From 48f9ab3ffed6363d275311d4985987fe8bed7e3c Mon Sep 17 00:00:00 2001 From: shunfeng8421 Date: Mon, 29 Jun 2026 09:12:52 +0800 Subject: [PATCH] security: fix command injection via project_name in WindowsExecutor _build_windows_command() builds a shell command string that is executed via create_subprocess_shell(shell=True). Three user- controlled values were interpolated without quoting: - self.project_name (from MCP tool argument) - command (from MCP tool argument) - args (from MCP tool argument) On Windows an attacker-controlled project_name such as 'test && calc.exe' results in arbitrary command execution. Fix: wrap all three interpolations with shlex.quote(). The Linux path (_build_unix_command) passes arguments as a list and was not affected. --- src/docker_mcp/docker_executor.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/docker_mcp/docker_executor.py b/src/docker_mcp/docker_executor.py index e554905..d7810a7 100644 --- a/src/docker_mcp/docker_executor.py +++ b/src/docker_mcp/docker_executor.py @@ -74,10 +74,11 @@ async def run_command(self, command: str, *args) -> Tuple[int, str, str]: return await self.executor.execute(cmd) def _build_windows_command(self, command: str, *args) -> str: + import shlex compose_file = self.compose_file.replace('\\', '/') return (f'cd "{os.path.dirname(compose_file)}" && docker compose ' f'-f "{os.path.basename(compose_file)}" ' - f'-p {self.project_name} {command} {" ".join(args)}') + f'-p {shlex.quote(self.project_name)} {shlex.quote(command)} {" ".join(map(shlex.quote, args))}') def _build_unix_command(self, command: str, *args) -> list[str]: return [