mcp-remote-ssh 0.2.2__tar.gz → 0.3.0__tar.gz

{mcp_remote_ssh-0.2.2/src/mcp_remote_ssh.egg-info → mcp_remote_ssh-0.3.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: mcp-remote-ssh
-Version: 0.2.2
+Version: 0.3.0
 Summary: MCP server for remote SSH operations -- persistent sessions, structured command execution, SFTP file transfer, and port forwarding for AI agents.
 Author: Mohammadfaiz Bawa
 License-Expression: MIT
@@ -84,17 +84,17 @@ ssh_execute(session_id="abc", command="uname -a")
 
 1. **Local file read** -- the env file lives on your machine, never on the remote host
 2. **Shell injection via builtins** -- uses `read -r VAR <<< 'value' && export VAR` (no process tree exposure)
-3. **Automatic redaction** -- every tool response (`ssh_execute`, `ssh_shell_send`, `ssh_shell_read`, `ssh_read_remote_file`) is scrubbed before reaching the LLM
-4. **Longest-first matching** -- prevents partial-match corruption (e.g., `abc123` is replaced before `abc`)
-5. **Works with exec channels** -- secrets are prepended as exports to `ssh_execute` commands so they're available in stateless channels too
+3. **Stdin-based exec injection** -- `ssh_execute` feeds secrets via stdin to a bash wrapper, so they never appear in `/proc/*/cmdline`
+4. **Automatic redaction** -- every tool response (`ssh_execute`, `ssh_shell_send`, `ssh_shell_read`, `ssh_read_remote_file`) is scrubbed before reaching the LLM
+5. **Longest-first matching** -- prevents partial-match corruption (e.g., `abc123` is replaced before `abc`)
 
 ### Security properties
 
 | Threat | Mitigated? | How |
 |--------|-----------|-----|
 | Secret in LLM context window | Yes | Output redaction replaces values with `***` |
-| Secret in remote process tree | Yes | Shell builtins (`read`/`export`) don't fork |
-| Secret in `ssh_execute` process tree | Partial | Single short-lived process; use shell for zero-exposure |
+| Secret in remote process tree (shell) | Yes | Shell builtins (`read`/`export`) don't fork |
+| Secret in remote process tree (exec) | Yes | Secrets fed via stdin, never in `/proc/*/cmdline` |
 | LLM tries `cat` on the env file | N/A | File is local-only, doesn't exist on remote |
 | LLM tries `echo $VAR` | Yes | Output is redacted |
 | Encoded/transformed secret (base64) | No | Only literal matches are redacted |
@@ -207,6 +207,7 @@ ssh_forward_port(session_id="a1b2c3d4", remote_port=5432, local_port=15432)
 Built on **[Paramiko](https://www.paramiko.org/)** (SSH) + **[FastMCP](https://github.com/PrefectHQ/fastmcp)** (MCP protocol).
 
 - `ssh_execute` uses `exec_command()` for clean structured output with real exit codes
+- When secrets are loaded, `ssh_execute` feeds exports via stdin to a `bash` wrapper, then `exec`s the actual command -- secrets never appear in the process tree
 - `ssh_shell_*` uses `invoke_shell()` for persistent interactive sessions
 - All blocking Paramiko calls run in `run_in_executor` to stay async
 - Shell keeps a 500KB rolling buffer for `shell_read` polling

{mcp_remote_ssh-0.2.2 → mcp_remote_ssh-0.3.0}/README.md

@@ -54,17 +54,17 @@ ssh_execute(session_id="abc", command="uname -a")
 
