🗝️ feat: Credential Variables for DB-Sourced MCP Servers (#12044)
* feat: Allow Credential Variables in Headers for DB-sourced MCP Servers
- Removed the hasCustomUserVars check from ToolService.js, directly retrieving userMCPAuthMap.
- Updated MCPConnectionFactory and related classes to include a dbSourced flag for better handling of database-sourced configurations.
- Added integration tests to ensure proper behavior of dbSourced servers, verifying that sensitive placeholders are not resolved while allowing customUserVars.
- Adjusted various MCP-related files to accommodate the new dbSourced logic, ensuring consistent handling across the codebase.
* chore: MCPConnectionFactory Tests with Additional Flow Metadata for typing
- Updated MCPConnectionFactory tests to include new fields in flowMetadata: serverUrl and state.
- Enhanced mockFlowData in multiple test cases to reflect the updated structure, ensuring comprehensive coverage of the OAuth flow scenarios.
- Added authorization_endpoint to metadata in the test setup for improved validation of the OAuth process.
* refactor: Simplify MCPManager Configuration Handling
- Removed unnecessary type assertions and streamlined the retrieval of server configuration in MCPManager.
- Enhanced the handling of OAuth and database-sourced flags for improved clarity and efficiency.
- Updated tests to reflect changes in user object structure and ensure proper processing of MCP environment variables.
* refactor: Optimize User MCP Auth Map Retrieval in ToolService
- Introduced conditional loading of userMCPAuthMap based on the presence of MCP-delimited tools, improving efficiency by avoiding unnecessary calls.
- Updated the loadToolDefinitionsWrapper and loadAgentTools functions to reflect this change, enhancing overall performance and clarity.
* test: Add userMCPAuthMap gating tests in ToolService
- Introduced new tests to validate the logic for determining if MCP tools are present in the agent's tool list.
- Implemented various scenarios to ensure accurate detection of MCP tools, including edge cases for empty, undefined, and null tool lists.
- Enhanced clarity and coverage of the ToolService capability checking logic.
* refactor: Enhance MCP Environment Variable Processing
- Simplified the handling of the dbSourced parameter in the processMCPEnv function.
- Introduced a failsafe mechanism to derive dbSourced from options if not explicitly provided, improving robustness and clarity in MCP environment variable processing.
* refactor: Update Regex Patterns for Credential Placeholders in ServerConfigsDB
- Modified regex patterns to include additional credential/env placeholders that should not be allowed in user-provided configurations.
- Clarified comments to emphasize the security risks associated with credential exfiltration when MCP servers are shared between users.
* chore: field order
* refactor: Clean Up dbSourced Parameter Handling in processMCPEnv
- Reintroduced the failsafe mechanism for deriving the dbSourced parameter from options, ensuring clarity and robustness in MCP environment variable processing.
- Enhanced code readability by maintaining consistent comment structure.
* refactor: Update MCPOptions Type to Include Optional dbId
- Modified the processMCPEnv function to extend the MCPOptions type, allowing for an optional dbId property.
- Simplified the logic for deriving the dbSourced parameter by directly checking the dbId property, enhancing code clarity and maintainability.
2026-03-03 18:02:37 -05:00
|
|
|
import { Types } from 'mongoose';
|
2025-09-08 15:38:44 -04:00
|
|
|
import { TokenExchangeMethodEnum } from 'librechat-data-provider';
|
2025-11-21 16:42:28 -05:00
|
|
|
import type { MCPOptions } from 'librechat-data-provider';
|
|
|
|
|
import type { IUser } from '@librechat/data-schemas';
|
🗝️ feat: Credential Variables for DB-Sourced MCP Servers (#12044)
* feat: Allow Credential Variables in Headers for DB-sourced MCP Servers
- Removed the hasCustomUserVars check from ToolService.js, directly retrieving userMCPAuthMap.
- Updated MCPConnectionFactory and related classes to include a dbSourced flag for better handling of database-sourced configurations.
- Added integration tests to ensure proper behavior of dbSourced servers, verifying that sensitive placeholders are not resolved while allowing customUserVars.
- Adjusted various MCP-related files to accommodate the new dbSourced logic, ensuring consistent handling across the codebase.
* chore: MCPConnectionFactory Tests with Additional Flow Metadata for typing
- Updated MCPConnectionFactory tests to include new fields in flowMetadata: serverUrl and state.
- Enhanced mockFlowData in multiple test cases to reflect the updated structure, ensuring comprehensive coverage of the OAuth flow scenarios.
- Added authorization_endpoint to metadata in the test setup for improved validation of the OAuth process.
