |
| |||
125 | 129 | | |
126 | 130 | | |
127 | 131 | | |
128 | | - | |
129 | | - | |
| 132 | + | |
| 133 | + | |
130 | 134 | | |
131 | 135 | | |
132 | 136 | | |
133 | 137 | | |
| 138 | + | |
| 139 | + | |
| 140 | + | |
134 | 141 | | |
135 | 142 | | |
136 | 143 | | |
| |||
224 | 231 | | |
225 | 232 | | |
226 | 233 | | |
227 | | - | |
228 | | - | |
229 | | - | |
230 | | - | |
| 234 | + | |
| 235 | + | |
| 236 | + | |
| 237 | + | |
| 238 | + | |
231 | 239 | | |
232 | 240 | | |
233 | 241 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
195 | 195 | | |
196 | 196 | | |
197 | 197 | | |
| 198 | + | |
| 199 | + | |
| 200 | + | |
| 201 | + | |
| 202 | + | |
| 203 | + | |
| 204 | + | |
| 205 | + | |
| 206 | + | |
| 207 | + | |
| 208 | + | |
| 209 | + | |
| 210 | + | |
| 211 | + | |
| 212 | + | |
| 213 | + | |
| 214 | + | |
| 215 | + | |
| 216 | + | |
| 217 | + | |
| 218 | + | |
| 219 | + | |
| 220 | + | |
| 221 | + | |
| 222 | + | |
| 223 | + | |
| 224 | + | |
| 225 | + | |
| 226 | + | |
| 227 | + | |
198 | 228 | | |
199 | 229 | | |
200 | 230 | | |
| |||
0 commit comments