agent-threat-rules 3.3.0 → 3.4.0

package/rules/context-exfiltration/ATR-2026-00578-zen-mcp-path-traversal-blacklist-bypass.yaml

@@ -0,0 +1,201 @@
+title: Zen MCP Server path-traversal blacklist bypass via non-canonical paths (CVE-2025-66689)
+id: ATR-2026-00578
+rule_version: 1
+status: experimental
+description: >
+  CVE-2025-66689 (CWE-22). The Zen MCP server's is_dangerous_path() blocks
+  sensitive files with an exact-string blacklist but never canonicalizes the
+  path before comparison, so a path that still resolves to a protected target
+  slips through when it is wrapped in normalization tricks: a blacklisted
+  prefix followed by ../ (/etc/shadow/../../../home/user/.ssh/id_rsa), a
+  same-directory bounce (/home/user/.ssh/../.ssh/id_rsa), a /./ no-op
+  (/etc/./shadow), or redundant slashes (/etc//shadow). The discriminator from
+  the existing deep-../-chain rule (ATR-2026-00569) and the clean-credential-path
+  rule (ATR-2026-00113) is that the SENSITIVE target token sits immediately
+  adjacent to a normalization/traversal artefact — neither a clean credential
+  path nor a bare ../ chain alone matches here.
+author: "ATR Community (vulnerablemcp sync)"
+date: 2026/06/12
+schema_version: '0.1'
+detection_tier: pattern
+maturity: experimental
+severity: high
+references:
+  owasp_llm:
+  - "LLM07:2025 - System Prompt Leakage"
+  - "LLM02:2025 - Sensitive Information Disclosure"
+  owasp_agentic:
+  - "ASI05:2026 - Unexpected Code Execution"
+  - "ASI06:2026 - Memory and Context Poisoning"
+  mitre_atlas:
+  - "AML.T0057 - LLM Data Leakage"
+  - "AML.T0056 - LLM Meta Prompt Extraction"
+  cve:
+  - CVE-2025-66689
+  cwe:
+  - CWE-22
+  vulnerablemcp_id:
+  - cve-2025-66689-zen-mcp-path-traversal
+  external:
+  - https://www.sentinelone.com/vulnerability-database/cve-2025-66689/
+metadata_provenance:
+  cve: vulnerablemcp-sync
+  cwe: vulnerablemcp-sync
+  vulnerablemcp: vulnerablemcp-sync
+compliance:
+  owasp_agentic:
+    - id: ASI06:2026
+      context: "OWASP Agentic ASI06:2026 is exercised by path-traversal blacklist bypass in Zen MCP Server that reads files outside the sandbox via non-canonical paths (CVE-2025-66689); this rule provides runtime detection of that technique."
+      strength: primary
+    - id: ASI05:2026
+      context: "OWASP Agentic ASI05:2026 is exercised by path-traversal blacklist bypass in Zen MCP Server that reads files outside the sandbox via non-canonical paths (CVE-2025-66689); this rule provides runtime detection of that technique."
+      strength: secondary
+  owasp_llm:
+    - id: LLM02:2025
+      context: "OWASP LLM LLM02:2025 is exercised by path-traversal blacklist bypass in Zen MCP Server that reads files outside the sandbox via non-canonical paths (CVE-2025-66689); this rule is a detection implementation for that category."
+      strength: primary
+    - id: LLM07:2025
+      context: "OWASP LLM LLM07:2025 is exercised by path-traversal blacklist bypass in Zen MCP Server that reads files outside the sandbox via non-canonical paths (CVE-2025-66689); this rule is a detection implementation for that category."
+      strength: secondary
+  eu_ai_act:
+    - article: "15"
+      context: "EU AI Act Article 15 (accuracy, robustness and cybersecurity) requires controls against path-traversal blacklist bypass in Zen MCP Server that reads files outside the sandbox via non-canonical paths (CVE-2025-66689); this rule provides runtime detection evidence for that obligation."
+      strength: primary
+    - article: "10"
+      context: "EU AI Act Article 10 (data and data governance) requires controls against path-traversal blacklist bypass in Zen MCP Server that reads files outside the sandbox via non-canonical paths (CVE-2025-66689); this rule provides runtime detection evidence for that obligation."
+      strength: secondary
+  nist_ai_rmf:
+    - function: Measure
+      subcategory: MS.2.10
+      context: "NIST AI RMF MS.2.10 (privacy risk examined and documented) is supported by this rule's detection of path-traversal blacklist bypass in Zen MCP Server that reads files outside the sandbox via non-canonical paths (CVE-2025-66689)."
+      strength: primary
+    - function: Measure
+      subcategory: MS.2.7
+      context: "NIST AI RMF MS.2.7 (security and resilience evaluated and documented) is supported by this rule's detection of path-traversal blacklist bypass in Zen MCP Server that reads files outside the sandbox via non-canonical paths (CVE-2025-66689)."
+      strength: secondary
+  iso_42001:
+    - clause: "8.4"
+      context: "ISO/IEC 42001 Clause 8.4 (AI system impact assessment) is operationalised by this rule's detection of path-traversal blacklist bypass in Zen MCP Server that reads files outside the sandbox via non-canonical paths (CVE-2025-66689)."
