remove exec command filtering

johnstcn · johnstcn · commit a3d889669513 · 2025-03-28T14:59:25.000Z
diff --git a/cli/exp_mcp.go b/cli/exp_mcp.go
@@ -14,15 +14,14 @@ import (
 
 func (r *RootCmd) mcpCommand() *serpent.Command {
 	var (
-		client              = new(codersdk.Client)
-		instructions        string
-		allowedTools        []string
-		allowedExecCommands []string
+		client       = new(codersdk.Client)
+		instructions string
+		allowedTools []string
 	)
 	return &serpent.Command{
 		Use: "mcp",
 		Handler: func(inv *serpent.Invocation) error {
-			return mcpHandler(inv, client, instructions, allowedTools, allowedExecCommands)
+			return mcpHandler(inv, client, instructions, allowedTools)
 		},
 		Short: "Start an MCP server that can be used to interact with a Coder depoyment.",
 		Middleware: serpent.Chain(
@@ -41,17 +40,11 @@ func (r *RootCmd) mcpCommand() *serpent.Command {
 				Flag:        "allowed-tools",
 				Value:       serpent.StringArrayOf(&allowedTools),
 			},
-			{
-				Name:        "allowed-exec-commands",
-				Description: "Comma-separated list of allowed commands for workspace execution. If not specified, all commands are allowed.",
-				Flag:        "allowed-exec-commands",
-				Value:       serpent.StringArrayOf(&allowedExecCommands),
-			},
 		},
 	}
 }
 
-func mcpHandler(inv *serpent.Invocation, client *codersdk.Client, instructions string, allowedTools []string, allowedExecCommands []string) error {
+func mcpHandler(inv *serpent.Invocation, client *codersdk.Client, instructions string, allowedTools []string) error {
 	ctx, cancel := context.WithCancel(inv.Context())
 	defer cancel()
 
@@ -71,9 +64,6 @@ func mcpHandler(inv *serpent.Invocation, client *codersdk.Client, instructions s
 	if len(allowedTools) > 0 {
 		cliui.Infof(inv.Stderr, "Allowed Tools : %v", allowedTools)
 	}
-	if len(allowedExecCommands) > 0 {
-		cliui.Infof(inv.Stderr, "Allowed Exec Commands : %v", allowedExecCommands)
-	}
 	cliui.Infof(inv.Stderr, "Press Ctrl+C to stop the server")
 
 	// Capture the original stdin, stdout, and stderr.
@@ -98,11 +88,6 @@ func mcpHandler(inv *serpent.Invocation, client *codersdk.Client, instructions s
 		options = append(options, codermcp.WithAllowedTools(allowedTools))
 	}
 
-	// Add allowed exec commands option if specified
-	if len(allowedExecCommands) > 0 {
-		options = append(options, codermcp.WithAllowedExecCommands(allowedExecCommands))
-	}
-
 	closer := codermcp.New(ctx, client, options...)
 
 	<-ctx.Done()
diff --git a/go.mod b/go.mod
@@ -320,7 +320,7 @@ require (
 	github.com/google/nftables v0.2.0 // indirect
 	github.com/google/pprof v0.0.0-20230817174616-7a8ec2ada47b // indirect
 	github.com/google/s2a-go v0.1.9 // indirect
-	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510
+	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
 	github.com/googleapis/enterprise-certificate-proxy v0.3.6 // indirect
 	github.com/googleapis/gax-go/v2 v2.14.1 // indirect
 	github.com/gorilla/css v1.0.1 // indirect
diff --git a/mcp/mcp.go b/mcp/mcp.go
@@ -17,12 +17,11 @@ import (
 )
 
 type mcpOptions struct {
-	in                  io.Reader
-	out                 io.Writer
-	instructions        string
-	logger              *slog.Logger
-	allowedTools        []string
-	allowedExecCommands []string
+	in           io.Reader
+	out          io.Writer
+	instructions string
+	logger       *slog.Logger
+	allowedTools []string
 }
 
 // Option is a function that configures the MCP server.
@@ -63,13 +62,6 @@ func WithAllowedTools(tools []string) Option {
 	}
 }
 
-// WithAllowedExecCommands sets the allowed commands for workspace execution.
-func WithAllowedExecCommands(commands []string) Option {
-	return func(o *mcpOptions) {
-		o.allowedExecCommands = commands
-	}
-}
-
 // New creates a new MCP server with the given client and options.
 func New(ctx context.Context, client *codersdk.Client, opts ...Option) io.Closer {
 	options := &mcpOptions{
@@ -96,9 +88,8 @@ func New(ctx context.Context, client *codersdk.Client, opts ...Option) io.Closer
 		reg = reg.WithOnlyAllowed(options.allowedTools...)
 	}
 	reg.Register(mcpSrv, mcptools.ToolDeps{
-		Client:              client,
-		Logger:              &logger,
-		AllowedExecCommands: options.allowedExecCommands,
+		Client: client,
+		Logger: &logger,
 	})
 
 	srv := server.NewStdioServer(mcpSrv)
diff --git a/mcp/tools/command_validator.go b/mcp/tools/command_validator.go
diff --git a/mcp/tools/command_validator_test.go b/mcp/tools/command_validator_test.go
diff --git a/mcp/tools/tools_coder.go b/mcp/tools/tools_coder.go
@@ -194,15 +194,6 @@ func handleCoderWorkspaceExec(deps ToolDeps) mcpserver.ToolHandlerFunc {
 			return nil, xerrors.New("command is required")
 		}
 
