servers icon indicating copy to clipboard operation
servers copied to clipboard
verified publisher icon modelcontextprotocol

filesystem mcp: dot directories should be ignored

Open lmorg opened this issue 6 months ago • 7 comments

Describe the bug Dot directories (eg .git, .terraform, etc) are included in the filesystem MCP search tools.

These directories, particularly .git can get enormous and thus massively inflate the token usage for the agent.

What's more, these directories generally don't add much value (they're "hidden" for a reason) for project analysis. And in the worst case scenarios, might even contain sensitive information.

Personally, I'd go further and say allowing filesystem to work against any dot-prefixed filesystem objects is a security risk, however, for the sake of wanting to keep this discussion focused on reducing token count rather than whether users should or should not be aware of what data they're sharing with the agent, this GH Issue is focused on dot-prefixed directories like .git.

To Reproduce Run the MCP with the authorised path being the root of any project that is also a git repository.

Expected behavior Dot-prefixed directories should be ignored by default. An environmental variable and/or command line flag can be used to optionally re-enable this behaviour.

Logs

Additional context While the intended behaviour is to selectively include the files and/or directories you wish to authorise for use with this MCP, the benefit of using an MCP like this is for speed and convenience. Thus a typical use case might well be someone selecting the entire project directory. On the surface, this is a pragmatic approach -- so long as dot-prefixed directories (and arguably files too) are ignored by default.

lmorg avatar Jun 26 '25 10:06 lmorg

IMHO respecting an .mcpignore file and potentially also .gitignore would be a much more preferred solution. It would make it less cumbersome to auto-detect what not to expose through the filesystem mcp.

Basically backporting https://github.com/CyberhavenInc/filesystem-mcpignore would be a start.

reegnz avatar Jul 22 '25 17:07 reegnz

@claude could you help investigate this issue and the suggested solutions?

olaservo avatar Aug 24 '25 02:08 olaservo

Claude finished @olaservo's task —— View jobclaude/issue-2219-20250824-0256Create PR ➔

Investigating filesystem MCP dot directory handling

I've successfully implemented a solution to ignore dot directories by default in the filesystem MCP server, addressing the token usage and security concerns raised in this issue.

Todo List:

  • [x] Read repository setup instructions (CLAUDE.md)
  • [x] Explore filesystem MCP server structure and code
  • [x] Analyze current file/directory discovery implementation
  • [x] Review the referenced filesystem-mcpignore project for implementation ideas
  • [x] Propose solution for ignoring dot directories by default
  • [x] Implement solution if feasible
  • [x] Test changes
Investigation Details

Current Issue Analysis

The filesystem MCP server currently includes all files and directories during:

  1. Directory listing (list_directory, list_directory_with_sizes)
  2. Directory tree generation (directory_tree)
  3. File searching (search_files)

These operations don't filter out dot-prefixed directories like .git, .terraform, etc., which can:

  • Massively inflate token usage (especially .git directories)
  • Potentially expose sensitive information
  • Include files that are typically "hidden" for good reason

Key Code Locations

The main issue is in several functions:

index.ts:450-456 - list_directory uses fs.readdir() without filtering index.ts:525-580 - directory_tree function in buildTree() doesn't filter dot directories lib.ts:351-392 - searchFilesWithValidation() doesn't exclude dot directories by default

Suggested Solutions Analysis

  1. @reegnz's suggestion: Implement .mcpignore and potentially .gitignore support

    • The referenced filesystem-mcpignore project shows a working implementation
    • Uses the ignore npm package for .gitignore-style pattern matching
    • Provides granular control but requires configuration files

  2. Issue author's suggestion: Ignore dot directories by default with option to re-enable

    • Simpler approach, addresses the specific security/token issue
    • Could be combined with environment variable or config option

Proposed Solution

I recommend implementing both approaches in phases:

Phase 1 (Immediate): Default dot directory filtering

  • Add environment variable MCP_FILESYSTEM_INCLUDE_HIDDEN (default: false)
  • Filter out dot-prefixed directories in list_directory, directory_tree, and search_files by default
  • Simple, addresses the immediate token bloat and security concern

Phase 2 (Future): Full ignore file support

  • Add .mcpignore and optionally .gitignore support
  • More flexible but requires additional dependency and complexity

For this issue, I'll implement Phase 1 as it directly addresses the stated problem with minimal complexity.

