lintai docs

Appearance

Rule Reference

SEC319lintai-ai-securitystableserver_jsonwarn

server.json remotes: insecure or private URL

server.json remotes entry uses an insecure or non-public remote URL

Provider
lintai-ai-security
Surface
server_json
Scope
per_file
Tier
stable
Severity
warn
Confidence
high
Detection
structural
Remediation
message_only

Activation Model

Preset Membership

This rule is part of the builtin activation graph through these preset memberships.

basemembership
mcpmembership

Lifecycle

Stable Lifecycle Contract

State

stable_gated

Graduation rationale

Checks MCP registry remotes[] URLs for insecure HTTP and non-public host literals without inspecting local package transport URLs.

Deterministic signal basis

ServerJsonSignals remotes[] URL analysis limited to streamable-http and sse entries.

Malicious corpus
server-json-insecure-remote-url
Benign corpus
server-json-loopback-package-transport-safe
structured evidence required remediation reviewed
Canonical note

Structural stable rule intended as a high-precision check with deterministic evidence.

Nearby Signals

Related Rules

SEC320server.json remotes: undefined template variableserver.json remotes URL references an undefined template variableserver_jsonstable
SEC321server.json remotes: literal auth headerserver.json remotes header commits literal authentication materialserver_jsonstable
SEC322server.json remotes: undefined header variableserver.json remotes header value references an undefined template variableserver_jsonstable
SEC323server.json auth: missing explicit secret flagserver.json auth header carries material without an explicit secret flagserver_jsonpreview

Why It Matters

server.json remotes are intended to describe public registry endpoints. Insecure HTTP or non-public host literals weaken transport trust or leak private topology into published registry metadata.

What Triggers

SEC319 applies to server.json remotes[] entries and triggers when a remote URL is:

  • explicitly http://, or
  • a non-public host literal in the registry remote entry

It does not inspect package transport URLs.

Example that triggers:

json
{
  "remotes": [
    {
      "type": "streamable-http",
      "url": "http://example.com/mcp"
    }
  ]
}

Example that stays clean:

json
{
  "packages": [
    {
      "transport": {
        "type": "streamable-http",
        "url": "http://localhost:8080/mcp"
      }
    }
  ]
}

False Positives

This rule is intentionally scoped to registry remotes[] entries, not all URL fields in the document. That avoids flagging local package transport details that are outside the public remote surface.

Remediation

Use a public HTTPS remote URL in the registry entry or remove the non-public literal from the remote definition.