@oculum/scanner 1.0.9 → 1.0.11

package/src/layer2/ai-mcp-security.ts

@@ -0,0 +1,730 @@
+/**
+ * Layer 2: MCP (Model Context Protocol) Security Detection
+ * Detects security issues in MCP tool implementations
+ *
+ * Background: MCP enables AI agents to call external tools. Security risks include:
+ * - Tool Poisoning: External content returned without validation (CVE-2025-6514)
+ * - Credential Issues: Credentials in tool parameters/responses
+ * - Confused Deputy: Operations without proper user context
+ *
+ * Reference: https://modelcontextprotocol.io, 13,000+ MCP servers deployed
+ */
+
+import type { Vulnerability, VulnerabilitySeverity, VulnerabilityCategory } from '../types'
+import {
+  isComment,
+  isTestOrMockFile,
+  isDocumentationFile,
+  isScannerOrFixtureFile,
+  isExampleDirectory,
+  isLibraryCode,
+} from '../utils/context-helpers'
+
+// ============================================================================
+// Context Detection
+// ============================================================================
+
+/**
+ * Check if file is an MCP server/tool file based on imports and patterns
+ */
+function isMCPFile(content: string, filePath: string): boolean {
+  // Import patterns for MCP SDK
+  const mcpImportPatterns = [
+    /@modelcontextprotocol\/sdk/i,
+    /from\s+['"]mcp['"]/i,
+    /from\s+['"]@mcp\//i,
+    /McpServer/i,
+    /mcp\.server/i,
+    /server\.tool\s*\(/i,
+    /@server\.tool/i,
+  ]
+
+  if (mcpImportPatterns.some(p => p.test(content))) {
+    return true
+  }
+
+  // Path patterns
+  const mcpPathPatterns = [
+    /\/mcp\//i,
+    /mcp[-_]?server/i,
+    /mcp[-_]?tools?/i,
+  ]
+
+  return mcpPathPatterns.some(p => p.test(filePath))
+}
+
+/**
+ * Check if line/context has content sanitization
+ */
+function hasContentSanitization(context: string): boolean {
+  const sanitizationPatterns = [
+    /sanitize|DOMPurify|purify/i,
+    /escapeHtml|escape_html|html\.escape/i,
+    /strip(?:Tags|Html|Scripts)/i,
+    /validate(?:Content|Input|Schema)/i,
+    /zod\.parse|schema\.parse|safeParse/i,
+    /filterHtml|cleanHtml/i,
+    /ALLOWED_TAGS/i,
+    // Safe return patterns - returning only safe fields
+    /\.map\s*\([^)]*\{\s*id|title|name|summary\s*:/i,
+    // Static content patterns
+    /loadStaticDocs|staticContent|publicData/i,
+    // Pure computation
+    /mathjs\.evaluate|calculate/i,
+  ]
+  return sanitizationPatterns.some(p => p.test(context))
+}
+
+/**
+ * Check if the return is for a safe/static data source
+ */
+function isSafeDataSource(context: string): boolean {
+  const safePatterns = [
+    // Static/public data
+    /(?:static|public)(?:Data|Docs|Content)/i,
+    // Mathematical operations
+    /mathjs|calculate|compute/i,
+    // Internal API with server-side auth
+    /process\.env\.INTERNAL|SERVER_SIDE/i,
+    // User's own data explicitly
+    /findByUser|getByUser|user\.(?:files|documents|records)/i,
+    // Returns only safe fields like id, name, title
+    /return\s*\{[^}]*:\s*\{[^}]*(?:only|safe|id|title|name)[^}]*\}/i,
+  ]
+  return safePatterns.some(p => p.test(context))
+}
+
+/**
+ * Check if tool has user context access
+ */
+function hasUserContext(context: string): boolean {
+  const userContextPatterns = [
+    /context\.user/i,
+    /context\.userId/i,
+    /context\.session/i,
+    /context\.auth/i,
+    /getCurrentUser/i,
+    /request\.user/i,
+    /req\.user/i,
+    /user\.id/i,
+    /userId/i,
+    /session\.user/i,
+    /auth\(\)/i,
+    /tenantId/i,
+    /tenant\.id/i,
+    /orgId/i,
+  ]
+  return userContextPatterns.some(p => p.test(context))
+}
+
+/**
+ * Check if there's an authorization check in context
+ */
+function hasAuthorizationCheck(context: string): boolean {
+  const authCheckPatterns = [
+    /if\s*\([^)]*\.ownerId\s*[!=]==?\s*/i,
