fix(security): Add URL scheme validation to prevent credential interception #169
Open
DennisTraub wants to merge 2 commits into aws:main from
a113a12 to 6d4e41c
wzxxing previously approved these changes Feb 13, 2026
JacquesPotgieter previously approved these changes Feb 13, 2026
Contributor
Thanks, but the formatting failed. Could you please run then run
…eption

AWS credentials must be transmitted over HTTPS to prevent interception via man-in-the-middle attacks. This adds validation to reject HTTP endpoints for remote hosts while allowing HTTP for localhost during local development.

- Add validate_endpoint_url() function to utils.py
- Integrate validation into get_service_name_and_region_from_endpoint()
- Integrate validation into aws_iam_streamablehttp_client()
- Add comprehensive tests for URL scheme validation

🤖 Generated with [Claude Code](https://claude.com/claude-code)
auto-merge was automatically disabled
February 13, 2026 13:42
Head branch was pushed to by a user without write access
c59770e
6d4e41c to c59770e
Contributor Author
Fixed the style issues, should be ready to be merged now.
Summary
validate_endpoint_url() function to enforce HTTPS for remote endpoints
Fixes #168
Problem
Endpoint URLs were not validated for HTTPS scheme, which could expose AWS credentials via man-in-the-middle attacks since SigV4 signing headers would be transmitted unencrypted.
Changes
- mcp_proxy_for_aws/utils.py: validate_endpoint_url() function
- mcp_proxy_for_aws/utils.py: get_service_name_and_region_from_endpoint()
- mcp_proxy_for_aws/client.py: aws_iam_streamablehttp_client()
- tests/unit/test_utils.py
- tests/unit/test_client.py
Testing
Backward Compatibility
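
The check described under Problem, written out as an added example; it is not the PR's or the project's code. The names check_endpoint_scheme, is_loopback_host, is_accepted and InsecureEndpointError are hypothetical, treating loopback IP literals the same as "localhost" is an assumption, and the sample URLs are constructed.

```python
import ipaddress
from urllib.parse import urlsplit


class InsecureEndpointError(ValueError):
    """Signed request headers would leave the machine over plaintext HTTP."""


def is_loopback_host(host: str) -> bool:
    # Assumption: the literal name "localhost" resolves to loopback (RFC 6761).
    if host.rstrip(".") == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback  # 127.0.0.0/8 or ::1
    except ValueError:
        return False  # any other DNS name is treated as remote


def check_endpoint_scheme(url: str) -> str:
    """Return url if SigV4-signed requests may be sent to it, else raise."""
    parts = urlsplit(url)  # lowercases the scheme
    host = parts.hostname  # drops userinfo, port and IPv6 brackets; lowercased
    if not host:
        raise InsecureEndpointError(f"endpoint URL has no scheme or host: {url!r}")
    if parts.scheme == "https" or (parts.scheme == "http" and is_loopback_host(host)):
        return url
    raise InsecureEndpointError(f"{parts.scheme}:// not allowed for host {host!r}")


# Constructed sample endpoints; the hosts are placeholders.
SAMPLE_URLS = [
    "https://mcp.example.com/mcp",
    "HTTP://localhost:8080/mcp",
    "http://[::1]:8080/mcp",
    "http://mcp.example.com/mcp",            # plaintext to a remote host
    "http://localhost.example.com/mcp",      # a prefix match would accept this
    "http://localhost@mcp.example.com/mcp",  # "localhost" is userinfo here
    "mcp.example.com/mcp",                   # no scheme at all
]


def is_accepted(url: str) -> bool:
    try:
        check_endpoint_scheme(url)
        return True
    except InsecureEndpointError:
        return False

RESULTS = {u: is_accepted(u) for u in SAMPLE_URLS}
```

The comparison is made on the parsed hostname rather than on the raw string, which is what keeps the userinfo and subdomain look-alikes from passing as localhost.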