mcp-server-kubernetes 3.6.2 → 3.8.0

package/dist/security/kubectl-flags.d.ts

@@ -0,0 +1,10 @@
+/**
+ * Validate user-supplied kubectl flags and args. Throws an McpError if any
+ * dangerous flag is present and the unsafe-flags escape hatch is not set.
+ *
+ * The check covers:
+ *   - keys of the `flags` object (e.g. { server: "..." })
+ *   - tokens in the `args` array, in both joined ("--server=x") and split
+ *     ("--server", "x") forms, plus short aliases ("-s").
+ */
+export declare function assertNoDangerousFlags(flags?: Record<string, unknown>, args?: string[]): void;

package/dist/security/kubectl-flags.js

@@ -0,0 +1,97 @@
+import { McpError, ErrorCode } from "@modelcontextprotocol/sdk/types.js";
+// Flags that would let a caller redirect kubectl to a different API server,
+// substitute credentials, or impersonate another identity. Allowing any of
+// these to flow in from tool inputs lets an attacker who can influence the
+// LLM's tool arguments (e.g. via indirect prompt injection in pod logs)
+// exfiltrate the operator's bearer token to an attacker-controlled host.
+//
+// Names are stored in canonical (long-form) kebab-case, without the leading
+// "--". Short aliases that have the same effect are listed in SHORT_ALIASES.
+const DANGEROUS_FLAGS = new Set([
+    // Target / endpoint overrides
+    "server",
+    "kubeconfig",
+    "cluster",
+    "context",
+    "user",
+    "tls-server-name",
+    // TLS bypass
+    "insecure-skip-tls-verify",
+    "certificate-authority",
+    "client-certificate",
+    "client-key",
+    // Credential overrides
+    "token",
+    "username",
+    "password",
+    "auth-provider",
+    "auth-provider-arg",
+    "exec-command",
+    "exec-arg",
+    "exec-api-version",
+    "exec-env",
+    // Identity impersonation
+    "as",
+    "as-group",
+    "as-uid",
+]);
+const SHORT_ALIASES = new Set([
+    "s", // -s is an alias for --server
+]);
+function isUnsafeFlagsAllowed() {
+    return process.env.ALLOW_KUBECTL_UNSAFE_FLAGS === "true";
+}
+function normalizeFlagName(raw) {
+    // Strip leading dashes; drop "=value" suffix; lowercase.
+    let name = raw.replace(/^-+/, "");
+    const eq = name.indexOf("=");
+    if (eq !== -1)
+        name = name.slice(0, eq);
+    return name.toLowerCase();
+}
+function isDangerousFlagName(rawName, fromArgs) {
+    const name = normalizeFlagName(rawName);
+    if (DANGEROUS_FLAGS.has(name))
+        return true;
+    // Short aliases (-s) are only meaningful when they appear as a CLI token,
+    // not as a key in the `flags` object.
+    if (fromArgs && SHORT_ALIASES.has(name))
+        return true;
+    return false;
+}
+function reject(flag) {
+    throw new McpError(ErrorCode.InvalidParams, `Refusing to run kubectl with flag "${flag}": this flag can redirect ` +
+        `kubectl to a different API server or substitute credentials, which ` +
+        `would allow exfiltration of the operator's bearer token. If you ` +
+        `genuinely need this flag, set ALLOW_KUBECTL_UNSAFE_FLAGS=true in the ` +
+        `server environment.`);
+}
+/**
+ * Validate user-supplied kubectl flags and args. Throws an McpError if any
+ * dangerous flag is present and the unsafe-flags escape hatch is not set.
+ *
+ * The check covers:
+ *   - keys of the `flags` object (e.g. { server: "..." })
+ *   - tokens in the `args` array, in both joined ("--server=x") and split
+ *     ("--server", "x") forms, plus short aliases ("-s").
+ */
+export function assertNoDangerousFlags(flags, args) {
+    if (isUnsafeFlagsAllowed())
+        return;
+    if (flags) {
+        for (const key of Object.keys(flags)) {
+            if (isDangerousFlagName(key, false))
+                reject(`--${normalizeFlagName(key)}`);
+        }
+    }
+    if (args) {
+        for (const tok of args) {
+            if (typeof tok !== "string")
+                continue;
+            if (!tok.startsWith("-"))
+                continue;
+            if (isDangerousFlagName(tok, true))
+                reject(tok);
+        }
+    }
+}

package/dist/tools/kubectl-generic.js

@@ -2,6 +2,7 @@ import { execFileSync } from "child_process";
 import { McpError, ErrorCode } from "@modelcontextprotocol/sdk/types.js";
 import { getSpawnMaxBuffer } from "../config/max-buffer.js";
 import { contextParameter, namespaceParameter, } from "../models/common-parameters.js";
+import { assertNoDangerousFlags } from "../security/kubectl-flags.js";
 export const kubectlGenericSchema = {
     name: "kubectl_generic",
     description: "Execute any kubectl command with the provided arguments and flags",
@@ -50,6 +51,9 @@ export const kubectlGenericSchema = {
 };
 export async function kubectlGeneric(k8sManager, input) {
     try {
+        // Reject credential/target-redirecting flags before constructing the
+        // command. See src/security/kubectl-flags.ts for the rationale.
+        assertNoDangerousFlags(input.flags, input.args);
         // Start building the kubectl command
         const command = "kubectl";
         const cmdArgs = [input.command];

