Harden MCP server security#5
Open
Daniel-Issen wants to merge 1 commit into
Open
Conversation
…trary exec - Remove client-settable lldb_path; use server-side LLDB_PATH (env var LLDB_MCP_LLDB_PATH or default "lldb") to prevent spawning arbitrary executables - Lock working_dir to server's CWD at startup (ALLOWED_WORKING_DIR); remove client control - Add path validation for lldb_load, lldb_load_core — reject paths outside ALLOWED_WORKING_DIR (prevents path traversal via symlinks and ../) - Strip \n and \r from all user-supplied parameters to prevent LLDB command injection via newline splitting on the PTY - Block dangerous LLDB commands (platform shell, script, command script, command source, process launch --shell) in lldb_command - Restrict lldb_attach to processes whose cwd is within ALLOWED_WORKING_DIR (supports both /proc and macOS lsof) - Add setup.sh for easy installation with venv and Claude Code registration
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
lldb_path— now server-side only (env varLLDB_MCP_LLDB_PATH, defaultlldb), preventing arbitrary executable spawningworking_dirto the server's CWD at startup; all file operations are restricted to this directory treelldb_loadandlldb_load_core— rejects paths outside the allowed directory (resolves symlinks, blocks../traversal)\n/\rfrom all user-supplied parameters to prevent LLDB command injection via PTY newline splittingplatform shell,script,command script,command source,process launch --shellinlldb_commandlldb_attachverifies the target process's cwd is within the allowed directory (supports/procon Linux,lsofon macOS)setup.shcreates a venv, installs dependencies, and registers with Claude CodeMotivation
The original server is not malicious, but by design a debugger MCP server grants broad system access. These changes restrict the attack surface so it aligns with Claude Code's directory-trust model — the server can only operate within the directory the user has already approved.
Test plan
setup.shon macOS — verify venv creation and Claude registrationlldb_path/working_dirare no longer accepted as parameterslldb_commandwithplatform shell id— should be blockedlldb_loadwith../../etc/passwd— should be rejectedlldb_attachon a process outside the working directory — should be denied\nin a breakpoint location — verify it's stripped before reaching LLDB