v1.3.3 - Cmd Injection Security Hardening 🔐

@joshuayoes joshuayoes released this 20 Jun 17:13
eb53a4f

iOS Simulator MCP v1.3.3

Warning

Security Notice: This release addresses a command injection vulnerability (moderate severity) present in versions < 1.3.3. Please update to v1.3.3 or later. This vulnerability is described in Snyk's article "Exploiting MCP Servers Vulnerable to Command Injection".

Security Fixes

  • Patched Command Injection Vulnerability: Replaced child_process.exec with the more secure child_process.execFile. This mitigates command injection risks by ensuring user-provided inputs are treated as distinct arguments and not interpreted by the shell, following best practices from the Node.js security community.
  • Strict Input Validation: Implemented robust input validation using zod for all user-provided arguments, including regex checks for UDIDs and length limits for paths and text.
  • Secure Argument Handling: Added a -- separator to commands to clearly distinguish options from positional arguments, preventing misinterpretation by the shell.

Affected Tools

The following tools have been secured:

  • ui_tap
  • ui_type
  • ui_swipe
  • ui_describe_point
  • ui_describe_all
  • screenshot
  • record_video
  • stop_recording

Documentation

  • Updated SECURITY.md: The security policy was updated with details about the vulnerability, its impact, and the fix.
  • Added QA.md: A new Quality Assurance guide (QA.md) was added with manual test cases.
  • Updated README.md: The README now includes a prominent security notice and updated installation instructions.

Build

  • Version Bump: The project version has been bumped to 1.3.3.