fix(base-action): default enableAllProjectMcpServers to false (H1 #3639058)

OctavianGuzu · OctavianGuzu · commit c352b338ee52 · 2026-04-23T10:00:59.000Z
The base-action previously hardcoded enableAllProjectMcpServers=true in ~/.claude/settings.json. In pull_request workflows the checkout's .mcp.json is PR-controlled, so a malicious PR could drop a stdio MCP server and have it auto-spawned as a subprocess on the runner — arbitrary command execution before any tool-permission gating applies. This change: - defaults enableAllProjectMcpServers to false in the base-action - adds an enable_all_project_mcp_servers input so trusted workflows can opt back in - threads the input through the wrapper action, which keeps a 'true' default because it already restores .mcp.json from the PR base branch Complements PR #1115 (setting_sources default change) — same threat surface, different config knob. :house: Remote-Dev: homespace
diff --git a/action.yml b/action.yml
@@ -62,6 +62,10 @@ inputs:
     description: "Claude Code settings as JSON string or path to settings JSON file"
     required: false
     default: ""
+  enable_all_project_mcp_servers:
+    description: "Auto-enable every MCP server defined in the checkout's .mcp.json. Defaults to 'true' — safe here because .mcp.json is restored from the PR base branch before execution. Set to 'false' to ignore in-repo MCP servers entirely."
+    required: false
+    default: "true"
 
   # Auth configuration
   anthropic_api_key:
@@ -279,6 +283,7 @@ runs:
         # Base-action inputs
         INPUT_PROMPT_FILE: ${{ runner.temp }}/claude-prompts/claude-prompt.txt
         INPUT_SETTINGS: ${{ inputs.settings }}
+        INPUT_ENABLE_ALL_PROJECT_MCP_SERVERS: ${{ inputs.enable_all_project_mcp_servers }}
         INPUT_EXPERIMENTAL_SLASH_COMMANDS_DIR: ${{ github.action_path }}/slash-commands
         INPUT_PATH_TO_CLAUDE_CODE_EXECUTABLE: ${{ inputs.path_to_claude_code_executable }}
         INPUT_PATH_TO_BUN_EXECUTABLE: ${{ inputs.path_to_bun_executable }}
diff --git a/base-action/README.md b/base-action/README.md
@@ -85,27 +85,28 @@ Add the following to your workflow file:
 