+      strength: primary
+    - clause: "9.1"
+      context: "ISO/IEC 42001 Clause 9.1 (monitoring, measurement, analysis and evaluation) is operationalised by this rule's detection of path-traversal blacklist bypass in Zen MCP Server that reads files outside the sandbox via non-canonical paths (CVE-2025-66689)."
+      strength: secondary
+
+tags:
+  category: context-exfiltration
+  subcategory: path-normalization-bypass
+  scan_target: runtime
+  confidence: high
+agent_source:
+  type: mcp_exchange
+  framework:
+  - any
+  provider:
+  - any
+detection:
+  condition: any
+  false_positives:
+  - Documentation or tutorials that mention ../ relative imports without a sensitive credential/system target adjacent to it
+  - Legitimate absolute file paths to project source under /home/<user>/project that contain no /../ , /./ , or redundant-slash artefact
+  - Security write-ups quoting the CVE that describe canonicalization in prose rather than presenting an inline non-canonical path to a sensitive file
+  conditions:
+  - field: content
+    operator: regex
+    value: (?i)[\\/](?:etc[\\/](?:shadow|passwd|sudoers)|\.ssh|\.aws|\.config[\\/]gcloud|root)[\\/]\.{1,2}[\\/]{1,2}[^\s"'<>]{0,80}(?:id_(?:rsa|ed25519|ecdsa)|\.ssh|shadow|passwd|credentials|authorized_keys|\.pem|\.key)
+    description: Blacklisted sensitive prefix immediately followed by a ./ or ../ normalization hop that re-targets another sensitive file (Zen-MCP prefix-then-traversal bypass)
+  - field: content
+    operator: regex
+    value: (?i)[\\/]etc[\\/]\.{1,2}[\\/]{1,2}(?:etc[\\/]){0,1}(?:shadow|passwd|sudoers)\b
+    description: /etc/./shadow or /etc/../etc/shadow style same-dir or bounce normalization reaching an exact-blacklist target
+  - field: content
+    operator: regex
+    value: (?i)[\\/]\.ssh[\\/]\.\.[\\/]\.ssh[\\/](?:id_(?:rsa|ed25519|ecdsa)|authorized_keys|known_hosts)\b
+    description: .ssh/../.ssh/ same-directory bounce that re-resolves to an SSH private key while evading an exact ~/.ssh/id_rsa blacklist entry
+  - field: content
+    operator: regex
+    value: (?i)/etc/{2,}(?:shadow|passwd|sudoers)\b|/\.ssh/{2,}id_(?:rsa|ed25519|ecdsa)\b
+    description: Redundant FORWARD-slash variant (/etc//shadow , /.ssh//id_rsa) that defeats an exact-string blacklist while resolving to the protected file. Forward-slash only — backslash forms like \etc\\passwd are almost always doc/Windows-escaping in tutorials, not a unix redundant-slash bypass, and caused a wild FP.
+response:
+  actions:
+  - alert
+  - block_tool
+  message_template: >
+    [ATR-2026-00578] Non-canonical path to a sensitive file detected
+    (CVE-2025-66689, Zen MCP is_dangerous_path blacklist bypass). The path mixes
+    a sensitive target (SSH key, /etc/shadow, credentials) with a normalization
+    or traversal artefact (../ , /./ , redundant slash, blacklisted-prefix-then-..)
+    that evades exact-string blacklists while still resolving to the protected
+    file. Remediation: upgrade Zen MCP server to v9.8.2 or later; canonicalize
+    paths (resolve symlinks, normalize . and ..) BEFORE any security check; prefer
+    an allowlist of permitted directories over a sensitive-path blacklist.
+  notify:
+  - security_team
+confidence: 85
+wild_fp_rate: 0
+test_cases:
+  true_positives:
+  - input: '{"path": "/etc/shadow/../../../home/user/.ssh/id_rsa"}'
+    expected: triggered
+    description: Blacklisted /etc/shadow prefix then ../ chain re-targeting an SSH private key (CVE-2025-66689 PoC)
+  - input: read_file("/home/user/.ssh/../.ssh/id_rsa")
+    expected: triggered
+    description: .ssh/../.ssh/ same-directory bounce evading exact ~/.ssh/id_rsa blacklist
+  - input: 'requested file: /etc/./shadow'
+    expected: triggered
+    description: /etc/./shadow no-op normalization reaching exact blacklist target
+  - input: open("/etc//shadow")
+    expected: triggered
+    description: Redundant-slash variant defeating exact-string match on /etc/shadow
+  - input: '{"file": "/root/.ssh/../.ssh/id_ed25519"}'
+    expected: triggered
+    description: root .ssh bounce to ed25519 private key
+  - input: path=/etc/../etc/passwd
+    expected: triggered
+    description: /etc/../etc/passwd bounce normalization to /etc/passwd
+  - input: load("/home/user/.aws/../.ssh/id_rsa")
+    expected: triggered
+    description: Blacklisted .aws prefix then ../ hop re-targeting an SSH key
+  true_negatives:
+  - input: path = "/home/user/project/main.py"
+    expected: not_triggered
+    description: Legit absolute project source path, no normalization artefact or sensitive target
+  - input: import "../../shared/utils"
+    expected: not_triggered
+    description: Normal relative import path, no sensitive credential/system target
+  - input: To go up a directory in the tutorial, use ../ before the folder name.
