# Security Policy
## Supported Versions
We release security updates for the following versions:
| Version | Supported |
| ------- | ------------------ |
| 2.0.x | :white_check_mark: |
| < 2.0 | :x: |
## Security Features
The Patch MCP Server implements comprehensive security measures:
### File Security
- **Symlink Protection**: Symlinks are automatically rejected (security policy)
- **Binary File Detection**: Binary files are detected and rejected
- **Path Traversal Protection**: Prevents directory escaping attacks
- **File Size Limits**: 10MB maximum file size to prevent resource exhaustion
- **Disk Space Validation**: Ensures sufficient disk space (100MB minimum + 110% file size)
### Operation Security
- **Permission Checks**: Read/write permissions validated before operations
- **Atomic Operations**: File replacements use atomic rename where possible
- **No Code Execution**: Server does not execute arbitrary code
- **Input Validation**: All inputs validated using Pydantic models
- **Error Type Classification**: 10 distinct error types for precise error handling
### Security Constants
```python
MAX_FILE_SIZE = 10 * 1024 * 1024 # 10MB
MIN_FREE_SPACE = 100 * 1024 * 1024 # 100MB
BINARY_CHECK_BYTES = 8192 # First 8KB checked
NON_TEXT_THRESHOLD = 0.3 # 30% non-text = binary
```
## Known Security Limitations
### Intentional Restrictions
1. **Symlinks Rejected**: The server rejects all symlinks as a security policy
2. **Binary Files Rejected**: Binary files are not supported (detected and rejected)
3. **File Size Limit**: 10MB maximum to prevent resource exhaustion
4. **UTF-8 Only**: Only UTF-8 encoded text files are supported
### User Responsibility
The security of your system depends on:
- **Source Trust**: Only apply patches from trusted sources
- **File Permissions**: Set appropriate file system permissions
- **Input Validation**: Validate patch sources before application
- **Monitoring**: Monitor server operations and logs
## Security Audit History
| Date | Auditor | Scope | Status |
|------------|---------|----------------------|--------|
| 2025-01-18 | Internal| Full codebase review | ā Pass |
## Disclosure Policy
- We follow **coordinated disclosure**
- Security issues are fixed before public disclosure
- We credit security researchers (unless they prefer anonymity)
- We publish security advisories for all confirmed vulnerabilities
## Security Updates
Security updates will be:
- Released as patch versions (e.g., 2.0.1)
- Documented in CHANGELOG.md
- Announced via GitHub Security Advisories
- Tagged with `[SECURITY]` in release notes
## Contact
For security-related questions (non-vulnerabilities):
- Open a [Discussion](https://github.com/shenning00/patch_mcp/discussions)
- Create an [Issue](https://github.com/shenning00/patch_mcp/issues) (for non-sensitive questions)
---
Thank you for helping keep Patch MCP Server secure! š
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/shenning00/patch_mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server