fix: avoid false positives when blocking secrets in tool responses#364
Open
Pnkcaht wants to merge 1 commit intodocker:mainfrom
Open
fix: avoid false positives when blocking secrets in tool responses#364Pnkcaht wants to merge 1 commit intodocker:mainfrom
Pnkcaht wants to merge 1 commit intodocker:mainfrom
Conversation
Signed-off-by: pnkcaht <samzoovsk19@gmail.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What I did
Adjusted the secret-blocking middleware to avoid false positives for read-only tools by scoping response secret scanning to cases where secrets were already present in the tool input.
This change ensures that tools such as
get_issueno longer fail due to overly aggressive secret detection in responses, while preserving protection against real secret exfiltration scenarios.Related issue
Fixed #334
What was the problem?
When using read-only tools (e.g.
get_issue) through the MCP Gateway, users consistently hit errors indicating that secrets were being returned, even though no secrets were provided as input.This behavior was caused by the secret-blocking middleware scanning all tool responses unconditionally, regardless of whether the request itself contained sensitive data.
As a result:
How this change fixes it
The middleware now tracks whether secrets were present in the tool input and only scans the tool response when there is a real risk of secret exfiltration.
Specifically:
This preserves the original security guarantees while eliminating false positives.
Before / After (Summary)
Before
get_issuecould fail unexpectedlyAfter
Screenshot
Secret detection in tool call input
This section ensures that tool invocation arguments are scanned for secrets before the tool is executed.
The arguments are first normalized into a string representation, allowing them to be safely analyzed regardless of their original structure. If the resulting input is non-empty and a secret pattern is detected, the execution is immediately blocked.
Conditional secret scanning in tool responses
This logic ensures that tool responses are only scanned for secrets when the input originally contained sensitive data.
Instead of blindly inspecting every tool response, the middleware tracks whether a secret was detected in the input arguments (inputHadSecrets). Only in that case does it perform a secondary scan on the tool’s output.
Tracking secret presence across the tool call lifecycle
The inputHadSecrets flag is introduced to track whether sensitive data was detected in the tool input arguments.
This variable acts as state shared across the middleware execution, allowing later stages to make informed decisions based on what happened during input validation.