add command filtering

johnstcn · johnstcn · commit 1e0040b2afce · 2025-03-28T10:51:43.000Z
diff --git a/cli/exp_mcp.go b/cli/exp_mcp.go
@@ -14,14 +14,15 @@ import (
 
 func (r *RootCmd) mcpCommand() *serpent.Command {
 	var (
-		client       = new(codersdk.Client)
-		instructions string
-		allowedTools []string
+		client              = new(codersdk.Client)
+		instructions        string
+		allowedTools        []string
+		allowedExecCommands []string
 	)
 	return &serpent.Command{
 		Use: "mcp",
 		Handler: func(inv *serpent.Invocation) error {
-			return mcpHandler(inv, client, instructions, allowedTools)
+			return mcpHandler(inv, client, instructions, allowedTools, allowedExecCommands)
 		},
 		Short: "Start an MCP server that can be used to interact with a Coder depoyment.",
 		Middleware: serpent.Chain(
@@ -40,11 +41,17 @@ func (r *RootCmd) mcpCommand() *serpent.Command {
 				Flag:        "allowed-tools",
 				Value:       serpent.StringArrayOf(&allowedTools),
 			},
+			{
+				Name:        "allowed-exec-commands",
+				Description: "Comma-separated list of allowed commands for workspace execution. If not specified, all commands are allowed.",
+				Flag:        "allowed-exec-commands",
+				Value:       serpent.StringArrayOf(&allowedExecCommands),
+			},
 		},
 	}
 }
 
-func mcpHandler(inv *serpent.Invocation, client *codersdk.Client, instructions string, allowedTools []string) error {
+func mcpHandler(inv *serpent.Invocation, client *codersdk.Client, instructions string, allowedTools []string, allowedExecCommands []string) error {
 	ctx, cancel := context.WithCancel(inv.Context())
 	defer cancel()
 
@@ -64,6 +71,9 @@ func mcpHandler(inv *serpent.Invocation, client *codersdk.Client, instructions s
 	if len(allowedTools) > 0 {
 		cliui.Infof(inv.Stderr, "Allowed Tools : %v", allowedTools)
 	}
+	if len(allowedExecCommands) > 0 {
+		cliui.Infof(inv.Stderr, "Allowed Exec Commands : %v", allowedExecCommands)
+	}
 	cliui.Infof(inv.Stderr, "Press Ctrl+C to stop the server")
 
 	// Capture the original stdin, stdout, and stderr.
@@ -88,6 +98,11 @@ func mcpHandler(inv *serpent.Invocation, client *codersdk.Client, instructions s
 		options = append(options, codermcp.WithAllowedTools(allowedTools))
 	}
 
+	// Add allowed exec commands option if specified
+	if len(allowedExecCommands) > 0 {
+		options = append(options, codermcp.WithAllowedExecCommands(allowedExecCommands))
+	}
+
 	closer := codermcp.New(ctx, client, options...)
 
 	<-ctx.Done()
@@ -98,4 +113,4 @@ func mcpHandler(inv *serpent.Invocation, client *codersdk.Client, instructions s
 		}
 	}
 	return nil
-}
+}
diff --git a/mcp/mcp.go b/mcp/mcp.go
@@ -17,11 +17,12 @@ import (
 )
 
 type mcpOptions struct {
-	in           io.Reader
-	out          io.Writer
-	instructions string
-	logger       *slog.Logger
-	allowedTools []string
+	in                  io.Reader
+	out                 io.Writer
+	instructions        string
+	logger              *slog.Logger
+	allowedTools        []string
+	allowedExecCommands []string
 }
 
 // Option is a function that configures the MCP server.
@@ -62,6 +63,13 @@ func WithAllowedTools(tools []string) Option {
 	}
 }
 
