
mcp-server

by nf-osi

Overview

Provides tools for Synapse data curation workflows, including portal metadata generation and project review/classification, enabling AI assistants to interact with Synapse resources.

Installation

Run Command
uvx --from /absolute/path/to/mcp-server nfty

Environment Variables

  • SYNAPSE_AUTH_TOKEN

Security Notes

The server exposes powerful operations directly to the LLM that involve user-provided strings without robust internal validation:

  1. SQL Injection Risk: The `synapse_query` tool passes raw `query` strings directly to `synapseclient.tableQuery`. While Synapse may offer some backend protection, an LLM receiving malicious input could craft queries to extract sensitive data or perform unintended operations within the bounds of the `SYNAPSE_AUTH_TOKEN`'s permissions.

  2. Arbitrary File Read Risk: The `validate_metadata` tool accepts a `schema_file` path from user input. Without proper sanitization or sandboxing by the MCP client, this could allow the LLM to read arbitrary files from the server's filesystem.

  3. Server-Side Request Forgery (SSRF) Risk: Tools like `fetch_schema`, `get_data_classes`, and `get_data_sharing_plan` construct URLs based on user input (e.g., `schema_url`, `templates_url`, `study_id` for DSP API). An LLM could potentially craft these inputs to probe or interact with internal network services if the server has such access.

  4. Broad Permissions: The required `SYNAPSE_AUTH_TOKEN` is a personal access token, which can grant extensive permissions to Synapse resources, amplifying the impact of any successful exploitation of the above risks.
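One way to close the file-read and SSRF gaps in items 2 and 3 is to validate `schema_file` and `schema_url` before the tool acts on them. The sketch below is an added example, not code from the nf-osi project; the function names, the schema base directory, and the `ALLOWED_SCHEMA_HOSTS` value are assumptions.

```python
from pathlib import Path
from urllib.parse import urlsplit

# Assumed policy value, not taken from the project: hosts schemas may come from.
ALLOWED_SCHEMA_HOSTS = {"schemas.example.org"}


def resolve_schema_file(user_path: str, base_dir: Path) -> Path:
    """Return the resolved path only if it stays inside base_dir and is a .json file."""
    base = base_dir.resolve()
    # Joining an absolute user_path discards base; resolve() also collapses
    # "../" segments and follows symlinks, so the check sees the real target.
    candidate = (base / user_path).resolve()
    if not candidate.is_relative_to(base):
        raise ValueError(f"schema_file escapes {base}")
    if candidate.suffix != ".json":
        raise ValueError("schema_file must be a .json file")
    return candidate


def check_schema_url(url: str) -> str:
    """Accept only https URLs whose exact host is on the allowlist."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("only https is allowed")
    if parts.username or parts.password:
        # Blocks "https://trusted-host@other-host/" lookalikes.
        raise ValueError("userinfo in URL is not allowed")
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_SCHEMA_HOSTS:
        # Exact match: IP literals, metadata addresses and suffix tricks all fail.
        raise ValueError(f"host {host!r} is not allowlisted")
    return url
```

The HTTP client that fetches an accepted URL should not follow redirects automatically, or should apply `check_schema_url` to every hop.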

Stats

Interest Score: 0
Security Score: 5
Cost Class: Medium
Avg Tokens: 2000
Stars: 0
Forks: 0
Last Update: 2025-11-24

Tags

Synapse, Data Curation, Metadata, Project Management, NF-OSI, AI Assistant