fix(tui): prevent path traversal in MCP storage via server name sanitization

echobt · echobt · commit c25a1c9e3325 · 2026-02-04T15:51:53.000Z
The server_path() function was vulnerable to path traversal attacks
where a malicious server name like '../../../etc/passwd' could escape
the mcps directory and access arbitrary files.

Changes:
- Add sanitize_server_name() function that replaces dangerous characters
- Add validate_server_name() for pre-validation of untrusted input
- Only alphanumeric, hyphen, and underscore characters are allowed
- Path separators and other special chars are replaced with underscores
- Add comprehensive unit tests for path traversal prevention

Security Impact:
Prevents directory traversal attacks that could lead to unauthorized
file access or manipulation outside the MCP storage directory.

Fixes: issue #5403
diff --git a/src/cortex-tui/src/mcp_storage.rs b/src/cortex-tui/src/mcp_storage.rs
@@ -15,6 +15,37 @@ use anyhow::{Context, Result};
 use cortex_common::AppDirs;
 use serde::{Deserialize, Serialize};
 
+// ============================================================
+// SECURITY HELPERS
+// ============================================================
+
+/// Sanitize a server name to prevent path traversal attacks.
+///
+/// Only allows alphanumeric characters, hyphens, and underscores.
+/// Any other characters (including path separators) are replaced with underscores.
+fn sanitize_server_name(name: &str) -> String {
+    name.chars()
+        .map(|c| {
+            if c.is_ascii_alphanumeric() || c == '-' || c == '_' {
+                c
+            } else {
+                '_'
+            }
+        })
+        .collect()
+}
+
+/// Validate a server name for safe filesystem use.
+///
+/// Returns true if the name contains only safe characters.
+#[allow(dead_code)]
+pub fn validate_server_name(name: &str) -> bool {
+    !name.is_empty()
+        && name
+            .chars()
+            .all(|c| c.is_ascii_alphanumeric() || c == '-' || c == '_')
+}
+
 /// MCP transport type
 #[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
 #[serde(rename_all = "lowercase")]
@@ -158,8 +189,11 @@ impl McpStorage {
     }
 
     /// Get the path to a server's config file
+    ///
+    /// The server name is sanitized to prevent path traversal attacks.
     fn server_path(&self, name: &str) -> PathBuf {
-        self.mcps_dir.join(format!("{}.json", name))
+        let sanitized_name = sanitize_server_name(name);
+        self.mcps_dir.join(format!("{}.json", sanitized_name))
     }
 
     /// Save an MCP server configuration
@@ -372,4 +406,44 @@ mod tests {
         let result = storage.load_server("nonexistent").unwrap();
         assert!(result.is_none());
     }
+
+    #[test]
+    fn test_sanitize_server_name() {
+        // Normal names stay the same
+        assert_eq!(sanitize_server_name("my-server"), "my-server");
+        assert_eq!(sanitize_server_name("server_123"), "server_123");
+        
+        // Path traversal attempts get sanitized
+        assert_eq!(sanitize_server_name("../../../etc"), "________etc");
+        assert_eq!(sanitize_server_name("test/subdir"), "test_subdir");
+        assert_eq!(sanitize_server_name("test\\windows"), "test_windows");
+    }
+
+    #[test]
+    fn test_validate_server_name() {
+        // Valid names
+        assert!(validate_server_name("my-server"));
+        assert!(validate_server_name("server_123"));
+        assert!(validate_server_name("ABC"));
+        
+        // Invalid names
+        assert!(!validate_server_name("../../../etc"));
+        assert!(!validate_server_name("test/subdir"));
+        assert!(!validate_server_name(""));
+        assert!(!validate_server_name("name with spaces"));
+    }
+
+    #[test]
+    fn test_server_path_traversal() {
+        let (storage, tmp) = test_storage();
+        let base_dir = tmp.path().to_path_buf();
+        
+        // Attempt path traversal
+        let malicious_name = "../../../etc/passwd";
+        let result_path = storage.server_path(malicious_name);
+        
+        // The result should still be under mcps_dir
+        assert!(result_path.starts_with(base_dir.join("mcps")));
+        assert!(!result_path.to_string_lossy().contains(".."));
+    }
 }
