Read a large MCP gateway response from a side-channel payloadPath.
The MCP gateway returns oversized JSON-RPC results via a file path pointer ({ "payloadPath": "/tmp/.../mcp-payload-โฆ.json" }) instead of inlining megabytes of text in the JSON-RPC envelope. That path is controlled by the MCP gateway, so a compromised or buggy gateway could direct us at arbitrary local files (e.g. /etc/passwd, ~/.copilot/mcp-config.json) and exfiltrate their contents back into RawDocument records.
Defence-in-depth โ the path is accepted only when ALL of the following hold:
it is a non-empty string;
it ends in .json;
it contains no NUL byte;
it resolves (after path.resolve) inside an allowed temp root โ either os.tmpdir() or /tmp.
On any policy violation, null is returned and the original inline parsed object is surfaced to the caller as a graceful degradation.
Read a large MCP gateway response from a side-channel
payloadPath.The MCP gateway returns oversized JSON-RPC results via a file path pointer (
{ "payloadPath": "/tmp/.../mcp-payload-โฆ.json" }) instead of inlining megabytes of text in the JSON-RPC envelope. That path is controlled by the MCP gateway, so a compromised or buggy gateway could direct us at arbitrary local files (e.g./etc/passwd,~/.copilot/mcp-config.json) and exfiltrate their contents back intoRawDocumentrecords.Defence-in-depth โ the path is accepted only when ALL of the following hold:
.json;path.resolve) inside an allowed temp root โ eitheros.tmpdir()or/tmp.On any policy violation,
nullis returned and the original inlineparsedobject is surfaced to the caller as a graceful degradation.