spring-documentation-mcp-server

Verified Safe

by andrlange

Overview

Provides a Model Context Protocol (MCP) server for comprehensive access to Spring ecosystem documentation, migration guides, code examples, language evolution, and Initializr metadata, primarily for AI agent consumption.

Installation

Run Command
./gradlew bootRun

Environment Variables

  • DB_USER
  • DB_PASSWORD
  • DB_HOST
  • DB_PORT
  • DB_NAME
  • GITHUB_TOKEN

Security Notes

The application uses Spring Security for authentication (API keys and users), with BCrypt hashing for API keys and passwords. External HTTP requests to Spring.io, GitHub, and Initializr are performed using WebClient with timeouts and retry logic. URL validation is implemented for documentation fetching to prevent SSRF by restricting domains to known Spring-related sites. Jsoup is used for HTML parsing, and HTML to Markdown conversion is handled with cleaning steps to mitigate XSS. No obvious hardcoded secrets, 'eval' usage, or malicious patterns were found in the provided code snippets. Robust input validation with `jakarta.validation` is used across DTOs. A potential concern is the logging of full request parameters in `McpRequestLoggerService`, which could contain sensitive data depending on tool usage, but this is a data privacy/retention concern rather than a direct code vulnerability.

Stats

Interest Score: 89
Security Score: 9
Cost Class: High
Avg Tokens: 1000
Stars: 57
Forks: 9
Last Update: 2025-12-10

Tags

Spring Boot, Documentation, AI, MCP, Developer Tools