 1. **Local file read** -- the env file lives on your machine, never on the remote host
 2. **Shell injection via builtins** -- uses `read -r VAR <<< 'value' && export VAR` (no process tree exposure)
-3. **Automatic redaction** -- every tool response (`ssh_execute`, `ssh_shell_send`, `ssh_shell_read`, `ssh_read_remote_file`) is scrubbed before reaching the LLM
-4. **Longest-first matching** -- prevents partial-match corruption (e.g., `abc123` is replaced before `abc`)
-5. **Works with exec channels** -- secrets are prepended as exports to `ssh_execute` commands so they're available in stateless channels too
+3. **Stdin-based exec injection** -- `ssh_execute` feeds secrets via stdin to a bash wrapper, so they never appear in `/proc/*/cmdline`
+4. **Automatic redaction** -- every tool response (`ssh_execute`, `ssh_shell_send`, `ssh_shell_read`, `ssh_read_remote_file`) is scrubbed before reaching the LLM
+5. **Longest-first matching** -- prevents partial-match corruption (e.g., `abc123` is replaced before `abc`)
 
 ### Security properties
 
 | Threat | Mitigated? | How |
 |--------|-----------|-----|
 | Secret in LLM context window | Yes | Output redaction replaces values with `***` |
-| Secret in remote process tree | Yes | Shell builtins (`read`/`export`) don't fork |
-| Secret in `ssh_execute` process tree | Partial | Single short-lived process; use shell for zero-exposure |
+| Secret in remote process tree (shell) | Yes | Shell builtins (`read`/`export`) don't fork |
+| Secret in remote process tree (exec) | Yes | Secrets fed via stdin, never in `/proc/*/cmdline` |
 | LLM tries `cat` on the env file | N/A | File is local-only, doesn't exist on remote |
 | LLM tries `echo $VAR` | Yes | Output is redacted |
 | Encoded/transformed secret (base64) | No | Only literal matches are redacted |
@@ -177,6 +177,7 @@ ssh_forward_port(session_id="a1b2c3d4", remote_port=5432, local_port=15432)
 Built on **[Paramiko](https://www.paramiko.org/)** (SSH) + **[FastMCP](https://github.com/PrefectHQ/fastmcp)** (MCP protocol).
 
 - `ssh_execute` uses `exec_command()` for clean structured output with real exit codes
+- When secrets are loaded, `ssh_execute` feeds exports via stdin to a `bash` wrapper, then `exec`s the actual command -- secrets never appear in the process tree
 - `ssh_shell_*` uses `invoke_shell()` for persistent interactive sessions
 - All blocking Paramiko calls run in `run_in_executor` to stay async
 - Shell keeps a 500KB rolling buffer for `shell_read` polling

{mcp_remote_ssh-0.2.2 → mcp_remote_ssh-0.3.0}/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "mcp-remote-ssh"
-version = "0.2.2"
+version = "0.3.0"
 description = "MCP server for remote SSH operations -- persistent sessions, structured command execution, SFTP file transfer, and port forwarding for AI agents."
 readme = "README.md"
 license = "MIT"

{mcp_remote_ssh-0.2.2 → mcp_remote_ssh-0.3.0}/src/mcp_remote_ssh/server/execute.py

@@ -11,16 +11,15 @@ from mcp_remote_ssh.server import mcp
 from mcp_remote_ssh.server.helpers import get_session, require_connected
 
 
-def _build_env_prefix(session) -> str:
-    """Build an env export prefix from loaded secrets for exec channels.
-    Uses env var assignment syntax that doesn't appear in /proc/*/cmdline
-    since the whole thing runs under a single 'bash -c' invocation."""
+def _build_env_script(session) -> str:
+    """Build export statements for secrets, to be fed via stdin.
+    Never appears in /proc/*/cmdline."""
     if not session._secrets:
         return ''
-    parts = []
+    lines = []
     for key, value in session._secrets.items():
-        parts.append(f'export {key}={shlex.quote(value)}')
-    return ' && '.join(parts) + ' && '
+        lines.append(f'export {key}={shlex.quote(value)}')
+    return '\n'.join(lines) + '\n'
 
 
 @mcp.tool()
@@ -48,13 +47,18 @@ async def ssh_execute(
     session = get_session(ctx, session_id)
     require_connected(session)
 
