Chore/Custom MCP Validation (#4996)

- Updated `validateMCPServerSecurity` to only allow whitelisted commands, removing the extensive list of dangerous commands.
- Introduced `validateArgsForLocalFileAccess` to check for potential local file access patterns and null byte injections.
- Updated `Supergateway_MCP` to utilize the new argument validation function.
- Added a warning in `CustomMCP` regarding upcoming changes to Remote MCP support.

Author: HenryHengZJ

packages/components/nodes/tools/MCP/CustomMCP/CustomMCP.ts

@@ -72,7 +72,11 @@ class Custom_MCP implements INode {
                     label: 'How to use',
                     value: howToUseCode
                 },
-                placeholder: mcpServerConfig
+                placeholder: mcpServerConfig,
+                warning:
+                    process.env.CUSTOM_MCP_SECURITY_CHECK === 'true'
+                        ? 'In next release, only Remote MCP with url is supported. Read more <a href="https://docs.flowiseai.com/tutorials/tools-and-mcp#streamable-http-recommended" target="_blank">here</a>'
+                        : undefined
             },
             {
                 label: 'Available Actions',

packages/components/nodes/tools/MCP/Supergateway/SupergatewayMCP.ts

@@ -1,7 +1,7 @@
 import { Tool } from '@langchain/core/tools'
 import { ICommonObject, INode, INodeData, INodeOptionsValue, INodeParams } from '../../../../src/Interface'
 import { getNodeModulesPackagePath } from '../../../../src/utils'
-import { MCPToolkit, validateMCPServerSecurity } from '../core'
+import { MCPToolkit, validateArgsForLocalFileAccess } from '../core'
 
 class Supergateway_MCP implements INode {
     label: string
@@ -108,7 +108,7 @@ class Supergateway_MCP implements INode {
 
         if (process.env.CUSTOM_MCP_SECURITY_CHECK === 'true') {
             try {
-                validateMCPServerSecurity(serverParams)
+                validateArgsForLocalFileAccess(processedArgs)
             } catch (error) {
                 throw new Error(`Security validation failed: ${error.message}`)
             }