This document outlines the security measures implemented in the MCP ACP server to ensure safe operation in production environments.

Security Version: 1.0.0 Last Updated: 2026-01-29

1. Security Features
2. Security Improvements Summary
3. Threat Model
4. Best Practices
5. Security Checklist
6. Reporting Security Issues

Kubernetes Resource Name Validation

• All resource names (sessions, projects, containers) are validated against DNS-1123 subdomain format
• Pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
• Maximum length: 253 characters
• Prevents: Path traversal, command injection, SQL injection

URL Validation

• Server URLs must start with https:// or http://
• Repository URLs validated before git clone operations
• Prevents: SSRF attacks, malicious URL injection

Label Selector Validation

• Pattern: ^[a-zA-Z0-9=,_-]+$
• Prevents: Label injection attacks

Subprocess Execution

• All subprocess calls use asyncio.create_subprocess_exec() with argument arrays
• Never uses shell=True which would enable shell injection
• Arguments validated for suspicious characters: ; | & $ \ \n \r`
• Example:

  # Secure - uses argument array
  process = await asyncio.create_subprocess_exec(
      "oc", "get", resource_type, name, "-n", namespace, "-o", "json"
  )
  
  # Never done - shell injection risk
  # os.system(f"oc get {resource_type} {name}")  # DANGEROUS!

Git Clone Security

• Repository URLs validated before cloning
• Uses git clone --depth 1 -- <url> <target> with explicit separator
• Timeouts prevent DoS via slow repositories
• Temporary directories use secure random names

Timeout Controls

• Maximum command timeout: 300 seconds (5 minutes)
• Git clone timeout: 60 seconds
• All subprocess operations have timeouts via asyncio.wait_for()
• Timed-out processes are killed to prevent zombie processes

Log Line Limits

• Maximum log lines: 10,000 per request
• Default log retrieval: 1,000 lines
• Prevents: Memory exhaustion attacks

Workflow File Limits

• Maximum workflow files parsed: 100
• Prevents: DoS via repositories with thousands of files

Resource Type Whitelist

• Only allowed types: agenticsession, pods, event
• Prevents: Unauthorized access to other Kubernetes resources

Configuration File Protection

• Config file must be within user's home directory
• Path traversal validation via Path.resolve()
• File permissions set to 0600 (owner read/write only)
• No credentials stored in config (metadata only)

Temporary File Security

• Created with tempfile.mkstemp() for secure permissions (0600)
• Random prefixes using secrets.token_hex(8) prevent predictability
• Cleanup in finally blocks ensures no sensitive data left behind
• Example:

  fd, path = tempfile.mkstemp(
      suffix='.yaml',
      prefix=f'acp-clone-{secrets.token_hex(8)}-'
  )
  try:
      with os.fdopen(fd, 'w') as f:
          yaml.dump(manifest, f)
      # Use file...
  finally:
      os.unlink(path)

Directory Traversal Prevention

• Workflow files validated to be within expected directory
• Uses Path.relative_to() to ensure containment

Sensitive Data in Logs

• Tokens, passwords, secrets filtered from logs
• Log sanitization in server.py:

  safe_args = {k: v for k, v in arguments.items()
               if k not in ['token', 'password', 'secret']}

Configuration Validation

• YAML config validated on load
• Type checking for all config fields
• Server URLs validated for proper format

Graceful Degradation

• Client methods return error dicts instead of raising exceptions
• Prevents information leakage via stack traces
• Structured error responses for LLMs

Exception Categories

• ValueError: Input validation failures (expected, logged as warnings)
• asyncio.TimeoutError: Timeout exceeded (logged as errors)
• Exception: Unexpected errors (logged with full stack trace)

Error Message Sanitization

• No sensitive data in error messages
• Generic messages for authentication failures

This section summarizes the comprehensive security hardening completed on 2026-01-29.

Issue: Subprocess calls were vulnerable to shell injection attacks through malicious user input.

Fix:

• Added validation for all subprocess arguments to detect shell metacharacters: ; | & $ \ \n \r`
• All subprocess calls use asyncio.create_subprocess_exec() with argument arrays (never shell=True)
• Git clone operations secured with -- separator and URL validation

Files Modified:

• src/mcp_acp/client.py (lines 114-120, 1179-1187)

Test Coverage: tests/test_security.py::TestCommandInjectionPrevention

Issue: User-supplied names, URLs, and other inputs were not validated, allowing injection attacks.

