Hiddenden/AegisGitea-MCP
3
0
Fork 0
Code Issues 2 Pull Requests Actions Packages Projects Releases 1 Wiki Activity
Page: Security
Pages
API Reference Architecture Audit Automation Configuration Deployment Getting Started Governance Hardening Home Observability Policy Raw API Roadmap Security Troubleshooting Write Mode
Clone
1
Security
Latte edited this page 2026-06-26 12:58:15 +02:00
Unescape Escape
Table of Contents
This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

Security

Core Controls

  • OAuth2/OIDC bearer-token authentication for MCP tool execution.
  • OIDC discovery + JWKS validation cache for JWT tokens.
  • Userinfo validation fallback for opaque OAuth tokens.
  • Scope enforcement:
    • read:repository for read tools.
    • write:repository for write tools.
  • Policy engine checks before tool execution.
  • Per-IP and per-token rate limiting.
  • Strict schema validation (extra=forbid).
  • Tamper-evident audit logging with hash chaining.
  • Secret sanitization for logs and tool output.
  • Production-safe error responses (no internal stack traces).

Threat Model

Why shared bot tokens are dangerous

  • A single leaked bot token can expose all repositories that bot can access.
  • Access is not naturally bounded per end user.
  • Blast radius is large and cross-tenant.

Why token-in-URL is insecure

  • URLs can be captured by reverse proxy logs, browser history, referer headers, and monitoring pipelines.
  • Bearer tokens must be passed in Authorization headers only.

Why per-user OAuth reduces lateral access

  • Each MCP request executes with the signed-in user token.
  • Gitea authorization stays source-of-truth for repository visibility.
  • A compromised token is limited to that users permissions.

Prompt Injection Hardening

Repository content is treated as untrusted data.

  • Tool outputs are bounded and sanitized.
  • No instructions from repository text are executed.
  • Text fields are size-limited before returning to LLM clients.

Secret Detection

Detected classes include:

  • API key and token patterns.
  • JWT-like tokens.
  • Private key block markers.
  • Common provider credential formats.

Behavior:

  • SECRET_DETECTION_MODE=mask: redact in place.
  • SECRET_DETECTION_MODE=block: replace secret-bearing values.
  • SECRET_DETECTION_MODE=off: disable sanitization (not recommended).

AegisGitea-MCP

Start

Operating

Internals

Security

Reference

Generated from the docs/ directory. Edit the docs, not the wiki, then re-run the wiki sync.