pabasara-samarakoon-4176/learning-assistant-mcp-server

Overall severity: high
Description: none provided
Purpose: MCP server (purpose undetermined)
Threat model: network exposed
Language: Jupyter Notebook
Stars: 0
Created: May 20, 2026
Updated: May 20, 2026
Source: GitHub
Finding 1 (high): arbitrary file read in server.py

server.py:65

@mcp.tool()
async def read_local_pdf(path: str) -> Dict[str, Any]:
    """Read text content from a local PDF file."""
    try:
        with open(path, 'rb') as file:
            text = extract_text_from_pdf(file)
            return {
                "success": True,
                "data": {
                    "text": text
                }
            }

Note: Exploitable if the MCP server is exposed to untrusted prompts (network_exposed). For a local-only deployment, exploitation requires a compromised LLM.

The read_local_pdf tool accepts an arbitrary file path from the user and reads the file without any validation or restriction. An attacker can read any file on the system that the server process has access to, such as /etc/passwd, SSH keys, or other sensitive files.

Impact: An attacker could read arbitrary files on the server, leading to information disclosure of sensitive data.

Fix: Restrict file access to a specific directory (e.g., an 'uploads' folder) and validate that the resolved path stays within that directory. Resolve the path with os.path.abspath (or os.path.realpath, which also follows symlinks) and ensure it starts with the allowed base path.

Finding 2 (high): server-side request forgery in server.py

server.py:22, server.py:90, server.py:205

@mcp.tool()
def scrape_webpage(url: str) -> dict:
    """
    Scrape a webpage and extract its title and paragraphs using httpx.
    """
    try:
        # Send GET request using httpx
        response = httpx.get(url, timeout=10)
        response.raise_for_status()

Note: Exploitable if the MCP server is exposed to untrusted prompts (network_exposed). For a local-only deployment, exploitation requires a compromised LLM.

The tools scrape_webpage, read_pdf_url, and extract_text_from_url accept a URL parameter from the user without any validation or sanitization. An attacker can supply arbitrary URLs, including internal network addresses (e.g., http://169.254.169.254/latest/meta-data/ for cloud metadata) or file:// URLs (httpx may not support file://, but requests does). This allows Server-Side Request Forgery (SSRF).

Impact: An attacker could make the server send requests to internal services, cloud metadata endpoints, or other unintended destinations, potentially leaking sensitive information or enabling further attacks.

Fix: Validate the URL against an allowlist of permitted domains or URL schemes. Reject URLs whose host points to private IP ranges (RFC 1918) or loopback addresses. Use a URL parser to ensure only http/https schemes are allowed.

Finding 3 (medium): API keys handled in plaintext in server.py

server.py:116, server.py:148

load_dotenv()
SERPER_API_KEY = os.getenv("SERPER_API_KEY")
if not SERPER_API_KEY:
    raise ValueError("Please set the SERPER_API_KEY environment variable.")

Note: For a local-only MCP server, exploitation requires a compromised LLM. If the server is network_exposed, the risk is higher.

The server loads API keys (SERPER_API_KEY and X_RAPIDAPI_KEY) from environment variables and uses them directly in HTTP requests. While environment variables are a standard practice, the keys are exposed in plaintext in the process memory and could be leaked through error messages or logs. Additionally, the keys are sent over HTTPS but not encrypted at rest.

Impact: If an attacker gains access to the server's environment or memory, they could extract the API keys and use them to incur charges or access services.

Fix: Consider using a secrets manager or encrypting the keys at rest. Ensure that error messages do not include the keys. Use environment variables with restricted access.

Categories: filesystem.read, env.exposure
Analysis method: LLM-based
Risk score: 65 (high findings +50, medium findings +15)