0dd commented Dec 30, 2025

Path Validation for GitPython inconsistent implementation

Description

Server Details

  • Server: Git Server
  • Changes to: Git Add Tool

Motivation and Context

Fix Security Issue

How Has This Been Tested?

Existing Git Server Python Test cases, and Local MCP test.

Breaking Changes

No

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update

Checklist

  • I have read the MCP Protocol Documentation
  • My changes follow MCP security best practices
  • I have updated the server's README accordingly
  • I have tested this with an LLM client
  • My code follows the repository's style guidelines
  • New and existing tests pass locally
  • I have added appropriate error handling
  • I have documented all environment variables and configuration options

Additional context

0dd added 3 commits December 29, 2025 15:33

Add validation to ensure file paths are within repository boundaries
before staging. This prevents potential issues with relative paths
and improves overall robustness of the git_add function.

Use Git CLI directly instead of GitPython index API to ensure proper
path validation and prevent option injection. The '--' separator ensures
file paths starting with '-' are handled correctly.

…-git-add-validation

# Conflicts:
#	src/git/src/mcp_server_git/server.py
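
An added example (not code from this pull request or from the MCP git server): one way to implement the two checks the commit messages above describe, rejecting paths that resolve outside the repository and handing the rest to the Git CLI after `--`. The function names and the sample paths are assumptions made for illustration.

```python
import os
import subprocess
from pathlib import Path


def validate_paths(repo_root, files):
    """Return repo-relative paths; raise ValueError if any resolves outside repo_root."""
    root = Path(repo_root).resolve()
    safe = []
    for name in files:
        # Joining with an absolute name discards root, so absolute paths are
        # checked too. resolve() collapses ".." and follows symlinks.
        target = (root / name).resolve()
        if target != root and root not in target.parents:
            raise ValueError(f"path outside repository: {name!r}")
        safe.append(os.path.relpath(target, root))
    return safe


def build_add_argv(repo_root, files):
    """Build the git command line. Everything after '--' is a path, never an option."""
    root = str(Path(repo_root).resolve())
    return ["git", "-C", root, "add", "--", *validate_paths(repo_root, files)]


def git_add(repo_root, files):
    """Stage the validated files. argv list, no shell, so names stay single arguments."""
    subprocess.run(build_add_argv(repo_root, files), check=True)


if __name__ == "__main__":
    # Constructed inputs: a normal file, a name that looks like an option,
    # and a relative path that climbs out of the repository.
    repo = os.getcwd()
    for candidate in (["README.md"], ["-f"], ["../outside.txt"]):
        try:
            print(build_add_argv(repo, candidate)[3:])
        except ValueError as err:
            print("rejected:", err)
```
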
0dd commented Dec 30, 2025

@cliffhall @olahungerford @domdomegg

Please take a look at this proposed fix.
Same again, private access added for review.
