| عنوان | 54yyyu code-mcp 4cfc4643541a110c906d93635b391bf7e357f4a8 Path Traversal |
|---|
| الوصف | The server attempts to restrict file access to PROJECT_ROOT using is_safe_path, but relies on Path.absolute() parent membership checks. Because absolute() does not canonicalize .., crafted paths such as PROJECT_ROOT/../outside.txt can pass the parent check while resolving outside workspace boundaries in downstream file operations. This may enable out-of-workspace read/write access through MCP file tools. |
|---|
| المصدر | ⚠️ https://github.com/54yyyu/code-mcp/issues/4 |
|---|
| المستخدم | CPT_Penner (UID 97246) |
|---|
| ارسال | 18/04/2026 08:28 PM (2 أشهر منذ) |
|---|
| الاعتدال | 04/05/2026 11:24 PM (16 days later) |
|---|
| الحالة | تمت الموافقة |
|---|
| إدخال VulDB | 361071 [54yyyu code-mcp حتى 4cfc4643541a110c906d93635b391bf7e357f4a8 MCP File src/code_mcp/server.py is_safe_path اجتياز الدليل] |
|---|
| النقاط | 20 |
|---|