bug(mcp): unsanitized prefix in WithPrefix enables arbitrary command execution #3757

@Elvand-Lie

Bug Report

Description

The buildArgs function in pkg/mcp/mcp.go uses strings.Fields(prefix) to split the command prefix, then passes parts[0] directly to exec.CommandContext. The WithPrefix() option does not validate the prefix string, so a caller can provide a value containing shell metacharacters or a path to an arbitrary binary.

Steps to Reproduce

// A malicious or misconfigured prefix
s := mcp.New(mcp.WithPrefix("func; rm -rf /"))
// buildArgs will split this and pass it to exec.CommandContext

Impact

In practice, the prefix is set by cmd/mcp.go using the compiled-in cobra root command name (rootCmd.Use), so exploitation requires control of the server construction. However, as a library (pkg/mcp), any consumer can call WithPrefix() with arbitrary input.

Note that exec.CommandContext does not invoke a shell, so the semicolon example above would not actually execute rm. The real risk is that an arbitrary binary path could be specified as the first field of the prefix.

Proposed Fix

Validate the prefix at construction time in WithPrefix() to reject disallowed shell metacharacters and empty/whitespace-only values.

Environment

  • Component: pkg/mcp/mcp.go
  • Lines: 37-42 (WithPrefix), 169-176 (buildArgs)
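A construction-time check in the spirit of the proposed fix, added here as an example and not code from the project or the reporter. ValidatePrefix, isPrefixField and ErrInvalidPrefix are assumed names; it goes slightly beyond the report by using a per-character allow-list instead of a metacharacter deny-list, so path separators are rejected and the first field can only be resolved by PATH lookup.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrInvalidPrefix is an assumed sentinel error name for rejected prefixes.
var ErrInvalidPrefix = errors.New("mcp: invalid command prefix")

// isPrefixField reports whether one whitespace-separated field contains only
// letters, digits, '-', '_' and '.'. An allow-list rejects path separators,
// quotes and shell metacharacters by default instead of enumerating them.
func isPrefixField(f string) bool {
	for _, r := range f {
		switch {
		case r >= 'a' && r <= 'z', r >= 'A' && r <= 'Z', r >= '0' && r <= '9':
		case r == '-', r == '_', r == '.':
		default:
			return false
		}
	}
	return f != ""
}

// ValidatePrefix is the check WithPrefix would run before storing the value.
// It returns the split fields so buildArgs can reuse them: fields[0] is the
// binary name, fields[1:] are fixed leading arguments. Because '/' and '\'
// are not allowed, fields[0] cannot name an arbitrary absolute or relative path.
func ValidatePrefix(prefix string) ([]string, error) {
	fields := strings.Fields(prefix)
	if len(fields) == 0 {
		return nil, fmt.Errorf("%w: empty or whitespace-only", ErrInvalidPrefix)
	}
	for _, f := range fields {
		if !isPrefixField(f) {
			return nil, fmt.Errorf("%w: disallowed character in %q", ErrInvalidPrefix, f)
		}
	}
	return fields, nil
}

func main() {
	// Constructed inputs: the report's example plus a path and a blank value.
	for _, p := range []string{"func", "func --verbose", "func; rm -rf /", "/tmp/evil", "  "} {
		fields, err := ValidatePrefix(p)
		fmt.Printf("%-18q -> %v %v\n", p, fields, err)
	}
}
```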
