gamecode-mcp2 0.7.0

Minimal, auditable Model Context Protocol server for safe LLM-to-system interaction
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187

use gamecode_mcp2::tools::ToolManager;
use serde_json::json;
use std::collections::HashMap;
use std::path::PathBuf;
use tempfile::TempDir;

#[tokio::test]
async fn test_path_traversal_prevention() {
    let _temp_dir = TempDir::new().unwrap();
    let mut tool_manager = ToolManager::new();
    let path = PathBuf::from("tests/fixtures/test_tools.yaml");
    tool_manager.load_from_file(&path).await.unwrap();

    // Try various path traversal attempts
    let traversal_attempts = vec![
        "../../../etc/passwd",
        "../../../../../../etc/shadow",
        "/etc/passwd",
        "~/.ssh/id_rsa",
    ];

    for attempt in traversal_attempts {
        let args = json!({
            "path": attempt,
            "content": "malicious content"
        });

        // Current implementation doesn't prevent this - documenting the risk
        let result = tool_manager.execute_tool("file_writer", args, &HashMap::new()).await;

        // This test documents that path traversal IS possible
        // In a secure implementation, these should all fail
        if result.is_ok() {
            println!("WARNING: Path traversal successful with: {}", attempt);
        }
    }
}

#[tokio::test]
async fn test_command_argument_injection() {
    let mut tool_manager = ToolManager::new();
    let path = PathBuf::from("tests/fixtures/test_tools.yaml");
    tool_manager.load_from_file(&path).await.unwrap();

    // Test that shell metacharacters are properly escaped
    let injection_attempts = vec![
        ("test$(whoami)", "test$(whoami)"),
        ("test`id`", "test`id`"),
        ("test;ls -la", "test;ls -la"),
        ("test|cat /etc/passwd", "test|cat /etc/passwd"),
        ("test&&rm -rf /tmp/test", "test&&rm -rf /tmp/test"),
    ];

    for (attempt, expected) in injection_attempts {
        let args = json!({
            "message": attempt
        });

        let result = tool_manager.execute_tool("echo_test", args, &HashMap::new()).await;
        assert!(result.is_ok(), "Command should execute");

        let output = result.unwrap();
        let text = output["output"].as_str().unwrap().trim();

        // Verify the injection attempt is treated as literal text
        assert_eq!(
            text, expected,
            "Injection attempt '{}' should produce literal output",
            attempt
        );

        // Verify no command execution occurred
        assert!(
            !text.contains("root"),
            "Should not contain system user info"
        );
        assert!(!text.contains("uid="), "Should not contain uid info");
    }
}

#[tokio::test]
async fn test_yaml_include_path_restrictions() {
    // Create a malicious YAML that tries to include system files
    let temp_dir = TempDir::new().unwrap();
    let malicious_yaml = temp_dir.path().join("malicious.yaml");

    tokio::fs::write(
        &malicious_yaml,
        r#"
include:
  - /etc/passwd
  - ~/.ssh/config
  - ../../../../../../../etc/shadow
tools: []
"#,
    )
    .await
    .unwrap();

    let mut tool_manager = ToolManager::new();
    let result = tool_manager.load_from_file(&malicious_yaml).await;

    // Current implementation will fail because these files aren't valid YAML
    // But it WILL try to read them, which is a security issue
    assert!(result.is_err(), "Should fail to include system files");
}

#[tokio::test]
async fn test_recursive_include_dos() {
    // Test protection against recursive includes
    let temp_dir = TempDir::new().unwrap();
    let yaml_a = temp_dir.path().join("a.yaml");
    let yaml_b = temp_dir.path().join("b.yaml");

    // Create circular reference
    tokio::fs::write(&yaml_a, "include:\n  - ./b.yaml\ntools: []")
        .await
        .unwrap();
    tokio::fs::write(&yaml_b, "include:\n  - ./a.yaml\ntools: []")
        .await
        .unwrap();

    let _tool_manager = ToolManager::new();

    // This currently causes infinite recursion - documenting the issue
    // In production, this should be detected and prevented

    // Commented out to prevent test hanging
    // let result = tool_manager.load_from_file(&yaml_a).await;
    // assert!(result.is_err(), "Should detect circular includes");
}

#[tokio::test]
async fn test_large_file_dos() {
    let temp_dir = TempDir::new().unwrap();

    // Create a very large file
    let large_file = temp_dir.path().join("large.txt");
    let _large_content = "A".repeat(100_000_000); // 100MB

    let mut _tool_manager = ToolManager::new();
    let path = PathBuf::from("tests/fixtures/test_tools.yaml");
    _tool_manager.load_from_file(&path).await.unwrap();

    let _args = json!({
        "path": large_file.to_str().unwrap(),
        "content": _large_content
    });

    // Current implementation has no size limits - documenting the risk
    // This could consume excessive memory/disk

    // Commented out to prevent actual DOS in tests
    // let result = tool_manager.execute_tool("file_writer", args).await;
}

#[tokio::test]
async fn test_symlink_traversal() {
    let temp_dir = TempDir::new().unwrap();
    let target = temp_dir.path().join("target.txt");
    let symlink = temp_dir.path().join("link.txt");

    tokio::fs::write(&target, "target content").await.unwrap();

    #[cfg(unix)]
    {
        std::os::unix::fs::symlink(&target, &symlink).unwrap();

        let mut tool_manager = ToolManager::new();
        let path = PathBuf::from("tests/fixtures/test_tools.yaml");
        tool_manager.load_from_file(&path).await.unwrap();

        // Test that symlinks can be followed (security risk)
        let args = json!({
            "path": symlink.to_str().unwrap(),
            "content": "new content"
        });

        let result = tool_manager.execute_tool("file_writer", args, &HashMap::new()).await;

        // Current implementation follows symlinks - documenting the risk
        if result.is_ok() {
            let content = tokio::fs::read_to_string(&target).await.unwrap();
            assert_eq!(content, "new content", "Symlink was followed");
        }
    }
}