+    expected: not_triggered
+    description: Documentation sentence mentioning ../ with no sensitive target adjacent
+  - input: CVE-2025-66689 is fixed by canonicalizing paths before the blacklist check in is_dangerous_path().
+    expected: not_triggered
+    description: CVE patch-discussion prose, describes the fix without an inline non-canonical sensitive path
+  - input: We studied path-traversal bypasses where attackers reach SSH keys via redundant slashes and dot segments.
+    expected: not_triggered
+    description: Research abstract describing the technique in prose, no literal payload
+  - input: ssh-keygen -lf ~/.ssh/id_rsa
+    expected: not_triggered
+    description: Clean ~/.ssh/id_rsa path with no traversal/normalization artefact (owned by ATR-2026-00113)
+  - input: relpath = "../../../build/output/lib.so"
+    expected: not_triggered
+    description: Deep ../ chain to a build artefact, not a sensitive target (no overlap with ATR-2026-00569 either)
+  - input: cp /etc/passwd.bak /home/user/backup/passwd.copy
+    expected: not_triggered
+    description: Backup copy of passwd-like files via clean absolute paths, no normalization artefact
+  - input: 'In this lab, requesting \etc\\passwd demonstrates the path-traversal example.'
+    expected: not_triggered
+    description: Security-education skill quoting a backslash-escaped \etc\passwd example (wild FP from skills-sh/sickn33 file-path-traversal.md) — backslash form is doc-escaping, not a unix redundant-slash bypass
+_llm_authored:
+  model: claude (gstack subagent)
+  generalization_note: >
+    Generalizes the Zen-MCP is_dangerous_path() exact-blacklist bypass beyond the
+    two literal PoCs (/home/user/.ssh/../.ssh/id_rsa and /etc/./shadow) by keying
+    on the structural invariant of the bug class: a SENSITIVE target token
+    (id_rsa/ed25519/ecdsa, /etc/shadow|passwd|sudoers, credentials, authorized_keys,
+    .pem/.key) appearing ADJACENT to a path-normalization artefact (blacklisted
+    prefix then ../ , same-dir .ssh/../.ssh/ bounce, /./ no-op, /etc/../etc bounce,
+    or redundant slashes). This is deliberately disjoint from ATR-2026-00569
+    (requires 2+ consecutive ../ hops to a system target — a clean deep chain, no
+    prefix/bounce/normalization adjacency) and from ATR-2026-00113 (clean
+    credential paths with no traversal), so a bare ../ chain or a clean
+    ~/.ssh/id_rsa does not trigger this rule. Bounded {0,80}/{1,2} spans keep the
+    regex linear and avoid catastrophic backtracking.
+  note: Generation-time authoring; verified by deterministic gate. Runtime detection is pure regex. Human review required before merge.

package/rules/context-exfiltration/ATR-2026-00580-mcp-session-id-token-in-url-query.yaml

@@ -0,0 +1,220 @@
+title: MCP session ID / auth token placed in URL query string (session leak via logs, referrer, history)
+id: ATR-2026-00580
+rule_version: 1
+status: experimental
+description: >
+  Vulnerable MCP Project entry "session-ids-exposed-in-urls" (reported by
+  Equixly). An MCP server, gateway, or client construction embeds a session
+  identifier or auth credential in the URL QUERY STRING rather than in a
+  request header or POST body — e.g. GET /messages/?sessionId=<uuid>,
+  https://mcp.example.com/sse?session_id=<value>, or a config "url" field with
+  ?access_token=/?api_key=. URLs are routinely logged by web servers, proxies,
+  CDNs, and browser history, and are leaked in HTTP Referer headers on outbound
+  navigation, so a credential in the query string is an exposed credential —
+  enabling session hijack and context exfiltration. The discriminator from the
+  generic secret-assignment rule (ATR-2026-00021, which matches any
+  api_key=/access_token= at-rest assignment) and from the markdown-image-exfil
+  rules (00261/00405/00501, which key on ![](url?param=) image/link syntax) is
+  that THIS rule requires a session/auth credential keyword to sit in the QUERY
+  STRING of an http(s)/ws(s) URL or an MCP-shaped relative endpoint
+  (/messages, /sse, /mcp, or a config url= field) with a realistic (12+ char)
+  credential value — not a credential assigned to an env var, not a path
+  segment like /api-keys, and not a doc placeholder like ?session_token=5e9...
+author: "ATR Community (vulnerablemcp sync)"
+date: 2026/06/12
+schema_version: '0.1'
+detection_tier: pattern
+maturity: experimental
+severity: high
+references:
+  owasp_llm:
+  - "LLM07:2025 - System Prompt Leakage"
+  - "LLM02:2025 - Sensitive Information Disclosure"
+  owasp_agentic:
+  - "ASI05:2026 - Unexpected Code Execution"
+  - "ASI06:2026 - Memory and Context Poisoning"
+  mitre_atlas:
+  - "AML.T0057 - LLM Data Leakage"
+  - "AML.T0056 - LLM Meta Prompt Extraction"
+  vulnerablemcp_id:
+  - session-ids-exposed-in-urls
+  external:
+  - https://equixly.com/blog/2025/03/29/mcp-server-new-security-nightmare/
+metadata_provenance:
+  vulnerablemcp: vulnerablemcp-sync
+compliance:
+  owasp_agentic:
+    - id: ASI06:2026
+      context: "OWASP Agentic ASI06:2026 is exercised by leakage of MCP session IDs and auth tokens placed in URL query strings (exposed via logs, referrer headers, and history); this rule provides runtime detection of that technique."
