Why
All existing MCP firewalls match patterns on literal strings. Attackers trivially bypass them by encoding payloads:
- rm -rf / → base64: cm0gLXJmIC8=
- .ssh/id_rsa → URL-encoded: .ssh%2Fid_rsa
- Unicode homoglyphs and zero-width characters
The mcpwall DEV article explicitly lists this as an unaddressed gap.
What
Decode and normalize tool call arguments before running static checks.
Acceptance Criteria
- Detect and decode base64-encoded strings in arguments
- Detect and decode URL-encoded strings
- Normalize Unicode (NFC/NFKC) before pattern matching
- Run all static checks (forbidden tools, protected paths, injection patterns) on decoded values
- Configurable: decode_arguments: true in policy (default on)
- Tests: encoded bypass attempts that should be caught
Competitive advantage
Addresses a gap acknowledged by mcpwall and mcp-firewall communities.
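
One way the decode-then-check step in the acceptance criteria could work, as an added example (not code from mcpwall, mcp-firewall or this project). The deny patterns, MAX_DEPTH and all function names are assumptions made for illustration.

```python
import base64
import re
import unicodedata
from urllib.parse import unquote

# Constructed deny patterns standing in for the policy's static checks.
DENY = [re.compile(r"rm\s+-rf\s+/"), re.compile(r"\.ssh/id_rsa")]
# Zero-width code points; NFKC alone leaves these in place.
ZERO_WIDTH = dict.fromkeys([0x200B, 0x200C, 0x200D, 0x2060, 0xFEFF])
B64_TOKEN = re.compile(r"[A-Za-z0-9+/_-]{8,}")
URLSAFE = str.maketrans("-_", "+/")
MAX_DEPTH = 3  # assumed bound on nested encodings


def _b64_texts(s):
    """Yield UTF-8 decodings of base64-looking tokens found in s."""
    for tok in B64_TOKEN.findall(s):
        std = tok.translate(URLSAFE)
        std += "=" * (-len(std) % 4)  # restore stripped padding
        try:
            yield base64.b64decode(std, validate=True).decode("utf-8")
        except ValueError:  # covers binascii.Error and UnicodeDecodeError
            continue


def decoded_views(arg):
    """Return arg plus every decoded or normalized form, up to MAX_DEPTH layers."""
    seen, frontier = set(), {arg}
    for _ in range(MAX_DEPTH + 1):
        frontier -= seen
        if not frontier:
            break
        seen |= frontier
        nxt = set()
        for s in frontier:
            nxt.add(unicodedata.normalize("NFKC", s).translate(ZERO_WIDTH))
            nxt.add(unquote(s))
            nxt.update(_b64_texts(s))
        frontier = nxt
    return seen


def check_argument(arg):
    """Return the deny patterns matched by any view of arg (empty list = pass)."""
    views = decoded_views(arg)
    return sorted({p.pattern for v in views for p in DENY if p.search(v)})
```

NFKC folds compatibility forms such as fullwidth letters but does not map cross-script lookalikes (for example Cyrillic "а" for Latin "a"); catching those needs a separate confusables mapping.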