wonderwhy-er DesktopCommanderMCP Directory Traversal Vulnerability Allowing Arbitrary File Access

A directory traversal vulnerability has been identified in wonderwhy-er DesktopCommanderMCP versions through 0.2.13. The issue arises in the 'isPathAllowed' function within 'src/tools/filesystem.ts', where the application fails to properly resolve symbolic links. This oversight allows an attacker to create a symlink in an allowed directory that points to a restricted file, bypassing directory access controls. The vulnerability enables arbitrary read or write operations on files, depending on the privileges of the user running the application. This could lead to exposure of sensitive information, such as SSH keys or configuration files, and potentially allow code execution if executable files are targeted.

Impact

Exploitation of this vulnerability completely bypasses directory restrictions, allowing for arbitrary file read or write operations with the permissions of the running process. This could result in exposure of sensitive data or code execution, depending on the files accessed.

Reproduction

To reproduce this vulnerability, set up DesktopCommanderMCP with an MCP client. No 'allowedDirectory' is set by default, so configure the client to use a directory that is considered safe. After setting the allowed directory, create a symlink within it that points to a sensitive file in a restricted location. Once the symlink is established, the application will follow it, bypassing the directory restrictions and allowing access to the sensitive file.

Remediation

The vulnerability can be addressed by modifying the 'isPathAllowed' function to resolve the true, canonical path of user-provided input, including all symbolic links. In Node.js, this can be done using 'fs.realpathSync()'.