Project Creator MCP

BUG_FIX_SUMMARY.md•2.93 kB

# Bug Fix Summary ## Bug Fixed: PowerShell Select-String Pattern Validation ### Problem The `run_command` function was blocking legitimate PowerShell commands that contained special characters (like `|` and parentheses) inside quoted strings. This was overly restrictive and prevented valid commands from running. **Example command that was incorrectly blocked:** ```powershell Select-String -Pattern "667eea|764ba2" -Path "src\components\*.css" ``` ### Root Cause The security validation was checking for dangerous patterns (command chaining operators and subshell syntax) in the entire command string, including inside quoted strings where these characters are safe. ### Solution Updated the validation logic in `src/mcp_tools/command_execution_tools.py` to: 1. **First remove all quoted strings** (both single and double quotes) from the command 2. **Then check for dangerous patterns** only in the remaining unquoted parts This approach allows special characters inside quotes (which are safe) while still blocking actual command injection attempts. ### Changes Made **File:** `src/mcp_tools/command_execution_tools.py` **Function:** `run_command()` (around line 720) **New validation logic:** ```python # Remove all quoted strings first temp_command = command temp_command = re.sub(r'"[^"]*"', '', temp_command) temp_command = re.sub(r"'[^']*'", '', temp_command) # Check for dangerous patterns only in unquoted parts if any(pattern in temp_command for pattern in [';', '&', '|', '`']): return {"success": False, "error": "..."} if '$(' in temp_command or '(' in temp_command or ')' in temp_command: return {"success": False, "error": "..."} ``` ### Test Results All test cases pass: - ✅ `Select-String -Pattern "667eea|764ba2" -Path "src\components\*.css"` - Now allowed (was blocked) - ✅ `Select-String -Pattern "(test|prod)" -Path "*.txt"` - Now allowed (was blocked) - ✅ `echo "hello (world)"` - Allowed (quotes protect the parentheses) - ✅ `Get-Item (Get-ChildItem)` - Blocked (unquoted subexpression) - ✅ `$(evil-command)` - Blocked (subshell syntax) - ✅ `Get-Item .; rm -rf /` - Blocked (command chaining) - ✅ `ls & echo done` - Blocked (command chaining) - ✅ `cat file | grep test` - Blocked (piping/chaining) ### How to Test After Reload 1. Restart/reload Claude to pick up the changes 2. Try the original failing command: ```json { "command": "Select-String -Pattern \"667eea|764ba2\" -Path \"src\\components\\*.css\"", "cwd": "D:\\Scripts and Code\\pega-log-analyzer" } ``` 3. It should now execute successfully ### Security Impact This change maintains security by: - Still blocking all command chaining operators (`;`, `&`, `|`, `` ` ``) when unquoted - Still blocking PowerShell subexpressions and subshells - Only allowing these characters when safely contained within quoted strings - No reduction in the overall security posture of the command execution system

Loading blob content...

Latest Blog Posts

Don't Use Large Strings as Cache Keys
By punkpeye on January 11, 2026.
markdown
node-js
cache
What are Claude Skills?
By punkpeye on January 10, 2026.
mcp
skills
How to Test MCP Streamable HTTP Endpoints Using cURL
By punkpeye on January 2, 2026.
tutorial
bash

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/jackalterman/project-creator-mcp'

If you have feedback or need assistance with the MCP directory API, please join our Discord server

BUG_FIX_SUMMARY.md•2.93 kB