mcp-sed-awk

The server implements a robust, multi-layered security architecture: 1. Input Validation: `SecurityValidator` actively sanitizes sed patterns and AWK programs, preventing command injection, ReDoS attacks (nested quantifiers, excessive repetition, deep nesting), and filters shell metacharacters through blacklists and structural checks. 2. Access Control: `PathValidator` enforces a strict directory whitelist, canonicalizes paths, resolves symlinks, and prevents path traversal and TOCTOU vulnerabilities. 3. Resource Protection: `BinaryExecutor` enforces file size limits (10MB), operation timeouts (30s), and on Linux systems, applies memory (100MB) and CPU time (30s) limits using `setrlimit`. 4. Safe Execution: All native binary executions (sed, awk, diff) use `subprocess.run(shell=False)` to prevent shell injection. 5. Error Recovery: `sed_substitute` creates automatic backups and rolls back changes on failure, while `preview_sed` uses temporary files for non-destructive operations with guaranteed cleanup. 6. Audit Trail: `AuditLogger` records all security-relevant events (validation failures, access violations, executions) with data sanitization and fail-safe logging to prevent log injection. No `eval()` or similar dangerous functions were identified. No hardcoded secrets were found; sensitive configurations like allowed directories are passed via CLI or environment variables.