+      strength: primary
+    - id: ASI05:2026
+      context: "OWASP Agentic ASI05:2026 is exercised by leakage of MCP session IDs and auth tokens placed in URL query strings (exposed via logs, referrer headers, and history); this rule provides runtime detection of that technique."
+      strength: secondary
+  owasp_llm:
+    - id: LLM02:2025
+      context: "OWASP LLM LLM02:2025 is exercised by leakage of MCP session IDs and auth tokens placed in URL query strings (exposed via logs, referrer headers, and history); this rule is a detection implementation for that category."
+      strength: primary
+    - id: LLM07:2025
+      context: "OWASP LLM LLM07:2025 is exercised by leakage of MCP session IDs and auth tokens placed in URL query strings (exposed via logs, referrer headers, and history); this rule is a detection implementation for that category."
+      strength: secondary
+  eu_ai_act:
+    - article: "15"
+      context: "EU AI Act Article 15 (accuracy, robustness and cybersecurity) requires controls against leakage of MCP session IDs and auth tokens placed in URL query strings (exposed via logs, referrer headers, and history); this rule provides runtime detection evidence for that obligation."
+      strength: primary
+    - article: "10"
+      context: "EU AI Act Article 10 (data and data governance) requires controls against leakage of MCP session IDs and auth tokens placed in URL query strings (exposed via logs, referrer headers, and history); this rule provides runtime detection evidence for that obligation."
+      strength: secondary
+  nist_ai_rmf:
+    - function: Measure
+      subcategory: MS.2.10
+      context: "NIST AI RMF MS.2.10 (privacy risk examined and documented) is supported by this rule's detection of leakage of MCP session IDs and auth tokens placed in URL query strings (exposed via logs, referrer headers, and history)."
+      strength: primary
+    - function: Measure
+      subcategory: MS.2.7
+      context: "NIST AI RMF MS.2.7 (security and resilience evaluated and documented) is supported by this rule's detection of leakage of MCP session IDs and auth tokens placed in URL query strings (exposed via logs, referrer headers, and history)."
+      strength: secondary
+  iso_42001:
+    - clause: "8.4"
+      context: "ISO/IEC 42001 Clause 8.4 (AI system impact assessment) is operationalised by this rule's detection of leakage of MCP session IDs and auth tokens placed in URL query strings (exposed via logs, referrer headers, and history)."
+      strength: primary
+    - clause: "9.1"
+      context: "ISO/IEC 42001 Clause 9.1 (monitoring, measurement, analysis and evaluation) is operationalised by this rule's detection of leakage of MCP session IDs and auth tokens placed in URL query strings (exposed via logs, referrer headers, and history)."
+      strength: secondary
+
+tags:
+  category: context-exfiltration
+  subcategory: session-credential-in-url-query
+  scan_target: runtime
+  confidence: high
+agent_source:
+  type: mcp_exchange
+  framework:
+  - any
+  provider:
+  - any
+detection:
+  condition: any
+  false_positives:
+  - URLs with non-credential query parameters only (?page=2, ?q=search, ?city=NYC) — no session/auth credential keyword in the query string
+  - Credential keyword as a documentation path segment (/api-keys, /access-tokens/, /settings/auth-tokens/) with no =value query parameter
+  - 'Environment-variable or config assignment of a credential that is NOT inside a URL query (export API_KEY=..., SESSION_ID=... env, "Authorization: Bearer ..." header examples)'
+  - Documentation placeholders with a redacted/short value (?session_token=5e9..., ?apiKey=KEY) — the 12+ char realistic-value bound excludes these
+  - Uppercase or single-word placeholder token values (?access_token=ACCESS_TOKEN, ?apiKey=YOUR_API_KEY, ?sessionId=attacker_session, ?token=your_token_here) — the require-a-digit value shape excludes these, so API docs and security-teaching examples that show the pattern with a placeholder value do not match
+  - Prose that mentions "session id in a URL" as a best-practice warning without an inline credential-bearing URL
+  conditions:
+  - field: content
+    operator: regex
+    value: (?i)(?:https?|wss?):\/\/[A-Za-z0-9.@:\/_~%+-]{1,120}\?[A-Za-z0-9._~%+\/=&-]{0,80}?\b(?:session[_-]?id|sessionid|session[_-]?token|auth[_-]?token|access[_-]?token|api[_-]?key)=(?=[A-Za-z0-9._~+\/-]*[0-9])[A-Za-z0-9._~+\/-]{12,}
+    description: A session/auth credential keyword carrying a realistic high-entropy (12+ char, contains a digit) value inside the query string of an http(s)/ws(s) URL (session leak via logs/referrer/history). The digit requirement excludes uppercase/word placeholders (ACCESS_TOKEN, YOUR_API_KEY, attacker_session) that survive the engine's case-insensitive matching.