 ## Inputs
 
-| Input                     | Description                                                                                                             | Required | Default                      |
-| ------------------------- | ----------------------------------------------------------------------------------------------------------------------- | -------- | ---------------------------- |
-| `prompt`                  | The prompt to send to Claude Code                                                                                       | No\*     | ''                           |
-| `prompt_file`             | Path to a file containing the prompt to send to Claude Code                                                             | No\*     | ''                           |
-| `allowed_tools`           | Comma-separated list of allowed tools for Claude Code to use                                                            | No       | ''                           |
-| `disallowed_tools`        | Comma-separated list of disallowed tools that Claude Code cannot use                                                    | No       | ''                           |
-| `max_turns`               | Maximum number of conversation turns (default: no limit)                                                                | No       | ''                           |
-| `mcp_config`              | Path to the MCP configuration JSON file, or MCP configuration JSON string                                               | No       | ''                           |
-| `settings`                | Path to Claude Code settings JSON file, or settings JSON string                                                         | No       | ''                           |
-| `system_prompt`           | Override system prompt                                                                                                  | No       | ''                           |
-| `append_system_prompt`    | Append to system prompt                                                                                                 | No       | ''                           |
-| `claude_env`              | Custom environment variables to pass to Claude Code execution (YAML multiline format)                                   | No       | ''                           |
-| `model`                   | Model to use (provider-specific format required for Bedrock/Vertex)                                                     | No       | 'claude-4-0-sonnet-20250219' |
-| `anthropic_model`         | DEPRECATED: Use 'model' instead                                                                                         | No       | 'claude-4-0-sonnet-20250219' |
-| `fallback_model`          | Enable automatic fallback to specified model when default model is overloaded                                           | No       | ''                           |
-| `anthropic_api_key`       | Anthropic API key (required for direct Anthropic API)                                                                   | No       | ''                           |
-| `claude_code_oauth_token` | Claude Code OAuth token (alternative to anthropic_api_key)                                                              | No       | ''                           |
-| `use_bedrock`             | Use Amazon Bedrock with OIDC authentication instead of direct Anthropic API                                             | No       | 'false'                      |
-| `use_vertex`              | Use Google Vertex AI with OIDC authentication instead of direct Anthropic API                                           | No       | 'false'                      |
-| `use_node_cache`          | Whether to use Node.js dependency caching (set to true only for Node.js projects with lock files)                       | No       | 'false'                      |
-| `show_full_output`        | Show full JSON output (⚠️ May expose secrets - see [security docs](../docs/security.md#️-full-output-security-warning)) | No       | 'false'\*\*                  |
+| Input                            | Description                                                                                                             | Required | Default                      |
+| -------------------------------- | ----------------------------------------------------------------------------------------------------------------------- | -------- | ---------------------------- |
+| `prompt`                         | The prompt to send to Claude Code                                                                                       | No\*     | ''                           |
+| `prompt_file`                    | Path to a file containing the prompt to send to Claude Code                                                             | No\*     | ''                           |
+| `allowed_tools`                  | Comma-separated list of allowed tools for Claude Code to use                                                            | No       | ''                           |
+| `disallowed_tools`               | Comma-separated list of disallowed tools that Claude Code cannot use                                                    | No       | ''                           |
+| `max_turns`                      | Maximum number of conversation turns (default: no limit)                                                                | No       | ''                           |
+| `mcp_config`                     | Path to the MCP configuration JSON file, or MCP configuration JSON string                                               | No       | ''                           |
+| `settings`                       | Path to Claude Code settings JSON file, or settings JSON string                                                         | No       | ''                           |
+| `enable_all_project_mcp_servers` | Auto-enable every MCP server in the checkout's `.mcp.json`. Off by default because `.mcp.json` is PR-controlled.        | No       | 'false'                      |
+| `system_prompt`                  | Override system prompt                                                                                                  | No       | ''                           |
+| `append_system_prompt`           | Append to system prompt                                                                                                 | No       | ''                           |
+| `claude_env`                     | Custom environment variables to pass to Claude Code execution (YAML multiline format)                                   | No       | ''                           |
+| `model`                          | Model to use (provider-specific format required for Bedrock/Vertex)                                                     | No       | 'claude-4-0-sonnet-20250219' |
+| `anthropic_model`                | DEPRECATED: Use 'model' instead                                                                                         | No       | 'claude-4-0-sonnet-20250219' |
+| `fallback_model`                 | Enable automatic fallback to specified model when default model is overloaded                                           | No       | ''                           |
+| `anthropic_api_key`              | Anthropic API key (required for direct Anthropic API)                                                                   | No       | ''                           |
+| `claude_code_oauth_token`        | Claude Code OAuth token (alternative to anthropic_api_key)                                                              | No       | ''                           |
+| `use_bedrock`                    | Use Amazon Bedrock with OIDC authentication instead of direct Anthropic API                                             | No       | 'false'                      |
+| `use_vertex`                     | Use Google Vertex AI with OIDC authentication instead of direct Anthropic API                                           | No       | 'false'                      |
+| `use_node_cache`                 | Whether to use Node.js dependency caching (set to true only for Node.js projects with lock files)                       | No       | 'false'                      |
+| `show_full_output`               | Show full JSON output (⚠️ May expose secrets - see [security docs](../docs/security.md#️-full-output-security-warning)) | No       | 'false'\*\*                  |
 
 \*Either `prompt` or `prompt_file` must be provided, but not both.
 
diff --git a/base-action/action.yml b/base-action/action.yml
@@ -18,6 +18,10 @@ inputs:
     description: "Claude Code settings as JSON string or path to settings JSON file"
     required: false
     default: ""
+  enable_all_project_mcp_servers:
+    description: "Auto-enable every MCP server defined in the checkout's .mcp.json. Defaults to 'false' because .mcp.json is PR-controlled in pull_request workflows; set to 'true' only when the checkout is trusted."
+    required: false
+    default: "false"
 
