Skip to content

[pull] main from modelcontextprotocol:main #267

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
pull merged 2 commits into from
Dec 17, 2025
Merged

[pull] main from modelcontextprotocol:main #267

pull merged 2 commits into from
Dec 17, 2025

Conversation

@pull
Copy link

@pull pull bot commented Dec 17, 2025
edited
Loading

See Commits and Changes for more details.

Created by pull[bot] (v2.0.0-alpha.4)

Can you help keep this open source service alive? 💖 Please sponsor : )

jenn-newton and others added 2 commits December 17, 2025 16:01
@jenn-newton @claude
Merge commit from fork
9e5d5b8 
Add validation to reject arguments starting with '-' and verify
arguments resolve to valid git refs via rev_parse before passing
to git CLI commands. This prevents flag-like values from being
interpreted as command-line options (e.g., --output=/path/to/file).

CWE-88: Improper Neutralization of Argument Delimiters in a Command

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude <noreply@anthropic.com>
@jenn-newton @claude @pcarleton
Merge commit from fork
a37158b 
Validate that repo_path arguments in tool calls are within the
configured --repository path when the --repository flag is set.

The fix:
- Adds validate_repo_path() that resolves paths and checks
  containment using Path.relative_to()
- Resolves symlinks before comparison
- Maintains backward compatibility when --repository is not set

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Paul Carleton <paulc@anthropic.com>
@pull pull bot locked and limited conversation to collaborators Dec 17, 2025
@pull pull bot added the ⤵️ pull label Dec 17, 2025
@pull pull bot merged commit a37158b into threatcode:main Dec 17, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

No reviews

Assignees

No one assigned

Labels

⤵️ pull

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@jenn-newton