
mcp-jira-go

Verified Safe

by stardikas

Overview

Acts as an open-source Model Context Protocol (MCP) server to expose Jira 8.5 (Server/Data Center) issues via JSON-RPC, facilitating integration with AI tools.

Installation

Run Command
go run ./cmd/server

Environment Variables

  • JIRA_URL
  • JIRA_USERNAME
  • JIRA_PASSWORD
  • JIRA_INSECURE_SKIP_VERIFY
  • SERVER_PORT
  • LOG_LEVEL

Security Notes

Several critical security risks are present if deployed without careful hardening:

  • `JIRA_INSECURE_SKIP_VERIFY`: This environment variable, if set to true, disables TLS certificate verification for Jira API calls, making the connection vulnerable to Man-in-the-Middle (MiTM) attacks. This is a severe risk in production.
  • `Access-Control-Allow-Origin: *`: The server explicitly allows requests from any origin for its HTTP and Server-Sent Events (SSE) endpoints. This, combined with `websocket.Upgrader.CheckOrigin: true` for WebSockets, disables critical browser-level security mechanisms, potentially exposing the server to Cross-Site Request Forgery (CSRF) and other client-side attacks if not adequately protected by external layers or client-side logic.
  • Basic Authentication: Relies on basic authentication for Jira API calls. While compatible, it is only secure over HTTPS. If `JiraURL` is HTTP or `JIRA_INSECURE_SKIP_VERIFY` is enabled with HTTPS, credentials could be exposed in plaintext.
  • Lack of explicit input validation: While `json.Unmarshal` handles basic structure, deep input validation for tool parameters (e.g., preventing injection attacks into JQL queries if `search_issues` were implemented) is not explicitly detailed in the provided snippets. The current exposed tools (`list_projects`, `get_issue`) have simpler parameters, reducing immediate risk, but it's a general concern for future expansions.
  • No visible rate limiting or abuse prevention mechanisms.

Stats

  • Interest Score: 0
  • Security Score: 5
  • Cost Class: Low
  • Stars: 0
  • Forks: 0
  • Last Update: 2026-01-16

Tags

MCP, Jira, Go, JSON-RPC, API Gateway