fix(mcp): add validation to block dangerous environment variables

Add defense-in-depth security validation for stdio transport to reject environment variables that could be used for privilege escalation attacks. Blocks the following dangerous variables (case-insensitive): - LD_PRELOAD (Linux) - LD_LIBRARY_PATH (Linux) - DYLD_INSERT_LIBRARIES (macOS) - DYLD_LIBRARY_PATH (macOS) - DYLD_FRAMEWORK_PATH (macOS) - DYLD_FALLBACK_LIBRARY_PATH (macOS) These variables can inject malicious libraries into spawned processes and should never be user-configurable for MCP servers. Add comprehensive tests: - test_rejects_relative_path: Verify existing path validation - test_rejects_dangerous_env_vars: Test all blocked variables - test_rejects_dangerous_env_vars_case_insensitive: Verify lowercase variants blocked - test_allows_safe_env_vars: Verify legitimate vars (DEBUG, PATH, API_KEY) allowed All tests passing.
2026-06-01 12:16:11 -05:00 · 2026-06-01 12:16:11 -05:00 · 2ad87b4c78
commit 2ad87b4c78
parent 82d7f350db
1 changed files with 95 additions and 0 deletions
--- a/src-tauri/src/mcp/transport/stdio.rs
+++ b/src-tauri/src/mcp/transport/stdio.rs
@ -5,6 +5,7 @@ use tokio::process::Command;

 /// Build a stdio transport from a command path, argument list, and environment variables.
 /// Rejects relative paths to prevent path traversal.
+/// Validates environment variable names to block known privilege escalation vectors.
 pub fn build_stdio_transport(
    command: &str,
    args: &[String],
@ -16,6 +17,26 @@ pub fn build_stdio_transport(
        ));
    }

+    // Validate env var names to block dangerous variables that could be used for privilege escalation
+    const DANGEROUS_ENV_VARS: &[&str] = &[
+        "LD_PRELOAD",
+        "LD_LIBRARY_PATH",
+        "DYLD_INSERT_LIBRARIES",
+        "DYLD_LIBRARY_PATH",
+        "DYLD_FRAMEWORK_PATH",
+        "DYLD_FALLBACK_LIBRARY_PATH",
+    ];
+
+    for key in env.keys() {
+        let upper_key = key.to_uppercase();
+        if DANGEROUS_ENV_VARS.contains(&upper_key.as_str()) {
+            return Err(format!(
+                "Dangerous environment variable '{key}' is not allowed for security reasons. \
+                 This variable could be used for privilege escalation attacks."
+            ));
+        }
+    }
+
    let mut cmd = Command::new(command);
    cmd.args(args);

@ -26,3 +47,77 @@ pub fn build_stdio_transport(

    TokioChildProcess::new(cmd).map_err(|e| format!("Failed to spawn stdio process: {e}"))
 }
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_rejects_relative_path() {
+        let result = build_stdio_transport("./mcp-server", &[], HashMap::new());
+        assert!(result.is_err());
+        if let Err(e) = result {
+            assert!(e.contains("absolute path"));
+        }
+    }
+
+    #[test]
+    fn test_rejects_dangerous_env_vars() {
+        let dangerous_vars = vec![
+            "LD_PRELOAD",
+            "LD_LIBRARY_PATH",
+            "DYLD_INSERT_LIBRARIES",
+            "DYLD_LIBRARY_PATH",
+            "DYLD_FRAMEWORK_PATH",
+            "DYLD_FALLBACK_LIBRARY_PATH",
+        ];
+
+        for var in dangerous_vars {
+            let mut env = HashMap::new();
+            env.insert(var.to_string(), "malicious.so".to_string());
+
+            let result = build_stdio_transport("/usr/bin/test", &[], env);
+            assert!(result.is_err(), "Should reject {}", var);
+            if let Err(err) = result {
+                assert!(
+                    err.contains("Dangerous environment variable"),
+                    "Error should mention dangerous variable: {}",
+                    err
+                );
+            }
+        }
+    }
+
+    #[test]
+    fn test_rejects_dangerous_env_vars_case_insensitive() {
+        let mut env = HashMap::new();
+        env.insert("ld_preload".to_string(), "malicious.so".to_string());
+
+        let result = build_stdio_transport("/usr/bin/test", &[], env);
+        assert!(result.is_err());
+        if let Err(err) = result {
+            assert!(err.contains("Dangerous environment variable"));
+        }
+    }
+
+    #[test]
+    fn test_allows_safe_env_vars() {
+        let mut env = HashMap::new();
+        env.insert("DEBUG".to_string(), "1".to_string());
+        env.insert("API_KEY".to_string(), "secret123".to_string());
+        env.insert("PATH".to_string(), "/usr/bin".to_string());
+
+        // Note: This will fail to spawn since /usr/bin/test may not exist,
+        // but we're testing that it doesn't reject the env vars
+        let result = build_stdio_transport("/usr/bin/test", &[], env);
+
+        // Should fail with spawn error, not env var validation error
+        if let Err(err) = result {
+            assert!(
+                !err.contains("Dangerous environment variable"),
+                "Should not reject safe env vars, got: {}",
+                err
+            );
+        }
+    }
+}