Validate flags used in MCP server config commands

christopherholland-workday · christopherholland-workday · commit 6c089bc48f98 · 2026-02-11T11:39:02.000-08:00
diff --git a/packages/components/nodes/tools/MCP/core.ts b/packages/components/nodes/tools/MCP/core.ts
@@ -272,7 +272,8 @@ export const validateCommandFlags = (command: string, args: string[]): void => {
         npx: [
             '-c', // Execute shell commands
             '--call', // Execute shell commands
-            '--shell-auto-fallback' // Shell execution fallback
+            '--shell-auto-fallback', // Shell execution fallback
+            '-y' // Auto-confirms installation prompts
         ],
         node: [
             '-e', // Execute JavaScript code
diff --git a/packages/components/test/nodes/tools/MCP/core.test.ts b/packages/components/test/nodes/tools/MCP/core.test.ts
@@ -27,6 +27,12 @@ describe('MCP Security Validations', () => {
                 }).toThrow("Argument '--shell-auto-fallback' is not allowed for command 'npx'")
             })
 
+            it('should block -y flag', () => {
+                expect(() => {
+                    validateCommandFlags('npx', ['-y', 'https://test-malicious-download.com'])
+                }).toThrow("Argument '-y' is not allowed for command 'npx'")
+            })
+
             it('should block case variations', () => {
                 expect(() => {
                     validateCommandFlags('npx', ['-C', 'command'])
@@ -41,10 +47,6 @@ describe('MCP Security Validations', () => {
                 expect(() => {
                     validateCommandFlags('npx', ['@modelcontextprotocol/server-filesystem', '/tmp'])
                 }).not.toThrow()
-
-                expect(() => {
-                    validateCommandFlags('npx', ['-y', '@modelcontextprotocol/server-github'])
-                }).not.toThrow()
             })
         })
 
@@ -393,14 +395,6 @@ describe('MCP Security Validations', () => {
         })
 
         it('should allow legitimate MCP server configurations', () => {
-            expect(() => {
-                validateMCPServerConfig({
-                    command: 'npx',
-                    args: ['-y', '@modelcontextprotocol/server-github'],
-                    env: { GITHUB_TOKEN: 'token123' }
-                })
-            }).not.toThrow()
-
             expect(() => {
                 validateMCPServerConfig({
                     command: 'node',