+    /if\s*\([^)]*userId\s*[!=]==?\s*/i,
+    /if\s*\([^)]*tenantId\s*[!=]==?\s*/i,
+    /Not\s*authorized/i,
+    /Forbidden/i,
+    /checkPermission/i,
+    /checkAccess/i,
+    /canAccess/i,
+    /hasPermission/i,
+    /isAuthorized/i,
+    /throw.*Error.*auth/i,
+  ]
+  return authCheckPatterns.some(p => p.test(context))
+}
+
+/**
+ * Get surrounding context for analysis
+ */
+function getSurroundingContext(content: string, lineIndex: number, windowSize: number = 30): string {
+  const lines = content.split('\n')
+  const start = Math.max(0, lineIndex - windowSize)
+  const end = Math.min(lines.length, lineIndex + windowSize)
+  return lines.slice(start, end).join('\n')
+}
+
+// ============================================================================
+// Pattern Definitions
+// ============================================================================
+
+interface MCPSecurityPattern {
+  name: string
+  pattern: RegExp
+  category: 'tool_poisoning' | 'credential_issue' | 'confused_deputy' | 'description_injection' | 'server_shadowing'
+  baseSeverity: VulnerabilitySeverity
+  description: string
+  suggestedFix: string
+}
+
+/**
+ * Tool Poisoning Patterns
+ * Detect tools that return external content without validation
+ */
+const TOOL_POISONING_PATTERNS: MCPSecurityPattern[] = [
+  // Raw HTTP response content (JS and Python)
+  {
+    name: 'Raw HTTP response in tool',
+    pattern: /(?:return|=>)\s*[{(]\s*[{"]?[^}]*(?:content|body|text|html)['"]\s*[:=]\s*(?:await\s+)?(?:response|res)\.(?:text|json|body)/gi,
+    category: 'tool_poisoning',
+    baseSeverity: 'high',
+    description: 'MCP tool returns raw HTTP response content without sanitization. External content could contain prompt injection payloads.',
+    suggestedFix: 'Sanitize external content before returning: return { content: sanitize(response.text()) }',
+  },
+  // Raw fetch result
+  {
+    name: 'Fetch result returned directly',
+    pattern: /return\s*[{(]\s*[{"]?[^}]*[:=]\s*await\s+fetch\([^)]+\)\.(?:text|json)\(\)/gi,
+    category: 'tool_poisoning',
+    baseSeverity: 'high',
+    description: 'Fetch result returned directly in tool response. Content may contain malicious instructions.',
+    suggestedFix: 'Validate and sanitize fetch results before including in response.',
+  },
+  // Database query results (JS)
+  {
+    name: 'Raw database content in response',
+    pattern: /return\s*\{[^}]*(?:data|results?|rows|documents?|items?)\s*:\s*(?:await\s+)?(?:db|database|client|collection|query)\.(?:query|find|search|execute)/gi,
+    category: 'tool_poisoning',
+    baseSeverity: 'medium',
+    description: 'Database query results returned without filtering. Stored content could be poisoned.',
+    suggestedFix: 'Validate and sanitize database content. Consider returning only safe fields.',
+  },
+  // Database query results (Python)
+  {
+    name: 'Raw database content in Python response',
+    pattern: /return\s*\{[^}]*["'](?:data|results?|documents?)["']\s*:\s*(?:await\s+)?(?:db|database|results)[\.\[]/gi,
+    category: 'tool_poisoning',
+    baseSeverity: 'medium',
+    description: 'Database query results returned without filtering in Python MCP tool.',
+    suggestedFix: 'Validate and sanitize database content. Consider returning only safe fields.',
+  },
+  // File content
+  {
+    name: 'File content returned without validation',
+    pattern: /return\s*[{(]\s*[{"]?[^}]*content['"]\s*[:=]\s*(?:await\s+)?(?:fs|file|readFile|readFileSync)/gi,
+    category: 'tool_poisoning',
+    baseSeverity: 'high',
+    description: 'File content returned without validation. Files could contain malicious instructions.',
+    suggestedFix: 'Validate file content and type. Sanitize before returning to the model.',
+  },
+  // Email content
+  {
+    name: 'Email content in response',
