# engineer-your-data Workspace Boundary Bypass in File Operations Vulnerability Report

## Vulnerability Overview

This vulnerability is classified as **CNA / Submission Type**, with type **CVE ID request**, submitted by independent security researcher **wing3e** on **April 10, 2026**.

### Vulnerability Type

- **CWE**: CWE-73 (External Control of File Name or Path)
- **Brief Description**: File tools ignore the configured `WORKSPACE_PATH` boundary

### Affected Versions

- **Confirmed Affected**: 0.1.3
- **Suspected Affected Range**: Revisions containing the same request-to-sink flow
- **Fixed Version**: Not provided at time of report (April 10, 2026)

### Vulnerability Description

The project documentation declares `WORKSPACE_PATH` as the directory for the user data workspace, but the actual file tools (`read_file`, `write_file`, `list_files`, `file_info`) do not enforce this boundary. They accept arbitrary paths from the caller, convert them directly to `Path(...)`, and operate on them immediately. This allows an attacker to read from or write to any file accessible by the service account, not only files under the configured workspace.

### Technical Root Cause

1. Server advertises a dedicated workspace root directory
   - `src/server.py:57`
   - `WORKSPACE_PATH = os.getenv("WORKSPACE_PATH", os.path.expanduser("~/Documents"))`
2. README explicitly instructs users to configure the workspace root directory
   - `README.md:78-152`
   - Claude Desktop example sets `WORKSPACE_PATH` to `/path/to/your/data/workspace`
3. Tool execution passes raw MCP parameters directly to the registry implementation
   - `src/server.py:142-153`
4. `read_file` ignores `WORKSPACE_PATH` and directly opens arbitrary paths
   - `src/tools/file_operations.py:53-88`
   - `file_path = Path(file_path_str)` followed by `file_path.exists()` and `open(file_path, ...)`
5. `write_file` performs the same operation for writing
   - `src/tools/file_operations.py:227-288`
   - `file_path = Path(file_path_str)` then `file_path.parent.mkdir(...)` and `open(file_path, "w", ...)`
6. `list_files` and `file_info` are also unrestricted
   - `src/tools/file_operations.py:309-428`
   - `src/tools/file_operations.py:465-517`

### Attack Prerequisites

- Ability to call the exposed MCP file tools
- Service account must have permission to read from or write to the target paths
- No wrapper rewrites or restricts file paths before they reach the tool registry

### Proof of Concept / Reproduction Guide

The repository exposes direct arbitrary reads even when `WORKSPACE_PATH` is set to a different location.

#### 1. Call the real `read_file` tool:

```json
{
  "jsonrpc": "2.0",
  "id": 1,
  "method": "tools/call",
  "params": {
    "name": "read_file",
    "arguments": {
      "file_path": "/etc/hosts",
      "file_type": "auto"
    }
  }
}
```

#### 2. Why this triggers:

- The tool converts `/etc/hosts` to `Path("/etc/hosts")`
- No code joins the path with `WORKSPACE_PATH` or checks that it remains under the configured workspace
- If the file is readable, it is opened directly and its content returned

#### 3. Expected Result:

- Returns the content of `/etc/hosts` even if `WORKSPACE_PATH` points elsewhere
- A parallel write primitive exists via `write_file(file_path="/tmp/engineer-your-data_poc.json", ...)`

### Security Impact

- **Confidentiality**: High, as it can disclose any readable host file
- **Integrity**: High, as it can create or overwrite any writable host file
- **Availability**: Medium, as arbitrary writes may corrupt or disrupt local workflows
- **Scope**: Unchanged

### CVSS V3.1 Recommendation

- **Suggested Vector**: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
- **Suggested Base Score**: 9.1 (Critical)

### Workarounds / Mitigations

- Enforce `WORKSPACE_PATH` as a hard root for each file-oriented tool
- Run the service under a restricted account that cannot access sensitive host paths
- Disable file write tools in untrusted deployments until boundary checks are added
- Consider using separate allowlists for read-only and writable paths

### Recommended Fixes

- Resolve each requested path against `WORKSPACE_PATH` and reject any path that escapes it
- Apply the same workspace enforcement to `read_file`, `write_file`, `list_files`, and `file_info`
- Add regression tests for absolute paths, `../` traversal, symlink traversal, and Windows drive path inputs
- Update the documentation to match the patched, enforced behavior

### References

- **Repository**: https://github.com/eghuzefa/engineer-your-data-mcp.git
- **Reviewed Source Files**: `src/server.py`, `src/tools/file_operations.py`
- **CWE-73**: https://cwe.mitre.org/data/definitions/73.html

### Credit

- **Discoverer**: wing3e
- **Discovery Method**: Static analysis (CodeQL) combined with repository source code audit

### Additional Notes from Form Mapping

- **Audit Conclusion**: Vulnerability confirmed
- **Total Reviewed SARIF Results**: 16
- **Core Issue**: Mismatch between the documented workspace root model and the unconstrained implementation
- **Dynamic Exploitation Replay Status**: PoC verified in batch via source-level request-to-sink analysis
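The following is an added example, not code from the engineer-your-data project, showing the boundary check that the Technical Root Cause and Recommended Fixes sections call for: the raw `Path(file_path_str)` pattern is replaced by a resolver that anchors every request under the workspace and rejects anything that resolves outside it, and a constructed regression routine covers the absolute-path, `../`, symlink and Windows-drive cases named above. The names `resolve_in_workspace`, `safe_read_text`, `safe_write_text` and `regression_checks` are assumptions made for this example.

```python
"""Workspace boundary enforcement for file tools (added example, not project code).
Names and the temp-directory fixture below are constructed for illustration."""
import tempfile
from pathlib import Path, PureWindowsPath


class WorkspaceEscapeError(ValueError):
    """Raised when a requested path would resolve outside the workspace."""


def resolve_in_workspace(workspace: Path, requested: str) -> Path:
    """Map a caller-supplied path onto the workspace and refuse escapes.

    - Relative inputs are joined to the workspace root.
    - Absolute inputs are accepted only if they already lie inside it.
    - resolve() collapses '..' and follows symlinks before the containment
      check, so a link that points outside the workspace is rejected too.
    - Drive-qualified inputs (C:\\..., \\\\server\\share\\...) are rejected on
      every platform; parsing with PureWindowsPath makes that portable.
    """
    if PureWindowsPath(requested).drive:
        raise WorkspaceEscapeError(f"drive-qualified path not allowed: {requested!r}")
    root = workspace.resolve(strict=True)  # workspace itself must exist
    candidate = Path(requested)
    if not candidate.is_absolute():
        candidate = root / candidate
    resolved = candidate.resolve()
    try:
        resolved.relative_to(root)
    except ValueError:
        raise WorkspaceEscapeError(f"path escapes workspace: {requested!r}") from None
    return resolved


def safe_read_text(workspace: Path, requested: str) -> str:
    """read_file-style helper: enforce the boundary, then open."""
    return resolve_in_workspace(workspace, requested).read_text(encoding="utf-8")


def safe_write_text(workspace: Path, requested: str, content: str) -> Path:
    """write_file-style helper: mkdir/open only happen on an in-workspace path."""
    target = resolve_in_workspace(workspace, requested)
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(content, encoding="utf-8")
    return target


def regression_checks() -> dict:
    """Build a constructed workspace in a temp dir and exercise each escape case.

    Returns a mapping of case name -> True when the resolver behaved as intended.
    """
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        tmp_path = Path(tmp)
        ws = tmp_path / "workspace"
        (ws / "sub").mkdir(parents=True)
        (ws / "sub" / "data.csv").write_text("a,b\n1,2\n", encoding="utf-8")
        outside = tmp_path / "secret.txt"  # constructed file outside the workspace
        outside.write_text("outside\n", encoding="utf-8")

        def rejected(req: str) -> bool:
            try:
                resolve_in_workspace(ws, req)
            except WorkspaceEscapeError:
                return True
            return False

        results["relative_inside_ok"] = safe_read_text(ws, "sub/data.csv").startswith("a,b")
        results["dotdot_rejected"] = rejected("../secret.txt")
        results["absolute_outside_rejected"] = rejected(str(outside))
        results["absolute_inside_ok"] = (
            resolve_in_workspace(ws, str(ws / "sub" / "data.csv")).name == "data.csv"
        )
        results["windows_drive_rejected"] = rejected(r"C:\Windows\win.ini")
        results["unc_rejected"] = rejected(r"\\server\share\file.txt")
        try:
            (ws / "link").symlink_to(outside)
            results["symlink_escape_rejected"] = rejected("link")
        except OSError:
            # Symlink creation not permitted in this environment; nothing to check.
            results["symlink_escape_rejected"] = True
        written = safe_write_text(ws, "out/new.json", "{}")
        try:
            written.relative_to(ws.resolve())
            results["write_stays_inside"] = True
        except ValueError:
            results["write_stays_inside"] = False
    return results


if __name__ == "__main__":
    for name, ok in regression_checks().items():
        print(f"{name}: {'PASS' if ok else 'FAIL'}")
```

The containment test is `relative_to` on the fully resolved path against the fully resolved root, not a string-prefix comparison, so a sibling directory such as `workspace2` next to `workspace` is not mistaken for an inside path; resolving the root as well matters on hosts where the workspace itself sits behind a symlink.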