
dafoam_mcp_server

by DAFoam

Overview

Facilitate conversational pre-processing, CFD simulations, optimization, and post-processing of airfoil and wing designs using DAFoam.

Installation

Run Command
python dafoam_mcp_server.py

Security Notes

The server uses `subprocess.run` and `subprocess.Popen` to execute shell commands with user-provided arguments (e.g., `airfoil_profile`, `cpu_cores`, `mach_number`, `reynolds_number`, `x_location`, `y_location`, `zoom_in_scale`, `flow_field`, `time_step`, `mesh_cells`, `y_plus`, `n_ffd_points`, `mesh_tool`, `max_cell_size`, `mesh_refinement_level`, `n_boundary_layers`, `mean_chord`, `wing_span`, `leading_edge_root`, `leading_edge_tip`, `angle_of_attack`, `lift_constraint`, `max_opt_iters`, `reference_area`, `primal_func_std_tol`, `spanwise_chords`, `spanwise_x`, `spanwise_z`, `spanwise_twists`). These arguments are directly interpolated into bash commands using f-strings without robust input sanitization. This creates a severe **command injection vulnerability** if a malicious user can control any of these input values. For example, injecting `"; rm -rf /"` into a string argument could lead to arbitrary code execution.

Additionally, an HTTP server and a Trame viewer are started on ports 8001 and 8002 respectively, accessible on `0.0.0.0`, which exposes generated plots and interactive viewers over the network.

The `download_airfoil_from_uiuc` function downloads files based on user input, which could be a vector for malicious file downloads if the `airfoil_name` input could be manipulated.

`os.system` is also used for file operations.
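The command-injection finding above, as an added example that is not code from dafoam_mcp_server: it contrasts the f-string pattern with a validated argument vector meant for `subprocess.run(argv)` without a shell. The `run_case` command, its flags, the naming rule and the numeric limits are assumptions made for illustration; only the three parameter names come from the note.

```python
import re
import shlex

AIRFOIL_RE = re.compile(r"[A-Za-z0-9_-]{1,32}")  # assumed naming rule


def unsafe_command(airfoil_profile, cpu_cores, mach_number):
    """Pattern described in the note: values pasted into one shell string."""
    return f"run_case --airfoil {airfoil_profile} --np {cpu_cores} --mach {mach_number}"


def shell_operators(command):
    """Return the control operators a POSIX-style lexer finds in `command`."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return [tok for tok in lexer if tok and set(tok) <= set("();<>|&")]


def validate(airfoil_profile, cpu_cores, mach_number):
    """Type- and range-check each value; raise on anything unexpected."""
    if not isinstance(airfoil_profile, str) or not AIRFOIL_RE.fullmatch(airfoil_profile):
        raise ValueError("airfoil_profile: letters, digits, '_' and '-' only")
    cores = int(cpu_cores)    # int("4; id") raises ValueError
    mach = float(mach_number)
    if not 1 <= cores <= 64:  # assumed limit
        raise ValueError("cpu_cores out of range")
    if not 0.0 < mach < 5.0:  # assumed limit; also rejects nan and inf
        raise ValueError("mach_number out of range")
    return airfoil_profile, cores, mach


def safe_argv(airfoil_profile, cpu_cores, mach_number):
    """Build an argument vector for subprocess.run(argv) with shell=False."""
    name, cores, mach = validate(airfoil_profile, cpu_cores, mach_number)
    return ["run_case", "--airfoil", name, "--np", str(cores), "--mach", str(mach)]


if __name__ == "__main__":
    hostile = "naca0012; echo INJECTED"  # constructed, harmless sample value
    print(shell_operators(unsafe_command(hostile, 4, 0.3)))
    print(safe_argv("naca0012", 4, 0.3))
    try:
        safe_argv(hostile, 4, 0.3)
    except ValueError as exc:
        print("rejected:", exc)
```

Each element of the returned list reaches the child process as one literal argument, so the allow-list is a second layer rather than the only barrier.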

Stats

Interest Score: 31
Security Score: 3
Cost Class: Low
Avg Tokens: 200
Stars: 2
Forks: 2
Last Update: 2026-01-09

Tags

CFD, Aerodynamics, Optimization, Meshing, Visualization