+    pattern: /return\s*[{(]\s*[{"]?[^}]*(?:body|content|text)['"]\s*[:=]\s*(?:email|message|mail)\.(?:body|content|text|html)/gi,
+    category: 'tool_poisoning',
+    baseSeverity: 'high',
+    description: 'Email content returned to model. Emails are common vectors for prompt injection.',
+    suggestedFix: 'Sanitize email content. Strip HTML, scripts, and instruction-like patterns.',
+  },
+  // RSS/feed content
+  {
+    name: 'RSS/feed content in response',
+    pattern: /return\s*[{(]\s*[{"]?[^}]*(?:items?|entries?|feed)['"]\s*[:=]\s*(?:feed|rss|parser)\.(?:items?|entries?|parse)/gi,
+    category: 'tool_poisoning',
+    baseSeverity: 'medium',
+    description: 'RSS/feed content returned without filtering. Feed titles and descriptions could be poisoned.',
+    suggestedFix: 'Sanitize feed content. Filter to safe fields only (id, title summary).',
+  },
+  // Generic raw content return (JS)
+  {
+    name: 'Raw content in tool response',
+    pattern: /server\.tool\s*\([^)]+,\s*async[^{]+\{[^}]*return\s*\{[^}]*:\s*(?:await\s+)?response\.text\(\)/gi,
+    category: 'tool_poisoning',
+    baseSeverity: 'high',
+    description: 'MCP tool returns raw text content from external source.',
+    suggestedFix: 'Add content sanitization layer before returning external content.',
+  },
+  // Python httpx response text
+  {
+    name: 'Raw HTTP response in Python tool',
+    pattern: /return\s*\{[^}]*["']content["']\s*:\s*(?:await\s+)?response\.text/gi,
+    category: 'tool_poisoning',
+    baseSeverity: 'high',
+    description: 'Python MCP tool returns raw HTTP response content.',
+    suggestedFix: 'Sanitize external content before returning to the model.',
+  },
+  // Variable-based: HTTP response assigned then returned
+  {
+    name: 'HTTP response variable in MCP tool',
+    pattern: /(?:const|let|var)\s+\w+\s*=\s*(?:await\s+)?response\.text\(\)[^}]+return\s*\{[^}]*content/gis,
+    category: 'tool_poisoning',
+    baseSeverity: 'high',
+    description: 'HTTP response text stored in variable and returned. External content could be poisoned.',
+    suggestedFix: 'Sanitize the content before returning: const sanitized = sanitize(html)',
+  },
+  // Variable-based: File read assigned then returned
+  {
+    name: 'File read variable in MCP tool',
+    pattern: /(?:const|let|var)\s+\w+\s*=\s*(?:await\s+)?(?:fs\.readFile|readFile)[^}]+return\s*\{[^}]*content/gis,
+    category: 'tool_poisoning',
+    baseSeverity: 'high',
+    description: 'File content stored in variable and returned. File content could contain malicious instructions.',
+    suggestedFix: 'Validate and sanitize file content before returning.',
+  },
+  // Database query result in return (shorthand property)
+  {
+    name: 'Database query in MCP return',
+    pattern: /(?:const|let|var)\s+(?:results?|data|rows)\s*=\s*(?:await\s+)?(?:db|database|client)\.(?:query|find|search)[^}]+return\s*\{[^}]*(?:data|results?|rows)/gis,
+    category: 'tool_poisoning',
+    baseSeverity: 'medium',
+    description: 'Database query results returned in MCP tool. Stored content could be poisoned.',
+    suggestedFix: 'Validate and sanitize database content before returning.',
+  },
+  // Email body returned
+  {
+    name: 'Email body in MCP return',
+    pattern: /(?:email|message|mail)\s*=\s*(?:await)?[^}]+return\s*\{[^}]*body\s*:\s*(?:email|message|mail)\.body/gis,
+    category: 'tool_poisoning',
+    baseSeverity: 'high',
+    description: 'Email body content returned in MCP tool. Emails are common prompt injection vectors.',
+    suggestedFix: 'Sanitize email content. Strip HTML and instruction-like patterns.',
+  },
+  // Feed/RSS items returned
+  {
+    name: 'RSS/feed items in MCP return',
+    pattern: /(?:feed|rss)\s*=\s*(?:await)?[^}]+return\s*\{[^}]*items?\s*:\s*(?:feed|rss)\.items?/gis,