Fix:

• Added _validate_input() method enforcing DNS-1123 subdomain format
• Validation pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
• Maximum length: 253 characters (Kubernetes limit)
• URL validation for server and repository URLs
• Label selector validation

Files Modified:

• src/mcp_acp/client.py (lines 73-90, 1160-1167)

Test Coverage: tests/test_security.py::TestInputValidation

Issue: No limits on log retrieval, command execution time, or file processing could lead to DoS attacks.

Fix:

• Maximum command timeout: 300 seconds (5 minutes)
• Git clone timeout: 60 seconds
• Maximum log lines: 10,000 per request
• Default log limit: 1,000 lines
• Maximum workflow files: 100 per repository
• All subprocess operations use asyncio.wait_for() with timeouts
• Timed-out processes are properly killed

Files Modified:

• src/mcp_acp/client.py (lines 19-22, 133-158, 671-692, 1200-1206)

Test Coverage: tests/test_security.py::TestResourceLimits

Issue: Config file paths and workflow files not validated, allowing access outside intended directories.

Fix:

• Config file must be within user's home directory
• Path resolution with Path.resolve() and validation
• Workflow files validated with Path.relative_to() to ensure containment
• Strict Kubernetes naming prevents path traversal in resource names

Files Modified:

• src/mcp_acp/client.py (lines 42-48, 1208-1212)

Issue: Temporary files created with predictable names and insecure permissions.

Fix:

• Use tempfile.mkstemp() for secure file creation (0600 permissions)
• Random prefixes using secrets.token_hex(8) prevent prediction
• Cleanup in finally blocks ensures no sensitive data leakage

Files Modified:

• src/mcp_acp/client.py (lines 852-884, 1175, 1329-1361)

Issue: YAML config loaded without validation, allowing malformed or malicious configs.

Fix:

• Added _validate_config() method called on initialization
• Validates config structure (must be dict)
• Validates cluster configs (must have 'server' field)
• Validates server URLs (must be http:// or https://)
• Type checking for all config fields
• Config file permissions set to 0600 on write

Files Modified:

• src/mcp_acp/client.py (lines 36-71, 1526-1531)

Test Coverage: tests/test_security.py::TestInputValidation::test_config_validation_*

Issue: No restriction on which Kubernetes resource types could be accessed.

Fix:

• Added ALLOWED_RESOURCE_TYPES whitelist: {"agenticsession", "pods", "event"}
• All resource operations validate against whitelist
• Prevents unauthorized access to secrets, configmaps, etc.

Files Modified:

• src/mcp_acp/client.py (line 22, 187-189, 221-223)

Test Coverage: tests/test_security.py::TestCommandInjectionPrevention::test_resource_type_whitelist

Fix:

• Specific exception types for different failure modes
• Structured error responses in dictionaries
• Error categorization in server.py with appropriate logging levels
• Better error messages for LLM consumption

Files Modified:

• src/mcp_acp/server.py (lines 527-539)

Fix:

• Tool call start/completion logging with execution times
• Sensitive data filtering (tokens, passwords, secrets) from logs
• Warning logs for validation errors
• Error logs with stack traces for unexpected failures

Files Modified:

• src/mcp_acp/server.py (lines 491-539, 112-121)

Fix:

• Argument sanitization removes token, password, secret from logs
• No credentials stored in config files (metadata only)
• Generic error messages for authentication failures
• Config file permissions enforced (0600)

Files Modified:

• src/mcp_acp/server.py (line 495)
• src/mcp_acp/client.py (lines 1529-1531)

Before Security Hardening:

• ❌ Vulnerable to command injection
• ❌ No input validation
• ❌ No timeout controls
• ❌ Insecure temporary files
• ❌ No resource limits
• ❌ Minimal logging

After Security Hardening:

• ✅ Command injection prevented via argument validation
• ✅ Comprehensive input validation on all user inputs
• ✅ Timeouts on all operations with process cleanup
• ✅ Secure temporary files with random names and 0600 permissions
• ✅ Resource limits prevent DoS attacks
• ✅ Detailed logging with sensitive data filtering

Security Test Suite: tests/test_security.py

✅ 13 security tests passing

• Input validation (valid and invalid inputs)
• Configuration validation
• Command injection prevention
• Resource type whitelist
• Resource limits enforcement
• URL validation
• Data protection

1. Network Security

   • Run MCP server in isolated network namespace if possible
   • Use firewall rules to restrict outbound connections
   • Consider running in containers with network policies

2. Authentication

   • Use OpenShift token authentication
   • Rotate tokens regularly
   • Never store tokens in config files

3. File Permissions

   • Ensure ~/.config/acp/ has 0700 permissions
   • Config file should have 0600 permissions
   • Never commit config files to version control

4. Logging

   • Monitor logs for validation errors (potential attack attempts)
   • Set up alerts for repeated timeout errors
   • Review error logs regularly

5. Updates

   • Keep dependencies updated (mcp, pyyaml, etc.)
   • Monitor security advisories for Python and dependencies
   • Test updates in staging before production

1. Adding New Tools

   • Always validate inputs with _validate_input()
   • Use resource type whitelist
   • Implement dry-run mode for mutating operations
   • Add timeout parameters

2. Subprocess Calls

   • Never use shell=True
   • Always use argument arrays
   • Validate all arguments
   • Set timeouts

3. File Operations

   • Use tempfile.mkstemp() for temporary files
   • Add random prefixes to prevent prediction
   • Clean up in finally blocks
   • Validate paths to prevent traversal

4. Testing

   • Test with malicious inputs
   • Test timeout scenarios
   • Test resource exhaustion
   • Test concurrent requests

1. Command Injection ✅

   • Prevented via argument arrays and validation
   • No shell interpretation of user input

2. Path Traversal ✅

   • Config file path validation
   • Workflow file containment checks
   • Resource name validation

3. Resource Exhaustion ✅

   • Timeouts on all operations
   • Limits on log retrieval
   • Limits on workflow file parsing

4. SSRF (Server-Side Request Forgery) ✅

   • URL validation before git clone
   • Resource type whitelist

5. Information Disclosure ✅

   • Sensitive data filtered from logs
   • Error messages sanitized
   • No credentials in config

6. Privilege Escalation ✅

   • Limited to OpenShift RBAC permissions
   • Resource type whitelist
   • No sudo or elevated privileges

1. OpenShift/Kubernetes Vulnerabilities

   • Mitigation: Keep OpenShift cluster updated
   • Rely on cluster's built-in security

2. Compromised OpenShift Token

   • Mitigation: Short token lifetimes, token rotation
   • Monitor for unusual activity

3. Malicious Git Repositories

   • Mitigation: Only clone trusted repositories
   • Workflow file limits prevent some attacks
   • Consider sandboxing git operations

4. Dependency Vulnerabilities

   • Mitigation: Regular dependency updates
   • Security scanning in CI/CD

Before deploying to production:

• Config file permissions set to 0600
• Config directory permissions set to 0700
• No tokens or credentials in config
• Logging configured and monitored
• All dependencies updated to latest secure versions
• Network policies configured (if using Kubernetes)
• Token rotation policy in place
• Incident response plan documented
• Security scanning enabled in CI/CD
• Rate limiting configured (if exposing via HTTP)

If you discover a security vulnerability, please:

1. Do not open a public GitHub issue
2. Email the maintainers directly
3. Provide detailed reproduction steps
4. Allow time for a fix before public disclosure

1. Rate Limiting (if exposing via HTTP)

   • Per-client request limits
   • Token bucket algorithm
   • Configurable thresholds

2. Audit Logging

   • Structured audit trail
   • Security event logging
   • Integration with SIEM

3. Authentication Enhancements

   • OAuth2/OIDC support
   • JWT token validation
   • Multi-factor authentication

4. Network Security

   • mTLS for MCP transport
   • Certificate pinning
   • Network policy enforcement

5. Sandboxing

   • Run git clone in isolated container
   • Seccomp profiles
   • AppArmor/SELinux policies

• OWASP Top 10
• CWE-78: OS Command Injection
• Kubernetes Security Best Practices
• Python Security Best Practices

v1.0.0 (2026-01-29) - Initial security hardening

• Command injection prevention
• Input validation and sanitization
• Resource exhaustion protection
• Secure temporary file handling
• Path traversal prevention
• Resource type whitelist
• Sensitive data filtering
• Comprehensive security test suite

All 19 MCP tools now operate with defense-in-depth security controls while maintaining full functionality and backwards compatibility.