fix: path traversal security vulnerability in mcp tools

[jope-bm]

---

title: Path Traversal Security Vulnerability Fix
type: note
permalink: security/path-traversal-security-vulnerability-fix
tags:

• '["security"'
• '"vulnerability"'
• '"path-traversal"'
• '"mcp"'
• '"fix"]'

---

Path Traversal Security Vulnerability Fix

Overview

Fixed a critical path traversal security vulnerability in Basic Memory's MCP tools that could allow malicious file system access outside of intended project directories.

Vulnerability Details

• Type: Path Traversal (CWE-22)
• Severity: High
• Impact: Potential unauthorized file system access
• Affected Components: MCP tools that handle file paths
• Discovery: Internal security review

Root Cause

Several MCP tools were accepting user-provided file paths without proper validation, allowing potential directory traversal attacks using sequences like ../ to access files outside the intended project scope.

Affected Tools

The following MCP tools were vulnerable:

• read_content - Could read arbitrary files on the system
• write_note - Could write files outside project directories
• read_note - Could modify files outside project scope
• move_note - Could move files to/from unauthorized locations

Fix Implementation

• Protection Function: Added protect_path() function in src/basic_memory/mcp/utils.py
• Validation Logic: Ensures all file paths are within the current project directory
• Normalization: Uses os.path.normpath() to resolve path traversal sequences
• Security Check: Validates that resolved paths start with the project root
• Error Handling: Raises ValueError for invalid paths with descriptive messages

Code Changes

• Added path protection utility function
• Integrated protection into all vulnerable MCP tools
• Added comprehensive test coverage for path traversal scenarios
• Updated error messages to be security-aware

Testing

• Created test suite covering various path traversal attack vectors
• Verified protection against ../ sequences
• Tested edge cases and boundary conditions
• Confirmed legitimate file operations still work correctly
• Tested mcp tools to create new note and read note using Claude Code.

Security Impact

• Before: Attackers could potentially access any file on the system
• After: File access restricted to project directories only
• Defense: Proactive validation prevents path traversal attacks

Related Information

• Security Classification: Defensive security measure
• Review: Internal security assessment completed

[phernandez]

Good Lord, man. That is a lot of tests.

[jope-bm]

Good Lord, man. That is a lot of tests.

Yeah claude went kind of nuts and didn't mock the behavior of validate_project_path() inside the tools, and so it validated the behavior of validate_project_path() even though we have separate unit tests for that. I can have claude mock validate_project_path so the tool tests aren't so much overkill.