-    env_prefix = _build_env_prefix(session)
-    full_command = env_prefix + command
-
+    env_script = _build_env_script(session)
     loop = asyncio.get_running_loop()
 
     def _exec() -> dict[str, Any]:
-        _, stdout_ch, stderr_ch = session.client.exec_command(full_command, timeout=timeout)
+        if env_script:
+            # Feed secrets via stdin so they never appear in /proc/*/cmdline
+            script = env_script + f'exec bash -c {shlex.quote(command)}\n'
+            stdin_ch, stdout_ch, stderr_ch = session.client.exec_command('bash', timeout=timeout)
+            stdin_ch.write(script)
+            stdin_ch.channel.shutdown_write()
+        else:
+            _, stdout_ch, stderr_ch = session.client.exec_command(command, timeout=timeout)
         stdout = stdout_ch.read().decode(errors='replace')
         stderr = stderr_ch.read().decode(errors='replace')
         exit_code = stdout_ch.channel.recv_exit_status()
@@ -93,17 +97,23 @@ async def ssh_sudo_execute(
     session = get_session(ctx, session_id)
     require_connected(session)
 
-    env_prefix = _build_env_prefix(session)
+    env_script = _build_env_script(session)
 
     if sudo_password:
-        wrapped = f'{env_prefix}echo {_shell_quote(sudo_password)} | sudo -S {command}'
+        actual_cmd = f'echo {_shell_quote(sudo_password)} | sudo -SE {command}'
     else:
-        wrapped = f'{env_prefix}sudo -E {command}'
+        actual_cmd = f'sudo -E {command}'
 
     loop = asyncio.get_running_loop()
 
     def _exec() -> dict[str, Any]:
-        _, stdout_ch, stderr_ch = session.client.exec_command(wrapped, timeout=timeout)
+        if env_script:
+            script = env_script + f'exec bash -c {shlex.quote(actual_cmd)}\n'
+            stdin_ch, stdout_ch, stderr_ch = session.client.exec_command('bash', timeout=timeout)
+            stdin_ch.write(script)
+            stdin_ch.channel.shutdown_write()
+        else:
+            _, stdout_ch, stderr_ch = session.client.exec_command(actual_cmd, timeout=timeout)
         stdout = stdout_ch.read().decode(errors='replace')
         stderr = stderr_ch.read().decode(errors='replace')
         exit_code = stdout_ch.channel.recv_exit_status()

{mcp_remote_ssh-0.2.2 → mcp_remote_ssh-0.3.0/src/mcp_remote_ssh.egg-info}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: mcp-remote-ssh
-Version: 0.2.2
+Version: 0.3.0
 Summary: MCP server for remote SSH operations -- persistent sessions, structured command execution, SFTP file transfer, and port forwarding for AI agents.
 Author: Mohammadfaiz Bawa
 License-Expression: MIT
@@ -84,17 +84,17 @@ ssh_execute(session_id="abc", command="uname -a")
 
 1. **Local file read** -- the env file lives on your machine, never on the remote host
 2. **Shell injection via builtins** -- uses `read -r VAR <<< 'value' && export VAR` (no process tree exposure)
-3. **Automatic redaction** -- every tool response (`ssh_execute`, `ssh_shell_send`, `ssh_shell_read`, `ssh_read_remote_file`) is scrubbed before reaching the LLM
-4. **Longest-first matching** -- prevents partial-match corruption (e.g., `abc123` is replaced before `abc`)
-5. **Works with exec channels** -- secrets are prepended as exports to `ssh_execute` commands so they're available in stateless channels too
+3. **Stdin-based exec injection** -- `ssh_execute` feeds secrets via stdin to a bash wrapper, so they never appear in `/proc/*/cmdline`
+4. **Automatic redaction** -- every tool response (`ssh_execute`, `ssh_shell_send`, `ssh_shell_read`, `ssh_read_remote_file`) is scrubbed before reaching the LLM
+5. **Longest-first matching** -- prevents partial-match corruption (e.g., `abc123` is replaced before `abc`)
 
