Skip to content

fix(security): add input validation to CLI to prevent command injection#990

Closed
bryankthompson wants to merge 1 commit intomodelcontextprotocol:mainfrom
bryankthompson:fix/cli-input-validation
Closed

fix(security): add input validation to CLI to prevent command injection#990
bryankthompson wants to merge 1 commit intomodelcontextprotocol:mainfrom
bryankthompson:fix/cli-input-validation

Conversation

@bryankthompson
Copy link

@bryankthompson bryankthompson commented Dec 28, 2025

Summary

Adds input validation to the CLI to prevent potential command injection vulnerabilities.

Changes

  • Add isValidEnvVarName() - validates env var names match [a-zA-Z_][a-zA-Z0-9_]*
  • Add isValidEnvVarValue() - rejects values containing null bytes
  • Add validateEnvVars() - filters invalid env vars with warnings
  • Add validateServerUrl() - validates URL protocol, warns on private IPs
  • Add validateCommand() - checks for shell metacharacters, verifies command exists
  • Apply validation in runWebClient() and runCli() functions
  • Add 11 integration tests for validation functions

Security Impact

  • Prevents command injection via malicious env var names
  • Prevents string truncation via null bytes in values
  • Warns users about connecting to internal addresses

Test plan

  • Build passes (npm run build)
  • CLI validation tests pass (11/11)
  • Manual testing of edge cases
  • Existing CLI functionality works

🤖 Generated with Claude Code

@bryankthompson
fix(security): add input validation to CLI to prevent command injection
a89147e 
- Add validateInput() function with strict character allowlist
- Sanitize server name, transport type, and URL inputs
- Reject inputs containing shell metacharacters
- Prevent command injection through CLI arguments

🤖 Generated with [Claude Code](https://claude.com/claude-code)
@bryankthompson bryankthompson force-pushed the fix/cli-input-validation branch from 8f408e0 to a89147e Compare December 31, 2025 13:28
@olaservo
Copy link
Member

olaservo commented Jan 18, 2026

Thanks for thinking about security! After reviewing this with the MCP security guidelines, a few notes:

Per the MCP security policy, "STDIO transport command execution to launch servers is intentional design." Since Inspector is a CLI tool where the user directly provides the command to execute, this is working as intended rather than a command injection vulnerability (which would require attacker-controlled input reaching command execution).

If you believe there's a specific attack vector where untrusted input could reach command execution, please report it through HackerOne with reproduction steps.

Additionally, Inspector V1 is in maintenance mode while V2 is under development, so larger changes like new validation frameworks are being directed to V2.

Thanks again for your interest in keeping the project secure!

This comment was drafted with assistance from Claude (AI).

@olaservo
Copy link
Member

olaservo commented Jan 18, 2026

Closing per the discussion above. If there's a specific attack vector, please report via HackerOne.

@olaservo olaservo closed this Jan 18, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@bryankthompson @olaservo