+// WithAllowedExecCommands sets the allowed commands for workspace execution.
+func WithAllowedExecCommands(commands []string) Option {
+	return func(o *mcpOptions) {
+		o.allowedExecCommands = commands
+	}
+}
+
 // New creates a new MCP server with the given client and options.
 func New(ctx context.Context, client *codersdk.Client, opts ...Option) io.Closer {
 	options := &mcpOptions{
@@ -88,8 +96,9 @@ func New(ctx context.Context, client *codersdk.Client, opts ...Option) io.Closer
 		reg = reg.WithOnlyAllowed(options.allowedTools...)
 	}
 	reg.Register(mcpSrv, mcptools.ToolDeps{
-		Client: client,
-		Logger: &logger,
+		Client:              client,
+		Logger:              &logger,
+		AllowedExecCommands: options.allowedExecCommands,
 	})
 
 	srv := server.NewStdioServer(mcpSrv)
diff --git a/mcp/tools/command_validator.go b/mcp/tools/command_validator.go
@@ -0,0 +1,42 @@
+package mcptools
+
+import (
+	"strings"
+
+	"github.com/google/shlex"
+	"golang.org/x/xerrors"
+)
+
+// IsCommandAllowed checks if a command is in the allowed list.
+// It parses the command using shlex to correctly handle quoted arguments
+// and only checks the executable name (first part of the command).
+func IsCommandAllowed(command string, allowedCommands []string) (bool, error) {
+	if len(allowedCommands) == 0 {
+		// If no allowed commands are specified, all commands are allowed
+		return true, nil
+	}
+
+	// Parse the command to extract the executable name
+	parts, err := shlex.Split(command)
+	if err != nil {
+		return false, xerrors.Errorf("failed to parse command: %w", err)
+	}
+
+	if len(parts) == 0 {
+		return false, xerrors.New("empty command")
+	}
+
+	// The first part is the executable name
+	executable := parts[0]
+
+	// Check if the executable is in the allowed list
+	for _, allowed := range allowedCommands {
+		if allowed == executable {
+			return true, nil
+		}
+	}
+
+	// Build a helpful error message
+	return false, xerrors.Errorf("command %q is not allowed. Allowed commands: %s",
+		executable, strings.Join(allowedCommands, ", "))
+}
diff --git a/mcp/tools/command_validator_test.go b/mcp/tools/command_validator_test.go
@@ -0,0 +1,80 @@
+package mcptools_test
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+
+	mcptools "github.com/coder/coder/v2/mcp/tools"
+)
+
+func TestIsCommandAllowed(t *testing.T) {
+	tests := []struct {
+		name            string
+		command         string
+		allowedCommands []string
+		want            bool
+		wantErr         bool
+		errorMessage    string
+	}{
+		{
+			name:            "empty allowed commands allows all",
+			command:         "ls -la",
+			allowedCommands: []string{},
+			want:            true,
+			wantErr:         false,
+		},
+		{
+			name:            "allowed command",
+			command:         "ls -la",
+			allowedCommands: []string{"ls", "cat", "grep"},
+			want:            true,
+			wantErr:         false,
+		},
+		{
+			name:            "disallowed command",
+			command:         "rm -rf /",
+			allowedCommands: []string{"ls", "cat", "grep"},
+			want:            false,
+			wantErr:         true,
+			errorMessage:    "not allowed",
+		},
+		{
+			name:            "command with quotes",
+			command:         "echo \"hello world\"",
+			allowedCommands: []string{"echo", "cat", "grep"},
+			want:            true,
+			wantErr:         false,
+		},
+		{
+			name:            "command with path",
+			command:         "/bin/ls -la",
+			allowedCommands: []string{"/bin/ls", "cat", "grep"},
+			want:            true,
+			wantErr:         false,
+		},
+		{
+			name:            "empty command",
+			command:         "",
+			allowedCommands: []string{"ls", "cat", "grep"},
+			want:            false,
+			wantErr:         true,
+			errorMessage:    "empty command",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got, err := mcptools.IsCommandAllowed(tt.command, tt.allowedCommands)
+			if tt.wantErr {
+				require.Error(t, err)
+				if tt.errorMessage != "" {
+					require.Contains(t, err.Error(), tt.errorMessage)
+				}
+			} else {
+				require.NoError(t, err)
+			}
+			require.Equal(t, tt.want, got)
+		})
+	}
+}
diff --git a/mcp/tools/tools_coder.go b/mcp/tools/tools_coder.go
@@ -194,6 +194,15 @@ func handleCoderWorkspaceExec(deps ToolDeps) mcpserver.ToolHandlerFunc {
 			return nil, xerrors.New("command is required")
 		}
 
