Description
- Port Security
- The plugin communicates with MCP Hub on a local port
- Default port (37373) can be configured
- Creates Express server at `http://localhost:[config.port]` or at `config.server_url`
- Ensure firewall rules don't expose the port externally
I don't believe that's secure enough:
- On a multi-user system, this lets other users talk to mcp-hub.
- On any kind of system, it still relies on browsers and other web components (such as Electron apps, webkitgtk in RSS readers, etc.) not letting any external actor access localhost, which has not historically been something one can rely on (and quite likely still is not):
- https://github.blog/security/application-security/dns-rebinding-attacks-explained-the-lookup-is-coming-from-inside-the-house/
- https://www.tenable.com/blog/how-tenable-research-discovered-a-critical-remote-code-execution-vulnerability-on-anthropic
- https://www.straiker.ai/blog/agentic-danger-dns-rebinding-exposing-your-internal-mcp-servers
As a mitigation, I propose that mcp-hub listens on a Unix socket in $XDG_RUNTIME_DIR (or the equivalent on other platforms) by default.
Alternatively, a cookie-based authentication should be implemented, such as the one used in pulseaudio or X11. The server would not talk to anyone who didn't send a special header containing the magic cookie, and this magic cookie would be stored in a location inaccessible to other users and malicious web actors.