fix: secure built-in filesystem MCP root handling

src/main/mcpServers/factory.ts

@@ -9,6 +9,7 @@ import DiDiMcpServer from './didi-mcp'
 import DifyKnowledgeServer from './dify-knowledge'
 import FetchServer from './fetch'
 import FileSystemServer from './filesystem'
+import { resolveFilesystemBaseDir } from './filesystem/config'
 import HubServer from './hub'
 import MemoryServer from './memory'
 import PythonServer from './python'
@@ -37,7 +38,7 @@ export function createInMemoryMCPServer(
       return new FetchServer().server
     }
     case BuiltinMCPServerNames.filesystem: {
-      return new FileSystemServer(envs.WORKSPACE_ROOT).server
+      return new FileSystemServer(resolveFilesystemBaseDir(args, envs)).server
     }
     case BuiltinMCPServerNames.difyKnowledge: {
       const difyKey = envs.DIFY_KEY

src/main/mcpServers/filesystem/__tests__/filesystem.test.ts

@@ -0,0 +1,85 @@
+import fs from 'fs/promises'
+import path from 'path'
+import { afterEach, describe, expect, it, vi } from 'vitest'
+
+import { resolveFilesystemBaseDir } from '../config'
+import { validatePath } from '../types'
+
+describe('filesystem MCP security', () => {
+  const tempDirs: string[] = []
+
+  async function createTempDir(prefix: string) {
+    const tempRoot = path.join(process.cwd(), '.context', 'vitest-temp')
+    await fs.mkdir(tempRoot, { recursive: true })
+    const tempDir = await fs.mkdtemp(path.join(tempRoot, prefix))
+    tempDirs.push(tempDir)
+    return tempDir
+  }
+
+  afterEach(async () => {
+    vi.restoreAllMocks()
+    await Promise.all(tempDirs.splice(0).map((tempDir) => fs.rm(tempDir, { recursive: true, force: true })))
+  })
+
+  it('prefers WORKSPACE_ROOT and falls back to args for filesystem root', () => {
+    expect(resolveFilesystemBaseDir(['C:/args-root'], {})).toBe('C:/args-root')
+    expect(resolveFilesystemBaseDir(['C:/args-root'], { WORKSPACE_ROOT: 'C:/env-root' })).toBe('C:/env-root')
+    expect(resolveFilesystemBaseDir([], {})).toBeUndefined()
+  })
+
+  it('allows paths inside the configured root and rejects paths outside it', async () => {
+    const workspaceRoot = await createTempDir('filesystem-root-')
+    const outsideRoot = await createTempDir('filesystem-outside-')
+    const insideFile = path.join(workspaceRoot, 'inside.txt')
+    const outsideFile = path.join(outsideRoot, 'outside.txt')
+
+    await fs.writeFile(insideFile, 'inside')
+    await fs.writeFile(outsideFile, 'outside')
+
+    await expect(validatePath(insideFile, workspaceRoot)).resolves.toBe(insideFile)
+    await expect(validatePath(outsideFile, workspaceRoot)).rejects.toThrow('outside the configured workspace root')
+  })
+
+  it('rejects symlink escapes outside the configured root', async () => {
+    const workspaceRoot = await createTempDir('filesystem-symlink-root-')
+    const outsideRoot = await createTempDir('filesystem-symlink-outside-')
+    const outsideFile = path.join(outsideRoot, 'secret.txt')
+    const symlinkPath = path.join(workspaceRoot, 'escape-link')
+
+    await fs.writeFile(outsideFile, 'top-secret')
+    await fs.symlink(outsideFile, symlinkPath)
+
+    await expect(validatePath(symlinkPath, workspaceRoot)).rejects.toThrow('outside the configured workspace root')
+  })
+
+  it('rejects relative path traversal outside the configured root', async () => {
+    const workspaceRoot = await createTempDir('filesystem-relative-root-')
+    const outsideFile = path.join(path.dirname(workspaceRoot), 'outside.txt')
+
+    await fs.writeFile(outsideFile, 'outside')
+
+    await expect(validatePath('../outside.txt', workspaceRoot)).rejects.toThrow('outside the configured workspace root')
+  })
+
+  it('rejects home expansion outside the configured root', async () => {
+    const workspaceRoot = await createTempDir('filesystem-home-root-')
+
+    await expect(validatePath('~/sensitive-file', workspaceRoot)).rejects.toThrow(
+      'outside the configured workspace root'
+    )
+  })
+
+  it('falls back to process.cwd() when baseDir is omitted', async () => {
+    const workspaceRoot = await createTempDir('filesystem-cwd-root-')
+    const allowedFile = path.join(workspaceRoot, 'allowed.txt')
+    const outsideFile = path.join(path.dirname(workspaceRoot), 'outside.txt')
+
+    await fs.writeFile(allowedFile, 'allowed')
+    await fs.writeFile(outsideFile, 'outside')
+
+    vi.spyOn(process, 'cwd').mockReturnValue(workspaceRoot)
+
+    await expect(validatePath('allowed.txt')).resolves.toBe(allowedFile)
+    await expect(validatePath('../outside.txt')).rejects.toThrow('outside the configured workspace root')
+  })
+})

