Harden che-word-mcp wrapper with sha256 + code-signature verification (security follow-up from #112 push review) #116

Description

@kiki830621

Problem

The push security review (#112 / PR #115) found that plugins/che-word-mcp/bin/che-word-mcp-wrapper.sh execs the downloaded binary directly, with no sha256 / code-signature verification (supply-chain / unverified remote code execution class). The two new wrappers covered by the same review (che-pdf-mcp, che-pptx-mcp) were already fixed in PR #115. The che-word-mcp wrapper is an existing production pattern copied verbatim from psychquant-claude-plugins and was not touched in that PR for two reasons:

  1. Changing it would break the "copy = byte-identical" migration verification contract (already recorded in the audit trail).
  2. The shell plugin.json version is bound to the binary download contract (the wrapper picks the release tag from the plugin.json version). Bumping the shell version would make the wrapper fetch a non-existent v3.20.1 binary tag and then fall back to latest, corrupting the sidecar records. A clean fix needs the shell and binary versions decoupled (e.g. a binary_version field).

Expected

The che-word-mcp wrapper has the same dual verification as the two new wrappers in PR #115 (fail-closed sha256 comparison against the release asset + a hard codesign TeamIdentifier=6W377FS7BS gate), with correct version semantics (binary download still pinned to v3.20.0).

Actual

The wrapper execs the binary directly after download (HTTPS is the only line of defence).

Impact

Medium-high: if a release asset is swapped (GitHub account compromise scenario) there is no second line of defence on the user side. che-word-mcp has the largest install base of the 4 plugins.


Source: surfaced during #112 push security review disposition


Current Status

Phase: closed
Last updated: 2026-07-02 by idd-all batch

PR #121 (off main, base of the stacked train). Verification: 6-AI PASS (Codex P2 fail-closed fix).

Metadata

Assignees: No one assigned

Labels: bug
