Summary
The WindowsExecutor class in docker_executor.py uses asyncio.create_subprocess_shell() with string interpolation, allowing command injection through the project_name parameter.
Location
src/docker_mcp/docker_executor.py, lines 16-20
The project_name comes directly from user input (arguments.get("project_name")) and is injected into a shell command without any sanitization. A malicious project name like test && rm -rf / would be executed by the shell.
Since this MCP server is designed to be used with LLM agents (Claude, Cursor, etc.), a prompt injection attack could exploit this to execute arbitrary commands on the host system.
Suggested Fix
- Replace create_subprocess_shell with create_subprocess_exec (takes a list of arguments)
- Or validate project_name with a strict regex like ^[a-zA-Z0-9_-]+$
- The UnixExecutor already uses create_subprocess_exec correctly — apply the same pattern to WindowsExecutor
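The two fixes above combined, as an added illustration rather than the project's own code: the project name is checked against the regex from this issue, then passed as one argv element to create_subprocess_exec so no shell ever parses it. The "docker compose -p <name> -f <file> <action>" command shape and the function names are assumptions for the example.

```python
import asyncio
import re
from typing import Sequence

# Allow-list suggested in the issue: letters, digits, underscore, hyphen.
PROJECT_NAME_RE = re.compile(r"^[a-zA-Z0-9_-]+$")


def is_valid_project_name(name: str) -> bool:
    """True only if the whole name matches the allow-list (no shell metacharacters)."""
    return isinstance(name, str) and PROJECT_NAME_RE.fullmatch(name) is not None


def validate_project_name(name: str) -> str:
    """Fail closed on anything outside the allow-list.

    Even though create_subprocess_exec never invokes a shell, validating here is
    defence in depth: it bounds what reaches the docker CLI and gives the caller
    (here, an LLM agent) an explicit error instead of an opaque docker failure.
    """
    if not is_valid_project_name(name):
        raise ValueError(f"invalid project_name: {name!r}")
    return name


def build_compose_argv(project_name: str, compose_file: str, *action: str) -> list[str]:
    """Build an argv list; each element reaches the program as exactly one argument.

    Hypothetical command shape: docker compose -p <name> -f <file> <action...>
    """
    return ["docker", "compose", "-p", validate_project_name(project_name),
            "-f", compose_file, *action]


async def run_argv(argv: Sequence[str]) -> tuple[int, str, str]:
    """Run the argv without a shell, the pattern the issue says UnixExecutor uses."""
    proc = await asyncio.create_subprocess_exec(
        *argv, stdout=asyncio.subprocess.PIPE, stderr=asyncio.subprocess.PIPE
    )
    out, err = await proc.communicate()
    return proc.returncode, out.decode(errors="replace"), err.decode(errors="replace")


if __name__ == "__main__":
    # Constructed inputs: a benign name, then the hostile name quoted in the issue.
    print(build_compose_argv("my-app_1", "docker-compose.yml", "up", "-d"))
    try:
        build_compose_argv("test && rm -rf /", "docker-compose.yml", "up")
    except ValueError as exc:
        print("rejected:", exc)
```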
Found during a security audit of MCP servers.