feat(security): Add glob patterns and expand sensitive-file coverage

Added glob pattern support (`*`, `?`) in `mcp-server-security-sensitive-file-patterns`
via `wildcard-to-regexp`. Patterns like `~/.authinfo*` now correctly match all variants
(`~/.authinfo`, `~/.authinfo.gpg`, `~/.authinfo.enc`, etc.).

Extended sensitive file protection to cover `copy-file`, `rename-file`, `write-region`,
`append-to-file`, `write-file`, and `insert-file-contents-literally`, blocking both reads
from and writes to sensitive paths even when the function itself is allowed.

Added new dangerous functions: `append-to-file`, `async-shell-command`, `directory-files`,
`directory-files-recursively`, `insert-file-contents-literally`, `make-network-process`,
`make-process`, `open-network-stream`, `setenv`, `with-temp-file`, `write-file`.

Removed non-functional entries: `process-environment` (variable), `shell-environment`
(non-standard), `require` (too restrictive), `save-current-buffer`, `set-buffer`,
`switch-to-buffer` (low-level primitives).

Fixed `mcp-server-security--is-sensitive-file`: patterns using `~/` prefix are now
expanded with `expand-file-name` before comparison (issue #9).

Fixed `mcp-server-security--is-dangerous-operation`: calling `symbol-name` on string
operation IDs no longer raises `wrong-type-argument: symbolp`.

Added comprehensive unit test suite (79 ERT tests) for `mcp-server-security`.

Documented known limitation: static form walker does not recurse into `let`-binding
positions and cannot detect dynamically-constructed function names (issue #10).

Author: rhblind

CHANGELOG.md

@@ -5,6 +5,21 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.6.0] - 2026-03-31
+
+### Fixed
+- `mcp-server-security--is-sensitive-file`: patterns using `~/` prefix (e.g. `"~/.ssh/"`) were never matched because the input path was expanded with `expand-file-name` but the patterns were not, causing the literal `~` to fail against an absolute path (issue #9)
+- `mcp-server-security--is-dangerous-operation`: calling `symbol-name` on a string operation ID (e.g. `"access-sensitive-file:find-file"`) raised `wrong-type-argument: symbolp` instead of returning a result
+- Sensitive file check was only applied to four functions (`find-file`, `find-file-noselect`, `view-file`, `insert-file-contents`); functions like `copy-file` and `rename-file` could still access sensitive files when placed in `mcp-server-security-allowed-dangerous-functions`
+
+### Added
+- Glob pattern support (`*`, `?`) in `mcp-server-security-sensitive-file-patterns`: patterns such as `"~/.authinfo*"` now correctly match all variants (`~/.authinfo.gpg`, `~/.authinfo.enc`, etc.) via `wildcard-to-regexp`
+- Sensitive file check now covers `copy-file` (args 1 and 2), `rename-file` (args 1 and 2), `write-region` (arg 3), `append-to-file` (arg 3), `write-file` (arg 1), and `insert-file-contents-literally` (arg 1), blocking both reads from and writes to sensitive paths
+- New entries in default `mcp-server-security-dangerous-functions`: `append-to-file`, `async-shell-command`, `directory-files`, `directory-files-recursively`, `insert-file-contents-literally`, `make-network-process`, `make-process`, `open-network-stream`, `setenv`, `with-temp-file`, `write-file`
+- Removed entries from default `mcp-server-security-dangerous-functions` that were either non-functional or overly broad: `process-environment` (a variable, not a function; the form walker never matched it), `shell-environment` (not a standard Emacs function), `require` (too restrictive for legitimate use), `save-current-buffer` and `set-buffer` (low-level context-switching primitives with no inherent danger), `switch-to-buffer` (interactive UI command with no security impact)
+- Comprehensive unit test suite for `mcp-server-security` (79 ERT tests total)
+- Known limitation documented and tracked: static form walker does not recurse into `let`-binding value positions and cannot detect dynamically-constructed function names (`funcall` + `intern`); see issue #10
+
 ## [0.4.0] - 2026-01-08
 
 ### Added
@@ -68,6 +83,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Comprehensive test suite
 - Demo images for theme change and poem writing
 
+[0.6.0]: https://github.com/rhblind/emacs-mcp-server/compare/v0.5.0...v0.6.0
 [0.4.0]: https://github.com/rhblind/emacs-mcp-server/compare/v0.3.0...v0.4.0
 [0.3.0]: https://github.com/rhblind/emacs-mcp-server/compare/v0.2.0...v0.3.0
 [0.2.0]: https://github.com/rhblind/emacs-mcp-server/compare/v0.1.0...v0.2.0

README.md

@@ -177,8 +177,8 @@ Retrieves errors and warnings from flycheck or flymake (auto-detected per buffer
 ### Security Features
 
