Skip to content

Files and paths can be disallowed inside of directories #1012

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
cantino wants to merge 4 commits into from
Closed

Files and paths can be disallowed inside of directories #1012

cantino wants to merge 4 commits into from

Conversation

@cantino
Copy link

@cantino cantino commented Mar 22, 2025

This code was entirely written by Claude, with incremental testing by the human.

Description

Added the ability to exclude specific paths from filesystem access using patterns in the arguments list.

Server Details

  • Server: filesystem
  • Changes to: Command-line arguments processing, path validation, exclusion logic

Motivation and Context

Users needed more control over which files and directories could be accessed within an allowed directory. This change allows specifying excluded paths (e.g., .env files, build directories, .git directories) that should never be accessible, even if they exist within an allowed directory.

The feature provides enhanced security by allowing fine-grained access control. For instance, a user can allow access to a project directory while preventing access to sensitive files or directories within it.

How Has This Been Tested?

  • Tested with Docker configuration to verify exclusion patterns work correctly
  • Verified that negation patterns (e.g., !.git) can re-enable access to otherwise excluded paths
  • Confirmed case-insensitive matching works (e.g., TSCONFIG.json excludes both uppercase and lowercase variants)
  • Validated subdirectory exclusions (e.g., test/foo excludes that specific subdirectory)
  • Tested all filesystem operations (read, write, list, etc.) to ensure excluded paths are consistently blocked

Breaking Changes

Existing configurations without exclusion patterns will continue to work as before, except that now .git and node_modules are excluded by default.

Types of changes

  • New feature (non-breaking change which adds functionality)
  • Bug fix (non-breaking change which fixes an issue)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update

Checklist

  • I have read the MCP Protocol Documentation
  • My changes follows MCP security best practices
  • I have updated the server's README accordingly
  • I have tested this with an LLM client
  • My code follows the repository's style guidelines
  • New and existing tests pass locally
  • I have added appropriate error handling
  • I have documented all environment variables and configuration options

Additional context

The implementation supports the following features:

  1. Default Exclusions: .git and node_modules are excluded by default for security reasons.

  2. Custom Exclusions: Add exclusions with the syntax /path/to/dir!file1,dir2,path/to/file3.

  3. Negation Patterns: Override default or higher-level exclusions by prefixing with !, e.g., !.git to allow access to the .git directory even though it's excluded by default.

  4. Case-Insensitive Matching: All exclusion patterns are case-insensitive for security on all operating systems.

  5. Path-Based Exclusions: Support for excluding specific paths like test/foo to block access to subdirectories.

Example usage:

{
  "mcpServers": {
    "filesystem": {
      "command": "npx",
      "args": [
        "-y",
        "@modelcontextprotocol/server-filesystem",
        "/path/to/allowed/dir!.env,dist,secrets"
      ]
    }
  }
}

@cantino cantino mentioned this pull request Mar 22, 2025
Open
@cantino cantino force-pushed the allow-file-exclusions-in-filesystem branch from 44f95b9 to f403ae1 Compare March 22, 2025 19:23
@olaservo olaservo added enhancement New feature or request server-filesystem Reference implementation for the Filesystem MCP server - src/filesystem labels Mar 27, 2025
olaservo
olaservo requested changes Apr 2, 2025
View reviewed changes
Copy link
Member

@olaservo olaservo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the PR! Had some minor comments. Also I was trying to compare this to this other PR: #623 to see if this approach would be consistent with that older one which I'm in the process of looking at, too.

src/filesystem/index.ts
normalizePath(path.resolve(expandHome(dir)))
);
// Default exclusion patterns that always apply
const DEFAULT_EXCLUSIONS = ['.git', 'node_modules'];
Copy link
Member

@olaservo olaservo Apr 2, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
const DEFAULT_EXCLUSIONS = ['.git', 'node_modules'];
const DEFAULT_EXCLUSIONS = [
'.git',
'node_modules',
'.env*',
'id_rsa',
'id_dsa',
'*.pem'
];

(So this could also exclude common secrets/key files by default)

Copy link
Author

@cantino cantino Jun 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think this has support for * in the paths, but I'm not sure.

src/filesystem/index.ts
if (!exclusion.includes('/') && !exclusion.includes('*')) {
// Compare filenames case-insensitively
if (requestedFilename.toLowerCase() === exclusion.toLowerCase()) {
throw new Error(`Access denied - path not accessible`);
Copy link
Member

@olaservo olaservo Apr 2, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we should make it clearer to the LLM that its not accessible on purpose, something like: Access denied - path matches exclusion pattern

src/filesystem/index.ts
// Check if the path matches any exclusion pattern
if (isPathExcluded(config.path, relativePath, config.exclusions)) {
// Use a generic message that doesn't reveal if the file exists
throw new Error(`Access denied - path not accessible`);
Copy link
Member

@olaservo olaservo Apr 2, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same here and with other new errors being added.

src/filesystem/index.ts
console.error("Usage: mcp-server-filesystem <allowed-directory> [additional-directories...]");
console.error("Usage: mcp-server-filesystem <allowed-directory>[!excluded1,excluded2,...] [additional-directories...]");
console.error("");
console.error("Examples:");
Copy link
Member

@olaservo olaservo Apr 2, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think as long as the tool descriptions have good descriptions for the LLM then you don't need to add this logging.

@olaservo
Copy link
Member

olaservo commented Jun 16, 2025

Hi, wanted to check if I should close this or if you're still planning on merging these changes (I see some comments didn't get addressed). Thanks!

@olaservo olaservo added the waiting for submitter Waiting for the submitter to provide more info label Jun 16, 2025
@olaservo
Copy link
Member

olaservo commented Jul 18, 2025

Going to close for now, but feel free to re-open if you would still like to update and merge this.

@olaservo olaservo closed this Jul 18, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@olaservo olaservo olaservo requested changes

Assignees

No one assigned

Labels

enhancement New feature or request server-filesystem Reference implementation for the Filesystem MCP server - src/filesystem waiting for submitter Waiting for the submitter to provide more info

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@cantino @olaservo