fix(security): harden MCP config endpoint (#3425)

* fix(security): harden MCP config endpoint

* Potential fix for pull request finding

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

---------

Co-authored-by: greatmengqi <chenmengqi.0376@bytedance.com>
Co-authored-by: Willem Jiang <willem.jiang@gmail.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>

backend/app/gateway/routers/mcp.py

@@ -1,9 +1,10 @@
 import json
 import logging
+import os
 from pathlib import Path
 from typing import Literal
 
-from fastapi import APIRouter, HTTPException
+from fastapi import APIRouter, HTTPException, Request, status
 from pydantic import BaseModel, Field
 
 from deerflow.config.extensions_config import ExtensionsConfig, get_extensions_config, reload_extensions_config
@@ -12,6 +13,11 @@ logger = logging.getLogger(__name__)
 router = APIRouter(prefix="/api", tags=["mcp"])
 
 
+_MCP_STDIO_COMMAND_ALLOWLIST_ENV = "DEER_FLOW_MCP_STDIO_COMMAND_ALLOWLIST"
+_DEFAULT_MCP_STDIO_COMMAND_ALLOWLIST = frozenset({"npx", "uvx"})
+_SHELL_METACHARS = frozenset(";|&`$<>\n\r")
+
+
 class McpOAuthConfigResponse(BaseModel):
     """OAuth configuration for an MCP server."""
 
@@ -66,6 +72,78 @@ class McpConfigUpdateRequest(BaseModel):
 _MASKED_VALUE = "***"
 
 
+async def _require_admin_user(request: Request) -> None:
+    """Require the authenticated caller to be an admin user.
+
+    ``AuthMiddleware`` normally stamps ``request.state.user`` before the
+    request reaches this router. Falling back to the strict dependency keeps
+    this route safe even in tests or alternative ASGI compositions that mount
+    the router without the global middleware.
+    """
+    user = getattr(request.state, "user", None)
+    if user is None:
+        from app.gateway.deps import get_current_user_from_request
+
+        user = await get_current_user_from_request(request)
+
+    if getattr(user, "system_role", None) != "admin":
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="Admin privileges required to manage MCP configuration.",
+        )
+
+
+def _allowed_stdio_commands() -> set[str]:
+    """Return executable names allowed for API-managed stdio MCP servers."""
+    raw = os.environ.get(_MCP_STDIO_COMMAND_ALLOWLIST_ENV)
+    base = set(_DEFAULT_MCP_STDIO_COMMAND_ALLOWLIST)
+    if raw is None:
+        return base
+    extra = {item.strip() for item in raw.split(",") if item.strip()}
+    return base | extra
+
+
+def _stdio_command_name(command: str | None, *, server_name: str) -> str:
+    """Normalize and validate a stdio command field from the API boundary."""
+    if command is None or not command.strip():
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail=f"MCP server '{server_name}' with stdio transport requires a command.",
+        )
+
+    stripped = command.strip()
+    has_path_separator = "/" in stripped or "\\" in stripped
+    if stripped != command or has_path_separator or any(ch.isspace() for ch in stripped) or any(ch in stripped for ch in _SHELL_METACHARS):
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail=(f"MCP server '{server_name}' command must be a single executable name; put parameters in args instead."),
+        )
+
+    return stripped
+
+
+def _validate_mcp_update_request(request: McpConfigUpdateRequest) -> None:
+    """Validate API-submitted MCP config before it is persisted.
+
+    Local config files can still express arbitrary advanced setups, but the
+    HTTP API is an untrusted boundary. Restricting stdio commands here reduces
+    the blast radius of a compromised authenticated browser session.
+    """
+    allowed_commands = _allowed_stdio_commands()
+    for name, server in request.mcp_servers.items():
+        transport_type = (server.type or "stdio").lower()
+        if transport_type != "stdio":
+            continue
+
+        command_name = _stdio_command_name(server.command, server_name=name)
+        if command_name not in allowed_commands:
+            allowed = ", ".join(sorted(allowed_commands)) or "<none>"
+            raise HTTPException(
+                status_code=status.HTTP_400_BAD_REQUEST,
+                detail=(f"MCP server '{name}' uses disallowed stdio command '{command_name}'. Allowed commands: {allowed}. Configure {_MCP_STDIO_COMMAND_ALLOWLIST_ENV} to extend this list."),
+            )
+
+
 def _mask_server_config(server: McpServerConfigResponse) -> McpServerConfigResponse:
     """Return a copy of server config with sensitive fields masked.
 
@@ -162,7 +240,7 @@ def _merge_preserving_secrets(
     summary="Get MCP Configuration",
     description="Retrieve the current Model Context Protocol (MCP) server configurations.",
 )
-async def get_mcp_configuration() -> McpConfigResponse:
+async def get_mcp_configuration(request: Request) -> McpConfigResponse:
     """Get the current MCP configuration.
 
     Returns:
@@ -183,6 +261,8 @@ async def get_mcp_configuration() -> McpConfigResponse:
         }
         ```
     """
+    await _require_admin_user(request)
+
     config = get_extensions_config()
 
     servers = {name: _mask_server_config(McpServerConfigResponse(**server.model_dump())) for name, server in config.mcp_servers.items()}
@@ -195,7 +275,7 @@ async def get_mcp_configuration() -> McpConfigResponse:
     summary="Update MCP Configuration",
     description="Update Model Context Protocol (MCP) server configurations and save to file.",
 )
-async def update_mcp_configuration(request: McpConfigUpdateRequest) -> McpConfigResponse:
+async def update_mcp_configuration(request: Request, body: McpConfigUpdateRequest) -> McpConfigResponse:
     """Update the MCP configuration.
 
     This will:
@@ -228,6 +308,9 @@ async def update_mcp_configuration(request: McpConfigUpdateRequest) -> McpConfig
         ```
     """
     try:
+        await _require_admin_user(request)
+        _validate_mcp_update_request(body)
+
         # Get the current config path (or determine where to save it)
         config_path = ExtensionsConfig.resolve_config_path()
 
@@ -255,7 +338,7 @@ async def update_mcp_configuration(request: McpConfigUpdateRequest) -> McpConfig
 
         # Merge incoming server configs with raw on-disk secrets
         merged_servers: dict[str, McpServerConfigResponse] = {}
-        for name, incoming in request.mcp_servers.items():
+        for name, incoming in body.mcp_servers.items():
             raw_server = raw_servers.get(name)
             if raw_server is not None:
                 merged_servers[name] = _merge_preserving_secrets(
@@ -283,6 +366,8 @@ async def update_mcp_configuration(request: McpConfigUpdateRequest) -> McpConfig
         servers = {name: _mask_server_config(McpServerConfigResponse(**server.model_dump())) for name, server in reloaded_config.mcp_servers.items()}
         return McpConfigResponse(mcp_servers=servers)
 
+    except HTTPException:
+        raise
     except Exception as e:
         logger.error(f"Failed to update MCP configuration: {e}", exc_info=True)
         raise HTTPException(status_code=500, detail=f"Failed to update MCP configuration: {str(e)}")