+    category: 'tool_poisoning',
+    baseSeverity: 'medium',
+    description: 'RSS/feed items returned in MCP tool. Feed content could be poisoned.',
+    suggestedFix: 'Sanitize feed content. Filter to safe fields only.',
+  },
+]
+
+/**
+ * Credential Issue Patterns
+ * Detect credentials in tool parameters or responses
+ */
+const CREDENTIAL_PATTERNS: MCPSecurityPattern[] = [
+  // API key in parameter
+  {
+    name: 'API key in tool parameter',
+    pattern: /server\.tool\s*\([^)]+,\s*async\s*\(\s*\{[^}]*(?:apiKey|api_key|token|secret|password|privateKey|private_key|accessToken|access_token|authToken|auth_token)/gi,
+    category: 'credential_issue',
+    baseSeverity: 'high',
+    description: 'Tool accepts credentials as parameter. Credentials should not flow through the model.',
+    suggestedFix: 'Use server-side credential storage. Remove credential parameter and use environment variables or secret manager.',
+  },
+  // Python decorator with credentials
+  {
+    name: 'Python tool with credential parameter',
+    pattern: /@server\.tool[^)]*\)\s*(?:async\s+)?def\s+\w+\s*\([^)]*(?:api_key|token|secret|password|private_key|access_token|auth_token)/gi,
+    category: 'credential_issue',
+    baseSeverity: 'high',
+    description: 'Python MCP tool accepts credentials as parameter.',
+    suggestedFix: 'Use server-side credential management. Do not pass secrets through tool parameters.',
+  },
+  // Returning credentials in response
+  {
+    name: 'Credentials in tool response',
+    pattern: /return\s*\{[^}]*(?:apiKey|api_key|token|password|secret|privateKey|private_key|accessToken|access_token|refreshToken|refresh_token|jwt)\s*:/gi,
+    category: 'credential_issue',
+    baseSeverity: 'critical',
+    description: 'Tool response includes credentials. Exposing secrets to the model is dangerous.',
+    suggestedFix: 'Never return credentials in tool responses. Return success status or user-safe identifiers only.',
+  },
+  // Connection string in parameter
+  {
+    name: 'Connection string in tool parameter',
+    pattern: /server\.tool\s*\([^)]+,\s*async\s*\(\s*\{[^}]*(?:connectionString|connection_string|dsn|dbUrl|db_url|databaseUrl|database_url)/gi,
+    category: 'credential_issue',
+    baseSeverity: 'high',
+    description: 'Database connection string passed as tool parameter. Connection strings contain credentials.',
+    suggestedFix: 'Use server-side database configuration. Do not accept connection strings as parameters.',
+  },
+  // Environment secrets in response
+  {
+    name: 'Environment secrets in response',
+    pattern: /return\s*\{[^}]*:\s*process\.env\.(?:.*(?:KEY|SECRET|TOKEN|PASSWORD|CREDENTIAL))/gi,
+    category: 'credential_issue',
+    baseSeverity: 'critical',
+    description: 'Environment secrets returned in tool response.',
+    suggestedFix: 'Never return environment secrets. Use them server-side only.',
+  },
+]
+
+/**
+ * Confused Deputy Patterns
+ * Detect operations without proper user context
+ */
+const CONFUSED_DEPUTY_PATTERNS: MCPSecurityPattern[] = [
+  // Data operation without user context
+  {
+    name: 'Data deletion without user context',
+    pattern: /server\.tool\s*\([^)]+,\s*async\s*\(\s*\{[^}]*(?:Id|id)\s*\}[^)]*\)\s*(?:=>|:)[^{]*\{[^}]*(?:\.delete|\.remove|\.destroy)\s*\(/gi,
+    category: 'confused_deputy',
+    baseSeverity: 'high',
+    description: 'Tool deletes data using only an ID parameter without user context verification.',
+    suggestedFix: 'Add user context parameter and verify ownership: if (record.ownerId !== context.user.id) throw new Error("Unauthorized")',
+  },
+  // Update operation without auth check
+  {
+    name: 'Data update without authorization',
+    pattern: /server\.tool\s*\([^)]+,\s*async\s*\(\s*\{[^}]*(?:Id|id)[^}]*data[^}]*\}[^)]*\)[^{]*\{[^}]*(?:\.update|\.set|\.save)\s*\(/gi,
