
fix: add MCP input validation and filter env vars in script-runner#31

Merged
jcanizalez merged 3 commits into main from fix/script-env-leak on Mar 14, 2026

Conversation

@jcanizalez (Owner) commented Mar 14, 2026

Summary

MCP Input Validation

  • Added shared validation.ts module with bounded Zod schemas (V.name, V.title, V.description, V.id, V.absolutePath, V.hexColor, V.shortText, V.prompt)
  • All MCP tool parameters across 6 files now use validated schemas:
    • tasks.ts: title (1-500), description (0-5000), name with path traversal rejection, branch (0-200)
    • projects.ts: name, path (absolute), icon, icon_color (hex format)
    • sessions.ts: name, path, prompt (0-10000), display_name, terminal data (0-50000)
    • workflows.ts: name, node labels, edge IDs, cron, icon_color (hex), prompt
    • git.ts: project_path (absolute)
  • Path traversal attack prevention: names reject .., /, \

Environment Variable Leak

  • script-runner.ts: replaced env: process.env with env: getSafeEnv() to filter sensitive vars (API keys, credentials) from spawned scripts
  • ide-detector.ts: same fix for IDE detection subprocess

Test plan

  • ESLint + Prettier pass
  • Verify MCP tools reject inputs exceeding length limits
  • Verify path traversal names are rejected (e.g. ../../etc/passwd)
  • Verify scripts don't inherit sensitive env vars

script-runner.ts passed raw process.env to spawned scripts, leaking
all environment variables (API keys, tokens, credentials) to user
scripts. ide-detector.ts spawned IDE processes without specifying env,
which defaults to inheriting process.env.

Both now use getSafeEnv() which filters out sensitive prefixes
(AWS_SECRET, GITHUB_TOKEN, ANTHROPIC_API, STRIPE_, etc.) matching
the same pattern already used by pty-manager, headless-manager, and
agent-detector.
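As an added illustration of the fix this commit describes (not the project's process-utils.ts, and not code from this PR), the block below reimplements a getSafeEnv()-style filter in dependency-free TypeScript. The prefixes AWS_SECRET, GITHUB_TOKEN, ANTHROPIC_API and STRIPE_ come from the commit message; the generic markers (SECRET, TOKEN, PASSWORD, ...), the sample environment and the helper names `isSensitiveEnvName`, `findSensitiveNames` and `spawnOptionsFor` are my assumptions for the example.

```typescript
// Added example: a prefix/marker based environment filter in the spirit of the
// getSafeEnv() this PR adopts. NOT the project's implementation; the blocklist
// is an assumption built from the prefixes named in the commit message plus
// generic credential markers.

type Env = Record<string, string | undefined>;

// Prefixes named in the PR (assumed to be matched as prefixes).
const SENSITIVE_PREFIXES = ['AWS_SECRET', 'GITHUB_TOKEN', 'ANTHROPIC_API', 'STRIPE_'];
// Generic substrings that usually denote credentials (assumed, not from the page).
const SENSITIVE_MARKERS = ['SECRET', 'TOKEN', 'PASSWORD', 'PASSWD', 'API_KEY', 'PRIVATE_KEY'];

// Case-insensitive check: does this variable name look like a credential?
function isSensitiveEnvName(name: string): boolean {
  const upper = name.toUpperCase();
  if (SENSITIVE_PREFIXES.some((p) => upper.startsWith(p))) return true;
  return SENSITIVE_MARKERS.some((m) => upper.includes(m));
}

// Copy of the environment with sensitive names and undefined values dropped.
function getSafeEnv(source: Env): Record<string, string> {
  const safe: Record<string, string> = {};
  for (const [key, value] of Object.entries(source)) {
    if (value === undefined) continue;
    if (isSensitiveEnvName(key)) continue;
    safe[key] = value;
  }
  return safe;
}

// Audit helper: which names would a raw `env: process.env` have handed to a
// child process? Useful for the "scripts don't inherit sensitive env vars" test.
function findSensitiveNames(source: Env): string[] {
  return Object.keys(source).filter(isSensitiveEnvName).sort();
}

// Mirrors the spawn options shape shown in the review snippet; spawn itself is
// not called here so the example stays side-effect free.
function spawnOptionsFor(source: Env) {
  return { detached: true, stdio: 'ignore' as const, env: getSafeEnv(source) };
}

// Constructed sample environment (values are placeholders, not real secrets).
const SAMPLE_ENV: Env = {
  PATH: '/usr/bin:/bin',
  HOME: '/home/dev',
  LANG: 'en_US.UTF-8',
  AWS_SECRET_ACCESS_KEY: 'constructed-value',
  GITHUB_TOKEN: 'constructed-value',
  ANTHROPIC_API_KEY: 'constructed-value',
  STRIPE_WEBHOOK_SECRET: 'constructed-value',
  DATABASE_PASSWORD: 'constructed-value',
};

// Stand-alone demo.
console.log('would leak without filtering:', findSensitiveNames(SAMPLE_ENV));
console.log('passed to child:', Object.keys(getSafeEnv(SAMPLE_ENV)));
```

The filter is deny-list based, which is what the commit describes; an allow-list (PATH, HOME, LANG and a few others) is stricter and worth considering where the set of variables a script legitimately needs is known.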
Copilot AI review requested due to automatic review settings March 14, 2026 19:53

Copilot AI left a comment


Pull request overview

This PR reduces the risk of leaking sensitive environment variables by ensuring subprocesses spawned by the server use getSafeEnv() (from process-utils.ts) instead of inheriting the full process.env.

Changes:

  • Update script-runner to spawn bash/python/node/powershell scripts with env: getSafeEnv().
  • Update ide-detector to spawn IDE launch processes with env: getSafeEnv().

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.

File                                  | Description
packages/server/src/script-runner.ts  | Stops passing full process.env to spawned scripts by switching to getSafeEnv().
packages/server/src/ide-detector.ts   | Ensures IDE processes are spawned with filtered env via getSafeEnv().


Comment on lines +118 to +122
const spawnOpts: import('node:child_process').SpawnOptions = {
detached: true,
stdio: 'ignore',
env: getSafeEnv()
}
Previously all MCP tool inputs used bare z.string() with no length
limits or content validation. This allowed:
- Unbounded strings (title, description) causing resource exhaustion
- Path traversal in project_name (../../../etc/passwd)
- Arbitrary-length prompts and terminal writes
- Invalid hex colors and non-absolute paths

Add shared validation module (packages/mcp/src/validation.ts) with
bounded schemas for all input types:
- name: 1-200 chars, no .. / \ (path traversal protection)
- title: 1-500 chars
- description: 0-5000 chars
- prompt: 0-10000 chars
- absolutePath: must start with /
- hexColor: validated regex
- id: 1-100 chars
- shortText: 0-200 chars (branches, display names, icons)

Applied across all 6 tool files: tasks, projects, sessions,
workflows, git, and config.
@jcanizalez changed the title from "fix: filter sensitive env vars from script-runner and ide-detector" to "fix: add MCP input validation and prevent env var leakage" on Mar 14, 2026
@jcanizalez changed the title from "fix: add MCP input validation and prevent env var leakage" to "fix: add MCP input validation and filter env vars in script-runner" on Mar 14, 2026
The commandExists() helper used execFileSync without an explicit env,
inheriting process.env with sensitive variables. Now uses getSafeEnv()
to match the pattern already used in openInIDE().
@jcanizalez jcanizalez merged commit aa9a5a5 into main Mar 14, 2026
1 check passed
@jcanizalez jcanizalez deleted the fix/script-env-leak branch March 15, 2026 01:51