| Titre | 54yyyu code-mcp 4cfc4643541a110c906d93635b391bf7e357f4a8 Path Traversal |
|---|
| Description | The server attempts to restrict file access to PROJECT_ROOT using is_safe_path, but relies on Path.absolute() parent membership checks. Because absolute() does not canonicalize .., crafted paths such as PROJECT_ROOT/../outside.txt can pass the parent check while resolving outside workspace boundaries in downstream file operations. This may enable out-of-workspace read/write access through MCP file tools. |
|---|
| La source | ⚠️ https://github.com/54yyyu/code-mcp/issues/4 |
|---|
| Utilisateur | CPT_Penner (UID 97246) |
|---|
| Soumission | 18/04/2026 20:28 (il y a 2 mois) |
|---|
| Modérer | 04/05/2026 23:24 (16 days later) |
|---|
| Statut | Accepté |
|---|
| Entrée VulDB | 361071 [54yyyu code-mcp MCP File src/code_mcp/server.py is_safe_path directory traversal] |
|---|
| Points | 20 |
|---|