fix(security): require hostname validation in _is_github_server (#816)

Sergio Sisternes · Copilot · Sergio Sisternes · commit 93f97573276e · 2026-05-10T11:51:02.000+01:00
Co-authored-by: Copilot &lt;223556219+Copilot@users.noreply.github.com&gt;
diff --git a/src/apm_cli/adapters/client/copilot.py b/src/apm_cli/adapters/client/copilot.py
@@ -1208,8 +1208,12 @@ def _select_best_package(self, packages):
     def _is_github_server(self, server_name, url):
         """Securely determine if a server is a GitHub MCP server.
 
-        This method uses proper URL parsing and hostname validation to prevent
-        security vulnerabilities from substring-based checks.
+        Uses proper URL parsing and hostname validation to prevent token
+        injection via poisoned registry entries.  A name-allowlist match
+        alone is **not** sufficient -- the URL hostname must also belong
+        to a verified GitHub domain.  A verified hostname on its own
+        (regardless of name) is still accepted so that custom-named
+        servers pointing at GitHub continue to work.
 
         Args:
             server_name (str): Name of the MCP server.
@@ -1220,31 +1224,41 @@ def _is_github_server(self, server_name, url):
         """
         from urllib.parse import urlparse
 
-        # Check server name against an allowlist of known GitHub MCP servers
         github_server_names = [
             "github-mcp-server",
             "github",
             "github-mcp",
             "github-copilot-mcp-server",
         ]
 
-        # Exact match check for server names (case-insensitive)
-        if server_name and server_name.lower() in [name.lower() for name in github_server_names]:
-            return True
-
-        # If URL is provided, validate the hostname
+        def _is_github_mcp_hostname(hostname: str) -> bool:
+            """Check if *hostname* belongs to GitHub (cloud, enterprise, or Copilot API)."""
+            if is_github_hostname(hostname):
+                return True
+            h = hostname.lower()
+            # Subdomains of github.com (e.g. api.github.com)
+            if h.endswith(".github.com"):
+                return True
+            # Copilot API hosts (e.g. api.githubcopilot.com, api.business.githubcopilot.com)
+            return h == "githubcopilot.com" or h.endswith(".githubcopilot.com")
+
+        name_matches = bool(
+            server_name and server_name.lower() in [n.lower() for n in github_server_names]
+        )
+
+        # Parse and validate hostname from URL
+        hostname = None
         if url:
             try:
                 parsed_url = urlparse(url)
                 hostname = parsed_url.hostname
-
-                if hostname:
-                    # Use helper to determine whether hostname is a GitHub host (cloud or enterprise)
-                    if is_github_hostname(hostname):
-                        return True
-
             except Exception:
-                # If URL parsing fails, assume it's not a GitHub server
                 return False
 
-        return False
+        host_matches = bool(hostname and _is_github_mcp_hostname(hostname))
+
+        # SECURITY: require BOTH name AND host when name matches,
+        # but allow host-only match (URL points to GitHub regardless of name).
+        if name_matches:
+            return host_matches  # name alone is no longer sufficient
+        return host_matches  # URL-only path preserved
diff --git a/tests/unit/test_copilot_adapter.py b/tests/unit/test_copilot_adapter.py
@@ -611,5 +611,53 @@ def test_handles_empty_list(self):
         self.assertIsNone(CopilotClientAdapter._select_remote_with_url([]))
 
 
+class TestIsGitHubServer(unittest.TestCase):
+    """Tests for ``_is_github_server`` hostname-validation security hardening (#816)."""
+
+    def setUp(self):
+        self.adapter = CopilotClientAdapter.__new__(CopilotClientAdapter)
+
+    # -- poisoned registry entry: name matches but URL is malicious ----------
+    def test_poisoned_name_returns_false(self):
+        result = self.adapter._is_github_server(
+            "github-mcp-server", "https://evil.example.com/mcp/"
+        )
+        self.assertFalse(result, "Name match alone must NOT be sufficient")
+
+    # -- legitimate server: both name and hostname match ---------------------
+    def test_legitimate_server_returns_true(self):
+        result = self.adapter._is_github_server(
+            "github-mcp-server", "https://api.githubcopilot.com/mcp/"
+        )
+        self.assertTrue(result)
+
+    # -- URL-only match: GitHub hostname with non-matching name --------------
+    def test_url_only_match_returns_true(self):
+        result = self.adapter._is_github_server("custom-server", "https://api.github.com/mcp")
+        self.assertTrue(result)
+
+    # -- no match: neither name nor hostname ---------------------------------
+    def test_no_match_returns_false(self):
+        result = self.adapter._is_github_server("random-server", "https://evil.example.com/mcp/")
+        self.assertFalse(result)
+
+    # -- name match but empty URL: must reject -------------------------------
+    def test_name_match_no_url_returns_false(self):
+        result = self.adapter._is_github_server("github-mcp-server", "")
+        self.assertFalse(result, "Name match with empty URL must return False")
+
+    # -- GHE hostname --------------------------------------------------------
+    def test_ghe_hostname_returns_true(self):
+        result = self.adapter._is_github_server("github", "https://mcp.myorg.ghe.com/v1")
+        self.assertTrue(result)
+
+    # -- Copilot enterprise variant ------------------------------------------
+    def test_copilot_enterprise_variant_returns_true(self):
+        result = self.adapter._is_github_server(
+            "github-mcp", "https://api.business.githubcopilot.com/mcp/"
+        )
+        self.assertTrue(result)
+
+
 if __name__ == "__main__":
     unittest.main()
