REPRO-2026-00076 | MEDIUM | Path Traversal | Verified
MCP Server Git: Path Traversal via Missing Repository Path Validation
Package: mcp-server-git (pip) | Published: Jan 21, 2026
What's the vulnerability?
In mcp-server-git versions prior to 2025.12.18, when started with the --repository flag, the server did not validate that repo_path arguments were within the configured path. This allows tool calls to operate on other repositories via direct paths, path traversal, or symlinks.
Root Cause Analysis
# Root Cause Analysis Report

## Summary

mcp-server-git versions prior to 2025.12.18 do not validate that the `repo_path` argument supplied to tool calls remains within the repository configured by the `--repository` flag. As a result, a client can call tools (e.g., `git_status`) against any other Git repository accessible to the server process, defeating the intended restriction.

## Impact

- **Affected component:** mcp-server-git Python package (stdio MCP server)
- **Affected versions:** < 2025.12.18 (reproduced with 2025.11.25)
- **Risk level:** Medium
- **Consequence:** Clients can read or manipulate repositories outside the configured allowed repository, including via path traversal or symlink escapes.

## Root Cause

The vulnerable server implementation directly converts `repo_path` from tool call arguments into a `Path` and opens it with `git.Repo(...)` without checking whether it is inside the configured `--repository` path. The fix (2025.12.18) introduces `validate_repo_path`, which resolves both the allowed repository and the requested path (following symlinks) and rejects paths outside the allowed root before executing Git operations.

## Reproduction Steps

1. Run `repro/reproduction_steps.sh`.
2. The script creates two Git repositories, starts the vulnerable server (2025.11.25) with `--repository` set to the allowed repo, and calls `git_status` against outside paths (direct, traversal, and symlink).
3. The script repeats the call against the fixed server (2025.12.18) and confirms rejection.

## Evidence

- Vulnerable behavior (access outside repo succeeds):
  - `logs/vuln_outside_repo.log` (shows `isError False` with status output for the outside repo)
  - `logs/vuln_traversal_repo.log`
  - `logs/vuln_symlink_repo.log`
- Fixed behavior (access outside repo blocked):
  - `logs/fixed_outside_repo.log`
  - `logs/fixed_symlink_repo.log`
- Environment: Python 3.11 with venvs created by the script; Git CLI used to initialize test repos.

## Recommendations / Next Steps

- Upgrade mcp-server-git to 2025.12.18 or later.
- Ensure all tool entry points validate repository paths using resolved paths (including symlinks) before performing Git operations.
- Add regression tests covering path traversal and symlink escape cases.

## Additional Notes

- `repro/reproduction_steps.sh` was executed twice successfully to verify idempotence.
- The test covers direct path usage, relative traversal, and symlink escapes to match the fixed validation logic.
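The containment check the report describes the fix as adding, written here as an added example (my own code, not the mcp-server-git project's `validate_repo_path`). It resolves both the allowed root and the requested path before comparing them, and exercises the check against a constructed temp-directory layout so the direct, traversal and symlink escapes from the report all fail the same test:

```python
import tempfile
from pathlib import Path


def validate_repo_path(allowed_root, requested):
    """Return the resolved requested path only if it lies inside allowed_root.

    Both sides are resolved first (symlinks followed, '..' collapsed), so the
    three escapes in the report (direct path, traversal, symlink) all reduce
    to one question: is the resolved target under the resolved allowed root?
    """
    root = Path(allowed_root).resolve()
    target = Path(requested).resolve()  # non-strict: not-yet-existing paths still normalise
    if not target.is_relative_to(root):  # lexical check is safe only after resolve()
        raise ValueError(f"repo_path {str(requested)!r} is outside allowed repository {root}")
    return target


def demo():
    """Run the check against a constructed layout (assumed, not from the report):
    base/allowed (the --repository root), base/outside (a second repo the client
    must not reach) and base/allowed/escape, a symlink to base/outside planted
    inside the root. Returns {attempt_name: blocked?}."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        allowed = Path(base) / "allowed"
        outside = Path(base) / "outside"
        allowed.mkdir()
        outside.mkdir()
        (allowed / "escape").symlink_to(outside, target_is_directory=True)
        attempts = {
            "inside": allowed / "src",                # legitimate subpath
            "direct": outside,                        # absolute path to another repo
            "traversal": allowed / ".." / "outside",  # relative traversal
            "symlink": allowed / "escape",            # symlink escape
        }
        for name, path in attempts.items():
            try:
                validate_repo_path(allowed, path)
                results[name] = False  # accepted
            except ValueError:
                results[name] = True   # blocked
    return results


if __name__ == "__main__":
    for name, blocked in demo().items():
        print(f"{name:10s} {'blocked' if blocked else 'allowed'}")
```

A check that compares the unresolved strings (for example a prefix test on `str(requested)`) would pass the traversal and symlink cases above, which is why the resolved form is the one to compare.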
One Command: Verify with pruva-verify
Run the Pruva CLI to automatically fetch and execute the reproduction script.
    pruva-verify REPRO-2026-00076
or
    pruva-verify GHSA-j22h-9j4x-23w5
or
    pruva-verify CVE-2025-68145
Install:
    curl -fsSL https://pruva.dev/install.sh | sh
Or Run Manually
1. Download the script
    curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00076/artifacts/reproduction_steps.sh
2. Make executable
    chmod +x reproduction_steps.sh
3. Run the script
    ./reproduction_steps.sh
Run in a VM, container, or disposable environment. This exploits a real vulnerability.