+		// Validate the command if allowed commands are specified
+		allowed, err := IsCommandAllowed(command, deps.AllowedExecCommands)
+		if err != nil {
+			return nil, err
+		}
+		if !allowed {
+			return nil, xerrors.Errorf("command not allowed: %s", command)
+		}
+
 		// Attempt to fetch the workspace. We may get a UUID or a name, so try to
 		// handle both.
 		ws, err := getWorkspaceByIDOrOwnerName(ctx, deps.Client, wsArg)
diff --git a/mcp/tools/tools_coder_test.go b/mcp/tools/tools_coder_test.go
@@ -198,6 +198,69 @@ func TestCoderTools(t *testing.T) {
 		testutil.RequireJSONEq(t, expected, actual)
 	})
 
+	t.Run("tool_and_command_restrictions", func(t *testing.T) {
+		// Given: a restricted MCP server with only allowed tools and commands
+		restrictedPty := ptytest.New(t)
+		allowedTools := []string{"coder_workspace_exec"}
+		allowedCommands := []string{"echo", "ls"}
+		restrictedMCPSrv, closeRestrictedSrv := startTestMCPServer(ctx, t, restrictedPty.Input(), restrictedPty.Output())
+		t.Cleanup(func() {
+			_ = closeRestrictedSrv()
+		})
+		mcptools.AllTools().
+			WithOnlyAllowed(allowedTools...).
+			Register(restrictedMCPSrv, mcptools.ToolDeps{
+				Client:              memberClient,
+				Logger:              &logger,
+				AllowedExecCommands: allowedCommands,
+			})
+
+		// When: the tools/list command is called
+		toolsListCmd := makeJSONRPCRequest(t, "tools/list", "", nil)
+		restrictedPty.WriteLine(toolsListCmd)
+		_ = restrictedPty.ReadLine(ctx) // skip the echo
+
+		// Then: the response is a list of only the allowed tools.
+		toolsListResponse := restrictedPty.ReadLine(ctx)
+		require.Contains(t, toolsListResponse, "coder_workspace_exec")
+		require.NotContains(t, toolsListResponse, "coder_whoami")
+
+		// When: a disallowed tool is called
+		disallowedToolCmd := makeJSONRPCRequest(t, "tools/call", "coder_whoami", map[string]any{})
+		restrictedPty.WriteLine(disallowedToolCmd)
+		_ = restrictedPty.ReadLine(ctx) // skip the echo
+
+		// Then: the response is an error indicating the tool is not available.
+		disallowedToolResponse := restrictedPty.ReadLine(ctx)
+		require.Contains(t, disallowedToolResponse, "error")
+		require.Contains(t, disallowedToolResponse, "not found")
+
+		// When: an allowed exec command is called
+		randString := testutil.GetRandomName(t)
+		allowedCmd := makeJSONRPCRequest(t, "tools/call", "coder_workspace_exec", map[string]any{
+			"workspace": r.Workspace.ID.String(),
+			"command":   "echo " + randString,
+		})
+
+		// Then: the response is the output of the command.
+		restrictedPty.WriteLine(allowedCmd)
+		_ = restrictedPty.ReadLine(ctx) // skip the echo
+		actual := restrictedPty.ReadLine(ctx)
+		require.Contains(t, actual, randString)
+
+		// When: a disallowed exec command is called
+		disallowedCmd := makeJSONRPCRequest(t, "tools/call", "coder_workspace_exec", map[string]any{
+			"workspace": r.Workspace.ID.String(),
+			"command":   "evil --hax",
+		})
+
+		// Then: the response is an error indicating the command is not allowed.
+		restrictedPty.WriteLine(disallowedCmd)
+		_ = restrictedPty.ReadLine(ctx) // skip the echo
+		errorResponse := restrictedPty.ReadLine(ctx)
+		require.Contains(t, errorResponse, `command \"evil\" is not allowed`)
+	})
+
 	t.Run("coder_start_workspace", func(t *testing.T) {
 		// Given: a separate workspace in the stopped state
 		stopWs := dbfake.WorkspaceBuild(t, store, database.WorkspaceTable{
diff --git a/mcp/tools/tools_registry.go b/mcp/tools/tools_registry.go
@@ -91,8 +91,9 @@ var _ ToolAdder = (*server.MCPServer)(nil)
 
 // ToolDeps contains all dependencies needed by tool handlers
 type ToolDeps struct {
-	Client *codersdk.Client
-	Logger *slog.Logger
+	Client              *codersdk.Client
+	Logger              *slog.Logger
+	AllowedExecCommands []string
 }
 
 // ToolHandler associates a tool with its handler creation function
