Salastil/odysseus
1
0
Fork 0
mirror of https://github.com/pewdiepie-archdaemon/odysseus.git synced 2026-06-24 13:45:24 -04:00
Code Issues Packages Projects Releases Wiki Activity
Files
5ce2056521bb68c18f7ddd882cc9a9c18ba8f417
odysseus/tests/test_manage_mcp_command_allowlist.py
T
Kenny Van de Maele 5ce2056521 refactor(tools): migrate config/integration admin tools to the registry (#4742) 
Part of #3629 (the `admin_tools.py` bullet). Moves the config/integration admin
tools off the legacy elif dispatch chain in tool_implementations.py onto the
agent_tools registry:

  manage_endpoints, manage_mcp, manage_webhooks, manage_tokens, manage_settings

The do_* implementations (and manage_mcp's command-allowlist / RCE guard:
_validate_mcp_command, _mcp_allowed_commands, and the _MCP_* constants) move
verbatim into the new src/agent_tools/admin_tools.py. They register through a
single ADMIN_TOOL_HANDLERS map that TOOL_HANDLERS.update()s, and the five elif
branches plus their imports are dropped from tool_execution.py, so these tools
now flow through _direct_fallback like the other migrated clusters. The names
are re-exported from src.agent_tools for back-compat.

Dedup:
  - _parse_tool_args was duplicated in tool_implementations.py and
    document_tools.py. It now lives once in src.tool_utils (which imports nothing
    from the project beyond src.constants, so this introduces no cycle) and both
    call sites import it from there. The orphaned `import json` in document_tools
    is removed with it.
  - The five tools share one _owner_adapter(fn) factory that threads ctx["owner"]
    into the owner-taking do_* signature, instead of five near-identical wrappers.

Tests: new tests/test_admin_tools_registry.py pins the registration, the
re-export back-compat, the owner-threading adapter, and the single-source
_parse_tool_args (across admin_tools and document_tools). Existing MCP /
settings / webhook suites are repointed at the new module.
2026-06-24 09:29:10 +02:00