 **Permission System:**
-- **Dangerous function protection** - Functions like `delete-file`, `shell-command`, `find-file` require user approval
-- **Sensitive file protection** - Automatic blocking of credential files (`.authinfo`, `.netrc`, SSH keys, etc.)
+- **Dangerous function protection** - Functions like `delete-file`, `shell-command`, `find-file`, `write-file`, `make-network-process`, `make-process`, `async-shell-command`, `setenv` require user approval
+- **Sensitive file protection** - Automatic blocking of credential files (`.authinfo`, `.netrc`, SSH keys, etc.) for both reads and writes, even when the function itself is allowed
 - **Buffer access controls** - Protection for sensitive buffers like `*Messages*`, `*shell*`, `*terminal*`
 - **Permission caching** - Decisions are remembered for the session to avoid repeated prompts
 - **Audit logging** - Complete trail of all security events and decisions
@@ -198,9 +198,9 @@ Retrieves errors and warnings from flycheck or flymake (auto-detected per buffer
 
 The security model provides defense-in-depth but has known limitations:
 
-- **Blocklist bypass via indirection** - The dangerous function blocklist checks direct function calls, but `funcall`, `apply`, or `(intern "shell-command")` can bypass it
-- **Macro evaluation** - Macros that expand to dangerous code execute at compile-time before security checks
-- **Dynamic function construction** - Code can construct function names at runtime to evade static analysis
+- **`let`-binding positions not fully checked** - The static form walker does not recurse into `let`/`let*` binding-value positions, so `(let ((x (shell-command "id"))) x)` bypasses the blocklist. Tracked in [#10](https://github.com/rhblind/emacs-mcp-server/issues/10).
+- **Dynamic function construction** - Code can construct function names at runtime to evade static analysis: `(funcall (intern "delete-file") "/tmp/test")` passes the checker. Tracked in [#10](https://github.com/rhblind/emacs-mcp-server/issues/10).
+- **Macro expansion** - The form walker operates on unexpanded forms. Macros that wrap dangerous calls in non-tail positions (other than `let` bindings) may not be caught.
 
 **This means:** Using `eval-elisp` requires trusting the LLM completely. The security controls reduce risk of accidental harm but cannot prevent a determined adversary.
 
@@ -211,13 +211,15 @@ For higher security requirements, consider:
 
 ### Default Protected Files
 
-The server automatically protects these sensitive file patterns:
+The server automatically protects these sensitive file patterns.
+
+Patterns starting with `~/` or `/` are matched as path prefixes after expanding `~`. Patterns containing `*` or `?` are treated as shell globs (e.g. `~/.authinfo*` matches `~/.authinfo`, `~/.authinfo.gpg`, `~/.authinfo.enc`, etc.). Bare filename patterns (no leading `~/`) match against the file's basename.
 
 **Authentication Files:**
-- `~/.authinfo*` - Emacs authentication data
-- `~/.netrc*` - Network authentication credentials  
-- `~/.ssh/` - SSH keys and configuration
-- `~/.gnupg/` - GPG keys and configuration
+- `~/.authinfo` and variants - Emacs authentication data
+- `~/.netrc` and variants - Network authentication credentials
+- `~/.ssh/` - SSH keys and configuration (entire directory)
+- `~/.gnupg/` - GPG keys and configuration (entire directory)
 
 **Cloud & Service Credentials:**
 - `~/.aws/` - AWS credentials
@@ -232,17 +234,25 @@ The server automatically protects these sensitive file patterns:
 
 ### Security Configuration
 
+The default settings aim for a reasonable balance between security and usability: the most commonly dangerous functions are blocked, well-known credential files are protected, and operations fail silently rather than prompting. These defaults will not suit every workflow. You are encouraged to review them and adjust to your own needs, for example by tightening the dangerous function list, adding project-specific sensitive file patterns, or enabling prompts instead of silent denial.
+
 Users have complete control over the security model through customizable settings:
 
 **Customize Sensitive Files:**
 ```elisp
-;; Add your own sensitive file patterns
+;; Add your own sensitive file patterns.
+;; Patterns starting with ~/ or / are matched as path prefixes (after expanding ~).
+;; Patterns containing * or ? are treated as shell globs.
+;; Bare filename patterns match against the file's basename.
 (setq mcp-server-security-sensitive-file-patterns
-      '("~/.authinfo" "~/.ssh/" "~/my-secrets/" "*.key"))
+      '("~/.authinfo*"    ; glob: matches .authinfo, .authinfo.gpg, .authinfo.enc, ...
+        "~/.ssh/"         ; prefix: matches everything under ~/.ssh/
+        "~/my-secrets/"   ; prefix: matches everything under ~/my-secrets/
+        ".key"))          ; basename: matches any file whose name contains ".key"
 
 ;; Allow specific sensitive files without prompting
 (setq mcp-server-security-allowed-sensitive-files
-      '("~/.authinfo" "~/safe-config.txt"))
+      '("~/.ssh/known_hosts" "~/safe-config.txt"))
 ```
 
