Skip to content

[Security] Harden CLI dev command against injection on Windows #1904

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
RinZ27 wants to merge 2 commits into
base: main
Choose a base branch
from
Open

[Security] Harden CLI dev command against injection on Windows #1904

RinZ27 wants to merge 2 commits into from
+9 −1

Conversation

@RinZ27
Copy link
Contributor

@RinZ27 RinZ27 commented Jan 17, 2026

I was looking through the CLI code and spotted a potential security risk when using the mcp dev command on Windows. Because shell=True is required for npx, passing raw arguments can lead to command injection if a user provides a file path containing shell metacharacters.

I decided to use shlex.quote to sanitize these arguments before they are joined into the final command string. This way, I ensure that any special characters are safely escaped, keeping the execution restricted to the intended command. I've verified the fix and it correctly handles paths with spaces and other characters.

@RinZ27 RinZ27 force-pushed the fix/windows-command-injection-v2 branch 2 times, most recently from f7b9f72 to a63bde1 Compare January 20, 2026 14:10
Kludex
Kludex reviewed Jan 23, 2026
View reviewed changes
src/mcp/cli/cli.py Outdated
Comment on lines 279 to 284
cmd_args = [npx_cmd, "@modelcontextprotocol/inspector"] + uv_cmd

if shell:
# On Windows with shell=True, I need to quote arguments to prevent injection
# and join them into a single string, as passing a list with shell=True is unsafe/undefined behavior
cmd_args = " ".join(shlex.quote(arg) for arg in cmd_args)
Copy link
Member

@Kludex Kludex Jan 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can't we apply shlex on the whole thing? we don't need to check if shell, do we?

@RinZ27 RinZ27 force-pushed the fix/windows-command-injection-v2 branch from a63bde1 to 4f4dba9 Compare January 23, 2026 11:58
@RinZ27
Copy link
Contributor Author

RinZ27 commented Jan 23, 2026

@Kludex I can't apply it universally because on POSIX I'm using shell=False (passing a raw list), where subprocess handles the arguments directly. If I quoted them there, the quotes would be treated as literal parts of the filename. Manual quoting is only necessary when I'm forced to use shell=True on Windows.

Also, I realized shlex.quote uses single quotes which isn't ideal for cmd.exe. I'll update this to use list2cmdline instead to ensure it works correctly on Windows.

@RinZ27
Switch from shlex.quote to subprocess.list2cmdline for Windows support.
b6a0419 
I noticed that shlex.quote uses single quotes which cmd.exe doesn't handle correctly. Switched to list2cmdline to ensure proper escaping when shell=True is used on Windows. Also removed the unused shlex import.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Kludex Kludex Kludex left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@RinZ27 @Kludex