Skip to content

Harden MCP server security#5

Open
Daniel-Issen wants to merge 1 commit into
stass:masterfrom
Daniel-Issen:security-hardening
Open

Harden MCP server security#5
Daniel-Issen wants to merge 1 commit into
stass:masterfrom
Daniel-Issen:security-hardening

Conversation

@Daniel-Issen

Copy link
Copy Markdown

Summary

  • Remove client-settable lldb_path — now server-side only (env var LLDB_MCP_LLDB_PATH, default lldb), preventing arbitrary executable spawning
  • Lock working_dir to the server's CWD at startup; all file operations are restricted to this directory tree
  • Path validation on lldb_load and lldb_load_core — rejects paths outside the allowed directory (resolves symlinks, blocks ../ traversal)
  • Newline injection prevention — strips \n/\r from all user-supplied parameters to prevent LLDB command injection via PTY newline splitting
  • Dangerous command denylist — blocks platform shell, script, command script, command source, process launch --shell in lldb_command
  • Process attach restrictionlldb_attach verifies the target process's cwd is within the allowed directory (supports /proc on Linux, lsof on macOS)
  • Setup scriptsetup.sh creates a venv, installs dependencies, and registers with Claude Code

Motivation

The original server is not malicious, but by design a debugger MCP server grants broad system access. These changes restrict the attack surface so it aligns with Claude Code's directory-trust model — the server can only operate within the directory the user has already approved.

Test plan

  • Run setup.sh on macOS — verify venv creation and Claude registration
  • Start a session and confirm lldb_path / working_dir are no longer accepted as parameters
  • Attempt lldb_command with platform shell id — should be blocked
  • Attempt lldb_load with ../../etc/passwd — should be rejected
  • Attempt lldb_attach on a process outside the working directory — should be denied
  • Inject \n in a breakpoint location — verify it's stripped before reaching LLDB

…trary exec

- Remove client-settable lldb_path; use server-side LLDB_PATH (env var
  LLDB_MCP_LLDB_PATH or default "lldb") to prevent spawning arbitrary
  executables
- Lock working_dir to server's CWD at startup (ALLOWED_WORKING_DIR);
  remove client control
- Add path validation for lldb_load, lldb_load_core — reject paths
  outside ALLOWED_WORKING_DIR (prevents path traversal via symlinks
  and ../)
- Strip \n and \r from all user-supplied parameters to prevent LLDB
  command injection via newline splitting on the PTY
- Block dangerous LLDB commands (platform shell, script, command script,
  command source, process launch --shell) in lldb_command
- Restrict lldb_attach to processes whose cwd is within
  ALLOWED_WORKING_DIR (supports both /proc and macOS lsof)
- Add setup.sh for easy installation with venv and Claude Code
  registration
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant