feat: add filesystem MCP server with paginated reads #214
Closed
sheeki03 wants to merge 1 commit into GitHubSecurityLab:main from
…al protection Introduces read_file with start_line offset, line_numbers, and include_summary parameters for paginated large-file reads. Both read_file and list_directory use os.path.realpath to prevent path traversal including symlink escapes.
Problem

The filesystem MCP server's `read_file` tool has no offset parameter, no line numbers, and a hard 500-line cap with no way to page through the rest. Large files force multiple blind reads with no way to know which section was returned. The `list_directory` tool uses `os.path.normpath` for path containment which is vulnerable to sibling-prefix escapes (e.g. `../repo2/secret` passes when `BASE_DIR=/tmp/repo`).

Changes

`src/seclab_taskflow_agent/mcp_servers/filesystem/filesystem.py` (new)

- `read_file`: Adds `start_line` (1-indexed offset), `line_numbers` (prefix each line with its number), and `include_summary` (footer with total line count and displayed range). Default behavior (`max_lines=500`, no offset) is backward-compatible with existing callers.
- `list_directory`: Lists files/directories relative to the repo root.
- `os.path.realpath` to resolve symlinks, then check `target.startswith(base + os.sep)` to prevent sibling-prefix escapes. This blocks `../`, symlink escapes, and paths like `../repo2/file` where the prefix overlaps with `BASE_DIR`.

`tests/test_filesystem_mcp.py` (new, 16 tests)

- `TestReadFile`: default 500-line cap, `start_line` offset, past-EOF returns empty, line number formatting, summary footer, backward compatibility
- `TestPathTraversal`: `../` blocked, sibling-prefix escape blocked, symlink escape blocked (skipped on platforms without symlink support), valid subdirectory allowed, `list_directory` traversal blocked
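
The containment difference described in this pull request, as an added example that is not code from the PR or the project: a `normpath`-plus-prefix check (assumed here to be the weak form) next to the `realpath` plus `base + os.sep` check, run over a constructed `repo` / `repo2` layout. The function names, directory names and the choice to allow the base directory itself are assumptions.

```python
import os
import tempfile


def contained_normpath(base, user_path):
    """Weak form (assumed): lexical normalisation, then a bare prefix test."""
    target = os.path.normpath(os.path.join(base, user_path))
    return target.startswith(base)


def contained_realpath(base, user_path):
    """Form described in the PR: resolve symlinks, then require base + os.sep."""
    base = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base, user_path))
    # Assumption: the base directory itself is an allowed target.
    return target == base or target.startswith(base + os.sep)


def demo():
    """Return {requested_path: (weak_allows, strict_allows)} for a constructed tree."""
    with tempfile.TemporaryDirectory() as root:
        root = os.path.realpath(root)
        base = os.path.join(root, "repo")      # plays the role of BASE_DIR
        sibling = os.path.join(root, "repo2")  # shares the "repo" prefix
        os.makedirs(os.path.join(base, "src"))
        os.makedirs(sibling)
        with open(os.path.join(sibling, "secret"), "w") as fh:
            fh.write("constructed sample\n")
        cases = ["src", "../repo2/secret", "../outside"]
        try:
            # Symlink inside the base that points at the sibling directory.
            os.symlink(sibling, os.path.join(base, "link"))
            cases.append("link/secret")
        except (OSError, NotImplementedError, AttributeError):
            pass  # platform without symlink support
        return {p: (contained_normpath(base, p), contained_realpath(base, p))
                for p in cases}


if __name__ == "__main__":
    for path, (weak, strict) in demo().items():
        print(f"{path:18} normpath+prefix={weak!s:5} realpath+sep={strict}")
```
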