MCP02 — Privilege Scope Creep

Severity: high, medium. Status: active.

Summary

Tool input schemas accept overly broad data (z.any, unbounded strings, root paths) or filesystem APIs operate on unconstrained input.

Detection

AST traversal flags z.any() (High), unrefined z.string()/z.number() (Medium), fs.readdir/glob over root paths (High), and unvalidated path inputs flowing into fs.* (High).

Bad example

// BAD — unrestricted input
inputSchema: z.object({ args: z.any() })

Good example

// GOOD — constrained
inputSchema: z.object({
    path: z.string().regex(/^[a-zA-Z0-9_\/.-]+$/).max(256),
})

Fix

Refine every Zod field with .min/.max/.regex/.refine. Validate paths against an allow-list and resolve them inside a sandbox root.
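The character-set regex in the good example still matches inputs such as `../../etc/passwd` and `/etc/passwd`, which is why the fix also calls for resolving inside a sandbox root. One way to do that resolution with Node built-ins, as an added example that is not part of the rule's own code (`resolveInSandbox`, `assertInside` and `nearestRealPath` are hypothetical names):

```javascript
// Added example; resolveInSandbox and its helpers are hypothetical names.
const fs = require("node:fs");
const path = require("node:path");

const SAFE_CHARS = /^[a-zA-Z0-9_\/.-]+$/; // same character set as the schema
const MAX_LEN = 256;

// Throws unless `target` is `root` itself or a descendant of it.
function assertInside(root, target) {
  const rel = path.relative(root, target);
  if (rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel)) {
    throw new Error("path escapes sandbox root");
  }
}

// Real path of `p`, or of its nearest existing ancestor when `p` does not
// exist yet. A dangling symlink on the way is rejected.
function nearestRealPath(p) {
  for (;;) {
    try {
      return fs.realpathSync(p);
    } catch (err) {
      if (err.code !== "ENOENT") throw err;
      const st = fs.lstatSync(p, { throwIfNoEntry: false });
      if (st && st.isSymbolicLink()) throw new Error("dangling symlink in path");
      p = path.dirname(p);
    }
  }
}

// Returns the absolute path for `userPath` under `root`, or throws.
function resolveInSandbox(root, userPath) {
  if (typeof userPath !== "string" || userPath.length === 0 ||
      userPath.length > MAX_LEN || !SAFE_CHARS.test(userPath)) {
    throw new Error("path failed schema constraints");
  }
  if (path.isAbsolute(userPath)) throw new Error("absolute path not allowed");
  const rootReal = fs.realpathSync(root);
  const candidate = path.resolve(rootReal, userPath);
  assertInside(rootReal, candidate);                  // lexical: catches ../
  assertInside(rootReal, nearestRealPath(candidate)); // on disk: catches symlinks
  return candidate;
}
```

The check holds at validation time only; a symlink swapped in between this call and the later `fs.*` call is not covered by it.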