   # Action settings
   claude_args:
@@ -165,6 +169,7 @@ runs:
         INPUT_PROMPT: ${{ inputs.prompt }}
         INPUT_PROMPT_FILE: ${{ inputs.prompt_file }}
         INPUT_SETTINGS: ${{ inputs.settings }}
+        INPUT_ENABLE_ALL_PROJECT_MCP_SERVERS: ${{ inputs.enable_all_project_mcp_servers }}
         INPUT_CLAUDE_ARGS: ${{ inputs.claude_args }}
         INPUT_PATH_TO_CLAUDE_CODE_EXECUTABLE: ${{ inputs.path_to_claude_code_executable }}
         INPUT_PATH_TO_BUN_EXECUTABLE: ${{ inputs.path_to_bun_executable }}
diff --git a/base-action/src/index.ts b/base-action/src/index.ts
@@ -22,6 +22,7 @@ async function run() {
     await setupClaudeCodeSettings(
       process.env.INPUT_SETTINGS,
       undefined, // homeDir
+      process.env.INPUT_ENABLE_ALL_PROJECT_MCP_SERVERS === "true",
     );
 
     // Install Claude Code plugins if specified
diff --git a/base-action/src/setup-claude-code-settings.ts b/base-action/src/setup-claude-code-settings.ts
@@ -5,6 +5,7 @@ import { readFile } from "fs/promises";
 export async function setupClaudeCodeSettings(
   settingsInput?: string,
   homeDir?: string,
+  enableAllProjectMcpServers: boolean = false,
 ) {
   const home = homeDir ?? homedir();
   const settingsPath = `${home}/.claude/settings.json`;
@@ -59,9 +60,14 @@ export async function setupClaudeCodeSettings(
     console.log(`Merged settings with input settings`);
   }
 
-  // Always set enableAllProjectMcpServers to true
-  settings.enableAllProjectMcpServers = true;
-  console.log(`Updated settings with enableAllProjectMcpServers: true`);
+  // Default enableAllProjectMcpServers to false: when true, Claude Code will
+  // auto-spawn every server in the checkout's .mcp.json, which is PR-controlled
+  // in pull_request workflows and yields arbitrary command execution on the
+  // runner. Workflows that trust the checkout must opt in explicitly.
+  settings.enableAllProjectMcpServers = enableAllProjectMcpServers;
+  console.log(
+    `Updated settings with enableAllProjectMcpServers: ${enableAllProjectMcpServers}`,
+  );
 
   await $`echo ${JSON.stringify(settings, null, 2)} > ${settingsPath}`.quiet();
   console.log(`Settings saved successfully`);
diff --git a/base-action/test/setup-claude-code-settings.test.ts b/base-action/test/setup-claude-code-settings.test.ts
@@ -27,12 +27,21 @@ describe("setupClaudeCodeSettings", () => {
     await rm(testHomeDir, { recursive: true, force: true });
   });
 
-  test("should always set enableAllProjectMcpServers to true when no input", async () => {
+  test("should default enableAllProjectMcpServers to false when no input", async () => {
     await setupClaudeCodeSettings(undefined, testHomeDir);
 
     const settingsContent = await readFile(settingsPath, "utf-8");
     const settings = JSON.parse(settingsContent);
 
+    expect(settings.enableAllProjectMcpServers).toBe(false);
+  });
+
+  test("should set enableAllProjectMcpServers to true when explicitly opted in", async () => {
+    await setupClaudeCodeSettings(undefined, testHomeDir, true);
+
+    const settingsContent = await readFile(settingsPath, "utf-8");
+    const settings = JSON.parse(settingsContent);
+
     expect(settings.enableAllProjectMcpServers).toBe(true);
   });
 
@@ -47,7 +56,7 @@ describe("setupClaudeCodeSettings", () => {
     const settingsContent = await readFile(settingsPath, "utf-8");
     const settings = JSON.parse(settingsContent);
 
