MCP-Gateway

The project implements robust internal security features like timing-safe token comparison, configurable rate limiting, CORS, and environment variable validation/redaction. For its own `/admin/permissions/exec` endpoint, it employs a strict command whitelist and dangerous pattern blacklist. However, critical vulnerabilities exist: 1) The provided `config/gateway.json` (within the prompt context) contains hardcoded API tokens and OAuth client secrets, which is a severe risk if used directly in production. While the documentation suggests generating tokens and using environment variables, this specific configuration example is unsafe. 2) The `install.sh` and `setup-ubuntu.sh` scripts configure the gateway to run as `root` by default, granting maximum privileges to the entire process and its child MCP servers. This significantly increases the blast radius in case of a vulnerability. 3) The 'Desktop Commander' MCP server, a core pre-installed tool, explicitly exposes functionalities to 'Run shell commands' and 'file editing'. While the gateway's *own* `/admin/permissions/exec` endpoint is hardened, the Desktop Commander tool's methods (e.g., `execute_command`) allow arbitrary shell commands to be run by the AI agent through the MCP protocol, potentially bypassing the gateway's internal whitelist/blacklist and inheriting the `root` privileges. This is a very high privilege level for an AI-controlled component.