 ### Security properties
 
 | Threat | Mitigated? | How |
 |--------|-----------|-----|
 | Secret in LLM context window | Yes | Output redaction replaces values with `***` |
-| Secret in remote process tree | Yes | Shell builtins (`read`/`export`) don't fork |
-| Secret in `ssh_execute` process tree | Partial | Single short-lived process; use shell for zero-exposure |
+| Secret in remote process tree (shell) | Yes | Shell builtins (`read`/`export`) don't fork |
+| Secret in remote process tree (exec) | Yes | Secrets fed via stdin, never in `/proc/*/cmdline` |
 | LLM tries `cat` on the env file | N/A | File is local-only, doesn't exist on remote |
 | LLM tries `echo $VAR` | Yes | Output is redacted |
 | Encoded/transformed secret (base64) | No | Only literal matches are redacted |
@@ -207,6 +207,7 @@ ssh_forward_port(session_id="a1b2c3d4", remote_port=5432, local_port=15432)
 Built on **[Paramiko](https://www.paramiko.org/)** (SSH) + **[FastMCP](https://github.com/PrefectHQ/fastmcp)** (MCP protocol).
 
 - `ssh_execute` uses `exec_command()` for clean structured output with real exit codes
+- When secrets are loaded, `ssh_execute` feeds exports via stdin to a `bash` wrapper, then `exec`s the actual command -- secrets never appear in the process tree
 - `ssh_shell_*` uses `invoke_shell()` for persistent interactive sessions
 - All blocking Paramiko calls run in `run_in_executor` to stay async
 - Shell keeps a 500KB rolling buffer for `shell_read` polling

{mcp_remote_ssh-0.2.2 → mcp_remote_ssh-0.3.0}/tests/test_edge_cases.py

@@ -4,7 +4,7 @@ from __future__ import annotations
 import pytest
 
 from mcp_remote_ssh.session import SSHSession
-from mcp_remote_ssh.server.execute import _build_env_prefix
+from mcp_remote_ssh.server.execute import _build_env_script
 
 
 class TestLongestFirstRedaction:
@@ -44,35 +44,34 @@ class TestLongestFirstRedaction:
         assert redacted == 'a=*** b=***'
 
 
-class TestEnvPrefixForExec:
-    """Verify _build_env_prefix generates correct export statements."""
+class TestEnvScriptForExec:
+    """Verify _build_env_script generates correct export statements."""
 
     def test_empty_when_no_secrets(self):
         session = SSHSession(host='test-host')
-        assert _build_env_prefix(session) == ''
+        assert _build_env_script(session) == ''
 
     def test_single_secret(self):
         session = SSHSession(host='test-host')
         session._secrets = {'TOKEN': 'abc123'}
-        prefix = _build_env_prefix(session)
-        assert 'export TOKEN=abc123' in prefix
-        assert prefix.endswith(' && ')
+        script = _build_env_script(session)
+        assert 'export TOKEN=abc123' in script
+        assert script.endswith('\n')
 
     def test_multiple_secrets(self):
         session = SSHSession(host='test-host')
         session._secrets = {'A': 'val1', 'B': 'val2'}
-        prefix = _build_env_prefix(session)
-        assert 'export A=val1' in prefix
-        assert 'export B=val2' in prefix
-        assert prefix.endswith(' && ')
+        script = _build_env_script(session)
+        assert 'export A=val1' in script
+        assert 'export B=val2' in script
+        assert '\n' in script
 
     def test_quotes_special_characters(self):
         session = SSHSession(host='test-host')
         session._secrets = {'PASS': "it's a p@ss!"}
-        prefix = _build_env_prefix(session)
-        # shlex.quote wraps with single quotes and escapes internal ones
-        assert 'PASS=' in prefix
-        assert "p@ss!" in prefix
+        script = _build_env_script(session)
+        assert 'PASS=' in script
+        assert "p@ss!" in script
 
 
 class TestShellInjectionSafety: