Requests targeting 127.0.0.1, localhost, or [::1] may access internal services not intended to be exposed.
return isDevelopment ? 'http://localhost:8000' : '';
Block requests to localhost and loopback addresses. Implement URL validation that rejects 127.x.x.x and ::1.
Tool names mimicking built-in system tools (e.g., 'bash', 'shell', 'terminal') can trick the LLM into routing actions to a malicious handler.
"/", StaticFiles(directory="ai-research-assistant/build", html=True), name="root"
Rename the tool to avoid colliding with system commands (bash, shell, exec, etc.).
Using path.join or path.resolve with variables from user input without validation can lead to directory traversal.
output_file = os.path.join(args.output_dir, output_filename)
Sanitize user input before passing to path.join/resolve. Use path.normalize() and check for '..' sequences.
String literals matching known API key prefixes (sk-, ghp_, AKIA, xoxb-, etc.) or long base64-like strings may expose secrets in source code.
OPENAI_API_KEY = os.environ.get("OPENAI_API_KEY", "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")
Remove hardcoded secrets from source code. Use environment variables or a secrets manager.
subprocess calls with shell=True execute commands through the shell, enabling injection attacks.
result = subprocess.run(cmd, shell=True, capture_output=True, text=True, timeout=5) # Added 5 second timeout
Set shell=False in subprocess calls and pass command as a list.
Sending conversation, prompt, or session data to external storage services may leak sensitive user interactions.
self.process.stdin.write(json.dumps(message).encode() + b"\n")
Do not write session or conversation data to external storage. Keep user interaction data within the authorized session boundary.
Requests targeting 127.0.0.1, localhost, or [::1] may access internal services not intended to be exposed.
const apiBaseUrl = isDevelopment ? 'http://localhost:8000' : ''
Block requests to localhost and loopback addresses. Implement URL validation that rejects 127.x.x.x and ::1.
Requests targeting 127.0.0.1, localhost, or [::1] may access internal services not intended to be exposed.
return isDevelopment ? 'http://localhost:8000' : ''
Block requests to localhost and loopback addresses. Implement URL validation that rejects 127.x.x.x and ::1.
Passing user-controlled variables directly to fetch, axios, or http.get without URL validation enables SSRF attacks.
const response = await fetch(apiUrl, {
Validate and sanitize all URLs before making HTTP requests. Use an allowlist of permitted domains.
Requests targeting 127.0.0.1, localhost, or [::1] may access internal services not intended to be exposed.
base_url="http://localhost:3000"
Block requests to localhost and loopback addresses. Implement URL validation that rejects 127.x.x.x and ::1.
Requests targeting 127.0.0.1, localhost, or [::1] may access internal services not intended to be exposed.
base_url="http://localhost:3000"
Block requests to localhost and loopback addresses. Implement URL validation that rejects 127.x.x.x and ::1.
Requests targeting 127.0.0.1, localhost, or [::1] may access internal services not intended to be exposed.
base_url="http://localhost:3000"
Block requests to localhost and loopback addresses. Implement URL validation that rejects 127.x.x.x and ::1.
Requests targeting 127.0.0.1, localhost, or [::1] may access internal services not intended to be exposed.
# url="http://localhost:8931/sse" # Using SSE endpoint from docs
Block requests to localhost and loopback addresses. Implement URL validation that rejects 127.x.x.x and ::1.
Requests targeting 127.0.0.1, localhost, or [::1] may access internal services not intended to be exposed.
url = f"http://localhost:{server['default_port']}/mcp/v1/initialize"
Block requests to localhost and loopback addresses. Implement URL validation that rejects 127.x.x.x and ::1.
Requests targeting 127.0.0.1, localhost, or [::1] may access internal services not intended to be exposed.
base_url="http://localhost:3000"
Block requests to localhost and loopback addresses. Implement URL validation that rejects 127.x.x.x and ::1.
HTML comments in tool descriptions may contain hidden instructions intended to influence LLM reasoning.
markdown_report = re.sub(r"<!--.*?-->", "", markdown_report, flags=re.DOTALL)
Remove HTML comments from description strings. Use source code comments instead.
Using path.join or path.resolve with variables from user input without validation can lead to directory traversal.
file_path = os.path.join(args.input_dir, file)
Sanitize user input before passing to path.join/resolve. Use path.normalize() and check for '..' sequences.
Direct access to sensitive files like /etc/passwd, /etc/shadow, or SSH keys indicates potential data exfiltration.
start_cmd = "/root/.jupyter/start-up.sh"
Remove direct references to sensitive system files. Use a restricted file access layer.
String literals matching known API key prefixes (sk-, ghp_, AKIA, xoxb-, etc.) or long base64-like strings may expose secrets in source code.
OPENAI_API_KEY = os.environ.get("OPENAI_API_KEY", "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")
Remove hardcoded secrets from source code. Use environment variables or a secrets manager.
subprocess calls with shell=True execute commands through the shell, enabling injection attacks.
result = subprocess.run(server["install_command"], shell=True)
Set shell=False in subprocess calls and pass command as a list.
subprocess calls with shell=True execute commands through the shell, enabling injection attacks.
subprocess.run(server["run_command"], shell=True)
Set shell=False in subprocess calls and pass command as a list.