src/main/mcpServers/filesystem/config.ts

@@ -0,0 +1,8 @@
+export function resolveFilesystemBaseDir(args: string[] = [], envs: Record<string, string> = {}): string | undefined {
+  const envWorkspaceRoot = envs.WORKSPACE_ROOT?.trim()
+  if (envWorkspaceRoot) {
+    return envWorkspaceRoot
+  }
+
+  return args.find((arg) => typeof arg === 'string' && arg.trim().length > 0)?.trim()
+}

src/main/mcpServers/filesystem/server.ts

@@ -20,16 +20,18 @@ import {
   readToolDefinition,
   writeToolDefinition
 } from './tools'
-import { logger } from './types'
+import { expandHome, logger, normalizePath } from './types'
 
 export class FileSystemServer {
   public server: Server
   private baseDir: string
 
   constructor(baseDir?: string) {
-    if (baseDir && path.isAbsolute(baseDir)) {
-      this.baseDir = baseDir
-      logger.info(`Using provided baseDir for filesystem MCP: ${baseDir}`)
+    const expandedBaseDir = baseDir ? expandHome(baseDir) : undefined
+
+    if (expandedBaseDir && path.isAbsolute(expandedBaseDir)) {
+      this.baseDir = normalizePath(path.resolve(expandedBaseDir))
+      logger.info(`Using provided baseDir for filesystem MCP: ${this.baseDir}`)
     } else {
       const userData = app.getPath('userData')
       this.baseDir = path.join(userData, 'Data', 'Workspace')
@@ -48,17 +50,19 @@ export class FileSystemServer {
       }
     )
 
-    this.initialize()
+    this.registerHandlers()
+    void this.ensureBaseDir()
   }
 
-  async initialize() {
+  private async ensureBaseDir() {
     try {
       await fs.mkdir(this.baseDir, { recursive: true })
     } catch (error) {
       logger.error('Failed to create filesystem MCP baseDir', { error, baseDir: this.baseDir })
     }
+  }
 
-    // Register tool list handler
+  private registerHandlers() {
     this.server.setRequestHandler(ListToolsRequestSchema, async () => {
       return {
         tools: [

src/main/mcpServers/filesystem/tools/delete.ts

@@ -20,7 +20,7 @@ CAUTION: This operation cannot be undone!
 - For files: simply provide the path
 - For empty directories: provide the path
 - For non-empty directories: set recursive=true
-- The path must be an absolute path, not a relative path
+- The path must resolve within the configured workspace root
 - Always verify the path before deleting to avoid data loss`,
   inputSchema: z.toJSONSchema(DeleteToolSchema)
 }

src/main/mcpServers/filesystem/tools/edit.ts

@@ -18,7 +18,7 @@ export const editToolDefinition = {
   description: `Performs exact string replacements in files.
 
