Project
cortex
Description
The URL host extraction logic in both src/cortex-cli/src/utils/validation.rs (line 146) and src/cortex-cli/src/mcp_cmd/validation.rs (line 148) uses host_port.split(':').next() to separate the host from the port. For IPv6 URLs like http://[::1]:8080/path, host_port is [::1]:8080. The split(':') call splits on the first colon — which is inside the IPv6 address — producing [ as the "host" instead of [::1].
// Line 146 of src/cortex-cli/src/utils/validation.rs
let host = host_port.split(':').next().unwrap_or(host_port);
For http://[2001:db8::1]:8080/path:
- host_port = [2001:db8::1]:8080
- split(':').next() = [ (just the opening bracket)
- All subsequent host-based checks run against [ instead of [2001:db8::1]
This affects IPv6 addresses NOT in the blocked patterns list, including:
- ULA (Unique Local Address) ranges like fd00::/8 — private IPv6 equivalent to 10.x.x.x, but NOT in BLOCKED_URL_PATTERNS
- Any public IPv6 address
- IPv6 loopback [::1] when --allow-local is used (blocked patterns skipped)
Error Message
Debug Logs
System Information
Screenshots
Steps to Reproduce
1. ULA (private IPv6) accepted when it shouldn't be:
   cortex mcp add testipv6 --url "http://[fd12:3456:789a::1]:8080/mcp"
   ✓ Added HTTP MCP server 'testipv6'
   ULA (fd00::/8) is private IPv6, but passes validation because
   the host is extracted as "[" which matches no blocked pattern
   cortex mcp remove testipv6 -y
2. Any non-blocked IPv6 accepted with broken host check:
   cortex mcp add testipv6 --url "http://[2001:db8::1]:8080/mcp"
   ✓ Added HTTP MCP server 'testipv6'
   Host extracted as "[" — no meaningful host validation possible
   cortex mcp remove testipv6 -y
3. Loopback with --allow-local skips blocked patterns, host extraction broken:
   cortex mcp add testipv6 --url "http://[::1]:8080/mcp" --allow-local
   ✓ Added HTTP MCP server 'testipv6'
   Blocked patterns skipped, host extracted as "[", no loopback detection
   cortex mcp remove testipv6 -y
Expected Behavior
IPv6 URLs with bracketed notation should have their host correctly extracted as the full [::1] or [2001:db8::1] portion. The code should handle brackets before splitting on : to separate host from port. For example:
let host = if host_port.starts_with('[') {
    // IPv6 literal: take everything up to and including the closing bracket,
    // so "[::1]:8080" yields "[::1]" rather than "[::1" or "["
    match host_port.find(']') {
        Some(end) => &host_port[..=end],
        None => host_port, // unterminated bracket: leave as-is for the caller to reject
    }
} else {
    // hostname or IPv4: the first ':' separates host from port
    host_port.split(':').next().unwrap_or(host_port)
};
ULA ranges (fd00::/8, fc00::/7) should also be added to BLOCKED_URL_PATTERNS.
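As an added example (not the project's own code), the buggy extraction beside a bracket-aware version, plus a check that parses the bracketed literal with std::net::Ipv6Addr to catch ULA (fc00::/7) and loopback instead of relying on string patterns; function names are assumptions:

```rust
use std::net::Ipv6Addr;

/// Original behaviour: splits on the first ':' even when it sits inside an IPv6 literal.
pub fn host_buggy(host_port: &str) -> &str {
    host_port.split(':').next().unwrap_or(host_port)
}

/// Bracket-aware extraction: a bracketed IPv6 literal is everything up to and including ']'.
pub fn host_fixed(host_port: &str) -> &str {
    if host_port.starts_with('[') {
        match host_port.find(']') {
            Some(end) => &host_port[..=end],
            None => host_port, // unterminated bracket; caller should reject the URL
        }
    } else {
        host_port.split(':').next().unwrap_or(host_port)
    }
}

/// True when `host` is a bracketed IPv6 literal that is loopback or inside fc00::/7 (ULA).
/// Non-bracketed hosts and unparseable literals (e.g. with a zone id) return false here;
/// a real validator should reject the unparseable case rather than let it through.
pub fn is_private_ipv6(host: &str) -> bool {
    let inner = match host.strip_prefix('[').and_then(|h| h.strip_suffix(']')) {
        Some(inner) => inner,
        None => return false,
    };
    match inner.parse::<Ipv6Addr>() {
        // fc00::/7 means the top 7 bits of the first segment are 1111110x
        Ok(addr) => addr.is_loopback() || (addr.segments()[0] & 0xfe00) == 0xfc00,
        Err(_) => false,
    }
}

fn main() {
    // Constructed inputs mirroring the reproduction steps above
    for hp in ["[fd12:3456:789a::1]:8080", "[2001:db8::1]:8080", "[::1]:8080", "10.0.0.1:8080"] {
        let fixed = host_fixed(hp);
        println!("{hp}: buggy={:?} fixed={:?} private_v6={}", host_buggy(hp), fixed, is_private_ipv6(fixed));
    }
}
```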
Actual Behavior
split(':').next() splits on the first colon inside the IPv6 address, extracting [ as the host. All host-based security checks then run against a single bracket character, making them ineffective. Private IPv6 ULA addresses (fd00::/8) pass validation despite being the IPv6 equivalent of RFC1918 private space.
Additional Context
No response