package/dist/utils/streamable-http.js

@@ -1,22 +1,63 @@
 import express from "express";
 import { StreamableHTTPServerTransport } from "@modelcontextprotocol/sdk/server/streamableHttp.js";
 import { createAuthMiddleware, isAuthEnabled } from "./auth.js";
+/**
+ * Build the default allowedHosts list for DNS rebinding protection.
+ * Includes localhost variants with and without port.
+ */
+function buildDefaultAllowedHosts(host, port) {
+    // Always allow the bare host and host:port for common localhost addresses
+    const localhostAliases = ["127.0.0.1", "localhost", "::1"];
+    const hosts = [];
+    for (const alias of localhostAliases) {
+        hosts.push(alias);
+        // HTTP Host header uses bracket notation for IPv6: [::1]:3000
+        if (alias.includes(":")) {
+            hosts.push(`[${alias}]`);
+            hosts.push(`[${alias}]:${port}`);
+        }
+        else {
+            hosts.push(`${alias}:${port}`);
+        }
+    }
+    // Also add the configured host if it's not already covered
+    if (!localhostAliases.includes(host)) {
+        hosts.push(host);
+        if (host.includes(":") && !host.startsWith("[")) {
+            hosts.push(`[${host}]`);
+            hosts.push(`[${host}]:${port}`);
+        }
+        else {
+            hosts.push(`${host}:${port}`);
+        }
+    }
+    return hosts;
+}
 export function startStreamableHTTPServer(server) {
     const app = express();
     app.use(express.json());
     // Create auth middleware - when MCP_AUTH_TOKEN is set, requires X-MCP-AUTH header
     const authMiddleware = createAuthMiddleware();
+    // DNS rebinding protection is enabled by default. Set DNS_REBINDING_PROTECTION=false to disable.
+    const enableDnsRebindingProtection = process.env.DNS_REBINDING_PROTECTION !== "false";
+    const host = process.env.HOST || "localhost";
+    const parsed = parseInt(process.env.PORT || "3000", 10);
+    const port = Number.isNaN(parsed) ? 3000 : parsed;
+    const allowedHosts = process.env.DNS_REBINDING_ALLOWED_HOST
+        ? [process.env.DNS_REBINDING_ALLOWED_HOST]
+        : buildDefaultAllowedHosts(host, port);
+    // Warn when binding to all interfaces with DNS rebinding protection disabled
+    if (!enableDnsRebindingProtection && (host === "0.0.0.0" || host === "::")) {
+        console.warn("WARNING: DNS rebinding protection is disabled while HOST is set to " +
+            `'${host}'. This exposes the MCP server to DNS rebinding attacks ` +
+            "from any browser on the network. Set DNS_REBINDING_PROTECTION=true " +
+            "(the default) or restrict HOST to 'localhost' / '127.0.0.1'.");
+    }
     app.post("/mcp", authMiddleware, async (req, res) => {
         // In stateless mode, create a new instance of transport and server for each request
         // to ensure complete isolation. A single instance would cause request ID collisions
         // when multiple clients connect concurrently.
         try {
-            // DNS rebinding protection is disabled by default for backwards compatibility. If you are running this server
-            // locally, make sure to set DNS_REBINDING_PROTECTION=true
-            const enableDnsRebindingProtection = process.env.DNS_REBINDING_PROTECTION === "true";
-            const allowedHosts = process.env.DNS_REBINDING_ALLOWED_HOST
-                ? [process.env.DNS_REBINDING_ALLOWED_HOST]
-                : ["127.0.0.1"];
             const transport = new StreamableHTTPServerTransport({
                 sessionIdGenerator: undefined,
                 enableDnsRebindingProtection,
@@ -91,14 +132,6 @@ export function startStreamableHTTPServer(server) {
             });
         }
     });
-    let port = 3000;
-    try {
-        port = parseInt(process.env.PORT || "3000", 10);
-    }
-    catch (e) {
-        console.error("Invalid PORT environment variable, using default port 3000.");
-    }
-    const host = process.env.HOST || "localhost";
     const httpServer = app.listen(port, host, () => {
         console.log(`mcp-kubernetes-server is listening on port ${port}\nUse the following url to connect to the server:\nhttp://${host}:${port}/mcp`);
         if (isAuthEnabled()) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "mcp-server-kubernetes",
-  "version": "3.6.2",
+  "version": "3.8.0",
   "description": "MCP server for interacting with Kubernetes clusters via kubectl",
   "license": "MIT",
   "type": "module",