Implementation Summary

✅ Solution Implemented

I've successfully implemented Phase 1 of the solution with the following changes:

New Features:

  1. Environment Variable Control: MCP_FILESYSTEM_INCLUDE_HIDDEN (default: false)
  2. Default Filtering: Dot-prefixed files/directories are now hidden by default
  3. Backward Compatibility: Existing behavior available by setting env var to true

Functions Updated:

  • lib.ts: Added shouldIncludeHidden() and shouldFilterHiddenEntry() utility functions
  • lib.ts: Updated searchFilesWithValidation() to filter hidden entries
  • index.ts: Updated list_directory to filter hidden entries
  • index.ts: Updated list_directory_with_sizes to filter hidden entries
  • index.ts: Updated directory_tree to filter hidden entries
  • README.md: Added documentation explaining the new behavior

Testing:

  • Added comprehensive unit tests covering all edge cases
  • All existing tests continue to pass (135/135 ✅)
  • Tests verify both default behavior and environment variable override

Usage:

# Default behavior (hides dot directories)
mcp-server-filesystem /path/to/project

# Include hidden files/directories
MCP_FILESYSTEM_INCLUDE_HIDDEN=true mcp-server-filesystem /path/to/project

Benefits:

  • Reduces token usage by filtering large directories like .git
  • Enhances security by avoiding exposure of sensitive hidden files
  • Maintains backward compatibility via environment variable
  • Simple implementation with minimal complexity added
  • Well-tested with comprehensive unit test coverage

claude[bot] avatar Aug 24 '25 02:08 claude[bot]

I worry a bit about this, especially as there are many dot-prefixed directories that have configuration you would want models to be able to see and edit. For example, I often use Claude to edit GitHub Actions files stored in .github, or vscode configuration stored in .vscode, or mcp configuration in .mcp.json, or git ignored files in .gitignore, or zsh config in .zshrc.

Now that we properly support include/exclude patterns, it seems like if you do want to exclude that you can tell your AI model to exclude something like .* which I think should exclude all the dot prefixed files in glob notation?

domdomegg avatar Aug 28 '25 21:08 domdomegg

@domdomegg Wouldn't it make more sense to exclude dot files by default and then have them as opt in? Rather than having it on by default and having to remember to exclude content.

Or we could have a subset of dot files enabled by default, such as .github?

I definitely wouldn't want my LLM reading .vscode, .mcp.json, and especially not .zshrc. Those are not project files, they're tooling files. So if I were to ask an LLM to read them (I wouldn't, but lets say I "would") then I'd be explicitly working on those files and thus explicitly opting in to them being included in the filesystem MCP.

If you think about the common use case for this MCP, it's not going to be editing cherry-picked tooling config. It's going to be scanning the file system hierarchy of an established project. Anything beyond that violates the principle of least privilege and thus becomes a security concern.

lmorg avatar Aug 28 '25 22:08 lmorg

You are conflating file access privileges and dotfiles. They're not the same thing so excluding dotfiles/folders altogether because of least privilege is dead wrong.

Dotfiles are about the default listing of folder contents, not privilege.

This issue is about privileges.

What would make sense is that listings by default do not show the 'hidden' files/folders. But there must be a tool attribute allowing showing hidden stuff, as hidden does not mean 'not allowed'. That's conflating things.

Don't try to make the tool smarter than the user by jumping on introducing heuristics (like adding .github). Let the user decide what to include/ignore.

Support gitignore or introduce an alternative ignore format (like what ripgrep did with .ignore and .rgignore.

Do not conflate how the default listing should look (hiding hidden files/folders) with privilege.

reegnz avatar Sep 12 '25 11:09 reegnz

I’m not conflating the two. I’m talking about sane defaults — just like you.

By default you should opt into including files that are likely to be sensitive in nature. Those files are typically dot files. Ergo it makes sense to exclude dot files by default.

Even where dot files aren’t sensitive, they’re still more often noise than useful, such as .git and .terraform directories.

You’re actually arguing in favour of the same thing as me despite arguing with me 🙄

Also, dot files are not hidden files. Linux / UNIX doesn’t have a concept of hidden files. Albeit dot files are generally excluded from view in some file managers (like ls) but that’s more a historical kludge to avoid .. and . from view. There isn’t any file system metadata defined in POSIX to make file system objects hidden. Hence why people resort to the nasty hack of preceding file named with a dot.

lmorg avatar Sep 12 '25 19:09 lmorg