+  - field: content
+    operator: regex
+    value: (?i)\b(?:GET|POST|url["']?\s*[:=]\s*["']?)\s*\/[A-Za-z0-9._~%+\/-]{0,60}\?[A-Za-z0-9._~%+\/=&-]{0,60}?\b(?:session[_-]?id|sessionid|session[_-]?token|auth[_-]?token|access[_-]?token|api[_-]?key)=(?=[A-Za-z0-9._~+\/-]*[0-9])[A-Za-z0-9._~+\/-]{12,}
+    description: An MCP/SSE-shaped relative endpoint (request line or config url field, e.g. GET /messages/?sessionId=..., url=/sse?session_id=...) carrying a realistic high-entropy credential (12+ char, contains a digit) in the query string
+response:
+  actions:
+  - alert
+  - block_tool
+  message_template: >
+    [ATR-2026-00580] A session ID or auth credential is being placed in a URL
+    query string (Vulnerable MCP "session-ids-exposed-in-urls", reported by
+    Equixly). URLs are logged by servers, proxies, CDNs and browser history and
+    leak via HTTP Referer headers, so a credential in the query string is an
+    exposed credential — enabling MCP session hijack and context exfiltration.
+    Remediation: never put session IDs or tokens in the URL. Send them in an
+    HTTP header (Authorization: Bearer ...) or a POST request body; use
+    short-lived, rotating session tokens; serve everything over HTTPS; and
+    scrub session identifiers from proxy/server access logs.
+  notify:
+  - security_team
+confidence: 82
+wild_fp_rate: 0
+test_cases:
+  true_positives:
+  - input: https://mcp.example.com/sse?session_id=abc123def456ghi789
+    expected: triggered
+    description: MCP SSE endpoint URL with a session_id credential in the query string
+  - input: 'GET /messages/?sessionId=550e8400-e29b-41d4-a716-446655440000'
+    expected: triggered
+    description: Canonical MCP SSE transport request line placing the session UUID in the URL query (Equixly PoC form)
+  - input: 'endpoint: https://mcp.acme.io/connect?access_token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9'
+    expected: triggered
+    description: MCP connect URL carrying a JWT access_token in the query string
+  - input: '{"url": "https://gateway.tool.dev/mcp?api_key=sk-live-9f8e7d6c5b4a3210"}'
+    expected: triggered
+    description: MCP client config with the server api_key embedded in the URL query
+  - input: wss://realtime.example.org/stream?auth_token=A1b2C3d4E5f6G7h8I9j0
+    expected: triggered
+    description: WebSocket MCP transport with an auth_token in the query string (logged by proxies/CDNs)
+  - input: 'url=/sse?session_id=abc123def456ghi789jkl'
+    expected: triggered
+    description: Relative config url field placing a session_id in the SSE endpoint query string
+  - input: 'POST /mcp/stream?access_token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9'
+    expected: triggered
+    description: MCP stream request line with an access_token in the query string
+  true_negatives:
+  - input: https://api.example.com/search?q=hello&page=2
+    expected: not_triggered
+    description: Ordinary URL with only non-credential query params (q, page)
+  - input: Use the Authorization Bearer header instead of putting the token in the URL.
+    expected: not_triggered
+    description: Remediation prose recommending header-based auth — no credential-bearing URL
+  - input: SESSION_ID=local1234567890 set as an environment variable for the test runner
+    expected: not_triggered
+    description: Credential assigned to an env var, not inside a URL query string
+  - input: wss://connect.browser-use.com?apiKey=KEY&proxyCountryCode=us
+    expected: not_triggered
+    description: Documented WebSocket URL whose apiKey value is the literal placeholder KEY (under the 12-char realistic-value bound)
+  - input: https://connect.maton.ai/?session_token=5e9...
+    expected: not_triggered
+    description: Benign API doc with a redacted/truncated session_token placeholder (5e9... is under the 12-char realistic-value bound)
+  - input: The session id should never be exposed in a URL query string per best practice.
+    expected: not_triggered
+    description: Best-practice warning prose mentioning the concept with no inline credential-bearing URL
+  - input: https://accounts.google.com/o/oauth2/v2/auth?response_type=code&client_id=123&redirect_uri=https://app.example.com/callback
+    expected: not_triggered
+    description: Standard OAuth authorization-code redirect (response_type=code, no session/auth-token credential keyword in the query)
+  - input: 'GET /v1/users?page=2&limit=50'
+    expected: not_triggered
+    description: Normal REST request line with pagination params, no credential in the query
+  - input: 'documentation link: https://sentry.io/settings/auth-tokens/'
+    expected: not_triggered
+    description: Credential keyword appears only as a path segment (/auth-tokens/), not a =value query parameter
+  - input: https://api.weixin.qq.com/cgi-bin/draft/add?access_token=ACCESS_TOKEN
+    expected: not_triggered
+    description: WeChat API documentation URL whose access_token value is the uppercase placeholder ACCESS_TOKEN — no digit, so the require-a-digit value shape excludes it (wild FP from real-skill scan)
+  - input: https://target.com/login?SESSIONID=attacker_session
+    expected: not_triggered
+    description: Security-education example (broken-authentication.md) showing the session-fixation vuln with a teaching placeholder value attacker_session — no digit, excluded by value shape (wild FP from real-skill scan)
+_llm_authored:
+  model: claude (gstack subagent)
