Merge pull request #52 from zinja-coder/6.3

Combined all points from PR #48 and PR #49 and PR #51

Author: zinja-coder

README.md

@@ -275,6 +275,43 @@ Demo: **Perform Code Review to Find Vulnerabilities locally**
 
 https://github.com/user-attachments/assets/4cd26715-b5e6-4b4b-95e4-054de6789f42
 
+### Advanced CLI Options
+
+| Flag | Default | Description |
+|------|---------|-------------|
+| `--http` | off | Serve over HTTP instead of stdio |
+| `--host` | `127.0.0.1` | Bind address for `--http` mode |
+| `--port` | `8651` | Port for `--http` mode |
+| `--jadx-host` | `127.0.0.1` | Hostname/IP of the JADX AI MCP Plugin |
+| `--jadx-port` | `8650` | Port of the JADX AI MCP Plugin |
+
+**Docker / Remote VM example:**
+```bash
+uv run jadx_mcp_server.py --http --host 0.0.0.0 --port 8651
+```
+
+**JADX running on a different machine:**
+```bash
+uv run jadx_mcp_server.py --http --jadx-host 192.168.1.100 --jadx-port 8650
+```
+
+> [!CAUTION]
+> ### ⚠️ Security Warning — Remote Binding
+>
+> When using `--host 0.0.0.0` (or any non-localhost address), the MCP server binds to **all network interfaces** over **plain HTTP with no authentication**. This means:
+>
+> - **Anyone on the network** can connect and invoke all MCP tools
+> - There is **no TLS encryption** — traffic can be intercepted
+> - An attacker can use the server to **read decompiled code**, **rename classes/methods**, and **access debug info**
+>
+> **Mitigations:**
+> - Only bind to `0.0.0.0` on **trusted, isolated networks** (e.g., Docker bridge, local VM)
+> - Use a **firewall** to restrict access to the MCP port
+> - Consider an **SSH tunnel** instead: `ssh -L 8651:127.0.0.1:8651 remote-host`
+>
+> Similarly, `--jadx-host` with a non-localhost address means the MCP server will make **unauthenticated HTTP requests** to that host. Ensure the target is trusted.
+
+
 ## 🛣️ Future Roadmap
 
 - [x] Add Support for apktool

jadx_mcp_server.py

@@ -19,6 +19,7 @@
 # Initialize MCP Server
 mcp = FastMCP("JADX-AI-MCP Plugin Reverse Engineering Server")
 
+# Bootstrap logger — always writes to stderr to keep stdout clean for stdio transport
 logger = logging.getLogger("jadx-mcp-server.bootstrap")
 if not logger.handlers:
     handler = logging.StreamHandler(sys.stderr)
@@ -291,9 +292,10 @@ def main():
         default=False,
     )
     parser.add_argument(
-        "--host", 
-        help="Host address to bind for --http (default: 127.0.0.1, use 0.0.0.0 for remote access)", 
-        default="127.0.0.1", 
+        "--host",
+        help="Host address to bind for --http (default: 127.0.0.1, use 0.0.0.0 for remote access). "
+             "WARNING: non-localhost binds expose the server over plain HTTP with no authentication.",
+        default="127.0.0.1",
         type=str
     )
     parser.add_argument(
@@ -305,29 +307,50 @@ def main():
         default=8650,
         type=int,
     )
+    parser.add_argument(
+        "--jadx-host",
+        help="JADX AI MCP Plugin host (default:127.0.0.1). "
+             "Security: non-localhost may expose plugin to network; use trusted network/firewall.",
+        default="127.0.0.1",
+        type=str,
+    )
     args = parser.parse_args()
 
