Homelab MCP Server

2025-12-24-fix-ssh-command-injection.md•25.9 kB

# SSH Command Injection Vulnerability Fix - Implementation Plan **Created:** 11:11:30 AM | 12/24/2025 (UTC) > **For Claude:** REQUIRED SUB-SKILL: Use superpowers:executing-plans to implement this plan task-by-task. **Goal:** Eliminate CVSS 9.1 CRITICAL command injection vulnerability in compose.ts by properly using execFile with argument arrays instead of shell string concatenation. **Architecture:** Replace shell string execution with proper execFile argument array passing. SSH will be invoked with individual arguments (not a concatenated command string), preventing shell interpretation of special characters. All user-controlled inputs (extraArgs) will be validated with strict allowlists. **Tech Stack:** TypeScript 5.7+, Node.js child_process.execFile, Zod validation, Vitest testing --- ## Security Context **Current Vulnerability (Lines 82-85):** ```typescript // UNSAFE: Concatenates command into shell string const composeCmd = ["docker", "compose", "-p", project, action, ...extraArgs].join(" "); const sshArgs = buildComposeArgs(host); sshArgs.push(composeCmd); // ← Executed in remote shell const { stdout } = await execFileAsync("ssh", sshArgs, { timeout: 30000 }); ``` **Attack Vector:** ```typescript // Attacker passes: extraArgs = ["up", "-d; rm -rf /"] // Results in remote execution: docker compose -p myproject up -d; rm -rf / ``` **CVSS 9.1 Classification:** - **CWE-78:** Improper Neutralization of Special Elements used in an OS Command - **Impact:** Arbitrary remote command execution on all managed Docker hosts - **Exploitability:** High - user-controlled input directly injected into shell commands --- ## Task Breakdown ### Step 1: Write failing test for semicolon injection attack **File:** `src/services/compose.test.ts` Add test that proves current vulnerability: ```typescript describe("composeExec - Security", () => { it("should reject semicolon in extraArgs (prevents command chaining)", async () => { const host = { name: "test", host: "localhost", protocol: "http" as const, port: 2375 }; await expect( composeExec(host, "myproject", "up", ["--detach; echo HACKED"]) ).rejects.toThrow(/Invalid character/); }); }); ``` **Run:** `pnpm test src/services/compose.test.ts -t "semicolon"` **Expected:** FAIL - Test does not exist yet, or passes when it should fail (proving vulnerability) --- ### Step 2: Run test to verify it exposes the vulnerability **Command:** `pnpm test src/services/compose.test.ts -t "semicolon" --reporter=verbose` **Expected Output:** ``` FAIL src/services/compose.test.ts > composeExec - Security > should reject semicolon in extraArgs Expected: Error matching /Invalid character/ Received: Promise resolved (vulnerability exists - no validation) ``` **Validation:** This confirms the security hole exists. The test should fail because the current code allows the malicious input. --- ### Step 3: Write failing tests for all shell metacharacter injections **File:** `src/services/compose.test.ts` Add comprehensive attack vector test suite: ```typescript describe("composeExec - Security", () => { const testHost = { name: "test", host: "localhost", protocol: "http" as const, port: 2375 }; it("should reject semicolon in extraArgs (prevents command chaining)", async () => { await expect( composeExec(testHost, "myproject", "up", ["--detach; rm -rf /"]) ).rejects.toThrow(/Invalid character/); }); it("should reject pipe in extraArgs (prevents command piping)", async () => { await expect( composeExec(testHost, "myproject", "up", ["--detach | cat /etc/passwd"]) ).rejects.toThrow(/Invalid character/); }); it("should reject ampersand in extraArgs (prevents background execution)", async () => { await expect( composeExec(testHost, "myproject", "up", ["--detach && malicious-cmd"]) ).rejects.toThrow(/Invalid character/); }); it("should reject backticks in extraArgs (prevents command substitution)", async () => { await expect( composeExec(testHost, "myproject", "up", ["`whoami`"]) ).rejects.toThrow(/Invalid character/); }); it("should reject dollar sign in extraArgs (prevents variable expansion)", async () => { await expect( composeExec(testHost, "myproject", "up", ["$(malicious)"]) ).rejects.toThrow(/Invalid