yogeshkk2/mcp-server
[high] Demo MCP Server for Project
This MCP server provides utility tools for temperature conversion (Celsius to Fahrenheit), percentage calculations, and fetching real-time news articl...
```python
@mcp.tool()
def get_latest_news(
    query: str = "technology",
    language: str = "en",
    max_results: int = 5
) -> str:
    """
    Fetch the latest news articles based on a search query.
    ...
    """
    return news.get_latest_news(query, language=language, max_results=max_results)
```
Exploitable if MCP is exposed to untrusted prompts (network_exposed).
The get_latest_news tool accepts three caller-controlled parameters (query, language, max_results) and forwards them to the news module without any validation. The news module is not shown here; it presumably builds a NewsAPI request URL from these values. Whether a crafted value can alter that request depends on how the URL is assembled. If the values are interpolated into the URL string without encoding, a query such as `tech&pageSize=100` can add or override other query parameters, a `#` turns everything after it into a fragment that is never sent, and embedded newlines or other control characters may reach the HTTP layer. If instead the values go through a proper query encoder (for example the params argument of requests), they are percent-encoded and can only ever be a single parameter value.
Impact: With an unencoded sink, an attacker can inject or override query parameters of the outbound API call and so bypass the restrictions the tool intends to impose. Reaching internal services or arbitrary external hosts (classic SSRF) additionally requires a value to land in the scheme, host or path portion of the URL, which a query-string parameter alone cannot do; treat the SSRF rating as conditional on that until the news module is reviewed. Either way, the finding only matters under the network_exposed condition, that is, when the server takes tool calls from untrusted prompts or clients.
Fix: Validate and sanitize every argument before the request is built. Allowlist language codes, bound max_results to the range the upstream API accepts, and limit query to a maximum length and a character set that excludes URL syntax (&, =, #, /, ?, %) and control characters including newlines. Build the URL with a query encoder instead of string concatenation, and keep the scheme, host and path fixed so no argument can select the destination.
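The following is an added example, not code from the yogeshkk2/mcp-server repository. Because the news module is not shown on the page, the URL shape is an assumption: a hypothetical unencoded builder is placed beside a hardened one that uses urlencode, and both are inspected the way an upstream server would parse them, using constructed attacker inputs.

```python
"""Added example, not code from the yogeshkk2/mcp-server repository.

The news module is not shown on the page, so the URL shape below is an
assumption. It contrasts a hypothetical 'before' (string interpolation)
with a hardened builder (urlencode) for a NewsAPI-style /v2/everything
request, and inspects what the remote server would actually receive.
"""
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical endpoint; scheme, host and path are fixed in both builders.
BASE = "https://news.example/v2/everything"


def build_url_unsafe(query: str, language: str, max_results: int) -> str:
    """Assumed 'before': raw interpolation, no encoding of the values."""
    return f"{BASE}?q={query}&language={language}&pageSize={max_results}"


def build_url_safe(query: str, language: str, max_results: int) -> str:
    """Hardened: urlencode() percent-encodes '&', '=', '#' and '/', so a
    value can never become a second parameter, a fragment, or a path."""
    params = {"q": query, "language": language, "pageSize": max_results}
    return f"{BASE}?{urlencode(params)}"


def received_params(url: str) -> dict[str, list[str]]:
    """What the upstream server sees: the query string parsed as a server
    would, keeping repeated keys. Anything after '#' is a fragment and is
    never sent over the wire."""
    parts = urlsplit(url)
    return parse_qs(parts.query, keep_blank_values=True)


def received_path(url: str) -> str:
    """The path component the upstream server would route on."""
    return urlsplit(url).path


def compare(query: str, language: str = "en", max_results: int = 5) -> dict:
    """Parameter sets each builder would deliver for one query value."""
    return {
        "unsafe": received_params(build_url_unsafe(query, language, max_results)),
        "safe": received_params(build_url_safe(query, language, max_results)),
    }


# Constructed attacker inputs (not from the page).
INJECT_PARAM = "tech&pageSize=100"   # tries to add a second pageSize
TRUNCATE = "tech#"                   # tries to drop everything after q

if __name__ == "__main__":
    for crafted in (INJECT_PARAM, TRUNCATE):
        print(repr(crafted), compare(crafted))
```

Two things fall out of running it: the unencoded builder delivers two pageSize values (which one wins is up to the upstream framework) and silently loses language and pageSize when the query contains `#`, while the encoded builder delivers exactly one value per key. Note also that received_path is unchanged by any query value in either builder, because the base URL is fixed; the SSRF-to-arbitrary-host scenario needs a sink in the host or path, not in the query string.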
```python
@mcp.tool()
def get_top_headlines(
    country: str = "us",
    category: str = "general",
    max_results: int = 5
) -> str:
    """
    Fetch top headlines for a specific country and category.
    ...
    """
    return news.get_top_headlines(country, category=category if category != "general" else None, max_results=max_results)
```
Exploitable if MCP is exposed to untrusted prompts (network_exposed).
The get_top_headlines tool accepts country, category and max_results from the caller and passes them to the news module without validation; the only transformation is that a category of "general" is translated to None. As with get_latest_news, the exposure depends on whether the news module encodes these values when it builds the request URL: unencoded, a crafted country or category can inject or override query parameters, and if the module places country in the URL path rather than the query string, an unvalidated value could also change the path of the request.
Impact: Same as get_latest_news: parameter injection into the upstream API request when the sink is unencoded, bypassing the restrictions the tool intends, and SSRF to internal or external hosts only if a value reaches the host or path portion of the URL. The country parameter deserves the strictest handling because it selects which upstream resource is fetched.
Fix: Validate country against an allowlist of the ISO 3166-1 alpha-2 codes the upstream API supports, category against its fixed list of categories, and max_results against an allowed range; reject anything else with an error to the client instead of passing it through. Build the URL with a query encoder so the remaining values are percent-encoded.
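The allowlist validation recommended in the Fix sections for both get_latest_news and get_top_headlines, as an added example that is not part of the yogeshkk2/mcp-server repository. The allowlists, the max_results bound and the query character set are illustrative assumptions; the authoritative values must be taken from the upstream API's documentation.

```python
"""Added example, not code from the yogeshkk2/mcp-server repository.

Allowlist validation for the arguments of get_latest_news and
get_top_headlines, meant to run before the news module builds a request.
The allowlists are illustrative assumptions: the real set of languages,
countries and categories must be copied from the upstream API's
documentation, and the max_results bound from its page-size limit.
"""
import re

# Assumed allowlists (illustrative subsets, not the authoritative lists).
LANGUAGES = frozenset({"ar", "de", "en", "es", "fr", "it", "nl", "pt", "ru"})
COUNTRIES = frozenset({"au", "ca", "de", "fr", "gb", "in", "jp", "us"})
CATEGORIES = frozenset({"business", "entertainment", "general", "health",
                        "science", "sports", "technology"})
MAX_RESULTS_RANGE = (1, 100)   # assumed upstream page-size limit
QUERY_MAX_LEN = 200            # assumed

# Letters and digits in any script, spaces, and a few search operators.
# Deliberately excludes '&', '=', '#', '/', '?', '%' and every control
# character (newlines included), so a value cannot carry URL syntax.
QUERY_CHARS = re.compile(r"[\w \-+\"'.,:()]+")


class InvalidToolArgument(ValueError):
    """Returned to the MCP client instead of forwarding bad input."""


def validate_max_results(value) -> int:
    # bool is a subclass of int; reject it explicitly.
    if isinstance(value, bool) or not isinstance(value, int):
        raise InvalidToolArgument("max_results must be an integer")
    lo, hi = MAX_RESULTS_RANGE
    if not lo <= value <= hi:
        raise InvalidToolArgument(f"max_results must be between {lo} and {hi}")
    return value


def validate_code(value, allowed: frozenset, name: str) -> str:
    """Normalise a short code and require it to be in the allowlist."""
    if not isinstance(value, str):
        raise InvalidToolArgument(f"{name} must be a string")
    code = value.strip().lower()
    if code not in allowed:
        raise InvalidToolArgument(f"{name} {value!r} is not in the allowlist")
    return code


def validate_query(value) -> str:
    if not isinstance(value, str):
        raise InvalidToolArgument("query must be a string")
    query = value.strip()
    if not query or len(query) > QUERY_MAX_LEN:
        raise InvalidToolArgument("query is empty or too long")
    if not QUERY_CHARS.fullmatch(query):
        raise InvalidToolArgument("query contains disallowed characters")
    return query


def latest_news_params(query, language="en", max_results=5) -> dict:
    """Validated parameters for an /everything-style request."""
    return {
        "q": validate_query(query),
        "language": validate_code(language, LANGUAGES, "language"),
        "pageSize": validate_max_results(max_results),
    }


def top_headlines_params(country="us", category="general", max_results=5) -> dict:
    """Validated parameters for a /top-headlines-style request. Mirrors the
    page's behaviour of sending no category when it is 'general'."""
    params = {
        "country": validate_code(country, COUNTRIES, "country"),
        "pageSize": validate_max_results(max_results),
    }
    category = validate_code(category, CATEGORIES, "category")
    if category != "general":
        params["category"] = category
    return params


def rejects(fn, *args) -> bool:
    """True if fn(*args) raises InvalidToolArgument (used in checks)."""
    try:
        fn(*args)
    except InvalidToolArgument:
        return True
    return False
```

The tool wrappers on the page would call latest_news_params or top_headlines_params first and hand only the returned dict to the news module. Failing closed with a typed exception matters: the MCP client gets a clear error, and nothing that was not explicitly allowed ever reaches the HTTP layer, regardless of how the URL is built there.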
```python
@mcp.tool()
def convert_celsius_to_fahrenheit(celsius: float) -> str:
    """Forward the Celsius-to-Fahrenheit conversion to the calculator module."""
    return calculator.convert_celsius_to_fahrenheit(celsius)

@mcp.tool()
def calculate_percentage(part: float, total: float) -> str:
    """Forward percentage calculations to the calculator module."""
    return calculator.calculate_percentage(part, total)
```
Exploitable if MCP is exposed to untrusted prompts (network_exposed).
The calculator tools take float arguments with no validation beyond the type annotation. An annotation is not a guard: Python's json module accepts the non-standard literals NaN, Infinity and -Infinity by default, so a client can deliver non-finite values into a float parameter. This is a low-severity finding, but it shows that input validation is missing across the server.
Impact: NaN or Infinity propagate silently through the arithmetic and come back as a meaningless result; a zero total raises an unhandled ZeroDivisionError if the calculator module divides by it. Resource exhaustion is unlikely, since Python floats are fixed-width IEEE 754 doubles. The effect is confined to the calculator module's output and error handling.
Fix: Check that every value is a real number (not a bool), is finite, and lies within a range that makes sense for the tool; for calculate_percentage, reject a zero total before dividing. Where the server parses JSON itself, configure the parser to reject NaN and Infinity literals instead of relying on each tool to catch them.
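An added example of the validation described in this Fix, not code from the yogeshkk2/mcp-server repository or its calculator module. It also shows the edge case the finding rests on: the standard-library JSON parser hands NaN through to a float parameter unless told not to. MAX_MAGNITUDE and the absolute-zero floor are assumed bounds.

```python
"""Added example, not code from the yogeshkk2/mcp-server repository.

Input validation for the float arguments of the calculator tools, plus a
demonstration of why a `float` annotation is not a guard: Python's json
module accepts the non-standard literals NaN, Infinity and -Infinity by
default. MAX_MAGNITUDE and the absolute-zero floor are assumed bounds.
"""
import json
import math

MAX_MAGNITUDE = 1e12        # assumed application-specific bound
ABSOLUTE_ZERO_C = -273.15


def validate_finite(value, name: str) -> float:
    """Accept ints and floats that are finite and within bounds."""
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        raise ValueError(f"{name} must be a number")
    try:
        number = float(value)          # huge ints overflow here
    except OverflowError:
        raise ValueError(f"{name} is too large") from None
    if not math.isfinite(number):      # rejects nan, inf, -inf
        raise ValueError(f"{name} must be finite")
    if abs(number) > MAX_MAGNITUDE:
        raise ValueError(f"{name} exceeds the allowed magnitude")
    return number


def convert_celsius_to_fahrenheit(celsius) -> str:
    c = validate_finite(celsius, "celsius")
    if c < ABSOLUTE_ZERO_C:
        raise ValueError("celsius is below absolute zero")
    return f"{c * 9 / 5 + 32:.2f}"


def calculate_percentage(part, total) -> str:
    p = validate_finite(part, "part")
    t = validate_finite(total, "total")
    if t == 0:                          # checked before dividing
        raise ValueError("total must not be zero")
    return f"{p / t * 100:.2f}%"


def parse_args_strict(raw_json: str) -> dict:
    """Reject NaN/Infinity at the parser, before any tool sees them."""
    def reject(token):
        raise ValueError(f"non-finite JSON literal {token} rejected")
    return json.loads(raw_json, parse_constant=reject)


def nonfinite_passes_default_parser(raw_json: str, key: str) -> bool:
    """True if the default json.loads hands a non-finite value to the tool."""
    return not math.isfinite(json.loads(raw_json)[key])


def rejects(fn, *args) -> bool:
    """True if fn(*args) raises ValueError (used in checks)."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


# Constructed request body (not from the page): a client sending NaN.
SAMPLE_BODY = '{"part": NaN, "total": 100}'

if __name__ == "__main__":
    print("default parser lets NaN through:",
          nonfinite_passes_default_parser(SAMPLE_BODY, "part"))
    print(convert_celsius_to_fahrenheit(100), calculate_percentage(1, 4))
```

The parse_constant hook is the right place to stop non-finite literals when the server controls its own JSON decoding; the per-argument validate_finite check is the fallback for values that arrive through a framework whose decoder was not configured that way.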