atlassian-mcp-server

The server implements OAuth 2.0 with PKCE for strong authentication. However, several security risks were identified in the project's own `SECURITY_ASSESSMENT.md` and through code analysis: 1. **Hardcoded Localhost Callback Server**: The OAuth callback server binds to `localhost:8080` without configuration, posing risks of port conflicts and potential local hijacking. 2. **Client Secret in Environment Variables**: Storing the OAuth client secret in plain text environment variables makes it visible in process lists and logs. 3. **Credential File Storage**: Access and refresh tokens are stored in a local JSON file (`~/.atlassian_mcp_credentials.json`) with `0600` permissions, but without encryption at rest, allowing access by anyone with access to the user's account and potentially persisting indefinitely. 4. **Limited HTTP Callback Server Security**: The temporary HTTP server for OAuth callbacks has minimal security, lacking comprehensive request validation and robust timeouts, making it potentially vulnerable to manipulation or DoS during the callback window. 5. **Error Information Disclosure**: Detailed error messages could potentially leak sensitive system information in a production environment. While the code itself does not appear to contain malicious patterns like `eval` or obfuscation, the handling of sensitive credentials locally and the network configuration for the OAuth callback require careful consideration for production deployments.