* refactor: Simplify MCPManager Configuration Handling
- Removed unnecessary type assertions and streamlined the retrieval of server configuration in MCPManager.
- Enhanced the handling of OAuth and database-sourced flags for improved clarity and efficiency.
- Updated tests to reflect changes in user object structure and ensure proper processing of MCP environment variables.
* refactor: Optimize User MCP Auth Map Retrieval in ToolService
- Introduced conditional loading of userMCPAuthMap based on the presence of MCP-delimited tools, improving efficiency by avoiding unnecessary calls.
- Updated the loadToolDefinitionsWrapper and loadAgentTools functions to reflect this change, enhancing overall performance and clarity.
* test: Add userMCPAuthMap gating tests in ToolService
- Introduced new tests to validate the logic for determining if MCP tools are present in the agent's tool list.
- Implemented various scenarios to ensure accurate detection of MCP tools, including edge cases for empty, undefined, and null tool lists.
- Enhanced clarity and coverage of the ToolService capability checking logic.
* refactor: Enhance MCP Environment Variable Processing
- Simplified the handling of the dbSourced parameter in the processMCPEnv function.
- Introduced a failsafe mechanism to derive dbSourced from options if not explicitly provided, improving robustness and clarity in MCP environment variable processing.
* refactor: Update Regex Patterns for Credential Placeholders in ServerConfigsDB
- Modified regex patterns to include additional credential/env placeholders that should not be allowed in user-provided configurations.
- Clarified comments to emphasize the security risks associated with credential exfiltration when MCP servers are shared between users.
* chore: field order
* refactor: Clean Up dbSourced Parameter Handling in processMCPEnv
- Reintroduced the failsafe mechanism for deriving the dbSourced parameter from options, ensuring clarity and robustness in MCP environment variable processing.
- Enhanced code readability by maintaining consistent comment structure.
* refactor: Update MCPOptions Type to Include Optional dbId
- Modified the processMCPEnv function to extend the MCPOptions type, allowing for an optional dbId property.
- Simplified the logic for deriving the dbSourced parameter by directly checking the dbId property, enhancing code clarity and maintainability.
2026-03-03 18:02:37 -05:00
|
|
|
import { resolveHeaders, resolveNestedObject, processMCPEnv, encodeHeaderValue } from './env';
|
2025-06-23 12:39:27 -04:00
|
|
|
|
2025-09-08 15:38:44 -04:00
|
|
|
function isStdioOptions(options: MCPOptions): options is Extract<MCPOptions, { type?: 'stdio' }> {
|
|
|
|
|
return !options.type || options.type === 'stdio';
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
function isStreamableHTTPOptions(
|
|
|
|
|
options: MCPOptions,
|
|
|
|
|
): options is Extract<MCPOptions, { type: 'streamable-http' | 'http' }> {
|
|
|
|
|
return options.type === 'streamable-http' || options.type === 'http';
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/** Helper function to create test user objects */
|
2025-11-21 16:42:28 -05:00
|
|
|
function createTestUser(overrides: Partial<IUser> = {}): IUser {
|
2025-06-23 12:39:27 -04:00
|
|
|
return {
|
2025-11-21 16:42:28 -05:00
|
|
|
_id: new Types.ObjectId(),
|
|
|
|
|
id: new Types.ObjectId().toString(),
|
2025-06-23 12:39:27 -04:00
|
|
|
username: 'testuser',
|
|
|
|
|
email: 'test@example.com',
|
|
|
|
|
name: 'Test User',
|
|
|
|
|
avatar: 'https://example.com/avatar.png',
|
|
|
|
|
provider: 'email',
|
|
|
|
|
role: 'user',
|
2025-11-21 16:42:28 -05:00
|
|
|
createdAt: new Date('2021-01-01'),
|
|
|
|
|
updatedAt: new Date('2021-01-01'),
|
|
|
|
|
emailVerified: true,
|
2025-06-23 12:39:27 -04:00
|
|
|
...overrides,
|
2025-11-21 16:42:28 -05:00
|
|
|
} as IUser;
|
2025-06-23 12:39:27 -04:00
|
|
|
}
|
|
|
|
|
|
2026-01-21 20:00:25 +01:00
|
|
|
describe('encodeHeaderValue', () => {
|
|
|
|
|
it('should return empty string for empty input', () => {
|
|
|
|
|
expect(encodeHeaderValue('')).toBe('');
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should return empty string for null/undefined coerced to empty string', () => {
|
🗝️ feat: Credential Variables for DB-Sourced MCP Servers (#12044)
* feat: Allow Credential Variables in Headers for DB-sourced MCP Servers
- Removed the hasCustomUserVars check from ToolService.js, directly retrieving userMCPAuthMap.