+  generalization_note: >
+    Generalizes the Vulnerable MCP "session-ids-exposed-in-urls" advisory beyond
+    its single canonical example (GET /messages/?sessionId=UUID) by keying on the
+    structural invariant of the bug class: a session/auth credential keyword
+    (session_id, sessionid, session_token, auth_token, access_token, api_key)
+    appearing as a QUERY-STRING parameter (preceded by ? or & inside the query)
+    of either an absolute http(s)/ws(s) URL (condition 1) or an MCP/SSE-shaped
+    relative endpoint or config url field (condition 2), carrying a realistic
+    12+ character credential value that CONTAINS A DIGIT. Two precision
+    discriminators stack: (1) the 12+ char length bound excludes short
+    placeholders (?session_token=5e9..., ?apiKey=KEY); (2) the require-a-digit
+    value shape — a (?=[A-Za-z0-9._~+/-]*[0-9]) lookahead before the value —
+    excludes letters-only / uppercase placeholders. The digit requirement is
+    deliberately chosen instead of a case-sensitive lowercase check because the
+    ATR engine strips inline (?i) and applies the case-insensitive flag
+    globally, so a [a-z] check would still match uppercase; a digit is the
+    case-fold-stable signal. This drops the wild false positives found scanning
+    3115 real skills — a WeChat API doc (?access_token=ACCESS_TOKEN) and a
+    security-teaching example (?SESSIONID=attacker_session) — plus the
+    YOUR_API_KEY / your_token_here / REDACTED placeholder family, while still
+    catching real UUIDs (550e8400-...), JWTs (eyJ...digits...) and live keys
+    (sk-live-9f8e7d6c...), which all contain digits. Deliberately disjoint from
+    ATR-2026-00021 (generic at-rest credential ASSIGNMENT, no URL-query
+    requirement), from the markdown-image-exfil rules 00261/00405/00501 (which
+    require ![](...) image/link markdown syntax), and from ATR-2026-00114
+    (OAuth redirect_uri / forwarding-verb patterns). Path-segment credential
+    keywords (/api-keys, /access-tokens/) and env-var assignments do not match
+    because the credential must be a =value query parameter inside a URL.
+    Bounded {0,80}/{0,60}/{1,120} spans keep the regex linear (no unbounded
+    [^...]* or .*) and avoid catastrophic backtracking.
+  note: Generation-time authoring; verified by deterministic gate. Runtime detection is pure regex. Human review required before merge.

package/rules/context-exfiltration/ATR-2026-00583-mcp-env-secret-file-read-without-consent.yaml

@@ -0,0 +1,218 @@
+title: MCP/agent tool reads .env or secret file without user consent (OSV-MCPS-2025-EB70F912)
+id: ATR-2026-00583
+rule_version: 1
+status: experimental
+description: >
+  CSA MCP-Security advisory OSV-MCPS-2025-EB70F912 (CWE-200 / CWE-922). An
+  MCP/agent file-read tool (Claude Code class) ingests a `.env` / secret file
+  by default during codebase analysis, sending API keys, DB credentials and
+  other secrets to the model/server with no explicit user-consent step. The
+  detectable artefact is the TOOL-CALL itself: a read/fs tool invocation whose
+  PATH ARGUMENT targets `.env`, `.env.local`, `secrets.*`, `credentials`,
+  `.npmrc` or `.netrc` — in function-call form `read_file(".env")` /
+  `Read(file_path="/app/.env.local")` or JSON-arg form `{"path":".env"}` /
+  `{"file_path":"~/project/.env"}`.
+
+  Discriminator from existing credential rules: this keys on the structured
+  MCP tool-mediated file-read shape (a read-tool name + quoted secret-file path
+  argument), which the other rules do NOT cover. ATR-2026-00115 (env-var
+  harvesting) only matches a shell verb `cat|read|load|parse` immediately
+  followed by a bare ` .env` token, not `read_file(".env")` or `{"path":".env"}`.
+  ATR-2026-00113 (credential theft) keys on home-dir credential PATHS and
+  `cat|read` of credential keywords, not the tool-call/JSON-arg `.env` form.
+  ATR-2026-00423 (NL sensitive-file disclosure) keys on natural-language
+  imperatives ("always include the contents of ..."), not a tool_input object.
+  ATR-2026-00569 / 00578 require a path-traversal / normalization artefact;
+  this rule fires on a CLEAN consent-less `.env` read with no traversal.
+author: "ATR Community (mcp-security-db sync)"
+date: 2026/06/12
+schema_version: '0.1'
+detection_tier: pattern
+maturity: experimental
+severity: high
+references:
+  owasp_llm:
+  - "LLM07:2025 - System Prompt Leakage"
+  - "LLM02:2025 - Sensitive Information Disclosure"
+  owasp_agentic:
+  - "ASI05:2026 - Unexpected Code Execution"
+  - "ASI06:2026 - Memory and Context Poisoning"
+  mitre_atlas:
+  - "AML.T0057 - LLM Data Leakage"
+  - "AML.T0056 - LLM Meta Prompt Extraction"
+  cwe:
+  - CWE-200
+  - CWE-922
+  mcps_id:
+  - OSV-MCPS-2025-EB70F912
+  external:
+  - https://github.com/ModelContextProtocol-Security/vulnerability-db/blob/main/advisories/2025/07/16/OSV-MCPS-2025-EB70F912-osv.json
+  - https://github.com/anthropics/claude-code/issues/112
+  - https://github.com/anthropics/claude-code/issues/401
+  - https://github.com/anthropics/claude-code/issues/2695
+  - https://docs.anthropic.com/en/docs/claude-code/security
+metadata_provenance:
+  cwe: mcp-security-db-sync
+  mcps_id: mcp-security-db-sync
+compliance:
+  owasp_agentic:
+    - id: ASI06:2026
+      context: "OWASP Agentic ASI06:2026 is exercised by an MCP/agent tool reading .env or secret files without user consent (OSV-MCPS-2025-EB70F912); this rule provides runtime detection of that technique."
