
Bump github.com/modelcontextprotocol/go-sdk from 1.4.0 to 1.4.1

Fixes CVE-2026-33252 (GHSA-89xv-2j6f-qhc8): Cross-Site Tool Execution
vulnerability in the MCP Go SDK's Streamable HTTP transport.

The vulnerable version (<=1.4.0) accepted browser-generated cross-site
POST requests without validating the Origin header or requiring
Content-Type: application/json, allowing malicious websites to send
MCP requests to a local server and trigger tool execution without CORS
preflight.

v1.4.1 adds Content-Type header validation for POST requests and
introduces configurable origin verification to prevent CSRF-style
attacks against the MCP HTTP endpoint.

Note: go.sum entries for v1.4.1 will be generated by running
`go mod tidy` after this change.

Signed-off-by: peatey <peatey@users.noreply.github.com>
Claude 1 month ago
Parent
Commit
cae3f55c91
2 changed files with 1 addition and 3 deletions
  1. 1 1
      go.mod
  2. 0 2
      go.sum
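The two checks the commit message describes, shown as an added example that is not the go-sdk's own code and does not use its API: a generic net/http middleware that (1) rejects any POST whose media type is not application/json, which is what forces a browser to send a CORS preflight that an unprepared local server never answers, and (2) rejects requests carrying an Origin header that is not on an allowlist, while still admitting non-browser clients that send no Origin at all. The handler path, port and the allowed-origin list are assumptions for illustration; the JSON-RPC body is a constructed sample.

```go
package main

import (
	"fmt"
	"mime"
	"net/http"
	"net/http/httptest"
	"strings"
)

// GuardMCP wraps an MCP-style HTTP endpoint. It is written here for
// illustration and is not the SDK's implementation.
//
// Content-Type: a cross-site form or fetch() POST with text/plain or
// application/x-www-form-urlencoded is a CORS "simple request" and reaches
// the server with no preflight. Requiring application/json means a browser
// must preflight first, and a server that sends no Access-Control-* headers
// never lets that preflight through.
//
// Origin: browsers always attach Origin to cross-site POSTs, so an Origin
// that is present but not allowlisted is a cross-site caller. A missing
// Origin is left alone because CLI and SDK clients do not send one.
func GuardMCP(next http.Handler, allowedOrigins map[string]bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method == http.MethodPost {
			// ParseMediaType strips parameters such as "; charset=utf-8".
			mt, _, err := mime.ParseMediaType(r.Header.Get("Content-Type"))
			if err != nil || mt != "application/json" {
				http.Error(w, "Content-Type must be application/json", http.StatusUnsupportedMediaType)
				return
			}
		}
		if origin := r.Header.Get("Origin"); origin != "" && !allowedOrigins[origin] {
			http.Error(w, "origin not allowed", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// NewGuardedHandler stands in for a local MCP server whose inner handler
// would execute the requested tool. The allowlist is an assumption: a real
// server would configure the origins it expects (typically none for a
// purely local, non-browser deployment).
func NewGuardedHandler() http.Handler {
	inner := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Reaching this point means the request passed both checks.
		w.Header().Set("Content-Type", "application/json")
		fmt.Fprint(w, `{"jsonrpc":"2.0","id":1,"result":{"content":[]}}`)
	})
	allowed := map[string]bool{
		"http://localhost:8080": true, // assumed local UI origin
		"http://127.0.0.1:8080": true,
	}
	return GuardMCP(inner, allowed)
}

// Probe sends a constructed tools/call request with the given headers and
// returns the status code. An empty contentType or origin omits the header.
func Probe(h http.Handler, contentType, origin string) int {
	body := `{"jsonrpc":"2.0","id":1,"method":"tools/call","params":{"name":"example_tool"}}`
	req := httptest.NewRequest(http.MethodPost, "http://127.0.0.1:8080/mcp", strings.NewReader(body))
	if contentType != "" {
		req.Header.Set("Content-Type", contentType)
	}
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	h := NewGuardedHandler()
	cases := []struct{ name, ct, origin string }{
		{"local SDK client, no Origin", "application/json", ""},
		{"cross-site simple POST (no preflight)", "text/plain", "https://attacker.example"},
		{"cross-site JSON POST", "application/json", "https://attacker.example"},
		{"allowlisted browser origin", "application/json; charset=utf-8", "http://localhost:8080"},
	}
	for _, c := range cases {
		fmt.Printf("%-40s -> %d\n", c.name, Probe(h, c.ct, c.origin))
	}
}
```

The text/plain case is the one the advisory is about: without the Content-Type check it would be executed as a tool call even though the browser never issued a preflight. Note that the Origin check is only as good as its allowlist, which is why the SDK makes it configurable rather than hard-coding loopback origins.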

+ 1 - 1
go.mod

@@ -40,7 +40,7 @@ require (
 	github.com/julienschmidt/httprouter v1.3.0
 	github.com/kubecost/events v0.0.8
 	github.com/microcosm-cc/bluemonday v1.0.27
-	github.com/modelcontextprotocol/go-sdk v1.4.0
+	github.com/modelcontextprotocol/go-sdk v1.4.1
 	github.com/opencost/opencost/core v0.0.0-20250521155634-81d2b597d1bc
 	github.com/opencost/opencost/modules/collector-source v0.0.0-00010101000000-000000000000
 	github.com/opencost/opencost/modules/prometheus-source v0.0.0-00010101000000-000000000000
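Review bot: the version bump on the `github.com/modelcontextprotocol/go-sdk v1.4.1` line may only close half of CVE-2026-33252 on its own: the commit message describes the new origin verification as configurable, so the code that constructs this project's Streamable HTTP transport should be checked, and if necessary changed in this same PR, to enable it with the origins this server expects; only the Content-Type validation is described as arriving with the bump without further configuration.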

+ 0 - 2
go.sum

@@ -351,8 +351,6 @@ github.com/minio/minio-go/v7 v7.0.98 h1:MeAVKjLVz+XJ28zFcuYyImNSAh8Mq725uNW4beRi
 github.com/minio/minio-go/v7 v7.0.98/go.mod h1:cY0Y+W7yozf0mdIclrttzo1Iiu7mEf9y7nk2uXqMOvM=
 github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
 github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
-github.com/modelcontextprotocol/go-sdk v1.4.0 h1:u0kr8lbJc1oBcawK7Df+/ajNMpIDFE41OEPxdeTLOn8=
-github.com/modelcontextprotocol/go-sdk v1.4.0/go.mod h1:Nxc2n+n/GdCebUaqCOhTetptS17SXXNu9IfNTaLDi1E=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
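Review bot: this hunk drops the `h1:` and `/go.mod` lines for v1.4.0 but adds no replacement entries for v1.4.1, so with Go's default read-only module mode `go build`, `go test` and `go mod verify` will fail with a missing go.sum entry until `go mod tidy` is run; rather than deferring that step as the commit message proposes, run it locally and commit the resulting two v1.4.1 lines here, so CI passes and reviewers can see the module hashes that were actually resolved for the security fix.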