169 lines
6.5 KiB
Python
Raw Blame History

"""RCE guard for manage_mcp 'add' (#438).
do_manage_mcp("add", ...) used to pass model / prompt-injection-controlled
command/args/env straight to a stdio subprocess spawn with no allowlist, so a
payload smuggled into a skill description, memory entry, fetched page, or email
body could register an MCP server running arbitrary code as the app UID.
_validate_mcp_command now gates the agent path before any DB write or spawn:
interpreters, runtimes, package runners, shells, and exec-wrappers are
hard-denied (even if an operator allowlists one); the command must otherwise be
a bare basename in ODYSSEUS_MCP_ALLOWED_COMMANDS; code-exec flags are rejected
by prefix (catching glued forms like -cimport os and --eval=); remote-URL args
and code-injecting env vars (LD_PRELOAD, NODE_OPTIONS, PYTHONPATH, ...) are
rejected too.
"""
import asyncio
import json
import pytest
from unittest.mock import MagicMock, AsyncMock
from tests.helpers.import_state import clear_fake_database_modules
from tests.helpers.sqlite_db import make_temp_sqlite
clear_fake_database_modules()
import core.database as cdb
from core.database import McpServer
import src.agent_tools.admin_tools as ti # do_manage_mcp/get_mcp_manager moved here in the registry migration
from src.agent_tools.admin_tools import _validate_mcp_command
_TS, _ENGINE, _TMPDB = make_temp_sqlite(cdb.Base.metadata)
@pytest.fixture(autouse=True)
def _env(monkeypatch):
monkeypatch.setattr(cdb, "SessionLocal", _TS)
# Allow one benign launcher (so the positive path is reachable) and also
# python3 (to prove the hard-deny still wins over an operator allowlist).
monkeypatch.setenv("ODYSSEUS_MCP_ALLOWED_COMMANDS", "mcp-server-demo,python3")
db = _TS()
try:
db.query(McpServer).delete()
db.commit()
finally:
db.close()
yield
# ── validator: the RCE forms from the #438 review must all be rejected ──
@pytest.mark.parametrize("command,args", [
("sh", ["-c", "id>/tmp/pwn"]),
("bash", ["-c", "id"]),
("python3", ["/tmp/payload.py"]), # interpreter + script path
("python3", ["-m", "pip", "install", "evilpkg"]), # -m pip
("python3", ["-cimport os; os.system('x')"]), # glued -c (NubsCarson)
("node", ["-erequire('child_process')"]), # glued -e
("node", ["--eval=console.log(1)"]),
("node", ["-p", "process.env"]),
("deno", ["eval", "console.log(1)"]),
("npx", ["-y", "evil-mcp"]),
("uvx", ["evil"]),
("pipx", ["run", "evil"]),
("yarn", ["evil"]),
("env", ["sh", "-c", "id"]), # exec wrapper
("/tmp/payload", []), # path, not a basename
("mcp-server-demo;id", []), # shell metachar in command
("mcp-server-demo", ["-c", "code"]), # code-exec flag on allowed cmd
("mcp-server-demo", ["-cglued()"]), # glued code-exec flag
("mcp-server-demo", ["--eval=x"]), # long glued eval
("mcp-server-demo", ["https://evil.example/x.js"]),# remote URL arg
])
def test_validator_rejects_rce_forms(command, args):
assert _validate_mcp_command(command, args, {}) is not None
@pytest.mark.parametrize("key", ["LD_PRELOAD", "NODE_OPTIONS", "PYTHONPATH", "DYLD_INSERT_LIBRARIES", "PATH"])
def test_validator_rejects_dangerous_env(key):
assert _validate_mcp_command("mcp-server-demo", [], {key: "x"}) is not None
def test_denied_command_rejected_even_when_operator_allowlists_it():
# python3 is in ODYSSEUS_MCP_ALLOWED_COMMANDS for this test; hard-deny wins.
assert _validate_mcp_command("python3", ["server.py"], {}) is not None
@pytest.mark.parametrize("command", [
"python3.11", "python3.12", "node18", "node20", "pip3", "ruby3.2",
"java", "javac", "bunx", "tsx", "ts-node", "pypy3", "deno1",
])
def test_versioned_and_alias_runtimes_are_denied(command):
# Versioned / alias runtime forms must collapse to the family and be denied,
# not slip past exact-name matching (RaresKeY review on #4433).
assert _validate_mcp_command(command, [], {}) is not None
def test_alias_runtime_denied_even_if_operator_allowlists_it(monkeypatch):
# The exact scenario from review: an operator allowlists a versioned alias.
# Hard-deny by family must still win, before the allowlist is consulted.
monkeypatch.setenv("ODYSSEUS_MCP_ALLOWED_COMMANDS", "python3.11,node18,java,bunx")
for command in ("python3.11", "node18", "java", "bunx"):
assert _validate_mcp_command(command, [], {}) is not None, command
def test_command_not_in_allowlist_rejected():
assert _validate_mcp_command("some-random-binary", [], {}) is not None
def test_validator_allows_safe_allowlisted_server():
assert _validate_mcp_command("mcp-server-demo", ["--port", "3000"], {"FOO": "bar"}) is None
# ── integration: the real do_manage_mcp('add') path ──
def _add(command, args=None, env=None):
payload = {"action": "add", "name": "x", "command": command,
"args": args if args is not None else [], "env": env or {}}
return asyncio.run(ti.do_manage_mcp(json.dumps(payload)))
def test_add_rejects_rce_with_no_db_write_and_no_connect(monkeypatch):
mcp = MagicMock()
mcp.connect_server = AsyncMock()
monkeypatch.setattr(ti, "get_mcp_manager", lambda: mcp)
res = _add("sh", ["-c", "id>/tmp/pwn"])
assert res["exit_code"] == 1
assert "refused" in res["error"]
mcp.connect_server.assert_not_called()
db = _TS()
try:
assert db.query(McpServer).count() == 0, "rejected add must not persist an enabled row"
finally:
db.close()
def test_add_rejects_versioned_runtime_alias_no_row_no_connect(monkeypatch):
# Versioned alias on the real add path must also write no row and not connect.
mcp = MagicMock()
mcp.connect_server = AsyncMock()
monkeypatch.setattr(ti, "get_mcp_manager", lambda: mcp)
res = _add("python3.11", ["server.py"])
assert res["exit_code"] == 1
mcp.connect_server.assert_not_called()
db = _TS()
try:
assert db.query(McpServer).count() == 0
finally:
db.close()
def test_add_allows_safe_server_writes_row_and_connects(monkeypatch):
mcp = MagicMock()
mcp.connect_server = AsyncMock()
mcp.get_server_status = MagicMock(return_value={"tool_count": 2})
monkeypatch.setattr(ti, "get_mcp_manager", lambda: mcp)
res = _add("mcp-server-demo", ["--port", "3000"])
assert res["exit_code"] == 0
mcp.connect_server.assert_called_once()
db = _TS()
try:
assert db.query(McpServer).count() == 1
finally:
db.close()
Reference in New Issue View Git Blame Copy Permalink