character/); }); it("should reject greater-than in extraArgs (prevents file redirection)", async () => { await expect( composeExec(testHost, "myproject", "up", ["--detach > /tmp/output"]) ).rejects.toThrow(/Invalid character/); }); it("should reject less-than in extraArgs (prevents file input)", async () => { await expect( composeExec(testHost, "myproject", "up", ["< /etc/passwd"]) ).rejects.toThrow(/Invalid character/); }); it("should reject newline in extraArgs (prevents multi-line injection)", async () => { await expect( composeExec(testHost, "myproject", "up", ["--detach\nmalicious-cmd"]) ).rejects.toThrow(/Invalid character/); }); it("should accept valid docker compose flags", async () => { // This will fail with SSH error (expected), but should NOT fail validation await expect( composeExec(testHost, "myproject", "up", ["--detach", "--build", "--force-recreate"]) ).rejects.toThrow(/SSH failed|Compose command failed/); // NOT: /Invalid character/ }); it("should accept service names in extraArgs", async () => { await expect( composeExec(testHost, "myproject", "up", ["web-service", "api-service_v2"]) ).rejects.toThrow(/SSH failed|Compose command failed/); // NOT: /Invalid character/ }); }); ``` **Run:** `pnpm test src/services/compose.test.ts -t "Security"` **Expected:** ALL FAIL (8 malicious inputs pass, 2 valid inputs may fail for wrong reason) --- ### Step 4: Run comprehensive security test suite **Command:** `pnpm test src/services/compose.test.ts -t "Security" --reporter=verbose` **Expected Output:** ``` FAIL (8 tests) ✗ should reject semicolon ✗ should reject pipe ✗ should reject ampersand ✗ should reject backticks ✗ should reject dollar sign ✗ should reject greater-than ✗ should reject less-than ✗ should reject newline UNKNOWN (2 tests) - may fail with SSH error instead of passing validation ? should accept valid docker compose flags ? should accept service names ``` **Validation:** All injection attacks currently pass through unvalidated (CRITICAL vulnerability confirmed). --- ### Step 5: Write validation function for extraArgs **File:** `src/services/compose.ts` Add validation function BEFORE `composeExec()`: ```typescript /** * Validate extra arguments for docker compose commands * Rejects shell metacharacters to prevent command injection */ function validateComposeArgs(args: string[]): void { const SHELL_METACHARACTERS = /[;&|`$()<>{}[\]\\"\'\n\r\t]/; for (const arg of args) { if (SHELL_METACHARACTERS.test(arg)) { throw new Error(`Invalid character in compose argument: ${arg}`); } // Additional safety: reject extremely long arguments (DoS prevention) if (arg.length > 500) { throw new Error(`Compose argument too long: ${arg.substring(0, 50)}...`); } } } ``` **Run:** `pnpm run build` **Expected:** SUCCESS (compiles with no type errors) --- ### Step 6: Verify validation function compiles **Command:** `pnpm run build` **Expected Output:** ``` > homelab-mcp-server@0.3.0 build > tsc (no errors) ``` **Validation:** TypeScript compilation succeeds, types are correct. --- ### Step 7: Refactor composeExec to use proper SSH argument passing **File:** `src/services/compose.ts` Replace lines 79-94 with secure implementation: ```typescript export async function composeExec( host: HostConfig, project: string, action: string, extraArgs: string[] = [] ): Promise<string> { validateProjectName(project); validateComposeArgs(extraArgs); // ← NEW: Validate before use // Build SSH connection arguments const sshArgs = buildComposeArgs(host); // Build docker compose command as separate arguments (NOT concatenated string) // SSH will receive: ssh [options] host docker compose -p project action arg1 arg2 ... sshArgs.push("docker", "compose", "-p", project, action, ...extraArgs); try { const { stdout } = await execFileAsync("ssh", sshArgs, { timeout: 30000 }); return stdout.trim(); } catch (error) { throw new Error( `Compose command failed: ${error instanceof Error ? error.message : "Unknown error"}` ); } } ``` **Changes:** 1. Call `validateComposeArgs(extraArgs)` to reject malicious input 2. Replace `join(" ")` with direct argument spreading 3. SSH receives individual arguments, NOT a shell command string **Run:** `pnpm run