Skip to content

Fix McpApiController namespace and security issues#47

Open
Snider wants to merge 4 commits intodevfrom
fix/mcp-api-security-and-namespace-17974347744158043436
Open

Fix McpApiController namespace and security issues#47
Snider wants to merge 4 commits intodevfrom
fix/mcp-api-security-and-namespace-17974347744158043436

Conversation

@Snider
Copy link
Contributor

@Snider Snider commented Feb 4, 2026

This submission fixes a critical namespace mismatch in the McpApiController and addresses several security vulnerabilities:

  1. Namespace Correction: Updated Mod\Api\Controllers to Core\Mcp\Controllers to align with the package's PSR-4 structure.
  2. Authorization: Integrated McpQuotaService to check workspace quotas before tool execution.
  3. Rate Limiting: Added a 60 requests per minute rate limit per workspace/IP.
  4. Injection Prevention: Refactored proc_open to use an array of arguments, preventing shell command injection.
  5. Input Validation: Added regex constraints to server and tool parameters to ensure they follow expected formats.
  6. Syntax & Imports: Added RateLimiter and Str imports and verified syntax with php -l.

Fixes #11

PR created automatically by Jules for task 17974347744158043436 started by @Snider

@Snider
fix(mcp): resolve namespace mismatch and enhance security in McpApiCo…
c82afb4 
…ntroller

- Corrected namespace from Mod\Api\Controllers to Core\Mcp\Controllers
- Added workspace quota enforcement via McpQuotaService
- Implemented rate limiting using RateLimiter facade (60 calls/min)
- Hardened artisan command execution in proc_open to prevent injection
- Added strict regex validation for server and tool input parameters
- Improved input sanitization and added necessary imports (RateLimiter, Str)
@google-labs-jules
Copy link

google-labs-jules bot commented Feb 4, 2026

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

For security, I will only act on instructions from the user who triggered this task.

@gemini-code-assist
Copy link

gemini-code-assist bot commented Feb 4, 2026

Warning

You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again!

@google-labs-jules google-labs-jules bot mentioned this pull request Feb 4, 2026
Closed
@github-actions
Copy link

github-actions bot commented Feb 4, 2026

QA Pipeline Results

Check Status Details
Tests tests, assertions
PHPStan errors
Psalm issues
Code Style files need formatting
Security vulnerabilities
Artifacts
  • test-results.xml - JUnit test results
  • phpstan.json - PHPStan analysis
  • psalm.json / psalm.sarif - Psalm analysis
  • pint.json - Code style report
  • audit.json - Security audit

Generated by core php qa pipeline

Snider added 3 commits February 4, 2026 18:11
@Snider
fix(mcp): resolve namespace mismatches and enhance security in McpApi…
044fc68 
…Controller

- Corrected namespace from Mod\Api\Controllers to Core\Mcp\Controllers in McpApiController
- Corrected namespaces in AgentToolRegistry and AgentSessionService to Core\Mcp\Services
- Fixed numerous internal references from Mod\Mcp to Core\Mcp across the package
- Implemented workspace quota enforcement via McpQuotaService in McpApiController
- Implemented rate limiting using RateLimiter facade (60 calls/min)
- Hardened artisan command execution in proc_open to prevent injection
- Added strict regex validation for server and tool input parameters
- Improved input sanitization and added necessary imports (RateLimiter, Str)
@Snider
fix(mcp): resolve namespace mismatches and enhance security in McpApi…
2efd6fd 
…Controller

- Corrected namespace from Mod\Api\Controllers to Core\Mcp\Controllers in McpApiController
- Standardized namespaces across the package to Core\Mcp and Core\Website\Mcp
- Fixed inconsistent internal references from Mod\Mcp to Core\Mcp
- Updated external references (Agentic, Uptelligence, Api, Tenant) to use Core\ prefix
- Implemented workspace quota enforcement via McpQuotaService in McpApiController
- Implemented rate limiting using RateLimiter facade (60 calls/min)
- Hardened artisan command execution in proc_open to prevent injection
- Added strict regex validation for server and tool input parameters
- Improved input sanitization and added necessary imports (RateLimiter, Str)
- Resolved Mockery use statement warning in tests
@Snider
fix(mcp): resolve namespace mismatches and enhance security in McpApi…
53823e8 
…Controller

- Corrected namespace from Mod\Api\Controllers to Core\Mcp\Controllers in McpApiController
- Standardized namespaces across the package to Core\Mcp and Core\Website\Mcp
- Fixed inconsistent internal and external references from Mod\ to Core\Mod\ or Core\
- Implemented workspace quota enforcement via McpQuotaService in McpApiController
- Implemented rate limiting using RateLimiter facade (60 calls/min) for tool calls
- Hardened artisan command execution in proc_open to prevent injection
- Added strict regex validation for server and tool input parameters
- Improved input sanitization and added necessary imports (RateLimiter, Str)
- Cleaned up redundant Mockery use statement in tests
- Verified syntax across all modified files
@Snider Snider marked this pull request as ready for review February 5, 2026 03:24
@coderabbitai
Copy link

coderabbitai bot commented Feb 5, 2026

Warning

Rate limit exceeded

@Snider has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 6 minutes and 49 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

✨ Finishing touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment
  • Commit unit tests in branch fix/mcp-api-security-and-namespace-17974347744158043436

Comment @coderabbitai help to get the list of available commands and usage tips.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Security: McpApiController namespace mismatch and missing authorization

1 participant

@Snider