 **Customize Dangerous Functions:**
@@ -258,7 +268,7 @@ Users have complete control over the security model through customizable setting
 
 **Global Security Settings:**
 ```elisp
-;; Disable all permission prompts (not recommended)
+;; Block dangerous operations silently without prompting (default)
 (setq mcp-server-security-prompt-for-permissions nil)
 
 ;; Customize execution timeout
@@ -289,7 +299,7 @@ M-x customize-group RET mcp-server RET
 ```elisp
 ;; More relaxed for trusted development scenarios
 (setq mcp-server-security-allowed-dangerous-functions
-      '(find-file dired switch-to-buffer insert-file-contents))
+      '(find-file dired insert-file-contents))
 ;; Keep file protections for credentials
 (setq mcp-server-security-sensitive-file-patterns
       '("~/.authinfo*" "~/.netrc*" "~/.ssh/" "~/.gnupg/"))
@@ -327,7 +337,7 @@ M-x mcp-server-security-clear-permissions  ; Reset all cached permissions
 4. **Monitor credentials** - Be especially careful with any files containing passwords or API keys
 5. **Test security** - Verify your configuration blocks unauthorized access as expected
 
-Operations requiring explicit permission include file system operations (`delete-file`, `write-region`), process execution (`shell-command`, `call-process`), system functions (`kill-emacs`, `server-start`), and access to sensitive files or buffers.
+Operations requiring explicit permission include file system operations (`delete-file`, `write-region`, `write-file`, `append-to-file`, `copy-file`, `rename-file`, `with-temp-file`), process execution (`shell-command`, `call-process`, `start-process`), network access (`make-network-process`, `open-network-stream`, `url-retrieve`), directory enumeration (`directory-files`, `directory-files-recursively`), system functions (`kill-emacs`, `server-start`), and access to sensitive files or buffers.
 
 ## Management Commands
 

mcp-server-security.el

@@ -22,41 +22,46 @@
 ;;; Variables
 
 (defcustom mcp-server-security-dangerous-functions
-  '(browse-url
+  '(append-to-file
+    async-shell-command
+    browse-url
     call-process
     copy-file
     delete-directory
     delete-file
+    directory-files
+    directory-files-recursively
     dired
     eval
     find-file
     find-file-literally
     find-file-noselect
     getenv
     insert-file-contents
+    insert-file-contents-literally
     kill-emacs
     load
     make-directory
-    process-environment
+    make-network-process
+    make-process
+    open-network-stream
     rename-file
-    require
     save-buffers-kill-emacs
     save-buffers-kill-terminal
-    save-current-buffer
     server-force-delete
     server-start
-    set-buffer
     set-file-modes
     set-file-times
+    setenv
     shell-command
     shell-command-to-string
-    shell-environment
     start-process
-    switch-to-buffer
     url-retrieve
     url-retrieve-synchronously
     view-file
     with-current-buffer
+    with-temp-file
+    write-file
     write-region)
   "List of functions that require permission before execution.
 Users can customize this list to add or remove functions that should
@@ -171,12 +176,19 @@ Returns 'yes, 'no, or 'always."
       (?! 'always))))
 
 (defun mcp-server-security--is-dangerous-operation (operation)
-  "Check if OPERATION is considered dangerous."
-  ;; First check if function is explicitly allowed
-  (unless (member operation mcp-server-security-allowed-dangerous-functions)
-    ;; Then check if it's in the dangerous functions list or matches dangerous patterns
-    (or (member operation mcp-server-security-dangerous-functions)
-        (string-match-p "delete\\|kill\\|remove\\|destroy" (symbol-name operation)))))
+  "Check if OPERATION is considered dangerous.
+OPERATION is either a symbol (a function name) or a string synthetic ID
+such as \"access-sensitive-file:find-file\" produced by the sensitive
+file/buffer check paths.  String ops prefixed with \"access-sensitive-\"
+are always treated as dangerous so they are denied when prompting is off."
+  (if (stringp operation)
+      ;; Synthetic string IDs from sensitive file/buffer checks are dangerous
+      (string-prefix-p "access-sensitive-" operation)
+    ;; Symbol: check the allowed list, dangerous list, and name patterns
+    (unless (member operation mcp-server-security-allowed-dangerous-functions)
+      (or (member operation mcp-server-security-dangerous-functions)
+          (string-match-p "delete\\|kill\\|remove\\|destroy"
+                          (symbol-name operation))))))
 