+      strength: primary
+    - id: ASI05:2026
+      context: "OWASP Agentic ASI05:2026 is exercised by an MCP/agent tool reading .env or secret files without user consent (OSV-MCPS-2025-EB70F912); this rule provides runtime detection of that technique."
+      strength: secondary
+  owasp_llm:
+    - id: LLM02:2025
+      context: "OWASP LLM LLM02:2025 is exercised by an MCP/agent tool reading .env or secret files without user consent (OSV-MCPS-2025-EB70F912); this rule is a detection implementation for that category."
+      strength: primary
+    - id: LLM07:2025
+      context: "OWASP LLM LLM07:2025 is exercised by an MCP/agent tool reading .env or secret files without user consent (OSV-MCPS-2025-EB70F912); this rule is a detection implementation for that category."
+      strength: secondary
+  eu_ai_act:
+    - article: "15"
+      context: "EU AI Act Article 15 (accuracy, robustness and cybersecurity) requires controls against an MCP/agent tool reading .env or secret files without user consent (OSV-MCPS-2025-EB70F912); this rule provides runtime detection evidence for that obligation."
+      strength: primary
+    - article: "10"
+      context: "EU AI Act Article 10 (data and data governance) requires controls against an MCP/agent tool reading .env or secret files without user consent (OSV-MCPS-2025-EB70F912); this rule provides runtime detection evidence for that obligation."
+      strength: secondary
+  nist_ai_rmf:
+    - function: Measure
+      subcategory: MS.2.10
+      context: "NIST AI RMF MS.2.10 (privacy risk examined and documented) is supported by this rule's detection of an MCP/agent tool reading .env or secret files without user consent (OSV-MCPS-2025-EB70F912)."
+      strength: primary
+    - function: Measure
+      subcategory: MS.2.7
+      context: "NIST AI RMF MS.2.7 (security and resilience evaluated and documented) is supported by this rule's detection of an MCP/agent tool reading .env or secret files without user consent (OSV-MCPS-2025-EB70F912)."
+      strength: secondary
+  iso_42001:
+    - clause: "8.4"
+      context: "ISO/IEC 42001 Clause 8.4 (AI system impact assessment) is operationalised by this rule's detection of an MCP/agent tool reading .env or secret files without user consent (OSV-MCPS-2025-EB70F912)."
+      strength: primary
+    - clause: "9.1"
+      context: "ISO/IEC 42001 Clause 9.1 (monitoring, measurement, analysis and evaluation) is operationalised by this rule's detection of an MCP/agent tool reading .env or secret files without user consent (OSV-MCPS-2025-EB70F912)."
+      strength: secondary
+
+tags:
+  category: context-exfiltration
+  subcategory: mcp-consentless-secret-read
+  scan_target: mcp
+  confidence: high
+agent_source:
+  type: mcp_exchange
+  framework:
+  - any
+  provider:
+  - any
+detection:
+  condition: any
+  false_positives:
+  - Natural-language prose that merely mentions a .env / secrets file ("create a .env file with your API key", "if you have a .env file in your project root") with no read-tool call or JSON path argument.
+  - "The CLI flag form `node --env-file=.env` or `--env-file <path-to-.env>` — an interpreter loading its own config, not an agent read-tool ingesting the file content for the model."
+  - "`dotenv.config()` / `load_dotenv()` in normal application source — runtime config loading by the app itself, not an MCP read tool surfacing secrets to the agent."
+  - Searching/listing for the file (`find . -name ".env" -type f`) without reading its contents.
+  - A read tool whose path argument targets a NON-secret config file (config.json, README.md, src/index.ts).
+  conditions:
+  - field: content
+    operator: regex
+    value: (?i)\b(?:read_?file|readfile|read_text|read_secret|get_?file|load_?file|cat_?file|fs[._]read(?:file)?|open_?file|file_read|read)\s*\(\s*(?:file_?path|path|file)?\s*=?\s*["\x27](?:[^"\x27<>]{0,120}[\\/])?(?:\.?env(?:\.[\w.]+)?|secrets?(?:\.\w+)?|credentials|\.npmrc|\.netrc)["\x27]
+    description: A read/fs tool invoked in function-call form whose quoted path argument targets a .env or secret file (e.g. read_file(".env"), Read(file_path="/app/.env.local"), open_file("secrets/.env")) — MCP-mediated consent-less secret read.
+  - field: content
+    operator: regex
+    value: (?i)"(?:file_?path|path|file|filename|target|src|source)"\s*:\s*"(?:[^"<>]{0,120}[\\/])?(?:\.?env(?:\.[\w.]+)?|secrets?(?:\.\w+)?|credentials|\.npmrc|\.netrc)"
+    description: A JSON tool_input object whose path/file key value targets a .env or secret file (e.g. {"path":".env"}, {"file_path":"~/project/.env"}) — structured MCP tool-call ingesting secrets without a consent gate.
