Skip to content

Fix T-1004 false positives in logging statements #147

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
hello-args merged 2 commits into from
Jun 11, 2026
Merged

Fix T-1004 false positives in logging statements #147

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
a59effa
Fix T-1004 false positives in logging statements
Jun 10, 2026
230617e
Fix ruff format check: add missing trailing newlines.
hello-args Jun 11, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
20 changes: 20 additions & 0 deletions src/mcts/analyzers/data_leakage.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -40,6 +40,24 @@

HIDDEN_CHAR_PATTERN = re.compile(r"[\u200b-\u200f\ufeff\u202a-\u202e]")

LOGGING_CALL_PATTERN = re.compile(
r"""
^\s*
(?:
print
|console\.(?:log|info|warn|warning|error|debug)
|(?:logger|logging|log)\.(?:log|info|warn|warning|error|debug|exception|critical)
|(?:self\.)?logger\.(?:log|info|warn|warning|error|debug|exception|critical)
)
\s*\(
""",
re.VERBOSE,
)


def _is_logging_statement(line: str) -> bool:
return bool(LOGGING_CALL_PATTERN.search(line))


class DataLeakageAnalyzer(BaseAnalyzer):
"""Scans tool metadata and source files for exposed secrets."""
Expand Down Expand Up @@ -101,6 +119,8 @@ def _scan_source_files(self, server: MCPServerInfo) -> list[Finding]:
for label, pattern, severity in SECRET_PATTERNS:
if not pattern.search(line):
continue
if label == "Internal URL" and _is_logging_statement(line):
continue
finding_id = f"leak-src-{file_path}-{line_no}-{label.lower().replace(' ', '-')}"
if finding_id in seen:
continue
Expand Down
24 changes: 24 additions & 0 deletions tests/test_analyzers.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,8 +3,10 @@
from pathlib import Path

from mcts.analyzers.command_execution import CommandExecutionAnalyzer
from mcts.analyzers.data_leakage import DataLeakageAnalyzer
from mcts.core.config import ScanConfig
from mcts.discovery.static import StaticDiscovery
from mcts.mcp.models import MCPServerInfo
from mcts.reporting.models import Severity


Expand All @@ -24,3 +26,25 @@ def test_data_leakage_scans_source_files(example_server_path: Path) -> None:
report = Scanner(ScanConfig(target=example_server_path)).run()
source_findings = [f for f in report.findings if f.analyzer == "data_leakage" and f.location]
assert source_findings or any(f.analyzer == "data_leakage" for f in report.findings)


def test_data_leakage_ignores_loopback_urls_in_log_messages() -> None:
server = MCPServerInfo(
name="perseus",
source_files={
"mcp.py": "\n".join(
[
"print(f'Perseus MCP SSE server listening on http://127.0.0.1:{port}')",
"print(f' SSE endpoint: http://127.0.0.1:{port}/sse')",
"logger.info('Server card: http://localhost:9000/.well-known/mcp/server-card.json')",
"callback_url = 'http://127.0.0.1:9000/message'",
]
)
},
)

findings = DataLeakageAnalyzer().analyze(server)

assert len(findings) == 1
assert findings[0].location
assert findings[0].location.line == 4
Loading