 - You must use the 'read' tool at least once before editing
-- The file_path must be an absolute path, not a relative path
+- The file_path must resolve within the configured workspace root
 - Preserve exact indentation from read output (after the line number prefix)
 - Never include line number prefixes in old_string or new_string
 - ALWAYS prefer editing existing files over creating new ones

src/main/mcpServers/filesystem/tools/glob.ts

@@ -26,7 +26,7 @@ export const globToolDefinition = {
 - Patterns with "/" (e.g., "src/*.ts") match relative to the search path
 - Pattern syntax: * (any chars), ** (any path), {a,b} (alternatives), ? (single char)
 - Results are limited to 100 files
-- The path parameter must be an absolute path if specified
+- The path parameter must resolve within the configured workspace root if specified
 - If path is not specified, defaults to the base directory
 - IMPORTANT: Omit the path field for the default directory (don't use "undefined" or "null")`,
   inputSchema: z.toJSONSchema(GlobToolSchema)

src/main/mcpServers/filesystem/tools/grep.ts

@@ -27,7 +27,7 @@ export const grepToolDefinition = {
 - Results are limited to 100 matches
 - Binary files are automatically skipped
 - Common directories (node_modules, .git, dist) are excluded
-- The path parameter must be an absolute path if specified
+- The path parameter must resolve within the configured workspace root if specified
 - If path is not specified, defaults to the base directory`,
   inputSchema: z.toJSONSchema(GrepToolSchema)
 }

src/main/mcpServers/filesystem/tools/ls.ts

@@ -22,7 +22,7 @@ export const lsToolDefinition = {
 - Common directories (node_modules, dist, .git) are excluded
 - Hidden files (starting with .) are excluded except .env.example
 - Results are limited to 100 entries
-- The path parameter must be an absolute path if specified
+- The path parameter must resolve within the configured workspace root if specified
 - If path is not specified, defaults to the base directory`,
   inputSchema: z.toJSONSchema(LsToolSchema)
 }

src/main/mcpServers/filesystem/tools/read.ts

@@ -16,8 +16,8 @@ export const readToolDefinition = {
   name: 'read',
   description: `Reads a file from the local filesystem.
 
-- Assumes this tool can read all files on the machine
-- The file_path parameter must be an absolute path, not a relative path
+- Only files within the configured workspace root can be read
+- The file_path parameter must resolve within the configured workspace root
 - By default, reads up to 2000 lines starting from the beginning
 - You can optionally specify a line offset and limit for long files
 - Any lines longer than 2000 characters will be truncated

src/main/mcpServers/filesystem/tools/write.ts

@@ -20,7 +20,7 @@ export const writeToolDefinition = {
 - ALWAYS prefer using the 'edit' tool for existing files
 - NEVER proactively create documentation files unless explicitly requested
 - Parent directories will be created automatically if they don't exist
-- The file_path must be an absolute path, not a relative path`,
+- The file_path must resolve within the configured workspace root`,
   inputSchema: z.toJSONSchema(WriteToolSchema)
 }
 

src/main/mcpServers/filesystem/types.ts

@@ -39,27 +39,60 @@ export function expandHome(filepath: string): string {
   return filepath
 }
 
+function normalizeForComparison(filePath: string): string {
+  const normalizedPath = normalizePath(path.resolve(filePath))
+  return isWin ? normalizedPath.toLowerCase() : normalizedPath
+}
+
+async function resolveRealOrNearestExistingPath(targetPath: string): Promise<string> {
+  try {
+    return normalizePath(await fs.realpath(targetPath))
+  } catch {
+    let currentPath = path.dirname(targetPath)
+
+    while (true) {
+      try {
+        const realCurrentPath = await fs.realpath(currentPath)
+        const relativeSuffix = path.relative(currentPath, targetPath)
+        return normalizePath(path.join(realCurrentPath, relativeSuffix))
+      } catch {
+        const parentPath = path.dirname(currentPath)
+        if (parentPath === currentPath) {
+          logger.warn('Could not resolve any existing ancestor for path', { targetPath })
+          return normalizePath(targetPath)
+        }
+        currentPath = parentPath
+      }
+    }
+  }
+}
+
+function isPathWithinRoot(targetPath: string, rootPath: string): boolean {
+  const normalizedTargetPath = normalizeForComparison(targetPath)
+  const normalizedRootPath = normalizeForComparison(rootPath)
+
+  if (normalizedTargetPath === normalizedRootPath) {
+    return true
+  }
+
+  const relativePath = path.relative(normalizedRootPath, normalizedTargetPath)
+  return relativePath !== '' && !relativePath.startsWith('..') && !path.isAbsolute(relativePath)
+}
+
 // Security validation
 export async function validatePath(requestedPath: string, baseDir?: string): Promise<string> {
   const expandedPath = expandHome(requestedPath)
-  const root = baseDir ?? process.cwd()
+  const root = expandHome(baseDir ?? process.cwd())
   const absolute = path.isAbsolute(expandedPath) ? path.resolve(expandedPath) : path.resolve(root, expandedPath)
 