- Updated MCPConnectionFactory and related classes to include a dbSourced flag for better handling of database-sourced configurations.
- Added integration tests to ensure proper behavior of dbSourced servers, verifying that sensitive placeholders are not resolved while allowing customUserVars.
- Adjusted various MCP-related files to accommodate the new dbSourced logic, ensuring consistent handling across the codebase.
* chore: MCPConnectionFactory Tests with Additional Flow Metadata for typing
- Updated MCPConnectionFactory tests to include new fields in flowMetadata: serverUrl and state.
- Enhanced mockFlowData in multiple test cases to reflect the updated structure, ensuring comprehensive coverage of the OAuth flow scenarios.
- Added authorization_endpoint to metadata in the test setup for improved validation of the OAuth process.
* refactor: Simplify MCPManager Configuration Handling
- Removed unnecessary type assertions and streamlined the retrieval of server configuration in MCPManager.
- Enhanced the handling of OAuth and database-sourced flags for improved clarity and efficiency.
- Updated tests to reflect changes in user object structure and ensure proper processing of MCP environment variables.
* refactor: Optimize User MCP Auth Map Retrieval in ToolService
- Introduced conditional loading of userMCPAuthMap based on the presence of MCP-delimited tools, improving efficiency by avoiding unnecessary calls.
- Updated the loadToolDefinitionsWrapper and loadAgentTools functions to reflect this change, enhancing overall performance and clarity.
* test: Add userMCPAuthMap gating tests in ToolService
- Introduced new tests to validate the logic for determining if MCP tools are present in the agent's tool list.
- Implemented various scenarios to ensure accurate detection of MCP tools, including edge cases for empty, undefined, and null tool lists.
- Enhanced clarity and coverage of the ToolService capability checking logic.
* refactor: Enhance MCP Environment Variable Processing
- Simplified the handling of the dbSourced parameter in the processMCPEnv function.
- Introduced a failsafe mechanism to derive dbSourced from options if not explicitly provided, improving robustness and clarity in MCP environment variable processing.
* refactor: Update Regex Patterns for Credential Placeholders in ServerConfigsDB
- Modified regex patterns to include additional credential/env placeholders that should not be allowed in user-provided configurations.
- Clarified comments to emphasize the security risks associated with credential exfiltration when MCP servers are shared between users.
* chore: field order
* refactor: Clean Up dbSourced Parameter Handling in processMCPEnv
- Reintroduced the failsafe mechanism for deriving the dbSourced parameter from options, ensuring clarity and robustness in MCP environment variable processing.
- Enhanced code readability by maintaining consistent comment structure.
* refactor: Update MCPOptions Type to Include Optional dbId
- Modified the processMCPEnv function to extend the MCPOptions type, allowing for an optional dbId property.
- Simplified the logic for deriving the dbSourced parameter by directly checking the dbId property, enhancing code clarity and maintainability.
2026-03-03 18:02:37 -05:00
|
|
|
expect(encodeHeaderValue(null as unknown as string)).toBe('');
|
|
|
|
|
expect(encodeHeaderValue(undefined as unknown as string)).toBe('');
|
2026-01-21 20:00:25 +01:00
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should return empty string for non-string values', () => {
|
🗝️ feat: Credential Variables for DB-Sourced MCP Servers (#12044)
* feat: Allow Credential Variables in Headers for DB-sourced MCP Servers
- Removed the hasCustomUserVars check from ToolService.js, directly retrieving userMCPAuthMap.
- Updated MCPConnectionFactory and related classes to include a dbSourced flag for better handling of database-sourced configurations.
- Added integration tests to ensure proper behavior of dbSourced servers, verifying that sensitive placeholders are not resolved while allowing customUserVars.
- Adjusted various MCP-related files to accommodate the new dbSourced logic, ensuring consistent handling across the codebase.
* chore: MCPConnectionFactory Tests with Additional Flow Metadata for typing
- Updated MCPConnectionFactory tests to include new fields in flowMetadata: serverUrl and state.
- Enhanced mockFlowData in multiple test cases to reflect the updated structure, ensuring comprehensive coverage of the OAuth flow scenarios.
- Added authorization_endpoint to metadata in the test setup for improved validation of the OAuth process.
* refactor: Simplify MCPManager Configuration Handling
- Removed unnecessary type assertions and streamlined the retrieval of server configuration in MCPManager.
- Enhanced the handling of OAuth and database-sourced flags for improved clarity and efficiency.
- Updated tests to reflect changes in user object structure and ensure proper processing of MCP environment variables.
