
skudskud/test-repo-mcp

Overall severity: critical

Test repository for MCP server code

Purpose: MCP server (purpose undetermined)
Threat: network exposed
Language: Python
Date: May 20, 2026
Source: GITHUB
high (1 finding)
server.py
# Excerpt from server.py (starting at line 80); `mcp` and `Context` are defined earlier in the file.
@mcp.tool()
async def find_menu_options(search_term: str, context: Context) -> str:
    """Search Uber Eats for restaurants or food items.

    Args:
        search_term: Food or restaurant to search for
    """

    # Create the search task. search_term is interpolated into the agent prompt
    # verbatim, with no validation (the subject of this finding).
    task = f"""
0. Start by going to: https://www.ubereats.com/se-en/
1. Type "{search_term}" in the global search bar and press enter
2. Go to the first search result (this is the most popular restaurant).
3. When you can see the menu options for the restaurant, we need to use the specific search input for the restaurant located under the banner (identify it by the placeholder "Search in [restaurant name]")
4. Click the input field and type "{search_term}", then press enter
5. Check for menu options related to "{search_term}"
6. Get the name, url and price of the top 3 items related to "{search_term}". URL is very important
"""
server.py:80

// Exploitable by any user sending a crafted search_term to the MCP server.

The find_menu_options tool constructs a browser automation task by directly embedding the user-provided search_term into a prompt string that is executed by a browser agent. The search_term is not sanitized or validated, allowing an attacker to inject arbitrary instructions into the browser automation task. This can lead to the browser agent performing actions beyond the intended scope, such as navigating to malicious sites, submitting forms, or exfiltrating data.

Impact: An attacker could craft a search_term that causes the browser agent to perform arbitrary actions on the web, including accessing internal services, stealing credentials, or performing actions on behalf of the user (e.g., placing orders, changing settings). Since the MCP is network-exposed, this is a high-severity issue.

Fix: Sanitize and validate the search_term input to ensure it only contains expected characters (e.g., alphanumeric and spaces). Avoid embedding user input directly into task prompts; instead, use parameterized templates or restrict the actions the browser agent can perform.

high (1 finding)
server.py
# Excerpt from server.py (starting at line 141); `mcp` and `Context` are defined earlier in the file.
@mcp.tool()
async def order_food(item_url: str, item_name: str, context: Context) -> str:
    """Order food from a restaurant.

    Args:
        item_url: URL of the item to order
        item_name: Name of the item to order
    """

    # item_url is interpolated into the agent prompt verbatim, with no validation
    # (the subject of this finding).
    task = f"""
1. Go to {item_url}
2. Click "Add to order"
3. Wait 3 seconds
4. Click "Go to checkout"
5. If there are upsell modals, click "Skip"
6. Click "Place order"
"""
server.py:141

// Exploitable by any user sending a crafted item_url to the MCP server.

The order_food tool constructs a browser automation task by embedding the user-provided item_url directly into the task prompt. The URL is not validated or sanitized, allowing an attacker to inject arbitrary instructions or navigate to malicious sites. This can lead to the browser agent performing actions beyond ordering food, such as accessing internal resources or executing unwanted actions.

Impact: An attacker could provide a malicious URL that causes the browser agent to navigate to a phishing site, submit forms, or perform actions on other web services. Since the MCP is network-exposed, this is a high-severity issue.

Fix: Validate the item_url to ensure it matches an expected pattern (e.g., a valid Uber Eats URL). Use a whitelist of allowed domains or sanitize the input to prevent injection of additional instructions.

medium (1 finding)
server.py
# Excerpt from server.py (starting at line 56); `logger` and `os` are set up earlier in the file.
logger.debug("Current working directory: %s", os.getcwd())
logger.debug("Environment variables: %s", os.environ)  # dumps every variable, secrets included
server.py:56

// Exploitable if an attacker gains access to the log file (e.g., via path traversal or other vulnerability).

The server logs all environment variables at debug level during startup. If the .env file contains sensitive information such as API keys, passwords, or tokens, these will be written to the log file (mcp_debug.log). An attacker with access to the log file could retrieve these credentials.

Impact: Exposure of sensitive credentials stored in environment variables, potentially allowing unauthorized access to external services or systems.

Fix: Remove the logging of environment variables or redact sensitive values before logging. Ensure log files are stored securely with restricted access.

medium (1 finding)
server.py
server.py:80, server.py:141

// Exploitable by any user sending crafted inputs to the MCP server.

Both find_menu_options and order_food accept user-provided strings (search_term, item_url) without any validation or sanitization. This allows injection of arbitrary text into the browser automation task, which can be exploited to modify the behavior of the browser agent.

Impact: An attacker can inject arbitrary instructions into the browser automation task, potentially leading to unintended actions such as navigating to arbitrary URLs, exfiltrating data, or performing actions on behalf of the user.

Fix: Implement input validation to restrict allowed characters and patterns. For URLs, validate against a whitelist of allowed domains. For search terms, limit to alphanumeric characters and spaces.

env.exposure: 80
Analysis: LLM-based
high findings: +50
medium findings: +30