-		// Validate the command if allowed commands are specified
-		allowed, err := IsCommandAllowed(command, deps.AllowedExecCommands)
-		if err != nil {
-			return nil, err
-		}
-		if !allowed {
-			return nil, xerrors.Errorf("command not allowed: %s", command)
-		}
-
 		// Attempt to fetch the workspace. We may get a UUID or a name, so try to
 		// handle both.
 		ws, err := getWorkspaceByIDOrOwnerName(ctx, deps.Client, wsArg)
diff --git a/mcp/tools/tools_coder_test.go b/mcp/tools/tools_coder_test.go
@@ -217,24 +217,22 @@ func TestCoderTools(t *testing.T) {
 	})
 
 	// NOTE: this test runs after the list_workspaces tool is called.
-	t.Run("tool_and_command_restrictions", func(t *testing.T) {
+	t.Run("tool_restrictions", func(t *testing.T) {
 		// Given: the workspace agent is connected
 		<-agentStarted
 
 		// Given: a restricted MCP server with only allowed tools and commands
 		restrictedPty := ptytest.New(t)
 		allowedTools := []string{"coder_workspace_exec"}
-		allowedCommands := []string{"echo", "ls"}
 		restrictedMCPSrv, closeRestrictedSrv := startTestMCPServer(ctx, t, restrictedPty.Input(), restrictedPty.Output())
 		t.Cleanup(func() {
 			_ = closeRestrictedSrv()
 		})
 		mcptools.AllTools().
 			WithOnlyAllowed(allowedTools...).
 			Register(restrictedMCPSrv, mcptools.ToolDeps{
-				Client:              memberClient,
-				Logger:              &logger,
-				AllowedExecCommands: allowedCommands,
+				Client: memberClient,
+				Logger: &logger,
 			})
 
 		// When: the tools/list command is called
@@ -256,31 +254,6 @@ func TestCoderTools(t *testing.T) {
 		disallowedToolResponse := restrictedPty.ReadLine(ctx)
 		require.Contains(t, disallowedToolResponse, "error")
 		require.Contains(t, disallowedToolResponse, "not found")
-
-		// When: an allowed exec command is called
-		randString := testutil.GetRandomName(t)
-		allowedCmd := makeJSONRPCRequest(t, "tools/call", "coder_workspace_exec", map[string]any{
-			"workspace": r.Workspace.ID.String(),
-			"command":   "echo " + randString,
-		})
-
-		// Then: the response is the output of the command.
-		restrictedPty.WriteLine(allowedCmd)
-		_ = restrictedPty.ReadLine(ctx) // skip the echo
-		actual := restrictedPty.ReadLine(ctx)
-		require.Contains(t, actual, randString)
-
-		// When: a disallowed exec command is called
-		disallowedCmd := makeJSONRPCRequest(t, "tools/call", "coder_workspace_exec", map[string]any{
-			"workspace": r.Workspace.ID.String(),
-			"command":   "evil --hax",
-		})
-
-		// Then: the response is an error indicating the command is not allowed.
-		restrictedPty.WriteLine(disallowedCmd)
-		_ = restrictedPty.ReadLine(ctx) // skip the echo
-		errorResponse := restrictedPty.ReadLine(ctx)
-		require.Contains(t, errorResponse, `command \"evil\" is not allowed`)
 	})
 
 	t.Run("coder_start_workspace", func(t *testing.T) {
diff --git a/mcp/tools/tools_registry.go b/mcp/tools/tools_registry.go
@@ -150,8 +150,7 @@ Examples:
 - "cat ~/.bashrc" - View a file's contents
 - "python -m pip list" - List installed Python packages
 
-Note: Commands are subject to security restrictions and validation.
-Very long-running commands may time out.`), mcp.Required()),
+Note: Very long-running commands may time out.`), mcp.Required()),
 		),
 		MakeHandler: handleCoderWorkspaceExec,
 	},
@@ -215,9 +214,8 @@ var _ ToolAdder = (*server.MCPServer)(nil)
 
 // ToolDeps contains all dependencies needed by tool handlers
 type ToolDeps struct {
-	Client              *codersdk.Client
-	Logger              *slog.Logger
-	AllowedExecCommands []string
+	Client *codersdk.Client
+	Logger *slog.Logger
 }
 
 // ToolHandler associates a tool with its handler creation function
