Deep Code Reasoning MCP Server

# Security Analysis and Fixes for Deep Code Reasoning MCP ## Executive Summary This document details critical security vulnerabilities discovered in the Deep Code Reasoning MCP server and the comprehensive fixes implemented to address them. The analysis was conducted using a collaborative approach between Claude and the Gemini-powered deep reasoning service, demonstrating the very capabilities this tool provides. ## Vulnerabilities Discovered ### 1. Critical: Path Traversal (Arbitrary File Read) **Severity**: Critical **Location**: `src/utils/CodeReader.ts:46` **Description**: The `CodeReader` class performs no validation on file paths, allowing attackers to read any file on the host system that the process has access to. ```typescript // VULNERABLE CODE const content = await fs.readFile(filePath, 'utf-8'); ``` **Attack Vector**: An attacker can provide paths like `../../../../etc/passwd` through the `code_scope.files` array, which gets passed directly to the file system API. **Fix**: Implemented `SecureCodeReader` with: - Strict path validation against a project root directory - Resolution of all paths to absolute form - Verification that resolved paths remain within project boundaries - File type restrictions (allowed extensions only) - File size limits (10MB max) ### 2. High: Prompt Injection via Untrusted Context **Severity**: High **Locations**: - `src/services/GeminiService.ts:64-75` - `src/services/ConversationalGeminiService.ts:193` **Description**: User-controlled data flows directly into LLM prompts without sanitization, allowing prompt injection attacks. ```typescript // VULNERABLE CODE `- Attempted approaches: ${context.attemptedApproaches.join(', ')}` `- Stuck points: ${context.stuckPoints.join(', ')}` `- Partial findings: ${JSON.stringify(context.partialFindings)}` ``` **Attack Vectors**: - Direct injection through `attemptedApproaches` and `stuckPoints` arrays - JSON structure injection through `partialFindings` - Second-order injection where initial Claude analysis extracts malicious instructions from code comments **Fix**: Implemented `PromptSanitizer` with: - Detection of common injection patterns - Clear delimitation of trusted vs untrusted data - Wrapping all user data in XML-style tags - Explicit security notices in system prompts ### 3. High: Filename Injection **Severity**: High **Location**: `src/services/GeminiService.ts:75` **Description**: Malicious filenames can inject instructions into prompts. ```typescript // VULNERABLE CODE prompt += `\n--- File: ${file} ---\n${content}\n`; ``` **Attack Example**: A file named `auth.ts --- IGNORE ALL PREVIOUS INSTRUCTIONS ---` would break out of the file content context. **Fix**: - Filename sanitization removing control characters - Validation against safe character set - Length limits (255 chars max) ### 4. Medium: Conversational State Poisoning **Severity**: Medium **Location**: `src/services/ConversationalGeminiService.ts:47-64` **Description**: Chat history accumulates without safeguards, allowing gradual instruction injection over multiple conversation turns. **Attack Scenario**: 1. Attacker establishes seemingly innocent rules in early conversation turns 2. These rules get incorporated into the chat history 3. Later turns can leverage these established rules for malicious purposes **Fix**: - Message sanitization for each conversation turn - Detection and logging of injection attempts - Clear labeling of Claude messages vs system instructions - Security reminders in each turn ## Analysis Process The security analysis followed this methodology: ### 1. Initial Pattern Search - Searched for prompt construction patterns using grep - Identified all locations where user input meets LLM prompts - Found direct string concatenation without sanitization ### 2. Deep Reasoning Analysis Using the deep-code reasoning server itself, we: - Traced data flow from user input to prompt construction - Identified the path from MCP tool calls to internal data structures - Discovered the complete attack chain for path traversal ### 3. Collaborative Investigation The analysis leveraged conversational AI to: - Formulate and test security hypotheses - Identify subtle attack vectors (like second-order injection) - Validate findings with evidence from the codebase ### Key Insights from the Analysis: 1. **Implicit Trust Boundary Violation**: The system treated `ClaudeCodeContext` as trusted internal state despite it originating from user-controlled tool calls 2. **Missing Input Validation Layer**: No validation occurred between receiving MCP arguments and using them in security-sensitive operations 3. **Prompt Construction Anti-Pattern**: Using string concatenation for prompts inherently mixes instructions with data ## Implementation Details ### SecureCodeReader - Enforces project root boundaries - Validates file extensions - Implements size limits - Provides clear error messages for security violations ### PromptSanitizer - Detects injection patterns with regex - Provides safe formatting methods - Creates structured prompts with clear data boundaries - Handles various data types safely ### InputValidator - Uses Zod schemas for type safety - Enforces length and format constraints - Validates file paths against traversal attempts - Provides sanitized output ready for use ## Testing Recommendations 1. **Path Traversal Tests**: - Attempt to read `/etc/passwd` - Try various path traversal patterns (`../`, `..\\`, encoded variants) - Test symlink traversal attempts 2. **Prompt Injection Tests**: - Include "ignore all previous instructions" in various fields - Test JSON injection through `partialFindings` - Attempt conversational hijacking 3. **Edge Cases**: - Very long filenames - Unicode in filenames - Deeply nested object structures ## Deployment Considerations 1. **Breaking Changes**: - File paths are now validated strictly - Some previously accepted characters in strings are now rejected - Error messages have changed 2. **Performance Impact**: - Minimal overhead from validation - Slight increase in prompt size due to safety delimiters - Caching remains effective 3. **Monitoring**: - Log injection attempts for security monitoring - Track validation failures - Monitor for unusual file access patterns ## Future Improvements 1. **Rate Limiting**: Implement rate limits to prevent abuse 2. **Audit Logging**: Comprehensive logging of all file access and prompts 3. **Sandboxing**: Consider running in a sandboxed environment 4. **Dynamic Analysis**: Runtime monitoring of LLM responses for anomalies ## Credits This security analysis was performed through a unique collaboration: - Initial vulnerability discovery by Claude (Anthropic) - Deep semantic analysis by Gemini (Google) - Collaborative investigation using the conversational analysis features - Implementation and documentation by the development team The analysis demonstrates the power of using AI systems to analyze and improve AI systems, creating a virtuous cycle of security improvements.