[Security] MCP-05: Error Messages Propagate Raw Internal Details #6

@mefai-dev

MCP-05: Error Messages Propagate Raw Internal Details

Severity: MEDIUM
Affected File(s): tools.py:88-89, client.py:61-62

Description

The generic exception handler at tools.py:88-89 returns str(e), which captures the full exception chain including connection details, URLs, and HTTP response bodies. HTTP errors from raise_for_status() propagate response bodies that may contain internal error codes, IP addresses, or rate limit state.

Vulnerable Code

except Exception as e:
    return {"ok": False, "error": str(e)}

Impact

Information leakage of internal server details, URLs, and error codes to MCP clients. More significant when combined with MCP-01 (network exposure).

Proof of Concept

Trigger an API error and observe the full exception chain in the error response.

Recommended Fix

Catch specific exceptions and return sanitized messages:

except requests.exceptions.HTTPError as e:
    return {"ok": False, "error": f"API request failed: {e.response.status_code}"}
except Exception:
    return {"ok": False, "error": "Internal error"}
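As an added illustration (not code from the reported project), the following self-contained script puts the reported handler beside a sanitized one and runs both against the same constructed failures. It makes no network calls: the Response objects and the ConnectionError message are built by hand to mimic what requests raises when a backend at an assumed internal address (10.0.0.5:8080, a made-up value) fails. Beyond the fix above it also catches the remaining requests.exceptions.RequestException types, whose messages embed host and port, and writes the full detail to the server log under an opaque error_id so nothing is lost, only kept off the wire; both of those are additions, not part of the issue.

```python
"""Leaky vs. sanitized error handling for an MCP tool that calls an HTTP API.

Added example, not the project's code. No network access: the failures below
are constructed by hand to mimic what `requests` raises when a backend at an
assumed internal address fails.
"""
import logging
import uuid
from typing import Callable

import requests
from requests.exceptions import HTTPError, RequestException

log = logging.getLogger("mcp.tools")

# Assumed/constructed: an internal backend address that must not reach clients.
INTERNAL_HOST = "10.0.0.5"
INTERNAL_URL = f"http://{INTERNAL_HOST}:8080/internal/v1/lookup"


def failed_response(status: int, reason: str, body: str) -> requests.Response:
    """Build a requests.Response in a failed state (constructed sample)."""
    resp = requests.Response()
    resp.status_code = status
    resp.reason = reason
    resp.url = INTERNAL_URL
    resp.encoding = "utf-8"
    resp._content = body.encode("utf-8")
    return resp


def http_failure(status: int, reason: str, body: str) -> Callable[[], dict]:
    """A backend call that fails exactly as raise_for_status() would."""
    resp = failed_response(status, reason, body)

    def call() -> dict:
        resp.raise_for_status()  # raises HTTPError with response=resp
        return resp.json()

    return call


def connection_failure() -> Callable[[], dict]:
    """A backend call that fails at the transport layer; the message is a
    constructed copy of the shape urllib3/requests produce, host and port included."""
    def call() -> dict:
        raise requests.exceptions.ConnectionError(
            f"HTTPConnectionPool(host='{INTERNAL_HOST}', port=8080): "
            "Max retries exceeded with url: /internal/v1/lookup")
    return call


def leaky_tool(call: Callable[[], dict]) -> dict:
    """The pattern reported at tools.py:88-89: whatever str(e) says goes to the client."""
    try:
        return {"ok": True, "data": call()}
    except Exception as e:
        return {"ok": False, "error": str(e)}


def hardened_tool(call: Callable[[], dict]) -> dict:
    """Client sees a status code or a fixed phrase plus an opaque correlation id;
    the URL, body and transport details go only to the server log."""
    error_id = uuid.uuid4().hex[:8]
    try:
        return {"ok": True, "data": call()}
    except HTTPError as e:
        # raise_for_status() always attaches the response; guard anyway.
        status = e.response.status_code if e.response is not None else "unknown"
        body = e.response.text[:500] if e.response is not None else ""
        log.warning("[%s] upstream HTTP %s at %s body=%r", error_id, status,
                    getattr(e.response, "url", None), body)
        return {"ok": False, "error": f"API request failed: {status}",
                "error_id": error_id}
    except RequestException as e:
        # Connection/timeout errors embed host:port; never echo their text.
        log.warning("[%s] upstream request error: %s", error_id, e)
        return {"ok": False, "error": "API request failed", "error_id": error_id}
    except Exception:
        log.exception("[%s] unexpected error in tool", error_id)
        return {"ok": False, "error": "Internal error", "error_id": error_id}


def mentions_internal_host(result: dict) -> bool:
    """Check a client-visible result for the internal address."""
    return INTERNAL_HOST in result.get("error", "")


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    scenarios = [("502 from backend", http_failure(502, "Bad Gateway", "pool exhausted")),
                 ("rate limited", http_failure(429, "Too Many Requests", '{"retry_after": 37}')),
                 ("connection refused", connection_failure())]
    for name, call in scenarios:
        print(name, "leaky    ->", leaky_tool(call))
        print(name, "hardened ->", hardened_tool(call))
```

The error_id is what the operator greps for in the server log when a client reports a failure, which is the usual trade-off for not sending the detail to the client. Keep the `except Exception` branch last: HTTPError is itself a RequestException, so the order of the first two clauses matters.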


Methodology: Triple-verification static analysis -- each finding verified across three independent code review passes.
