Conversation
- Default bind address is now 127.0.0.1 (localhost only), preventing unintended network exposure of the server and GITLAB_TOKEN
- Docker environments explicitly set HOST=0.0.0.0 where required: Dockerfile, docker-compose.yml, CLI-generated compose files
- Updated documentation with clear security notes explaining when and why to use each value

Closes #333
Test Coverage Report
Overall Coverage: 95.86%

Codecov Report
✅ All modified and coverable lines are covered by tests. 📢 Thoughts on this report? Let us know!
Pull request overview
This PR hardens the default server binding to localhost to reduce accidental network exposure of the MCP server (and any configured GITLAB_TOKEN), while keeping Docker deployments reachable by explicitly setting HOST=0.0.0.0 where port publishing is expected.

Changes:
- Change default `HOST` from `0.0.0.0` to `127.0.0.1` in runtime config and unit tests.
- Ensure Docker entrypoints (Dockerfile, docker-compose, CLI-generated compose) explicitly set `HOST=0.0.0.0`.
- Update documentation and examples to reflect the new default and explain the security implications.
Reviewed changes
Copilot reviewed 10 out of 10 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| src/config.ts | Updates default HOST to 127.0.0.1 to prevent unintended network binding. |
| tests/unit/config.test.ts | Adjusts expected default HOST in config unit test. |
| src/cli/docker/docker-utils.ts | Ensures CLI-generated docker-compose includes HOST=0.0.0.0. |
| tests/unit/cli/docker/docker-utils.test.ts | Updates compose-generation test expectations for the added HOST env entry. |
| docker-compose.yml | Explicitly sets HOST: "0.0.0.0" in Docker services to preserve reachability via port mapping. |
| Dockerfile | Sets ENV HOST=0.0.0.0 for container runtime default binding. |
| .env.example | Updates example to default to 127.0.0.1 and adds clear security guidance. |
| docs/guide/configuration.md | Documents the new default and adds a security note explaining Docker vs local binding. |
| docs/deployment/docker-standalone.md | Updates documented default and clarifies Docker should use 0.0.0.0. |
| SSL.md | Updates the environment variable reference default for HOST. |
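The review above describes the behaviour this PR introduces: the server reads `HOST` from the environment, defaults to loopback when it is unset, and relies on Docker entrypoints to opt into `0.0.0.0` explicitly. The following is an added example, not the project's own `src/config.ts`, showing one way to resolve the bind address with that default and to classify it so a startup log can flag a non-loopback bind (the one that exposes the server and its `GITLAB_TOKEN` to the network). The names `resolveBind`, `isLoopback` and `describeBind` are hypothetical.

```typescript
// Added example (not the project's code): resolve the server bind address with a
// loopback default and classify whether it is reachable from other machines.
import * as net from "node:net";

export const DEFAULT_HOST = "127.0.0.1"; // the new default introduced by the PR
export const ANY_HOST = "0.0.0.0";       // what the Docker entrypoints set explicitly

export interface BindConfig {
  host: string;
  /** true when the address accepts connections from other hosts on the network */
  networkExposed: boolean;
}

/** Hypothetical helper: does this address only accept local connections? */
export function isLoopback(host: string): boolean {
  if (host === "localhost") return true;
  if (net.isIPv4(host)) return host.startsWith("127.");
  if (net.isIPv6(host)) return host === "::1";
  return false;
}

/** Read HOST from an environment map; unset or blank falls back to 127.0.0.1. */
export function resolveBind(env: Record<string, string | undefined>): BindConfig {
  const raw = (env.HOST ?? "").trim();
  const host = raw === "" ? DEFAULT_HOST : raw;
  // Reject anything that is not an IP literal or "localhost" so a typo cannot
  // silently turn into a bind on an unexpected interface.
  if (host !== "localhost" && net.isIP(host) === 0) {
    throw new Error(`HOST must be an IP address or "localhost", got "${host}"`);
  }
  return { host, networkExposed: !isLoopback(host) };
}

/** Build the startup line an operator would see, calling out network exposure. */
export function describeBind(cfg: BindConfig, hasToken: boolean): string {
  if (!cfg.networkExposed) {
    return `listening on ${cfg.host} (loopback only)`;
  }
  const tokenNote = hasToken
    ? "; GITLAB_TOKEN is reachable by anyone who can connect"
    : "";
  return `listening on ${cfg.host} (reachable from the network${tokenNote})`;
}

// Stand-alone run: mirrors the two deployment shapes from the PR.
// Constructed environments, not read from a real process.
console.log(describeBind(resolveBind({}), true));                 // local default
console.log(describeBind(resolveBind({ HOST: ANY_HOST }), true)); // Docker shape
```

With no `HOST` in the environment the resolver yields the loopback default and reports it as not exposed; setting `HOST=0.0.0.0`, as the Dockerfile and compose files do, is the only way to obtain a network-reachable bind, and the startup line says so.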
🎉 This PR is included in version 6.62.1 🎉
The release is available on:
Your semantic-release bot 📦🚀
Summary
- `HOST` changed from `0.0.0.0` to `127.0.0.1`, preventing unintended network exposure of the MCP server and `GITLAB_TOKEN` to anyone on the same network
- `Dockerfile`, `docker-compose.yml`, CLI-generated compose explicitly set `HOST=0.0.0.0` where required for port mapping

Reference
Upstream fix: zereight/gitlab-mcp#289
Closes #333