fix(security): remove shell=True to prevent command injection on Windows #2351
Open
xr843 wants to merge 1 commit into modelcontextprotocol:main from
Replaces shell=True subprocess calls with explicit argument lists to prevent command injection vulnerabilities, particularly on Windows where shell metacharacters can be exploited.

In _get_npx_command(), replaced subprocess.run() with shutil.which() to locate the npx executable without spawning a shell process. This is both safer and more efficient.

In dev(), removed the conditional shell=True for Windows since _get_npx_command() already resolves the correct executable name (e.g. npx.cmd), making shell dispatch unnecessary.

Fixes modelcontextprotocol#1257

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Summary

Fixes #1257 — removes shell=True from subprocess calls in mcp dev to prevent command injection on Windows.

- _get_npx_command(): Replaced subprocess.run([cmd, "--version"], shell=True) with shutil.which(cmd) to locate the npx executable without spawning a shell. This is both safer (no shell metacharacter interpretation) and more efficient (no subprocess overhead just to check existence).
- dev() command: Removed the conditional shell=True (shell = sys.platform == "win32") from the subprocess.run() call that launches the MCP Inspector. Since _get_npx_command() already resolves the platform-specific executable name (e.g. npx.cmd on Windows), shell dispatch is unnecessary.
- test_get_npx_windows and test_get_npx_returns_none_when_npx_missing to mock shutil.which instead of subprocess.run.

Why this matters

On Windows, shell=True passes commands through cmd.exe, which interprets shell metacharacters (&, |, %, etc.). If any part of the command string contains these characters (e.g. a crafted file path like server&calc.py), arbitrary commands could be executed. The Python documentation explicitly warns against this.

Test plan

- shutil.which() approach
- mcp dev server.py still launches the inspector correctly on Windows

🤖 Generated with Claude Code
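The pattern this description talks about, as an added example (not the code from this PR or from the MCP SDK): locate npx with shutil.which(), show the text that shell=True would hand to cmd.exe for the server&calc.py path, and build an argv list for a shell-less launch. The function names, the candidate executable names other than npx.cmd, the inspector package name and the metacharacter set are assumptions of this sketch; it also refuses metacharacters when the resolved launcher is a .cmd/.bat file, because Windows starts batch files through cmd.exe even with shell=False.

```python
import shutil
import subprocess
import sys

# Characters cmd.exe reinterprets; the exact set is this example's assumption.
CMD_METACHARS = set('&|<>^%!"\r\n')
INSPECTOR_PKG = "@modelcontextprotocol/inspector"  # assumed package name

def find_npx(which=shutil.which, platform=sys.platform):
    """Locate npx on PATH without spawning a shell; returns a path or None."""
    names = ("npx.cmd", "npx.exe", "npx") if platform == "win32" else ("npx",)
    for name in names:
        path = which(name)
        if path:
            return path
    return None

def shell_command_line(argv):
    """Text Python places inside `cmd.exe /c "..."` for shell=True on Windows."""
    return subprocess.list2cmdline(argv)

def build_inspector_argv(npx_path, server_args):
    """Build an argv list for subprocess.run(argv), i.e. shell=False."""
    if npx_path.lower().endswith((".cmd", ".bat")):
        # Windows starts batch files through cmd.exe even with shell=False,
        # so refuse arguments that cmd.exe would reinterpret.
        for arg in server_args:
            if CMD_METACHARS.intersection(arg):
                raise ValueError(f"unsafe argument for batch launcher: {arg!r}")
    return [npx_path, INSPECTOR_PKG, *server_args]

if __name__ == "__main__":
    crafted = "server&calc.py"  # constructed input, the path from the PR text
    print(shell_command_line(["npx.cmd", INSPECTOR_PKG, crafted]))  # '&' unquoted
    npx = find_npx()
    if npx is None:
        sys.exit("npx not found on PATH")
    try:
        print(build_inspector_argv(npx, [crafted]))
    except ValueError as exc:
        print(f"rejected: {exc}")
```

subprocess.list2cmdline quotes only arguments that contain whitespace or are empty, which is why the & reaches cmd.exe unquoted in the shell=True case.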