security: harden API clients, config and MCP tools #1
Open
Valisthea wants to merge 1 commit into asterdex:main from
- Fix POST/DELETE signed params sent in body instead of URL (client.py, spot_client.py)
- Fix v3 nonce generation: use direct microsecond timestamps
- Add strict private key regex validation for EIP-712 accounts
- Add rate-limit retry with exponential backoff (429/418) on all clients
- Use split connect/read timeout tuple (5s, 15s) on all clients
- Add dry_run parameter to create_order and create_spot_order tools
- Use string type for quantity parameters to preserve decimal precision
- Remove account IDs exposure from get_server_info response
- Hide API key input in CLI prompts
- Replace direct _config access with public API in CLI
- Add backup warning about missing .key file for encrypted fields
- Document chainId 1666 as AsterDex off-chain signing identifier
Summary
Security hardening of the aster-mcp codebase based on a comprehensive audit covering API clients, configuration management, CLI, and MCP tool interfaces.
Changes applied (12 fixes across 7 files)

API Clients (client.py, spot_client.py, v3_client.py)
- Send POST/DELETE signed params in the request body (`data=`) instead of the URL query string (`params=`), preventing credential leakage in server logs and browser history
- Add rate-limit retry with exponential backoff on 429/418, with `Retry-After` header support
- Replace `timeout=30` with a split `(5s connect, 15s read)` tuple to fail fast on connection issues while allowing adequate read time

V3 Client (v3_client.py)
- Fix nonce generation: change `int(time.time() * 1000) * 1_000_000` (milliseconds x 1M, causing overflow) to `int(time.time() * 1_000_000)` (direct microsecond precision)
- Add strict private key regex validation (`^(0x)?[0-9a-fA-F]{64}$`) at initialization to reject malformed keys early

MCP Tools (simple_server.py, tools.py)
- Add `dry_run: bool = False` to `create_order` and `create_spot_order` — when True, returns an order preview without executing, enabling safe AI agent validation
- Change `quantity` parameter type from `float` to `str` across tool signatures to preserve decimal precision (critical for small-amount crypto orders)
- Remove `accounts` list from `get_server_info()` response — only returns the count, preventing enumeration of configured account IDs

CLI (cli.py)
- Change `hide_input=False` to `hide_input=True` for API Key prompts (API Secret was already hidden)
- Replace `cm._config["accounts"]` access with `cm.list_accounts()` public API throughout

Config (config.py)
- Add `logger.warning()` in `backup_config()` alerting that the backup does NOT include the `.key` encryption file, and encrypted fields will be unrecoverable without it

What was NOT changed

Test plan
- `pytest tests/ -v` — 2/2 passed
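As an added illustration (not the aster-mcp project's own code), the client-side fixes described in the PR in one small helper: signed params placed in the body for POST/DELETE, a split connect/read timeout, 429/418 retry with exponential backoff that honours `Retry-After`, a microsecond nonce, and the private-key regex check at initialization. All function names are assumptions, and the transport is injected as a `send` callable so the code runs offline.

```python
import re
import time
from typing import Callable, Dict, Tuple

# Hypothetical helper names; constants mirror the values stated in the PR.
PRIVATE_KEY_RE = re.compile(r"^(0x)?[0-9a-fA-F]{64}$")
CONNECT_TIMEOUT, READ_TIMEOUT = 5, 15   # fail fast on connect, allow a longer read
RETRY_STATUSES = {429, 418}             # rate limited / temporarily banned


def validate_private_key(key: str) -> str:
    """Reject malformed EIP-712 private keys at initialization, before any signing."""
    if not PRIVATE_KEY_RE.match(key):
        raise ValueError("private key must be 64 hex chars, optionally 0x-prefixed")
    return key


def make_nonce() -> int:
    """Microsecond timestamp nonce (the fixed form from the PR)."""
    return int(time.time() * 1_000_000)


def build_request(method: str, url: str, signed: Dict[str, str]) -> dict:
    """Put signed params in the body for POST/DELETE so they never land in URL logs;
    GET keeps them as query params. Returns kwargs in the shape requests.request() takes."""
    kwargs = {"method": method, "url": url, "timeout": (CONNECT_TIMEOUT, READ_TIMEOUT)}
    if method in ("POST", "DELETE"):
        kwargs["data"] = signed
    else:
        kwargs["params"] = signed
    return kwargs


def send_with_retry(send: Callable[[dict], Tuple[int, Dict[str, str]]], req: dict,
                    max_retries: int = 3,
                    sleep: Callable[[float], None] = time.sleep) -> int:
    """Retry on 429/418 with exponential backoff (1s, 2s, 4s, ...), using the server's
    Retry-After value instead when it is present. `send` is any transport returning
    (status_code, response_headers); the final status is returned to the caller."""
    status = 0
    for attempt in range(max_retries + 1):
        status, headers = send(req)
        if status not in RETRY_STATUSES or attempt == max_retries:
            return status
        retry_after = headers.get("Retry-After")
        delay = float(retry_after) if retry_after else float(2 ** attempt)
        sleep(delay)
    return status
```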