+    category: 'confused_deputy',
+    baseSeverity: 'high',
+    description: 'Tool updates data without verifying the user owns the record.',
+    suggestedFix: 'Validate user ownership before update. Add authorization check.',
+  },
+  // Reading user-specific data without context
+  {
+    name: 'User data access without context',
+    pattern: /server\.tool\s*\([^)]+(?:user|file|record|document|message)[^)]+,\s*async\s*\(\s*\{[^}]*(?:Id|id)\s*\}/gi,
+    category: 'confused_deputy',
+    baseSeverity: 'medium',
+    description: 'Tool accesses user-specific data with only an ID. Missing user context verification.',
+    suggestedFix: 'Add user context and verify access permissions for the requested resource.',
+  },
+  // Admin/privileged operation without auth
+  {
+    name: 'Privileged operation without authorization',
+    pattern: /server\.tool\s*\([^)]+(?:admin|grant|revoke|elevate|promote)[^)]*,\s*async/gi,
+    category: 'confused_deputy',
+    baseSeverity: 'critical',
+    description: 'Privileged/admin tool without visible authorization check.',
+    suggestedFix: 'Add strict authorization check. Verify caller has admin privileges before executing.',
+  },
+  // Send email/message as user
+  {
+    name: 'Send message without identity verification',
+    pattern: /server\.tool\s*\([^)]+(?:send|email|message)[^)]+,\s*async\s*\(\s*\{[^}]*(?:from|sender)[^}]*\}/gi,
+    category: 'confused_deputy',
+    baseSeverity: 'high',
+    description: 'Tool sends messages with a \'from\' parameter. Should use authenticated user identity.',
+    suggestedFix: 'Use context.user for sender identity. Do not allow arbitrary \'from\' values.',
+  },
+  // Cross-tenant data access
+  {
+    name: 'Organization/tenant data without scope',
+    pattern: /server\.tool\s*\([^)]+(?:org|organization|tenant|workspace)[^)]+,\s*async\s*\(\s*\{[^}]*(?:Id|id)\s*\}/gi,
+    category: 'confused_deputy',
+    baseSeverity: 'high',
+    description: 'Tool accesses organization data by ID without tenant context verification.',
+    suggestedFix: 'Verify tenant membership: if (org.id !== context.user.tenantId) throw new Error("Unauthorized")',
+  },
+  // Python tool without context
+  {
+    name: 'Python tool data operation without user',
+    pattern: /@server\.tool[^)]*\)\s*(?:async\s+)?def\s+(?:delete|update|remove|create)_\w+\s*\(\s*(?:\w+_)?id\s*:/gi,
+    category: 'confused_deputy',
+    baseSeverity: 'medium',
+    description: 'Python MCP tool performs data operation with only an ID parameter.',
+    suggestedFix: 'Add user context parameter and validate authorization.',
+  },
+]
+
+/**
+ * Tool Description Injection Patterns
+ * Detect prompt injection risks in MCP tool descriptions/metadata
+ */
+const DESCRIPTION_INJECTION_PATTERNS: MCPSecurityPattern[] = [
+  // Dynamic description from variable/input (JS template literals)
+  {
+    name: 'Dynamic tool description from variable',
+    pattern: /description\s*:\s*[`'"].*\$\{.*(?:user|req|input|param|config).*\}.*[`'"]/gi,
+    category: 'description_injection',
+    baseSeverity: 'high',
+    description: 'Tool description constructed from user input or external variables. Malicious content could manipulate AI behavior.',
+    suggestedFix: 'Use static descriptions only. Never include user input in tool descriptions.',
+  },
+  // Description concatenated with user input
+  {
+    name: 'Tool description with user input concatenation',
+    pattern: /description\s*:\s*(?:["'][^"']*["']\s*\+\s*)?(?:user|req|input|param|options)\./gi,
+    category: 'description_injection',
+    baseSeverity: 'high',
+    description: 'Tool description concatenated with user-controlled values. Could inject prompt manipulation instructions.',
+    suggestedFix: 'Use static descriptions. If dynamic content is needed, sanitize and validate strictly.',
