Release v2.1.3 — Path confinement (security) · Wolfe-Jam/faf-mcp

Security

Path confinement on every caller-supplied path argument (CWE-22 / CWE-73 / CWE-200).

The shared getProjectPath() chokepoint (feeding the .faf tools) and the faf_read / faf_write file tools resolved a caller path straight into a filesystem read/write with no confinement — so an absolute path or ../ traversal could read any file the server process could read (e.g. /etc/passwd, ~/.ssh/id_rsa) or write outside the project.

New safe-path.ts confines reads to .faf / .fafm context files and general file ops to the project root (cwd + system temp; override with FAF_ALLOWED_ROOTS), canonicalizes through symlinks (closing the symlink bypass), and rejects traversal/absolute escapes; callTool() gains a central PATH-DENIED guard. Adds a security regression suite.

Identified by the maintainers during a sibling-server audit prompted by the coordinated disclosure of the same class of issue in grok-faf-mcp by Zhihao Zhang (Worcester Polytechnic Institute).

Upgrade: npm install -g faf-mcp@2.1.3 (or npx faf-mcp).

Assisted by Claude (Opus 4.8) · Approved by James Wolfe (@Wolfe-Jam)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

v2.1.3 — Path confinement (security)

Choose a tag to compare

Sorry, something went wrong.

Sorry, something went wrong.

Uh oh!

No results found

Security

Contributors

Uh oh!