klever24v/MCP-ServerV2
critical
New version of the MCP server using the MCP SDK. It includes validation (zod) and allows tools to be defined declaratively so that models can invoke them as if they were functions (similar to OpenAI function calling).
This MCP server, built with NestJS, provides a modular and extensible HTTP endpoint for LLMs to invoke specialized tools. It includes tools for calcul...
// Source file not analyzed: src/mcp/mcp.service.ts
// Finding inferred from import chain: src/main.ts:1 → src/app.module.ts:1 → src/mcp/mcp.module.ts:1
// Network-exposed MCP: exploitable by any attacker who can send requests to the server.
The filesystem tool exposes read, write, and delete operations on the filesystem without any path validation or sandboxing. This allows an attacker to read, write, or delete arbitrary files on the server, far beyond the intended scope of the MCP server.
Impact: An attacker could read sensitive files (e.g., /etc/passwd, SSH keys), write malicious files (e.g., overwrite application code), or delete critical system files, leading to full compromise of the server.
Fix: Implement strict path validation: restrict operations to a specific sandboxed directory, resolve symlinks, and reject paths containing '..' or starting with '/'.
// Source file not analyzed: src/mcp/mcp.service.ts
// Finding inferred from import chain: src/main.ts:1 → src/app.module.ts:1 → src/mcp/mcp.module.ts:1
// Network-exposed MCP: exploitable by any attacker.
The calculator tool accepts an 'operation' parameter but does not validate that it is one of the allowed operations (add, subtract, multiply, divide). This could allow unexpected behavior or injection if the operation is used in dynamic evaluation.
Impact: An attacker could potentially execute arbitrary code if the operation is passed to eval() or similar, or cause unexpected errors.
Fix: Validate the operation parameter against a whitelist of allowed values before processing.
// Source file not analyzed: src/mcp/mcp.service.ts
// Finding inferred from import chain: src/main.ts:1 → src/app.module.ts:1 → src/mcp/mcp.module.ts:1
// Network-exposed MCP: exploitable by any attacker.
The code-analyzer-local tool can analyze arbitrary local files, potentially reading sensitive source code, configuration files, or credentials. This goes beyond the intended purpose of analyzing project code.
Impact: An attacker could read any file on the filesystem that the server process has access to, leading to information disclosure.
Fix: Restrict the tool to a specific directory (e.g., the project root) and validate that all file paths are within that directory.
// Source file not analyzed: src/mcp/mcp.service.ts
// Finding inferred from import chain: src/main.ts:1 → src/app.module.ts:1 → src/mcp/mcp.module.ts:1
// Network-exposed MCP: exploitable by any attacker.
The temperature tool accepts a 'prompt' parameter. If this prompt is used to construct an HTTP request to an external service (e.g., to fetch weather data), an attacker could manipulate the prompt to make requests to internal services, leading to Server-Side Request Forgery (SSRF).
Impact: An attacker could probe internal networks, access cloud metadata endpoints, or exploit other internal services.
Fix: If external requests are made, validate and sanitize the prompt, use a fixed URL, or avoid making network requests altogether.