build` **Expected:** SUCCESS --- ### Step 8: Verify refactored code compiles **Command:** `pnpm run build` **Expected Output:** ``` > homelab-mcp-server@0.3.0 build > tsc (no errors) ``` **Validation:** No type errors, refactoring is syntactically correct. --- ### Step 9: Run security tests to verify injection prevention **Command:** `pnpm test src/services/compose.test.ts -t "Security"` **Expected Output:** ``` PASS (8 injection tests) ✓ should reject semicolon ✓ should reject pipe ✓ should reject ampersand ✓ should reject backticks ✓ should reject dollar sign ✓ should reject greater-than ✓ should reject less-than ✓ should reject newline ``` **Validation:** All malicious inputs are now rejected with "Invalid character" errors. --- ### Step 10: Run tests for valid argument acceptance **Command:** `pnpm test src/services/compose.test.ts -t "should accept"` **Expected Output:** ``` PASS (2 tests) ✓ should accept valid docker compose flags ✓ should accept service names in extraArgs ``` **Note:** Tests will fail with SSH/connection errors (expected in test environment), but should NOT fail with validation errors. --- ### Step 11: Fix listComposeProjects() - Same vulnerability pattern **File:** `src/services/compose.ts` Refactor line 102 from string to argument array: ```typescript export async function listComposeProjects(host: HostConfig): Promise<ComposeProject[]> { const sshArgs = buildComposeArgs(host); // OLD: sshArgs.push("docker compose ls --format json"); // NEW: Pass as separate arguments sshArgs.push("docker", "compose", "ls", "--format", "json"); try { const { stdout } = await execFileAsync("ssh", sshArgs, { timeout: 15000 }); // ... rest unchanged ``` **Run:** `pnpm run build` **Expected:** SUCCESS --- ### Step 12: Fix getComposeStatus() - Same vulnerability pattern **File:** `src/services/compose.ts` Refactor line 154 to use argument array: ```typescript export async function getComposeStatus(host: HostConfig, project: string): Promise<ComposeProject> { validateProjectName(project); const sshArgs = buildComposeArgs(host); // OLD: sshArgs.push(`docker compose -p ${project} ps --format json`); // NEW: Pass as separate arguments sshArgs.push("docker", "compose", "-p", project, "ps", "--format", "json"); try { const { stdout } = await execFileAsync("ssh", sshArgs, { timeout: 15000 }); // ... rest unchanged ``` **Run:** `pnpm run build` **Expected:** SUCCESS --- ### Step 13: Verify all fixes compile **Command:** `pnpm run build` **Expected Output:** ``` > homelab-mcp-server@0.3.0 build > tsc (no errors) ``` **Validation:** All three functions now use secure argument passing. --- ### Step 14: Run full compose.test.ts suite **Command:** `pnpm test src/services/compose.test.ts` **Expected Output:** ``` ✓ src/services/compose.test.ts (20 tests) ✓ validateProjectName (6 tests) ✓ composeBuild (2 tests) ✓ composePull (2 tests) ✓ composeRecreate (2 tests) ✓ composeExec - Security (10 tests) Test Files 1 passed (1) Tests 20 passed (20) ``` **Validation:** All existing tests still pass, new security tests pass. --- ### Step 15: Write edge case tests **File:** `src/services/compose.test.ts` Add tests for edge cases: ```typescript describe("composeExec - Edge Cases", () => { const testHost = { name: "test", host: "localhost", protocol: "http" as const, port: 2375 }; it("should handle empty extraArgs array", async () => { await expect( composeExec(testHost, "myproject", "ps", []) ).rejects.toThrow(/SSH failed|Compose command failed/); // Should NOT throw validation error }); it("should reject argument longer than 500 chars", async () => { const longArg = "a".repeat(501); await expect( composeExec(testHost, "myproject", "up", [longArg]) ).rejects.toThrow(/too long/); }); it("should accept arguments with hyphens and underscores", async () => { await expect( composeExec(testHost, "myproject", "up", ["my-service_name", "--force-recreate"]) ).rejects.toThrow(/SSH failed|Compose command failed/); // Should NOT throw validation error }); it("should accept arguments with dots and equals", async () => { await expect( composeExec(testHost, "myproject", "up", ["--scale", "web=3"]) ).rejects.toThrow(/SSH failed|Compose command failed/); // Should NOT throw validation error }); }); ``` **Run:** `pnpm test src/services/compose.test.ts -t "Edge Cases"` **Expected:** All PASS (may throw SSH errors, but NOT validation errors for valid input) --- ### Step 16: Run edge case tests **Command:** `pnpm test src/services/compose.test.ts -t "Edge Cases" --reporter=verbose` **Expected Output:** ``` PASS (4 tests) ✓ should handle empty extraArgs array ✓ should reject argument longer than 500 chars ✓ should accept arguments with hyphens and underscores ✓ should accept arguments with dots and equals ``` **Validation:** Edge cases handled correctly - legitimate input passes validation, malicious input rejected. --- ### Step 17: Update validation regex to allow safe characters **File:** `src/services/compose.ts` Update `validateComposeArgs()` to allow necessary docker compose characters: ```typescript function validateComposeArgs(args: string[]): void { // Allow: alphanumeric, hyphen, underscore, dot, equals, colon, forward slash, comma, space // Reject: all shell metacharacters const SHELL_METACHARACTERS = /[;&|`$()<>{}[\]\\"\'\n\r\t]/; for (const arg of args) { if (SHELL_METACHARACTERS.test(arg)) { throw new Error(`Invalid character in compose argument: ${arg}`); } if (arg.length > 500) { throw new Error(`Compose argument too long: ${arg.substring(0, 50)}...`); } } } ``` **Note:** Spaces are allowed because SSH with execFile properly escapes arguments. The shell metacharacters regex already covers the dangerous characters. **Run:** `pnpm run build && pnpm test src/services/compose.test.ts -t "Edge Cases"` **Expected:** All PASS --- ### Step 18: Run full test suite across all service files **Command:** `pnpm test src/services/` **Expected Output:** ``` ✓ src/services/compose.test.ts (24 tests) ✓ src/services/docker.test.ts (X tests) ✓ src/services/ssh.test.ts (X tests) Test Files 3 passed (3) Tests XX passed (XX) ``` **Validation:** All service tests pass, no regressions introduced. --- ### Step 19: Run full project test suite **Command:** `pnpm test` **Expected Output:** ``` ✓ src/lint.test.ts ✓ src/schemas/unified.test.ts ✓ src/formatters/formatters.test.ts ✓ src/services/compose.test.ts (24 tests) ✓ src/services/docker.test.ts ✓ src/services/ssh.test.ts ✓ src/tools/unified.test.ts ✓ src/tools/unified.integration.test.ts Test Files 8 passed (8) Tests XXX passed (XXX) ``` **Validation:** Zero regressions across entire codebase. --- ### Step 20: Run type checking **Command:** `pnpm run build && pnpm run lint` **Expected Output:** ``` > homelab-mcp-server@0.3.0 build > tsc > homelab-mcp-server@0.3.0 lint > eslint . (no errors) ``` **Validation:** Type safety and code quality maintained. --- ### Step 21: Write integration test for end-to-end security **File:** `src/services/compose.integration.test.ts` (new file) Create integration test demonstrating full attack prevention: ```typescript import { describe, it, expect } from "vitest"; import { composeExec } from "./compose.js"; describe("Compose Security - Integration", () => { it("should prevent command injection through entire call chain", async () => { const maliciousHost = { name: "test-host", host: "localhost", protocol: "http" as const, port: 2375 }; // Attempt realistic attack: stop legitimate service, then delete data const attackVector = ["down", "-v;", "rm", "-rf", "/var/lib/docker"]; await expect( composeExec(maliciousHost, "production-db", "up", attackVector) ).rejects.toThrow(/Invalid character/); // Verify error message contains security context try { await composeExec(maliciousHost, "production-db", "up", attackVector); } catch (error) { expect(error).toBeInstanceOf(Error); expect((error as Error).message).toMatch(/Invalid character/); expect((error as Error).message).toMatch(/down/); // Shows which arg failed } }); }); ``` **Run:** `pnpm test src/services/compose.integration.test.ts` **Expected:** PASS --- ### Step 22: Run integration security test **Command:** `pnpm test src/services/compose.integration.test.ts --reporter=verbose` **Expected Output:** ``` PASS src/services/compose.integration.test.ts ✓ Compose Security - Integration ✓ should prevent command injection through entire call chain Test Files 1 passed (1) Tests 1 passed (1) ``` **Validation:** End-to-end attack prevention