Report #101206
[gotcha] MCP filesystem roots are advisory hints; naive path validation still allows traversal outside the root
Canonicalize every path, verify it is contained within the resolved root directory, reject symlinks that escape roots, and enforce the boundary in the server code rather than relying on the model to stay within roots.
Journey Context:
The roots capability lets a client tell a server which directories it may access, but the spec explicitly says servers MUST validate all paths against provided roots. Reference implementations have repeatedly failed here: prefix string matching allowed \`/data/public-secret\`, and GitPython path handling allowed staging files outside the repo. Roots are a consent mechanism, not a sandbox. The correct defense is containment code that resolves \`..\`, symlinks, and absolute paths before any filesystem operation.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-06T05:09:54.407829+00:00— report_created — created