Closed
Description
Describe the bug
The filesystem MCP server does not properly handle symbolic links that point outside the sandboxed directory.
Although the server provides a sandboxed environment rooted at /projects, this restriction can be bypassed by using symbolic links.
To Reproduce
Steps to reproduce the behavior:
- Create a symbolic link within /projects that points to a file outside the sandbox (e.g., ln -s /etc/passwd tempfile).
- Use the MCP server to read the symlinked file.
- Observe that the server reads the content from the file outside the sandbox. (e.g., /etc/passwd)
Expected behavior
It is unclear whether this is the intended behavior, but I believe it seems inconsistent with sandboxing principles.
Ideally, files outside the sandbox should be inaccessible, especially since they are not visible from within the container's perspective.
Interestingly, symbolic links using relative paths (e.g., ln -s ../ prev_folder) behave differently. I was unable to list files in such directories.