verified. --- ### Step 23: Add JSDoc security documentation **File:** `src/services/compose.ts` Update function documentation to highlight security: ```typescript /** * Validate extra arguments for docker compose commands * * SECURITY: Prevents command injection by rejecting shell metacharacters. * Only allows alphanumeric, hyphens, underscores, dots, equals, colons, * forward slashes, commas, and spaces. * * @throws {Error} If argument contains shell metacharacters or exceeds 500 chars */ function validateComposeArgs(args: string[]): void { // ... implementation } /** * Execute docker compose command on remote host * * SECURITY: Uses execFile with argument arrays (not shell strings) to prevent * command injection. All extraArgs are validated before execution. * * @param host - Host configuration with SSH details * @param project - Docker Compose project name (validated, alphanumeric only) * @param action - Compose action (up, down, restart, etc.) * @param extraArgs - Additional arguments (validated for shell metacharacters) * @returns Command output * @throws {Error} If validation fails or SSH execution fails */ export async function composeExec( host: HostConfig, project: string, action: string, extraArgs: string[] = [] ): Promise<string> { // ... implementation } ``` **Run:** `pnpm run build` **Expected:** SUCCESS (documentation doesn't affect compilation) --- ### Step 24: Verify documentation compiles **Command:** `pnpm run build` **Expected Output:** ``` > homelab-mcp-server@0.3.0 build > tsc (no errors) ``` **Validation:** JSDoc is syntactically correct. --- ### Step 25: Create security audit checklist **File:** `docs/SECURITY.md` (update or create) Add section documenting the fix: ```markdown ## Command Injection Prevention ### Fixed Vulnerabilities #### CVE-INTERNAL-2025-001: SSH Command Injection in compose.ts - **Severity:** CRITICAL (CVSS 9.1) - **CWE:** CWE-78 (Improper Neutralization of Special Elements) - **Status:** FIXED (2025-12-24) **Summary:** The `composeExec()` function concatenated user-controlled arguments into a shell command string, allowing arbitrary command execution on remote Docker hosts. **Fix:** 1. Replaced shell string concatenation with execFile argument arrays 2. Added `validateComposeArgs()` to reject shell metacharacters 3. Applied same fix to `listComposeProjects()` and `getComposeStatus()` **Testing:** - 10 attack vector tests covering all shell metacharacters - 4 edge case tests for legitimate argument patterns - 1 end-to-end integration test **Validation:** ```bash pnpm test src/services/compose.test.ts -t "Security" pnpm test src/services/compose.integration.test.ts ``` ### Security Checklist for Compose Operations - [x] User input validated before execution - [x] Shell metacharacters rejected - [x] execFile used with argument arrays (not shell strings) - [x] Project names validated with strict regex - [x] Service names validated with strict regex - [x] Argument length limits enforced (DoS prevention) - [x] Comprehensive test coverage for attack vectors ### Safe Argument Patterns **Allowed characters in extraArgs:** - Alphanumeric: `a-zA-Z0-9` - Separators: `-_.=/:` - Whitespace: ` ` (space) **Rejected characters (shell metacharacters):** - Command chaining: `;`, `|`, `&&`, `||` - Substitution: `` ` ``, `$()` - Redirection: `<`, `>`, `<<`, `>>` - Expansion: `*`, `?`, `{`, `}`, `[`, `]` - Quoting: `"`, `'`, `\` - Control: `\n`, `\r`, `\t` ``` **Run:** `ls docs/SECURITY.md` **Expected:** File exists --- ### Step 26: Run final verification - all tests **Command:** `pnpm test --coverage` **Expected Output:** ``` ✓ All test suites passed Test Files 8 passed (8) Tests XXX passed (XXX) Coverage: compose.ts: 100% statements, 100% branches, 100% functions (other files...) ``` **Validation:** Full test coverage, all security tests passing. --- ### Step 27: Commit the security fix **Command:** ```bash git add src/services/compose.ts src/services/compose.test.ts src/services/compose.integration.test.ts docs/SECURITY.md git commit -m "$(cat <<'EOF' security: fix CRITICAL SSH command injection in compose.ts (CVE-INTERNAL-2025-001) Fixed CVSS 9.1 command injection vulnerability in composeExec() and related functions. Changes: - Add validateComposeArgs() to reject shell metacharacters - Replace shell string concatenation with execFile argument arrays - Apply fix to composeExec(), listComposeProjects(), getComposeStatus() - Add 10 attack vector tests covering all shell injection patterns - Add 4 edge case tests for legitimate argument validation - Add end-to-end integration test for attack prevention - Document security fix in docs/SECURITY.md Attack vectors prevented: - Command chaining (;, &&, ||) - Command substitution (backticks, $()) - Pipe redirection (|, <, >) - Variable expansion ($VAR) - Control characters (\n, \r, \t) Testing: pnpm test src/services/compose.test.ts (24 tests, all passing) pnpm test src/services/compose.integration.test.ts (1 test, passing) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> EOF )" ``` **Expected:** Commit created successfully --- ### Step 28: Verify commit was created **Command:** `git log -1 --oneline` **Expected Output:** ``` abc1234 security: fix CRITICAL SSH command injection in compose.ts (CVE-INTERNAL-2025-001) ``` **Validation:** Security fix committed with detailed context. --- ### Step 29: Run git status to confirm clean state **Command:** `git status` **Expected Output:** ``` On branch fix/bugs Your branch is ahead of 'origin/fix/bugs' by 1 commit. (use "git push" to publish your local commits) nothing to commit, working tree clean ``` **Validation:** All changes committed, working directory clean. --- ### Step 30: Final security verification - manual inspection **Manual Review:** 1. Open `src/services/compose.ts` and verify: - Line 82: NO `join(" ")` present - Line 85: Uses `sshArgs.push("docker", "compose", ...)` with individual arguments - `validateComposeArgs()` function exists before `composeExec()` - All three functions (composeExec, listComposeProjects, getComposeStatus) use argument arrays 2. Open `src/services/compose.test.ts` and verify: - "composeExec - Security" test suite exists - At least 10 test cases covering shell metacharacters - "Edge Cases" test suite exists with valid argument tests 3. Run final security test: ```bash pnpm test src/services/compose.test.ts -t "should reject" ``` Expected: All 8 "should reject" tests PASS **Validation:** Manual code review confirms no shell string concatenation remains. --- ## Summary **Security Improvements:** - ✅ Eliminated CVSS 9.1 command injection vulnerability - ✅ Added input validation for all user-controlled arguments - ✅ Replaced shell string execution with safe argument arrays - ✅ Comprehensive test coverage (15+ security tests) - ✅ Documentation of security fix and safe patterns **Files Modified:** - `src/services/compose.ts` - Added validation, refactored 3 functions - `src/services/compose.test.ts` - Added 14 security tests - `src/services/compose.integration.test.ts` - NEW, end-to-end security test - `docs/SECURITY.md` - NEW/UPDATED, security documentation **Test Coverage:** - 10 attack vector tests (all shell metacharacters) - 4 edge case tests (legitimate argument patterns) - 1 integration test (end-to-end attack prevention) - 0 regressions in existing tests **Verification Commands:** ```bash # Security tests pnpm test src/services/compose.test.ts -t "Security" # Edge cases pnpm test src/services/compose.test.ts -t "Edge Cases" # Integration pnpm test src/services/compose.integration.test.ts # Full suite pnpm test --coverage ``` **Risk Assessment:** - **Before:** CRITICAL - Arbitrary command execution on all managed hosts - **After:** NONE - All shell metacharacters rejected, safe argument passing **Breaking Changes:** NONE - Existing legitimate usage patterns still work - Only malicious inputs are rejected (as intended)

Loading blob content...

Latest Blog Posts

How to Test MCP Streamable HTTP Endpoints Using cURL
By punkpeye on January 2, 2026.
tutorial
bash
What is Streamable HTTP in MCP?
By punkpeye on January 2, 2026.
Streamable HTTP
What Is Context Bloat in MCP?
By Om-Shree-0709 on December 16, 2025.
mcp
Context Bloat

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/jmagar/homelab-mcp'

If you have feedback or need assistance with the MCP directory API, please join our Discord server

2025-12-24-fix-ssh-command-injection.md•25.9 kB