dilip8700/ai-coding-mcp-server
criticalNo description
MCP server (purpose undetermined)
246async def handle_read_resource(self, request: ReadResourceRequest) -> ReadResourceResult:
247 """Handle resource read request."""
248 try:
249 self.state.metrics.record_request("read_resource")
250 uri = request.uri
251
252 # Route to file tools for file resources
253 if uri.startswith("file://"):
254 result = await self.state.file_tools.read_resource(uri)
255 return ReadResourceResult(
256 contents=[TextContent(type="text", text=result)]
257 )
258 else:
259 raise Exception(f"Unsupported resource URI: {uri}")// Network-exposed MCP server; resource URIs are attacker-controlled.
The server exposes a resource read endpoint that accepts arbitrary file:// URIs and passes them to file_tools.read_resource without any path restriction. This allows reading any file on the system.
ImpactAn attacker can read sensitive files such as /etc/passwd, SSH keys, configuration files, or source code by providing a file:// URI.
FixRestrict file:// URIs to a specific allowed directory (e.g., the project workspace). Validate that the resolved path is within the allowed directory using path canonicalization.
266async def handle_write_resource(self, request: WriteResourceRequest) -> WriteResourceResult:
267 """Handle resource write request."""
268 try:
269 self.state.metrics.record_request("write_resource")
270 uri = request.uri
271 contents = request.contents
272
273 # Route to file tools for file resources
274 if uri.startswith("file://"):
275 content_text = contents[0].text if contents else ""
276 await self.state.file_tools.write_resource(uri, content_text)
277 return WriteResourceResult()
278 else:
279 raise Exception(f"Unsupported resource URI: {uri}")// Network-exposed MCP server; resource URIs and content are attacker-controlled.
The server exposes a resource write endpoint that accepts arbitrary file:// URIs and writes content to them without any path restriction. This allows writing to any file on the system.
ImpactAn attacker can overwrite critical system files (e.g., /etc/passwd, SSH authorized_keys, startup scripts) or plant malicious files, leading to privilege escalation or persistent compromise.
FixRestrict file:// URIs to a specific allowed directory. Validate that the resolved path is within the allowed directory. Consider disallowing write operations entirely if not needed.
131def get_tools(self) -> List[Tool]:
132 """Get all available tools."""
133 tools = []
134
135 # File tools
136 tools.extend(self.state.file_tools.get_tools())
137
138 # System tools
139 tools.extend(self.state.system_tools.get_tools())
140
141 # Web tools
142 tools.extend(self.state.web_tools.get_tools())
143
144 # Code tools
145 tools.extend(self.state.code_tools.get_tools())
146
147 # Git tools
148 tools.extend(self.state.git_tools.get_tools())
149
150 # Database tools
151 tools.extend(self.state.database_tools.get_tools())
152
153 # AI tools
154 tools.extend(self.state.ai_tools.get_tools())// Network-exposed MCP server; any client can call these tools.
The server registers tools from multiple modules (file, system, web, code, git, database, AI) without any restriction or validation of the tools' capabilities. The intended purpose is an AI coding assistant, but the server exposes tools that can execute system commands, make web requests, and interact with databases, which goes beyond typical coding assistance.
ImpactAn attacker (or compromised LLM) can use system tools to execute arbitrary commands, web tools to perform SSRF, database tools to access or modify databases, and file tools to read/write arbitrary files, leading to full system compromise.
FixRestrict the set of tools exposed based on the intended purpose. For a coding assistant, only expose file editing, code analysis, and git tools. Remove or disable system, web, database, and AI tools unless explicitly required and documented.
170async def handle_call_tool(self, request: CallToolRequest) -> CallToolResult:
171 """Handle tool call request."""
172 start_time = time.time()
173 tool_name = request.name
174 arguments = request.arguments
175
176 try:
177 # Security check
178 if not self.state.security.is_tool_allowed(tool_name):
179 raise Exception(f"Tool '{tool_name}' is not allowed")
180
181 # Rate limiting
182 if not self.state.security.check_rate_limit(tool_name):
183 raise Exception(f"Rate limit exceeded for tool '{tool_name}'")
184
185 # Record metrics
186 self.state.metrics.record_request("call_tool", tool_name)
187
188 # Route to appropriate tool handler
189 result = await self._route_tool_call(tool_name, arguments)// Network-exposed MCP server; arguments are attacker-controlled.
The server passes the raw arguments dictionary directly to tool handlers without any validation or sanitization. This allows injection of malicious input (e.g., path traversal, command injection) into the underlying tool implementations.
ImpactAn attacker can craft arguments that exploit vulnerabilities in the tool handlers, such as reading arbitrary files, executing commands, or performing SSRF attacks.
FixImplement input validation for each tool's arguments based on a defined schema. Use allowlists for paths, commands, and URLs. Reject arguments that do not match expected patterns.
223elif tool_name.startswith("web_"):
224 return await self.state.web_tools.handle_tool_call(tool_name, arguments)// Network-exposed MCP server; tool arguments are attacker-controlled.
The server routes web_* tool calls to WebTools without any restriction. Web tools typically make HTTP requests to URLs provided in arguments. Without validation, this can be used for Server-Side Request Forgery (SSRF).
ImpactAn attacker can make the server send requests to internal services (e.g., localhost, cloud metadata endpoints) or external systems, potentially accessing sensitive data or performing attacks.
FixRemove web tools if not required. If needed, implement a blocklist/allowlist for URLs, restrict to HTTPS, and prevent access to private IP ranges.
220elif tool_name.startswith("system_"):
221 return await self.state.system_tools.handle_tool_call(tool_name, arguments)// Network-exposed MCP server; tool arguments are attacker-controlled.
The server routes system_* tool calls to SystemTools without any restriction. System tools typically include command execution capabilities. Without proper input validation, this can lead to arbitrary command execution.
ImpactAn attacker can execute arbitrary system commands on the server, leading to full compromise.
FixRemove system tools if not required. If needed, implement strict allowlisting of commands and validate all arguments. Use subprocess with shell=False and avoid passing user input directly to the shell.
235elif tool_name.startswith("db_"):
236 return await self.state.database_tools.handle_tool_call(tool_name, arguments)// Network-exposed MCP server; tool arguments are attacker-controlled.
The server exposes database tools that can execute arbitrary SQL queries or interact with databases. This goes beyond the intended purpose of a coding assistant and could allow data exfiltration or modification.
ImpactAn attacker can read, modify, or delete database contents, potentially accessing sensitive data or causing data loss.
FixRemove database tools if not required. If needed, restrict to read-only operations and validate all queries against an allowlist.
239elif tool_name.startswith("ai_"):
240 return await self.state.ai_tools.handle_tool_call(tool_name, arguments)// Network-exposed MCP server; tool arguments are attacker-controlled.
The server exposes AI tools that may allow calling external AI APIs or executing AI-related operations. This could be abused for resource consumption or data exfiltration.
ImpactAn attacker could use AI tools to make expensive API calls, exfiltrate data via API responses, or perform prompt injection attacks on downstream AI services.
FixRemove AI tools if not required. If needed, implement strict rate limiting and input validation.