-    expect(settings.enableAllProjectMcpServers).toBe(true);
+    expect(settings.enableAllProjectMcpServers).toBe(false);
     expect(settings.model).toBe("claude-sonnet-4-20250514");
     expect(settings.env).toEqual({ API_KEY: "test-key" });
   });
@@ -74,23 +83,23 @@ describe("setupClaudeCodeSettings", () => {
     const settingsContent = await readFile(settingsPath, "utf-8");
     const settings = JSON.parse(settingsContent);
 
-    expect(settings.enableAllProjectMcpServers).toBe(true);
+    expect(settings.enableAllProjectMcpServers).toBe(false);
     expect(settings.hooks).toEqual(testSettings.hooks);
     expect(settings.permissions).toEqual(testSettings.permissions);
   });
 
-  test("should override enableAllProjectMcpServers even if false in input", async () => {
+  test("should override enableAllProjectMcpServers from settings input with action input", async () => {
     const inputSettings = JSON.stringify({
-      enableAllProjectMcpServers: false,
+      enableAllProjectMcpServers: true,
       model: "test-model",
     });
 
-    await setupClaudeCodeSettings(inputSettings, testHomeDir);
+    await setupClaudeCodeSettings(inputSettings, testHomeDir, false);
 
     const settingsContent = await readFile(settingsPath, "utf-8");
     const settings = JSON.parse(settingsContent);
 
-    expect(settings.enableAllProjectMcpServers).toBe(true);
+    expect(settings.enableAllProjectMcpServers).toBe(false);
     expect(settings.model).toBe("test-model");
   });
 
@@ -112,7 +121,7 @@ describe("setupClaudeCodeSettings", () => {
     const settingsContent = await readFile(settingsPath, "utf-8");
     const settings = JSON.parse(settingsContent);
 
-    expect(settings.enableAllProjectMcpServers).toBe(true);
+    expect(settings.enableAllProjectMcpServers).toBe(false);
   });
 
   test("should handle whitespace-only input", async () => {
@@ -121,7 +130,7 @@ describe("setupClaudeCodeSettings", () => {
     const settingsContent = await readFile(settingsPath, "utf-8");
     const settings = JSON.parse(settingsContent);
 
-    expect(settings.enableAllProjectMcpServers).toBe(true);
+    expect(settings.enableAllProjectMcpServers).toBe(false);
   });
 
   test("should merge with existing settings", async () => {
@@ -142,7 +151,7 @@ describe("setupClaudeCodeSettings", () => {
     const settingsContent = await readFile(settingsPath, "utf-8");
     const settings = JSON.parse(settingsContent);
 
-    expect(settings.enableAllProjectMcpServers).toBe(true);
+    expect(settings.enableAllProjectMcpServers).toBe(false);
     expect(settings.existingKey).toBe("existingValue");
     expect(settings.newKey).toBe("newValue");
     expect(settings.model).toBe("claude-opus-4-1-20250805");
diff --git a/src/entrypoints/run.ts b/src/entrypoints/run.ts
@@ -256,7 +256,11 @@ async function run() {
       }
     }
 
-    await setupClaudeCodeSettings(process.env.INPUT_SETTINGS);
+    await setupClaudeCodeSettings(
+      process.env.INPUT_SETTINGS,
+      undefined, // homeDir
+      process.env.INPUT_ENABLE_ALL_PROJECT_MCP_SERVERS === "true",
+    );
 
     await installPlugins(
       process.env.INPUT_PLUGIN_MARKETPLACES,

Original file line number	Diff line number	Diff line change
`@@ -256,7 +256,11 @@ async function run() {`
`256`	`256`	`}`
`257`	`257`	`}`
`258`	`258`
`259`		`- await setupClaudeCodeSettings(process.env.INPUT_SETTINGS);`
	`259`	`+ await setupClaudeCodeSettings(`
	`260`	`+ process.env.INPUT_SETTINGS,`
	`261`	`+ undefined, // homeDir`
	`262`	`+ process.env.INPUT_ENABLE_ALL_PROJECT_MCP_SERVERS === "true",`
	`263`	`+ );`
`260`	`264`
`261`	`265`	`await installPlugins(`
`262`	`266`	`process.env.INPUT_PLUGIN_MARKETPLACES,`