-  // Handle symlinks by checking their real path
-  try {
-    const realPath = await fs.realpath(absolute)
-    return normalizePath(realPath)
-  } catch (error) {
-    // For new files that don't exist yet, verify parent directory
-    const parentDir = path.dirname(absolute)
-    try {
-      const realParentPath = await fs.realpath(parentDir)
-      normalizePath(realParentPath)
-      return normalizePath(absolute)
-    } catch {
-      return normalizePath(absolute)
-    }
+  const resolvedRoot = await resolveRealOrNearestExistingPath(path.resolve(root))
+  const resolvedPath = await resolveRealOrNearestExistingPath(absolute)
+
+  if (!isPathWithinRoot(resolvedPath, resolvedRoot)) {
+    throw new Error(`Access denied: Path is outside the configured workspace root: ${requestedPath}`)
   }
+
+  return resolvedPath
 }
 
 // ============================================================================

src/renderer/src/store/__tests__/mcp.test.ts

@@ -0,0 +1,32 @@
+import { BuiltinMCPServerNames, type MCPServer } from '@renderer/types'
+import { describe, expect, it, vi } from 'vitest'
+
+import { builtinMCPServers, initializeMCPServers, updateMCPServer } from '../mcp'
+
+describe('MCP filesystem defaults', () => {
+  it('disables auto-approve for sensitive filesystem tools by default', () => {
+    const filesystemServer = builtinMCPServers.find((server) => server.name === BuiltinMCPServerNames.filesystem)
+
+    expect(filesystemServer?.disabledAutoApproveTools).toEqual(['write', 'edit', 'delete'])
+  })
+
+  it('backfills manual approval defaults for existing filesystem servers', () => {
+    const dispatch = vi.fn()
+    const existingFilesystemServer: MCPServer = {
+      id: 'filesystem-server',
+      name: BuiltinMCPServerNames.filesystem,
+      type: 'inMemory',
+      args: ['/tmp/workspace'],
+      isActive: true
+    }
+
+    initializeMCPServers([existingFilesystemServer], dispatch)
+
+    expect(dispatch).toHaveBeenCalledWith(
+      updateMCPServer({
+        ...existingFilesystemServer,
+        disabledAutoApproveTools: ['write', 'edit', 'delete']
+      })
+    )
+  })
+})

src/renderer/src/store/mcp.ts

@@ -19,6 +19,7 @@ import { createSlice, nanoid, type PayloadAction } from '@reduxjs/toolkit'
 import { type BuiltinMCPServer, BuiltinMCPServerNames, type MCPConfig, type MCPServer } from '@renderer/types'
 
 const logger = loggerService.withContext('Store:MCP')
+const filesystemManualApprovalTools = ['write', 'edit', 'delete'] as const
 
 export const initialState: MCPConfig = {
   servers: [],
@@ -170,7 +171,8 @@ export const builtinMCPServers: BuiltinMCPServer[] = [
     id: nanoid(),
     name: BuiltinMCPServerNames.filesystem,
     type: 'inMemory',
-    args: ['/Users/username/Desktop', '/path/to/other/allowed/dir'],
+    args: ['/Users/username/Desktop'],
+    disabledAutoApproveTools: [...filesystemManualApprovalTools],
     shouldConfig: true,
     isActive: false,
     provider: 'CherryAI',
@@ -240,6 +242,16 @@ export const builtinMCPServers: BuiltinMCPServer[] = [
  * @param dispatch Redux dispatch function
  */
 export const initializeMCPServers = (existingServers: MCPServer[], dispatch: (action: any) => void): void => {
+  const existingFilesystemServer = existingServers.find((server) => server.name === BuiltinMCPServerNames.filesystem)
+  if (existingFilesystemServer && existingFilesystemServer.disabledAutoApproveTools === undefined) {
+    dispatch(
+      updateMCPServer({
+        ...existingFilesystemServer,
+        disabledAutoApproveTools: [...filesystemManualApprovalTools]
+      })
+    )
+  }
+
   // Check if the existing servers already contain the built-in servers
   const serverIds = new Set(existingServers.map((server) => server.name))