Security hardening: fix auth bypass, SSRF, MCP vulnerabilities (issue #68)

[janhilgard]

Summary

Comprehensive security hardening addressing 17 of the 25 vulnerabilities identified in #68. This PR fixes all actionable items in a single commit.

CRITICAL fixes:

• Auth bypass on Anthropic endpoints: Added verify_api_key + check_rate_limit dependencies to /v1/messages, /v1/messages/count_tokens, /v1/status, /v1/cache/stats, /v1/cache
• MCP skip_security_validation bypass: Removed the field entirely from MCPServerConfig — security validation always runs
• SSRF via URL fetching: Added _validate_url_safety() that blocks private IPs, localhost, link-local, and cloud metadata endpoints before download_image()/download_video()

HIGH fixes:

• Path traversal in multimodal input: Removed Path.exists() local file checks from process_image_input()/process_video_input() — API only accepts URLs and base64
• trust_remote_code=True default: Changed to False in SimpleEngine, BatchedEngine, and MLXMultimodalLM; added --trust-remote-code CLI flag for explicit opt-in
• /v1/mcp/execute sandbox bypass: Now routes through ToolSandbox.validate_tool_execution() before executing
• MCP allow_unsafe bypass: Removed allow_unsafe parameter and all bypass code from MCPCommandValidator
• MCP regex bypass: Added newline/CR detection and ${} expansion patterns to dangerous command/arg patterns; added interpreter argument validation (-c, -e, --eval)

MEDIUM fixes:

• No audio file size limit: Added 100MB upload limit
• No TTS text length limit: Added 10K character limit
• Default bind to 0.0.0.0: Changed to 127.0.0.1 with warning when 0.0.0.0 used without --api-key
• No max_tokens upper bound: Added 128K cap in SamplingParams.__post_init__()
• MCP config from CWD: Removed ./mcp.json and ./mcp.yaml from search paths (only ~/.config/ now)
• High-risk MCP tools only warned: Changed _check_high_risk_tool() to raise MCPSecurityError instead of just logging
• Arbitrary model loading for STT/TTS: Reject unknown models instead of passing through to HuggingFace

LOW fixes:

• Rate limiter unbounded growth: Added periodic GC of stale clients (every 5 minutes)
• Exception details leaked: Replaced detail=str(e) with "Internal server error" in 500 responses

NOT included (separate PRs):

• Log injection (fix(mllm): concatenate text parts instead of overwriting in chat() #12) — moderate refactoring scope
• Race condition in global STT/TTS engines (Fix token metrics in streaming, and improve token tracking #14) — requires architectural change
• MD5 cache collision (Add multi-format tool call parser (bracket, raw JSON) #15), disk cache integrity (KV cache Quantization. #17), TOCTOU (Add MedGemma to MLLM detection patterns and fix the mllm flag #22), hash truncation (Missing 'pytz' dependency for vllm-mlx-chat #23), thread safety (Add missing pytz dependency for vllm-mlx-chat #24) — separate concerns
• Spoofed User-Agent (Q: Does vLLM support niche models? #25) — informational

Test plan

• Verify /v1/messages returns 401 without API key when --api-key is set
• Verify SSRF protection blocks http://169.254.169.254/ and http://localhost/
• Verify local file paths are rejected by process_image_input()
• Verify MCPServerConfig(skip_security_validation=True) raises TypeError
• Verify --trust-remote-code flag is required for models needing it
• Run uvx black vllm_mlx/ — passes
• Run existing test suite

Closes #68

🤖 Generated with Claude Code