     # Configure
+    config.set_jadx_host(args.jadx_host)
     config.set_jadx_port(args.jadx_port)
 
+    # Security warning for non-localhost bind address
+    if args.host not in ("127.0.0.1", "localhost", "::1"):
+        logger.warning(
+            "\n⚠️  SECURITY WARNING: Binding to non-localhost address '%s'.\n"
+            "   The MCP server uses plain HTTP with NO authentication.\n"
+            "   Anyone on the network can connect and use all MCP tools.\n"
+            "   Only use this on trusted networks or behind a firewall.",
+            args.host
+        )
+
+    # Banner & Health Check — always logs to stderr to keep stdout clean for stdio transport
+    try:
+        logger.info(jadx_mcp_server_banner())
+    except Exception:
+        logger.info(
+            "[JADX AI MCP Server] v3.3.5 | MCP Port: %s | JADX Host: %s | JADX Port: %s",
+            args.port,
+            args.jadx_host,
+            args.jadx_port,
+        )
+
+    logger.info("Testing JADX AI MCP Plugin connectivity...")
+    result = config.health_ping()
+    logger.info("Health check result: %s", result)
+
     # Run Server
     if args.http:
-        try:
-            logger.info(jadx_mcp_server_banner())
-        except Exception:
-            logger.info(
-                "[JADX AI MCP Server] starting in HTTP mode on port %s (JADX port %s)",
-                args.port,
-                args.jadx_port,
-            )
-
-        logger.info("Testing JADX AI MCP Plugin connectivity...")
-        result = config.health_ping()
-        logger.info("Health check result: %s", result)
-        mcp.run(transport="streamable-http", port=args.port, show_banner=False)
+        mcp.run(transport="streamable-http", host=args.host, port=args.port)
     else:
         # StdIO transport must keep stdout reserved for MCP frames.
-        mcp.run(show_banner=False)
+        mcp.run()
 
 
 if __name__ == "__main__":

src/PaginationUtils.py

@@ -118,6 +118,12 @@ async def get_paginated_data(
             if response.get("error"):
                 return response
 
+            # Propagate upstream errors instead of silently building empty results
+            if not isinstance(response, dict):
+                return {"error": f"Unexpected response type from {endpoint}: {type(response).__name__}"}
+            if response.get("error"):
+                return response
+
             # Parse JSON response
             try:
                 # Extract data using custom extractor or default behavior

src/server/__init__.py

@@ -1,2 +1,2 @@
 """JADX MCP Server"""
-from .config import set_jadx_port, health_ping
+from .config import set_jadx_host, set_jadx_port, health_ping

src/server/config.py

@@ -16,8 +16,9 @@
 from typing import Union, Dict, Any
 
 # Default Configuration
+JADX_HOST = "127.0.0.1"
 JADX_PORT = 8650
-JADX_HTTP_BASE = f"http://127.0.0.1:{JADX_PORT}"
+JADX_HTTP_BASE = f"http://{JADX_HOST}:{JADX_PORT}"
 
 # Logging Setup
 logger = logging.getLogger("jadx-mcp-server")
@@ -29,6 +30,27 @@
 logger.propagate = False
 
 
+def _rebuild_jadx_http_base():
+    """Rebuild the base URL used for all requests to the JADX plugin."""
+    global JADX_HTTP_BASE
+    JADX_HTTP_BASE = f"http://{JADX_HOST}:{JADX_PORT}"
+
+
+def set_jadx_host(host: str):
+    """
+    Updates the JADX plugin host.
+
+    Args:
+        host: Hostname or IP where JADX AI MCP plugin is reachable
+
+    Side Effects:
+        Updates global JADX_HOST and JADX_HTTP_BASE configuration
+    """
+    global JADX_HOST
+    JADX_HOST = host
+    _rebuild_jadx_http_base()
+
+
 def set_jadx_port(port: int):
     """
     Updates the JADX plugin port.
@@ -39,9 +61,9 @@ def set_jadx_port(port: int):
     Side Effects:
         Updates global JADX_PORT and JADX_HTTP_BASE configuration
     """
-    global JADX_PORT, JADX_HTTP_BASE
+    global JADX_PORT
     JADX_PORT = port
-    JADX_HTTP_BASE = f"http://127.0.0.1:{JADX_PORT}"
+    _rebuild_jadx_http_base()
 
 
 def health_ping() -> Union[str, Dict[str, Any]]: