fix(ipc): tighten workload validation on utils:get-workload-available-tools

Address Copilot review on #2037: the previous guard accepted any string
for transport_type / proxy_mode and any number for port, so prototype
keys like `__proto__` would fall through into createTransport, and
`NaN` / non-http URLs could reach `new URL(...)` at the transport layer.

- Restrict `transport_type` to {stdio, streamable-http, sse} and
  `proxy_mode` to {sse, streamable-http} via explicit allowlists
- Require `port` to be a finite integer in [0, 65535]
- Require `url` to be an http(s) URL parseable by `new URL` (empty
  string still tolerated; createTransport falls back to localhost)

Author: samuv

main/src/ipc-handlers/utils.ts

@@ -4,33 +4,72 @@ import { getHeaders } from '../headers'
 import { getInstanceId, isOfficialReleaseBuild } from '../util'
 import { getWorkloadAvailableTools } from '../utils/mcp-tools'
 
+// Allowlists for fields that are later used to index into lookup tables or
+// construct URLs/connections in `createTransport`. Keeping these explicit makes
+// the IPC boundary reject unexpected values (including prototype keys like
+// `__proto__` or `constructor`) before they reach the transport layer.
+const VALID_TRANSPORT_TYPES = new Set(['stdio', 'streamable-http', 'sse'])
+const VALID_PROXY_MODES = new Set(['sse', 'streamable-http'])
+const MAX_TCP_PORT = 65535
+
 function isOptionalString(value: unknown): value is string | undefined {
   return value === undefined || typeof value === 'string'
 }
 
-function isOptionalNumber(value: unknown): value is number | undefined {
-  return value === undefined || typeof value === 'number'
-}
-
 function isOptionalBoolean(value: unknown): value is boolean | undefined {
   return value === undefined || typeof value === 'boolean'
 }
 
+function isOptionalEnum(
+  value: unknown,
+  allowed: ReadonlySet<string>
+): value is string | undefined {
+  return (
+    value === undefined || (typeof value === 'string' && allowed.has(value))
+  )
+}
+
+function isOptionalTcpPort(value: unknown): value is number | undefined {
+  if (value === undefined) return true
+  return (
+    typeof value === 'number' &&
+    Number.isInteger(value) &&
+    value >= 0 &&
+    value <= MAX_TCP_PORT
+  )
+}
+
+function isOptionalHttpUrl(value: unknown): value is string | undefined {
+  if (value === undefined) return true
+  if (typeof value !== 'string') return false
+  // Empty string is tolerated: `createTransport` treats it as "no url" and
+  // falls back to `http://localhost:<port>/mcp`.
+  if (value === '') return true
+  try {
+    const parsed = new URL(value)
+    return parsed.protocol === 'http:' || parsed.protocol === 'https:'
+  } catch {
+    return false
+  }
+}
+
 // Validates that an untrusted IPC payload matches the subset of `CoreWorkload`
-// that `getWorkloadAvailableTools` relies on. We do not exhaustively validate
-// every field on the generated type; we only enforce the shape required by the
-// consumer so malformed or malicious payloads are rejected at the boundary.
+// that `getWorkloadAvailableTools` / `createTransport` rely on. Only fields
+// consumed by the downstream code are validated; fields like labels or
+// created_at are ignored here because the consumer never reads them.
 function isCoreWorkload(value: unknown): value is CoreWorkload {
   if (typeof value !== 'object' || value === null || Array.isArray(value)) {
     return false
   }
   const workload = value as Record<string, unknown>
 
   if (!isOptionalString(workload.name)) return false
-  if (!isOptionalString(workload.url)) return false
-  if (!isOptionalString(workload.transport_type)) return false
-  if (!isOptionalString(workload.proxy_mode)) return false
-  if (!isOptionalNumber(workload.port)) return false
+  if (!isOptionalHttpUrl(workload.url)) return false
+  if (!isOptionalEnum(workload.transport_type, VALID_TRANSPORT_TYPES)) {
+    return false
+  }
+  if (!isOptionalEnum(workload.proxy_mode, VALID_PROXY_MODES)) return false
+  if (!isOptionalTcpPort(workload.port)) return false
   if (!isOptionalBoolean(workload.remote)) return false
 
   return true