* refactor: Optimize User MCP Auth Map Retrieval in ToolService
- Introduced conditional loading of userMCPAuthMap based on the presence of MCP-delimited tools, improving efficiency by avoiding unnecessary calls.
- Updated the loadToolDefinitionsWrapper and loadAgentTools functions to reflect this change, enhancing overall performance and clarity.
* test: Add userMCPAuthMap gating tests in ToolService
- Introduced new tests to validate the logic for determining if MCP tools are present in the agent's tool list.
- Implemented various scenarios to ensure accurate detection of MCP tools, including edge cases for empty, undefined, and null tool lists.
- Enhanced clarity and coverage of the ToolService capability checking logic.
* refactor: Enhance MCP Environment Variable Processing
- Simplified the handling of the dbSourced parameter in the processMCPEnv function.
- Introduced a failsafe mechanism to derive dbSourced from options if not explicitly provided, improving robustness and clarity in MCP environment variable processing.
* refactor: Update Regex Patterns for Credential Placeholders in ServerConfigsDB
- Modified regex patterns to include additional credential/env placeholders that should not be allowed in user-provided configurations.
- Clarified comments to emphasize the security risks associated with credential exfiltration when MCP servers are shared between users.
* chore: field order
* refactor: Clean Up dbSourced Parameter Handling in processMCPEnv
- Reintroduced the failsafe mechanism for deriving the dbSourced parameter from options, ensuring clarity and robustness in MCP environment variable processing.
- Enhanced code readability by maintaining consistent comment structure.
* refactor: Update MCPOptions Type to Include Optional dbId
- Modified the processMCPEnv function to extend the MCPOptions type, allowing for an optional dbId property.
- Simplified the logic for deriving the dbSourced parameter by directly checking the dbId property, enhancing code clarity and maintainability.
2026-03-03 18:02:37 -05:00
|
|
|
expect(encodeHeaderValue(123 as unknown as string)).toBe('');
|
|
|
|
|
expect(encodeHeaderValue(false as unknown as string)).toBe('');
|
|
|
|
|
expect(encodeHeaderValue({} as unknown as string)).toBe('');
|
2026-01-21 20:00:25 +01:00
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should pass through ASCII characters (0-127) unchanged', () => {
|
|
|
|
|
expect(encodeHeaderValue('Hello')).toBe('Hello');
|
|
|
|
|
expect(encodeHeaderValue('test@example.com')).toBe('test@example.com');
|
|
|
|
|
expect(encodeHeaderValue('ABC123')).toBe('ABC123');
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should pass through Latin-1 characters (128-255) unchanged', () => {
|
|
|
|
|
// Characters with Unicode values 128-255 are safe
|
|
|
|
|
expect(encodeHeaderValue('José')).toBe('José'); // é = U+00E9 (233)
|
|
|
|
|
expect(encodeHeaderValue('Müller')).toBe('Müller'); // ü = U+00FC (252)
|
|
|
|
|
expect(encodeHeaderValue('Zoë')).toBe('Zoë'); // ë = U+00EB (235)
|
|
|
|
|
expect(encodeHeaderValue('Björk')).toBe('Björk'); // ö = U+00F6 (246)
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should Base64 encode Slavic characters (>255)', () => {
|
|
|
|
|
// Slavic characters that cause ByteString errors
|
|
|
|
|
expect(encodeHeaderValue('Marić')).toBe('b64:TWFyacSH'); // ć = U+0107 (263)
|
|
|
|
|
expect(encodeHeaderValue('Đorđe')).toBe('b64:xJBvcsSRZQ=='); // Đ = U+0110 (272), đ = U+0111 (273)
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should Base64 encode Polish characters (>255)', () => {
|
|
|
|
|
expect(encodeHeaderValue('Łukasz')).toBe('b64:xYF1a2Fzeg=='); // Ł = U+0141 (321)
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should Base64 encode various extended Unicode characters (>255)', () => {
|
|
|
|
|
expect(encodeHeaderValue('Žarko')).toBe('b64:xb1hcmtv'); // Ž = U+017D (381)
|
|
|
|
|
expect(encodeHeaderValue('Šime')).toBe('b64:xaBpbWU='); // Š = U+0160 (352)
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should have correct b64: prefix format', () => {
|
|
|
|
|
const result = encodeHeaderValue('Ćiro'); // Ć = U+0106 (262)
|
|
|
|
|
expect(result.startsWith('b64:')).toBe(true);
|
|
|
|
|
// Verify the encoded part after prefix is valid Base64
|
|
|
|
|
const base64Part = result.slice(4);
