Enhance MCP server configuration: add MCP_URL_ONLY environment variable to restrict to URL-based clients

[brainexe]

Summary

• createClientEntry in lib/server.js can spawn arbitrary local processes via the stdio command path, giving any authenticated caller effective RCE on the host.
• Added new opt-in env var MCP_URL_ONLY: when truthy, configs with command are rejected and only url-based MCP clients are accepted. So only known proxies/URL servers can be used.
• Default behavior unchanged when the var is unset.

[trungdq88]

TypingMind support MCP url directly without needing typingmind-mcp, you can enter the MCP url directly to TypingMind and it will work, right?.

This package is designed for the command use case where the MCP server need a host to run commands on. Not sure if I'm missing something here 😅

[brainexe]

We'd like to use this MCP connector on our infrastructure to run a defined list of MCPs on our defined and secure infrastructure.

So, like a proxy from the TypingMind side to the internal MCPs, without exposing all MCP endpoints to the internet (only one endpoint with IP whitelist and authentication, etc.).

So let's say we have some MCPs – they could run on our connector server in Docker containers (defined on our side and not as JSON inside the TypingMind admin panel!) and can be accessed via the IP...or some other internal MCP domains in the network which should not be reached by extern directly.

And this MR is the ultimate way to increase security: in case someone gets access to the TypingMind admin panel, he'd be able to run any command on the MCP connector server. This is something which we'd like to restrict.

-> this MR should just give us the option to block one big security issue of this kind of MCP connectors, as I don't want a remote code execution tooling running on my network (which the tool is right now, just with a password protection). And I'd like to avoid having all private MCPs connected to the internet.

Or is there another suggestion to have a MCP proxy running via Typingmind?

[brainexe]

@trungdq88 any further ideas about this topic? Right now, I don't see any other way to use internal URLs without the mcp-connector, and not having it somewhat exposed to the internet. Or is there some way within Typingmind?
This MR would make it possible to just use the typingmind-connector as a mcp-proxy only while having the option to not spawn any random command.

[mox1]

I just want to pipe in here (I have not reviewed the PR), but @brainexe is asking for a feature flag that basically turns this into a Typing Mind MCP proxy server. Its a security enhancement that allows them to access other MCP servers, but disable the execution of any local MCP agents.

Its basically a "restricted" mode or a security enhancement.

@brainexe As an alternative, I have my Typing Mind MCP server running behind Cloudflare (via a tunnel). Its exposed at an endpoint, but I have added a set of security restrictions (IP allowlisting for example). That may be an option.

[brainexe]

thanks for your answer! But that is not a complete option, as we already have hard IP restrictions in place (so server only reachable by the given public Typingmind IPs).

The attack vector that is not solved by the IP restriction: if someone gains access to the TypingMind admin console (either through our teammates or some other attack on TypingMind), it would be easily possible for attackers to run any malicious command on the given MCP gateway server.