Aider-MCP Command Injection Vulnerability in Code_with_AI Tool
Vulnerability
A command injection vulnerability has been identified in the Aider-MCP project, specifically in the 'code_with_ai' tool. This issue affects the file 'aider_mcp.py' in the repository version up to commit '667b914'. The vulnerability arises because the 'working_dir' and 'editable_files' arguments are not properly sanitized, allowing attackers to inject arbitrary commands that are executed on the host system. The issue can be exploited remotely, and the injected commands are executed with the same privileges as the user running the Aider-MCP server.
Impact
Exploitation of this vulnerability allows for arbitrary command execution on the host machine, with potential consequences for confidentiality, integrity, and availability. An attacker could execute commands to read or modify files, including repository secrets and environment variables, disrupt service by deleting files or consuming system resources, or execute commands that crash the application.
Reproduction
To reproduce this vulnerability, use the 'code_with_ai' tool and inject a second command through the 'editable_files' argument. The injected command will be executed on the host system due to the 'shell=True' parameter in the subprocess call, allowing for command injection via shell metacharacters.
Remediation
It is recommended to replace the current method of executing commands as a shell string with an argument-array execution approach, which is safer and prevents command injection. Additionally, enforce a conservative allowlist for filenames in the 'editable_files' argument and add regression tests to ensure the vulnerability is addressed.
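The remediation above, sketched as an added example (not the Aider-MCP project's own code): an argument-array call with a filename allowlist and a regression check over constructed hostile inputs. The function names, the allowlist pattern and the 'aider --message=...' command layout are assumptions made for illustration.

```python
import re
import subprocess
from pathlib import Path

# Assumed conservative allowlist: letters, digits, "_", ".", "/", "-";
# a leading "-" (option injection) or "/" (absolute path) is refused.
SAFE_NAME = re.compile(r"[A-Za-z0-9_.][A-Za-z0-9_./-]*")

def build_argv(working_dir, editable_files, message):
    """Return an argv list for the tool, or raise ValueError on bad input."""
    root = Path(working_dir).resolve()
    if not root.is_dir():
        raise ValueError(f"working_dir is not a directory: {working_dir!r}")
    argv = ["aider", f"--message={message}"]  # assumed command layout
    for name in editable_files:
        if not SAFE_NAME.fullmatch(name):
            raise ValueError(f"rejected filename: {name!r}")
        target = (root / name).resolve()
        # Refuse "../" escapes and symlinks that leave working_dir.
        if not target.is_relative_to(root):
            raise ValueError(f"path escapes working_dir: {name!r}")
        argv.append(str(target))
    return argv

def run_tool(working_dir, editable_files, message):
    argv = build_argv(working_dir, editable_files, message)
    # List argv with shell=False: no shell parses the arguments, so ";",
    # "|", "$()" and backticks reach the program as literal text.
    return subprocess.run(argv, cwd=Path(working_dir).resolve(), shell=False,
                          capture_output=True, text=True, timeout=600)

def regression_check(tmp_dir):
    """Constructed hostile filenames; every one must be rejected."""
    hostile = ["a.py; id", "a.py && id", "$(id).py", "`id`.py", "a.py|id",
               "--config=x", "../outside.py", "/etc/passwd", "a b.py"]
    rejected = []
    for name in hostile:
        try:
            build_argv(tmp_dir, [name], "refactor")
        except ValueError:
            rejected.append(name)
    return rejected == hostile
```

Validation and argv construction are kept in one function so the regression check exercises exactly the path the tool handler uses, without launching the external program.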