+response:
+  actions:
+  - alert
+  message_template: >
+    [ATR-2026-00583] An MCP/agent read tool is targeting a .env / secret file
+    (.env, .env.local, secrets.*, credentials, .npmrc, .netrc) via its path
+    argument with no consent gate (OSV-MCPS-2025-EB70F912, CWE-200/CWE-922).
+    This exfiltrates API keys, DB credentials and other secrets into the model
+    context by default. Remediation: require an explicit user-consent prompt
+    before any tool reads secret files; add a read-deny rule for .env / secret
+    patterns in the agent settings (e.g. ~/.claude/settings.json deny list);
+    keep .env in .gitignore / .claudeignore; prefer a real secrets manager over
+    plaintext .env files and rotate any credentials already exposed.
+  notify:
+  - security_team
+confidence: 80
+wild_fp_rate: 0
+test_cases:
+  true_positives:
+  - input: '{"tool":"read_file","arguments":{"path":".env"}}'
+    expected: triggered
+    description: MCP read_file tool with JSON path argument targeting a bare .env file
+  - input: Read(file_path="/app/.env.local")
+    expected: triggered
+    description: Claude Code Read tool function-call ingesting .env.local without consent
+  - input: '{"name":"fs.read","path":"config/.env"}'
+    expected: triggered
+    description: fs.read MCP tool with JSON path key targeting a project .env file
+  - input: read_file("/proj/.env")
+    expected: triggered
+    description: Function-call read of an absolute-path .env file
+  - input: readFile(".env.production")
+    expected: triggered
+    description: camelCase readFile tool targeting a .env.production secret file
+  - input: '{"tool":"fs.readFile","file_path":"~/project/.env"}'
+    expected: triggered
+    description: JSON file_path key with home-relative .env path in an fs.readFile tool call
+  - input: open_file("secrets/.env")
+    expected: triggered
+    description: open_file tool reading a .env under a secrets directory
+  - input: load_file("/srv/app/credentials")
+    expected: triggered
+    description: load_file tool reading a credentials secret file argument
+  true_negatives:
+  - input: 'If you have a `.env` file in your project root, the skill will load it for configuration.'
+    expected: not_triggered
+    description: NL prose mentioning .env, no read-tool call or JSON path argument (owned-by-prose, not a tool invocation)
+  - input: Create a .env file with your API key APIFY_TOKEN=your_token
+    expected: not_triggered
+    description: Tutorial instruction to create a .env file, not a read-tool reading its contents
+  - input: node --env-file=.env scripts/run.js
+    expected: not_triggered
+    description: Node CLI --env-file flag loading its own config, not an agent read tool surfacing secrets
+  - input: Use `--env-file <path-to-.env>` with all commands
+    expected: not_triggered
+    description: Documentation of the --env-file CLI flag, not a tool-call path argument
+  - input: find . -name ".env" -type f 2>/dev/null | head -5
+    expected: not_triggered
+    description: Searching/listing for .env files, no content read
+  - input: dotenv.config()
+    expected: not_triggered
+    description: App-side dotenv runtime config loading, not an MCP read tool
+  - input: 'The application loads .env files at startup using the dotenv package for configuration.'
+    expected: not_triggered
+    description: Prose describing dotenv usage, no tool invocation
+  - input: read_file("config.json")
+    expected: not_triggered
+    description: Read tool targeting a non-secret config.json file
+  - input: '{"path":"src/index.ts"}'
+    expected: not_triggered
+    description: JSON path argument targeting ordinary source, not a secret file
+  - input: Read(file_path="README.md")
+    expected: not_triggered
+    description: Read tool targeting documentation, no secret-file path
+  - input: 'If the user reports a credential leak, ask them whether ~/.aws/credentials was committed to git history.'
+    expected: not_triggered
+    description: Security advice prose referencing credentials, no read-tool path argument (owned by ATR-2026-00113)
+_llm_authored:
+  model: claude-opus (gstack subagent)
+  generalization_note: >
+    Carves a signature DISJOINT from the existing credential cluster by keying on
+    the structured MCP/agent tool-call shape only: a read/fs tool NAME
+    (read_file/readFile/fs.read/Read/open_file/load_file/...) immediately
+    followed by a quoted PATH ARGUMENT (function-call or JSON path/file/file_path
+    key) whose basename is a secret file (.env[.suffix], secrets.*, credentials,
+    .npmrc, .netrc). ATR-2026-00115 requires a shell verb (cat|read|load|parse)
+    directly preceding a bare ` .env` token and does NOT match read_file(".env")
+    or {"path":".env"} (verified). ATR-2026-00113 keys on home-dir credential
+    PATHS and cat/read of credential keywords; ATR-2026-00423 keys on NL
+    imperatives; ATR-2026-00569/00578 require a traversal/normalization artefact.
+    Bounded {0,120} path span keeps both regexes linear (no nested quantifier on
+    backtrackable groups) avoiding catastrophic backtracking. The CLI flag form
+    --env-file=.env, find-by-name, dotenv.config(), and prose mentions are all
+    excluded because none present a read-TOOL-name + quoted secret path argument.
+  note: Generation-time authoring; runtime detection is pure regex. Verified by the deterministic safety gate (0 FP across benign corpora + no cross-rule conflict). Human review required before any production promotion.