 (defun mcp-server-security--is-sensitive-file (path)
   "Check if PATH points to a sensitive file."
@@ -186,10 +198,25 @@ Returns 'yes, 'no, or 'always."
       (unless (cl-some (lambda (allowed-file)
                          (string-equal (expand-file-name allowed-file) expanded-path))
                        mcp-server-security-allowed-sensitive-files)
-        ;; Then check if it matches any sensitive patterns
+        ;; Then check if it matches any sensitive patterns.
+        ;;
+        ;; Patterns starting with ~ or / are expanded before comparison so that
+        ;; e.g. "~/.ssh/" correctly matches the expanded path "/home/user/.ssh/id_rsa".
+        ;;
+        ;; Patterns containing * or ? are treated as shell glob wildcards via
+        ;; `wildcard-to-regexp', so "~/.authinfo*" matches "~/.authinfo.gpg" etc.
+        ;;
+        ;; Bare filename patterns (no leading ~ or /) are matched literally
+        ;; against the file's basename only.
         (cl-some (lambda (pattern)
-                   (or (string-match-p (regexp-quote pattern) expanded-path)
-                       (string-match-p pattern (file-name-nondirectory expanded-path))))
+                   (if (string-match-p "^[~/]" pattern)
+                       (let ((expanded-pattern (expand-file-name pattern)))
+                         (if (string-match-p "[*?]" pattern)
+                             (string-match-p (wildcard-to-regexp expanded-pattern)
+                                             expanded-path)
+                           (string-prefix-p expanded-pattern expanded-path)))
+                     (string-match-p (regexp-quote pattern)
+                                     (file-name-nondirectory expanded-path))))
                  mcp-server-security-sensitive-file-patterns)))))
 
 (defun mcp-server-security--is-sensitive-buffer (buffer-name)
@@ -279,14 +306,32 @@ to allow, or set `mcp-server-security-prompt-for-permissions' to t to prompt" fo
               (error "Security: `%s' is blocked. Add it to `mcp-server-security-allowed-dangerous-functions' \
 to allow, or set `mcp-server-security-prompt-for-permissions' to t to prompt" func)))
 
-          ;; Special checks for file access functions
-          (when (memq func '(find-file find-file-noselect view-file insert-file-contents))
-            (let ((file-path (car args)))
-              (when (and file-path (stringp file-path))
-                (when (mcp-server-security--is-sensitive-file file-path)
-                  (unless (mcp-server-security-check-permission
-                           (format "access-sensitive-file:%s" func) file-path)
-                    (error "Permission denied for sensitive file access: %s" file-path))))))
+          ;; Special checks for file access functions.
+          ;; Each entry maps a function to the 1-based positions of its file-path
+          ;; arguments.  Both read and write paths are covered so that sensitive
+          ;; files cannot be read from OR written to, even when the function is
+          ;; listed in `mcp-server-security-allowed-dangerous-functions'.
+          (let ((file-arg-specs
+                 '((find-file                    . (1))
+                   (find-file-noselect           . (1))
+                   (find-file-literally          . (1))
+                   (view-file                    . (1))
+                   (insert-file-contents         . (1))
+                   (insert-file-contents-literally . (1))
+                   (write-file                   . (1))
+                   (copy-file                    . (1 2))
+                   (rename-file                  . (1 2))
+                   (write-region                 . (3))
+                   (append-to-file               . (3)))))
+            (when-let ((positions (alist-get func file-arg-specs)))
+              (dolist (pos positions)
+                (let ((file-path (nth (1- pos) args)))
+                  (when (and file-path (stringp file-path))
+                    (when (mcp-server-security--is-sensitive-file file-path)
+                      (unless (mcp-server-security-check-permission
+                               (format "access-sensitive-file:%s" func) file-path)
+                        (error "Permission denied for sensitive file access: %s"
+                               file-path))))))))
 
           ;; Special checks for buffer access functions
           (when (memq func '(switch-to-buffer set-buffer with-current-buffer))

mcp-server.el

@@ -5,7 +5,7 @@
 ;; Author: Claude Code + Rolf Håvard Blindheim<rhblind@gmail.com>
 ;; URL: https://github.com/rhblind/emacs-mcp-server
 ;; Keywords: mcp, protocol, integration, tools
-;; Version: 0.5.0
+;; Version: 0.6.0
 ;; Package-Requires: ((emacs "27.1"))
 
 ;; This file is NOT part of GNU Emacs.
@@ -61,7 +61,7 @@
 
 ;;; Constants
 
-(defconst mcp-server-version "0.5.0"
+(defconst mcp-server-version "0.6.0"
   "Version of the Emacs MCP server.")
 
 (defconst mcp-server-protocol-version "2024-11-05"