feat(mcp): security hardening — command allowlist and env var validation#670

Merged
bug-ops merged 2 commits into main from feat/623-mcp-security-hardening on Feb 19, 2026

Conversation

bug-ops (Owner) commented Feb 19, 2026

Summary

  • Validate MCP server commands against configurable allowlist before spawning child processes (default: npx, uvx, node, python3, python, docker, deno, bun; extendable via mcp.allowed_commands)
  • Block 21 dangerous environment variables (LD_PRELOAD, DYLD_, NODE_OPTIONS, PYTHONPATH, JAVA_TOOL_OPTIONS, etc.) and BASH_FUNC_ prefix from MCP server processes
  • Reject commands containing path separators to prevent symlink-based bypasses

Closes #623, closes #651, closes #652

Changes

  • New crates/zeph-mcp/src/security.rs with validate_command() and validate_env()
  • New McpError::CommandNotAllowed and McpError::EnvVarBlocked variants
  • McpClient::connect() validates command and env before Command::new()
  • McpManager::new() accepts allowed_commands from config

Test plan

  • 111 zeph-mcp tests pass (including 20 new security validation tests)
  • 2045 workspace tests pass
  • clippy zero warnings, fmt clean
  • Default allowlist permits standard MCP runtimes
  • Path separators rejected (no symlink bypass)
  • All 21 blocked env vars individually tested
  • BASH_FUNC_* prefix injection blocked
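As an added illustration of the checks this PR describes (example code, not the project's own security.rs): `extra_allowed` stands in for `mcp.allowed_commands`, `build_server_command` for the validate-then-`Command::new()` ordering in `McpClient::connect()`, and the blocked list is a constructed subset containing only the names the description itself mentions, not the full 21.

```rust
use std::process::Command;

#[derive(Debug, PartialEq)]
pub enum McpError {
    CommandNotAllowed(String),
    EnvVarBlocked(String),
}

/// Default runtimes listed in the PR; `extra_allowed` plays the role of `mcp.allowed_commands`.
const DEFAULT_ALLOWED: &[&str] = &["npx", "uvx", "node", "python3", "python", "docker", "deno", "bun"];
/// Constructed subset: only the names the PR description spells out, not the full list of 21.
const BLOCKED_EXACT: &[&str] = &["LD_PRELOAD", "NODE_OPTIONS", "PYTHONPATH", "JAVA_TOOL_OPTIONS"];
/// Prefix rules cover the DYLD_* loader hooks and bash's exported-function variables.
const BLOCKED_PREFIXES: &[&str] = &["DYLD_", "BASH_FUNC_"];

pub fn validate_command(cmd: &str, extra_allowed: &[&str]) -> Result<(), McpError> {
    // Only a bare program name is accepted. "./npx" or "/tmp/bin/npx" would run whatever
    // lives at that path (possibly a symlink), so the basename is never consulted.
    if cmd.is_empty() || cmd.contains(|c| c == '/' || c == '\\') {
        return Err(McpError::CommandNotAllowed(cmd.to_string()));
    }
    if DEFAULT_ALLOWED.contains(&cmd) || extra_allowed.contains(&cmd) {
        Ok(())
    } else {
        Err(McpError::CommandNotAllowed(cmd.to_string()))
    }
}

pub fn validate_env(env: &[(&str, &str)]) -> Result<(), McpError> {
    for (name, _) in env {
        // The value is irrelevant: the variable name alone decides whether a runtime or
        // dynamic loader would act on it, so the whole entry is rejected.
        if BLOCKED_EXACT.contains(name) || BLOCKED_PREFIXES.iter().any(|p| name.starts_with(*p)) {
            return Err(McpError::EnvVarBlocked(name.to_string()));
        }
    }
    Ok(())
}

/// Validate first, construct second: no `Command` exists unless both checks passed.
/// Nothing is spawned here; the caller decides when (and whether) to spawn.
pub fn build_server_command(
    cmd: &str, args: &[&str], env: &[(&str, &str)], extra_allowed: &[&str],
) -> Result<Command, McpError> {
    validate_command(cmd, extra_allowed)?;
    validate_env(env)?;
    let mut c = Command::new(cmd);
    c.args(args);
    c.envs(env.iter().copied());
    Ok(c)
}
```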

github-actions bot added labels documentation (Improvements or additions to documentation), rust, core, enhancement (New feature or request), size/L on Feb 19, 2026

…ocesses

Validate MCP server commands against a configurable allowlist before
spawning child processes. Block dangerous environment variables
(LD_PRELOAD, DYLD_*, NODE_OPTIONS, PYTHONPATH, etc.) to prevent
code injection via config tampering.

Closes #651, closes #652
bug-ops force-pushed the feat/623-mcp-security-hardening branch from d7e3fff to 14b346c on February 19, 2026 23:23
bug-ops enabled auto-merge (squash) on February 19, 2026 23:23
bug-ops merged commit 7140185 into main on Feb 19, 2026
20 checks passed
bug-ops deleted the feat/623-mcp-security-hardening branch on February 19, 2026 23:33
Merging this pull request may close these issues:

  • Restrict MCP env var injection to safe subset
  • Validate MCP server command against allowlist
  • Epic: MCP security hardening