Security: MCP server config enables arbitrary command execution #75

Open
opened 2026-05-11 13:48:49 +00:00 by thabeta · 0 comments
Owner

Severity: Critical

Location

crates/hero_aibroker_lib/src/mcp.rs: McpServerConfig with command and args

Finding

MCP servers are spawned as arbitrary child processes from YAML config:

```rust
use std::collections::HashMap;
use std::process::{Command, Stdio};

// Deserialized straight from the YAML config: any string is accepted as the
// command and any list of strings as its arguments.
pub struct McpServerConfig {
    pub name: String,
    pub command: String,
    pub args: Vec<String>,
    pub env: Option<HashMap<String, String>>,
}
```

```rust
// Spawned as-is: no allowlist, no validation, and the child inherits the
// broker's full environment because neither env_clear() nor env_remove() is applied.
let mut child = Command::new(&config.command)
    .args(&config.args)
    .stdin(Stdio::piped())
    .stdout(Stdio::piped())
    .stderr(Stdio::piped())
    .spawn()?;
```

Attack Scenario

  • If YAML config is user-modifiable, arbitrary commands execute as the broker user
  • No sandboxing, seccomp, or capability restrictions
  • Child processes inherit all broker environment variables (potentially including API keys)
  • No resource limits (memory, CPU, network) on spawned processes

Recommendation

  • Whitelist allowed commands/paths
  • Add optional seccomp/AppArmor profiles
  • Drop unnecessary capabilities before spawn
  • Resource limits via cgroups or rlimit
  • Validate config against a schema before execution
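A hardened replacement for the spawn above, added here as an example and not code from the hero_aibroker project: it implements three of the recommendations (an allowlist of absolute command paths, validation before anything is executed, and a cleared child environment so broker API keys are not inherited). The allowlist paths, the inherited env-var names and the `build_command`/`validate` helpers are hypothetical; seccomp profiles and rlimits are out of scope for this snippet.

```rust
use std::collections::HashMap;
use std::process::{Command, Stdio};

pub struct McpServerConfig {
    pub name: String,
    pub command: String,
    pub args: Vec<String>,
    pub env: Option<HashMap<String, String>>,
}
// Allowlist of MCP server binaries (absolute paths) and of broker env vars a child
// may inherit. Hypothetical values; load them from an admin-controlled file, never
// from the user-editable YAML itself.
const ALLOWED_COMMANDS: &[&str] = &["/usr/local/bin/mcp-filesystem", "/usr/local/bin/mcp-git"];
const INHERITED_ENV: &[&str] = &["PATH", "HOME", "LANG"];
#[derive(Debug, PartialEq)]
pub enum ConfigError {
    RelativeCommand(String),
    CommandNotAllowed(String),
    ForbiddenEnvVar(String),
}
/// Reject a config before anything is spawned: only absolute, allowlisted
/// binaries, and no config-supplied env vars that steer the dynamic loader.
pub fn validate(config: &McpServerConfig) -> Result<(), ConfigError> {
    if !std::path::Path::new(&config.command).is_absolute() {
        return Err(ConfigError::RelativeCommand(config.command.clone()));
    }
    if !ALLOWED_COMMANDS.contains(&config.command.as_str()) {
        return Err(ConfigError::CommandNotAllowed(config.command.clone()));
    }
    for key in config.env.iter().flat_map(|e| e.keys()) {
        if key.starts_with("LD_") || key.starts_with("DYLD_") {
            return Err(ConfigError::ForbiddenEnvVar(key.clone()));
        }
    }
    Ok(())
}
/// Build the child with a cleared environment so broker secrets (API keys) are
/// not inherited; only INHERITED_ENV and the validated config env reach it.
pub fn build_command(config: &McpServerConfig) -> Result<Command, ConfigError> {
    validate(config)?;
    let mut cmd = Command::new(&config.command);
    cmd.args(&config.args).env_clear();
    cmd.stdin(Stdio::piped()).stdout(Stdio::piped()).stderr(Stdio::piped());
    for &key in INHERITED_ENV {
        if let Ok(value) = std::env::var(key) { cmd.env(key, value); }
    }
    if let Some(env) = &config.env { cmd.envs(env); }
    Ok(cmd)
}
```

The caller then runs `build_command(&config)?.spawn()?` in place of the direct `Command::new(&config.command)` chain.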
Reference
lhumina_code/hero_aibroker#75