Javadocs.dev MCP

All 12 findings

1. medium
   Tool `get_latest_version` accepts unconstrained string input· get_latest_versionunconstrained input

   The following string parameter(s) have no `maxLength` constraint: `artifactId`, `groupId`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

   fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

2. medium
   Tool `get_latest_version` description mentions money but no `money` side-effect is declared· get_latest_versionexcessive agency

   Description: "Resolves the latest published version of a Maven Central artifact (any groupId:artifactId — Java, Kotlin, or Scala library). Call this first when you only know the artifact but not the version: the version it returns feeds into every other tool here that takes a concrete version. Works against the live Maven Central catalog — no local install, build tool, or repository checkout required." -- this references money/payment/refund/etc., but the declared side_effects ([]) don't include `money`. A capframe-bind policy that relies on declared side_effects to scope spend caveats will under-scope this tool.

   fix: Add `money` to the tool's `side_effects` declaration, or rewrite the description to clarify that no actual money moves.

3. medium
   Tool `get_javadoc_index` accepts unconstrained string input· get_javadoc_indexunconstrained input

   The following string parameter(s) have no `maxLength` constraint: `artifactId`, `groupId`, `version`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

   fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

4. medium
   Tool `get_javadoc_index` fetches external web content -- indirect-injection surface· get_javadoc_indexindirect injection

   Description: "Fetches the rendered Javadoc/Scaladoc index page for a specific Maven Central artifact version, converted to plain text/markdown. Useful for orienting yourself in an unfamiliar library: it lists the top-level packages, modules, and (for Scaladoc) often a curated overview. Use this before drilling into specific symbols. Works against the live Maven Central catalog — you do not need to download the javadoc jar." -- this tool pulls externally-controlled content into the agent's context window, the canonical indirect-injection vector. Even when the user supplies the URL, content at that URL can carry hostile instructions.

   fix: Sandbox the fetched content: strip prompts before forwarding to the model, constrain to an allow-list of domains, and route through capframe-guard with a `domain in [...]` caveat.

5. medium
   Tool `get_javadoc_content_list` accepts unconstrained string input· get_javadoc_content_listunconstrained input

   The following string parameter(s) have no `maxLength` constraint: `artifactId`, `groupId`, `version`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

   fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

6. medium
   Tool `get_javadoc_symbol_contents` accepts unconstrained string input· get_javadoc_symbol_contentsunconstrained input

   The following string parameter(s) have no `maxLength` constraint: `artifactId`, `groupId`, `link`, `version`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

   fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

7. medium
   Tool `get_source_contents` accepts unconstrained string input· get_source_contentsunconstrained input

   The following string parameter(s) have no `maxLength` constraint: `artifactId`, `groupId`, `link`, `version`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

   fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

8. medium
   Tool `get_source_contents` description mentions money but no `money` side-effect is declared· get_source_contentsexcessive agency

   Description: "Reads one source file from a Maven Central library's sources jar (the `-sources.jar` artifact). Pass the `link` value returned by list_source_contents. Use this whenever you need the exact source text of a JVM library — tracing behavior into a dependency, confirming a public API's implementation, finding a definition, or comparing two library versions. Strongly preferred over locating the jar in a local build cache and unzipping it: it works for any Maven Central artifact, no local checkout or build needed." -- this references money/payment/refund/etc., but the declared side_effects ([]) don't include `money`. A capframe-bind policy that relies on declared side_effects to scope spend caveats will under-scope this tool.

   fix: Add `money` to the tool's `side_effects` declaration, or rewrite the description to clarify that no actual money moves.

9. medium
   Tool `list_source_contents` accepts unconstrained string input· list_source_contentsunconstrained input

   The following string parameter(s) have no `maxLength` constraint: `artifactId`, `groupId`, `version`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

   fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

10. medium
    Tool `list_source_contents` description mentions money but no `money` side-effect is declared· list_source_contentsexcessive agency

    Description: "Lists every file inside the **sources jar** (the `-sources.jar` publishers attach alongside the binary) of a Maven Central artifact version. Each returned path can be fed to get_source_contents to read the file. Prefer this any time you would otherwise locate a `-sources.jar` in your local Coursier/Ivy/Maven cache and `unzip` it: this tool works directly against Maven Central, requires no local install or build, and works for libraries you've never depended on. Use it whenever you need to read the actual source of a JVM library (Java, Kotlin, Scala) — for example to understand an implementation detail, find where a method is defined, see how a feature is wired internally, or work with a library that doesn't publish javadocs." -- this references money/payment/refund/etc., but the declared side_effects ([]) don't include `money`. A capframe-bind policy that relies on declared side_effects to scope spend caveats will under-scope this tool.

    fix: Add `money` to the tool's `side_effects` declaration, or rewrite the description to clarify that no actual money moves.

11. medium
    Tool `search_artifacts` accepts unconstrained string input· search_artifactsunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `query`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.

12. medium
    Tool `symbol_to_artifact` accepts unconstrained string input· symbol_to_artifactunconstrained input

    The following string parameter(s) have no `maxLength` constraint: `query`. Unbounded strings let an attacker stuff arbitrary payloads through the tool, including indirect-injection content.

    fix: Add a `maxLength` to each string property, or constrain with an `enum` or `pattern`. Most legitimate tool inputs fit under a few hundred bytes.