+  },
+  // Injection keywords in tool descriptions
+  {
+    name: 'Injection keywords in tool description',
+    pattern: /description\s*:\s*["'`][^"'`]*(?:ignore\s*(?:previous|above|all)|bypass|override|system\s*prompt|disregard|forget)[^"'`]*["'`]/gi,
+    category: 'description_injection',
+    baseSeverity: 'critical',
+    description: 'Tool description contains prompt injection keywords. This could manipulate AI behavior.',
+    suggestedFix: 'Remove manipulation keywords from description. Use neutral, factual descriptions.',
+  },
+  // Tool name from untrusted source
+  {
+    name: 'Dynamic tool name from config/options',
+    pattern: /(?:registerTool|server\.tool|addTool)\s*\(\s*(?:config|options|params|settings)\s*\[?\s*['".]?\s*(?:name|tool)/gi,
+    category: 'description_injection',
+    baseSeverity: 'high',
+    description: 'Tool name derived from configuration or options. Attackers could shadow legitimate tools.',
+    suggestedFix: 'Use hardcoded tool names. Validate against an allowlist if dynamic names are required.',
+  },
+  // Python dynamic description
+  {
+    name: 'Python tool with dynamic description',
+    pattern: /@server\.tool\s*\(\s*name\s*=\s*(?:f["']|["'].*\{)/gi,
+    category: 'description_injection',
+    baseSeverity: 'high',
+    description: 'Python MCP tool with f-string or formatted description. Could include injected content.',
+    suggestedFix: 'Use static string literals for tool names and descriptions.',
+  },
+  // Description from database/storage
+  {
+    name: 'Tool description from storage',
+    pattern: /description\s*:\s*(?:await\s+)?(?:db|database|storage|cache|redis)\.(?:get|read|fetch)/gi,
+    category: 'description_injection',
+    baseSeverity: 'medium',
+    description: 'Tool description loaded from storage. Stored content could be poisoned.',
+    suggestedFix: 'Use static descriptions. If dynamic descriptions are required, validate and sanitize thoroughly.',
+  },
+]
+
+/**
+ * Cross-Server Tool Shadowing Patterns
+ * Detect malicious MCP servers overriding legitimate tools
+ */
+const SERVER_SHADOWING_PATTERNS: MCPSecurityPattern[] = [
+  // Server config from environment/user input
+  {
+    name: 'MCP server config from environment',
+    pattern: /(?:MCP_SERVERS?|mcpServers?)\s*[=:]\s*(?:JSON\.parse\s*\(\s*)?process\.env/gi,
+    category: 'server_shadowing',
+    baseSeverity: 'medium',
+    description: 'MCP server configuration loaded from environment variables. Ensure proper validation.',
+    suggestedFix: 'Validate server URLs against an allowlist. Use explicit server configuration in code.',
+  },
+  // Server URLs from user input
+  {
+    name: 'MCP server URL from user input',
+    pattern: /(?:server(?:Url|URL|Uri)|endpoint)\s*:\s*(?:req\.|user\.|input\.|params\.|body\.)/gi,
+    category: 'server_shadowing',
+    baseSeverity: 'high',
+    description: 'MCP server URL derived from user input. Attackers could point to malicious servers.',
+    suggestedFix: 'Use hardcoded server URLs or validate against a strict allowlist.',
+  },
+  // Dynamic server registration from config
+  {
+    name: 'Dynamic MCP server registration',
+    pattern: /(?:for|forEach)\s*\([^)]*\)\s*(?:=>|\{)\s*[^}]*(?:register|connect|add)(?:Server|MCP)/gi,
+    category: 'server_shadowing',
+    baseSeverity: 'medium',
+    description: 'MCP servers registered dynamically from configuration. Tool shadowing risk.',
+    suggestedFix: 'Register servers explicitly. Implement tool name conflict detection.',
+  },
+  // Server list from JSON parse
+  {
+    name: 'MCP servers from parsed JSON',
+    pattern: /servers\s*=\s*JSON\.parse\s*\(\s*(?:req\.|user|input|localStorage|sessionStorage)/gi,
+    category: 'server_shadowing',
+    baseSeverity: 'high',
