
[Security] MCP-06: Config Directory Created Without Explicit Permissions #7

@mefai-dev


Severity: LOW
Affected File(s): config.py:24

Description

The config directory (~/.config/aster-mcp/) is created with mkdir(parents=True, exist_ok=True) without specifying mode=. The directory therefore gets the default 0o777 masked by the process umask; with the typical umask of 0o022 that is 0o755, i.e. a world-readable and world-traversable directory. Individual files are chmod'ed to 0o600, but the directory itself remains world-readable.

Vulnerable Code

self.config_dir.mkdir(parents=True, exist_ok=True)

Impact

Other users on shared systems can list the directory contents and see that config files exist. There is also a brief race window between mkdir and the chmod on each individual file.

Proof of Concept

On a shared server: ls -la ~/.config/aster-mcp/ shows that the directory is world-readable (drwxr-xr-x).

Recommended Fix

self.config_dir.mkdir(parents=True, exist_ok=True, mode=0o700)
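The following is an added example, not code from the aster-mcp project or from the issue author. It puts the vulnerable pattern next to the recommended fix and demonstrates two caveats a practitioner should know before relying on mode= alone: Path.mkdir applies mode= only to the final path component (parents created via parents=True still get the umask default), and mode= is silently ignored when exist_ok=True finds the directory already present, so an existing world-readable directory is not repaired by the one-line fix. The function names, the audit helper and the temporary directory tree are assumptions made for the example; only the ~/.config/aster-mcp path and the 0o700 / 0o600 modes come from the finding.

```python
import os
import stat
import tempfile
from pathlib import Path


def create_config_dir_vulnerable(config_dir: Path) -> Path:
    """The pattern from the finding: no mode= given, so the directory gets
    0o777 & ~umask, which is 0o755 (drwxr-xr-x) under the usual umask 022."""
    config_dir.mkdir(parents=True, exist_ok=True)
    return config_dir


def create_config_dir_hardened(config_dir: Path) -> Path:
    """Create the directory owner-only from the moment it exists, then enforce
    the mode explicitly: Path.mkdir applies mode= only to the leaf component and
    not at all when exist_ok=True finds the directory already there."""
    config_dir.mkdir(parents=True, exist_ok=True, mode=0o700)
    config_dir.chmod(0o700)
    return config_dir


def dir_mode(path: Path) -> int:
    """Permission bits only (file-type bits stripped), e.g. 0o755."""
    return stat.S_IMODE(path.stat().st_mode)


def audit_config_dir(path: Path) -> list[str]:
    """Defender-side check: report any group/other access on a config directory."""
    findings = []
    mode = dir_mode(path)
    if mode & stat.S_IRWXG:
        findings.append(f"{path}: group has access (mode {oct(mode)})")
    if mode & stat.S_IRWXO:
        findings.append(f"{path}: others have access (mode {oct(mode)})")
    return findings


def demo(umask: int = 0o022) -> dict:
    """Run both variants in a constructed temporary tree under the given umask
    and return the resulting modes so the differences can be checked."""
    old_umask = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as tmp:
            base = Path(tmp) / ".config"  # constructed stand-in for ~/.config

            # 1. Hardened call first: parents=True also creates ".config", which
            #    shows that mode=0o700 reaches only the leaf directory.
            hardened = create_config_dir_hardened(base / "aster-mcp")
            parent_mode = dir_mode(base)

            # 2. The original pattern, for comparison.
            vulnerable = create_config_dir_vulnerable(base / "aster-mcp-vulnerable")
            vulnerable_mode = dir_mode(vulnerable)
            vulnerable_findings = audit_config_dir(vulnerable)

            # 3. Adding mode= to mkdir alone does not repair a directory that
            #    already exists: exist_ok=True swallows the error and nothing changes.
            vulnerable.mkdir(parents=True, exist_ok=True, mode=0o700)
            mkdir_only_mode = dir_mode(vulnerable)

            # 4. The hardened helper chmods explicitly, so it also repairs an
            #    existing directory.
            repaired_mode = dir_mode(create_config_dir_hardened(vulnerable))

            return {
                "hardened_mode": dir_mode(hardened),
                "hardened_findings": audit_config_dir(hardened),
                "parent_mode": parent_mode,
                "vulnerable_mode": vulnerable_mode,
                "vulnerable_findings": vulnerable_findings,
                "mkdir_only_on_existing_mode": mkdir_only_mode,
                "repaired_mode": repaired_mode,
            }
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, oct(value) if isinstance(value, int) else value)
```

Because the directory is 0o700 before any file is written into it, the per-file chmod race the finding mentions is closed as a side effect: other users cannot traverse the directory to reach a file during the window between its creation and its chmod 0o600. The explicit chmod after mkdir is what makes the fix effective for installations where the directory already exists.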


Methodology: Triple-verification static analysis -- each finding verified across three independent code review passes.
