You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
fix(security): force --only-binary on python package fetch — never build/execute sdist (MCP-2391)
A plain 'pip download' / 'uv pip download' of an sdist invokes the
package's PEP 517 build backend (setup.py egg_info) to resolve metadata,
which executes code from the package being scanned — violating the
download-and-unpack-NEVER-execute invariant of the source fetch.
- Add --only-binary=:all: to uvDownloadArgs and pipDownloadArgs so only a
prebuilt wheel is ever fetched; a package with no wheel fails the fetch
and falls back to tool-definitions-only.
- Refuse a non-wheel archive in fetchPythonPackage (defense-in-depth);
drop the sdist extraction branch.
- Add positive tests asserting --only-binary=:all: on both Python builders
(the prior NoExecution tests only asserted absence of verbs).
- Align comments + docs (security-scanner-plugins.md, swagger.yaml).
Co-Authored-By: Paperclip <noreply@paperclip.ing>
Copy file name to clipboardExpand all lines: docs/features/security-scanner-plugins.md
+1-1Lines changed: 1 addition & 1 deletion
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -254,7 +254,7 @@ Package-runner servers (`npx`, `uvx`) are the **primary** quarantine/scan target
254
254
**The source is fetched but never executed.** A scanner must not run the untrusted code it is scanning. The fetch only ever downloads and unpacks archives:
255
255
256
256
-**npm (`npx`)** — `npm pack <pkg>@<version> --ignore-scripts` downloads the published tarball without running any lifecycle scripts (`install`/`postinstall`), then it is extracted (`source_method=npm_pack`).
257
-
-**PyPI (`uvx`)** — `uv pip download <pkg>==<version> --no-deps` (falling back to `pip download`) fetches the wheel or sdist; wheels (preferred) and sdists are unpacked **without building** or running `setup.py` (`source_method=pip_download`).
257
+
-**PyPI (`uvx`)** — `uv pip download <pkg>==<version> --no-deps --only-binary=:all:` (falling back to `pip download`) fetches **only a prebuilt wheel**, which is unpacked without building or running `setup.py` (`source_method=pip_download`). `--only-binary=:all:` is mandatory: downloading an sdist would invoke the package's PEP 517 build backend (`setup.py egg_info`) to resolve metadata, executing the untrusted code. A package that ships **no wheel** therefore fails the fetch and falls back to tool definitions only — sdists are never built or extracted.
258
258
259
259
Extraction is hardened against path traversal (zip-slip), symlink escape, and decompression bombs (bounded file count and total size). If the toolchain is missing, the host is offline, or the fetch fails, resolution falls through to **tool definitions only** with no regression.
0 commit comments