+    description: 'MCP server list parsed from user-controlled data. Could inject malicious servers.',
+    suggestedFix: 'Define servers in code. If dynamic loading is needed, validate against an allowlist.',
+  },
+  // Server config override
+  {
+    name: 'MCP server config override pattern',
+    pattern: /Object\.assign\s*\([^)]*(?:server|mcp)Config[^)]*,\s*(?:req\.|user\.|options\.)/gi,
+    category: 'server_shadowing',
+    baseSeverity: 'medium',
+    description: 'MCP server configuration being overridden with user-provided values.',
+    suggestedFix: 'Validate and sanitize configuration overrides. Use allowlist for permitted settings.',
+  },
+]
+
+// ============================================================================
+// Main Detection Function
+// ============================================================================
+
+/**
+ * Map internal category to vulnerability category
+ */
+function mapCategory(internal: MCPSecurityPattern['category']): VulnerabilityCategory {
+  switch (internal) {
+    case 'tool_poisoning':
+      return 'ai_mcp_tool_poisoning'
+    case 'credential_issue':
+      return 'ai_mcp_credential_issue'
+    case 'confused_deputy':
+      return 'ai_mcp_confused_deputy'
+    case 'description_injection':
+      return 'ai_mcp_description_injection'
+    case 'server_shadowing':
+      return 'ai_mcp_server_shadowing'
+  }
+}
+
+/**
+ * Main detection function for MCP security issues
+ */
+export function detectMCPSecurity(
+  content: string,
+  filePath: string
+): Vulnerability[] {
+  const vulnerabilities: Vulnerability[] = []
+
+  // Skip non-applicable files
+  if (isScannerOrFixtureFile(filePath)) return vulnerabilities
+  if (isDocumentationFile(filePath)) return vulnerabilities
+
+  // Only scan MCP-related files
+  if (!isMCPFile(content, filePath)) {
+    return vulnerabilities
+  }
+
+  const lines = content.split('\n')
+  const isTestFile = isTestOrMockFile(filePath)
+  const isExample = isExampleDirectory(filePath)
+  const isLibrary = isLibraryCode(filePath)
+
+  // Process all pattern categories
+  const allPatterns: MCPSecurityPattern[] = [
+    ...TOOL_POISONING_PATTERNS,
+    ...CREDENTIAL_PATTERNS,
+    ...CONFUSED_DEPUTY_PATTERNS,
+    ...DESCRIPTION_INJECTION_PATTERNS,
+    ...SERVER_SHADOWING_PATTERNS,
+  ]
+
+  // Track findings to avoid duplicates
+  const seenFindings = new Set<string>()
+
+  for (const pattern of allPatterns) {
+    const regex = new RegExp(pattern.pattern.source, pattern.pattern.flags)
+    let match
+
+    while ((match = regex.exec(content)) !== null) {
+      const lineNumber = content.substring(0, match.index).split('\n').length
+      const lineContent = lines[lineNumber - 1]?.trim() || ''
+
+      // Skip comments
+      if (isComment(lineContent)) continue
+
+      // Create dedup key
+      const dedupKey = `${filePath}:${lineNumber}:${pattern.category}`
+      if (seenFindings.has(dedupKey)) continue
+      seenFindings.add(dedupKey)
+
+      // Get surrounding context for analysis
+      const context = getSurroundingContext(content, lineNumber - 1, 30)
+
+      // Calculate severity based on context
+      let severity = pattern.baseSeverity
+      let description = pattern.description
+      const notes: string[] = []
+
+      // Apply context-aware severity adjustments
+      if (pattern.category === 'tool_poisoning') {
+        // Check for content sanitization
+        if (hasContentSanitization(context)) {
+          severity = 'info'
+          notes.push('Content sanitization detected')
+        }
+        // Check for safe data source
+        else if (isSafeDataSource(context)) {
+          severity = 'info'
+          notes.push('Safe/static data source detected')
+        }
+        // Check for user context (their own data)
+        else if (hasUserContext(context)) {
+          // Has user context - might be returning user's own data
+          if (severity === 'high') severity = 'medium'
+          notes.push('User context present - may be returning user\'s own data')
+        }
+      }
+
+      if (pattern.category === 'confused_deputy') {
+        // Check for user context
+        if (hasUserContext(context)) {
+          // User context present - check for auth
+          if (hasAuthorizationCheck(context)) {
+            severity = 'info'
+            notes.push('Authorization check detected')
+          } else {
+            // Has user but no auth check - lower severity
+            if (severity === 'high') severity = 'medium'
+            if (severity === 'critical') severity = 'high'
+            notes.push('User context present but no authorization check')
+          }
+        }
+      }
+
+      // Credential issues are always serious, but check context
+      if (pattern.category === 'credential_issue') {
+        // Check if it's returning the credential
+        if (pattern.name.includes('response') || pattern.name.includes('return')) {
+          // Returning credentials is always critical/high
+        } else if (hasUserContext(context)) {
+          // Parameter with user context - still bad but slightly less severe
+          if (severity === 'high') severity = 'medium'
+          notes.push('User context present but credentials still in parameters')
+        }
+      }
+
+      // Description injection - check for input sanitization
+      if (pattern.category === 'description_injection') {
+        // Check for sanitization or validation before description
+        if (/sanitize|validate|escape|filter|strip/i.test(context)) {
+          severity = 'low'
+          notes.push('Input sanitization detected nearby')
+        }
+        // Check for static/constant descriptions
+        if (/const\s+\w+\s*=\s*["'`][^"'`]+["'`]\s*;?\s*$/m.test(context)) {
+          // Likely a constant being used
+          severity = 'info'
+          notes.push('May be using constant description')
+        }
+      }
+
+      // Server shadowing - check for allowlist validation
+      if (pattern.category === 'server_shadowing') {
+        // Check for allowlist/whitelist validation
+        if (/allowlist|whitelist|ALLOWED_SERVERS|validServers|trustedServers/i.test(context)) {
+          severity = 'info'
+          notes.push('Server allowlist detected')
+        }
+        // Check for URL validation
+        if (/validate.*url|url.*validate|isValidUrl|checkUrl/i.test(context)) {
+          severity = 'low'
+          notes.push('URL validation detected')
+        }
+      }
+
+      // Downgrade test files
+      if (isTestFile) {
+        severity = 'info'
+        notes.push('in test file')
+      }
+
+      // Downgrade example/demo directories
+      if (isExample && severity !== 'info') {
+        severity = 'info'
+        notes.push('in example/demo directory')
+      }
+
+      // Downgrade library code
+      if (isLibrary && severity !== 'info') {
+        severity = 'info'
+        notes.push('library code')
+      }
+
+      // Build final description
+      if (notes.length > 0) {
+        description += ` (${notes.join('; ')})`
+      }
+
+      vulnerabilities.push({
+        id: `ai-mcp-${filePath}-${lineNumber}-${pattern.name.replace(/\s+/g, '-')}`,
+        filePath,
+        lineNumber,
+        lineContent,
+        severity,
+        category: mapCategory(pattern.category),
+        title: pattern.name,
+        description,
+        suggestedFix: pattern.suggestedFix,
+        confidence: severity === 'info' ? 'low' : 'medium',
+        layer: 2,
+        requiresAIValidation: severity !== 'info' && severity !== 'low',
+      })
+    }
+  }
+
+  return vulnerabilities
+}