|
|
|
|
|
expect(Buffer.from(base64Part, 'base64').toString('utf8')).toBe('Ćiro');
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should handle mixed safe and unsafe characters', () => {
|
|
|
|
|
const result = encodeHeaderValue('Hello Đorđe!');
|
|
|
|
|
expect(result).toBe('b64:SGVsbG8gxJBvcsSRZSE=');
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should be reversible with Base64 decode', () => {
|
|
|
|
|
const original = 'Marko Marić';
|
|
|
|
|
const encoded = encodeHeaderValue(original);
|
|
|
|
|
expect(encoded.startsWith('b64:')).toBe(true);
|
|
|
|
|
|
|
|
|
|
// Verify decoding works
|
|
|
|
|
const decoded = Buffer.from(encoded.slice(4), 'base64').toString('utf8');
|
|
|
|
|
expect(decoded).toBe(original);
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should handle emoji and other high Unicode characters', () => {
|
|
|
|
|
const result = encodeHeaderValue('Hello 👋');
|
|
|
|
|
expect(result.startsWith('b64:')).toBe(true);
|
|
|
|
|
const decoded = Buffer.from(result.slice(4), 'base64').toString('utf8');
|
|
|
|
|
expect(decoded).toBe('Hello 👋');
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
|
2025-06-23 12:39:27 -04:00
|
|
|
describe('resolveHeaders', () => {
|
|
|
|
|
beforeEach(() => {
|
|
|
|
|
process.env.TEST_API_KEY = 'test-api-key-value';
|
🧯 fix: Prevent Env-Variable Exfil. via Placeholder Injection (#12260)
* 🔒 fix: Resolve env vars before body placeholder expansion to prevent secret exfiltration
Body placeholders ({{LIBRECHAT_BODY_*}}) were substituted before
extractEnvVariable ran, allowing user-controlled body fields containing
${SECRET} patterns to be expanded into real environment values in
outbound headers. Reorder so env vars resolve first, preventing
untrusted input from triggering env expansion.
* 🛡️ fix: Block sensitive infrastructure env vars from placeholder resolution
Add isSensitiveEnvVar blocklist to extractEnvVariable so that internal
infrastructure secrets (JWT_SECRET, JWT_REFRESH_SECRET, CREDS_KEY,
CREDS_IV, MEILI_MASTER_KEY, MONGO_URI, REDIS_URI, REDIS_PASSWORD)
can never be resolved via ${VAR} expansion — even if an attacker
manages to inject a placeholder pattern.
Uses exact-match set (not substring patterns) to avoid breaking
legitimate operator config that references OAuth/API secrets in
MCP and custom endpoint configurations.
* 🧹 test: Rename ANOTHER_SECRET test fixture to ANOTHER_VALUE
Avoid using SECRET-containing names for non-sensitive test fixtures
to prevent confusion with the new isSensitiveEnvVar blocklist.
* 🔒 fix: Resolve env vars before all user-controlled substitutions in processSingleValue
Move extractEnvVariable to run on the raw admin-authored template
BEFORE customUserVars, user fields, OIDC tokens, and body placeholders.
Previously env resolution ran after customUserVars, so a user setting
a custom MCP variable to "${SECRET}" could still trigger env expansion.
Now env vars are resolved strictly on operator config, and all
subsequent user-controlled substitutions cannot introduce ${VAR} patterns
that would be expanded.
Gated by !dbSourced so DB-stored servers continue to skip env resolution.
Adds a security-invariant comment documenting the ordering requirement.
* 🧪 test: Comprehensive security regression tests for placeholder injection
- Cover all three body fields (conversationId, parentMessageId, messageId)
- Add user-field injection test (user.name containing ${VAR})
- Add customUserVars injection test (MY_TOKEN = "${VAR}")
- Add processMCPEnv injection tests for body and customUserVars paths
- Remove redundant process.env setup/teardown already handled by beforeEach/afterEach
* 🧹 chore: Add REDIS_PASSWORD to blocklist integration test; document customUserVars gate
2026-03-16 08:48:24 -04:00
|
|
|
process.env.ANOTHER_VALUE = 'another-test-value';
|
2025-06-23 12:39:27 -04:00
|
|
|
});
|
|
|
|
|
|
|
|
|
|
afterEach(() => {
|
|
|
|
|
delete process.env.TEST_API_KEY;
|
🧯 fix: Prevent Env-Variable Exfil. via Placeholder Injection (#12260)
* 🔒 fix: Resolve env vars before body placeholder expansion to prevent secret exfiltration
Body placeholders ({{LIBRECHAT_BODY_*}}) were substituted before
extractEnvVariable ran, allowing user-controlled body fields containing
${SECRET} patterns to be expanded into real environment values in
outbound headers. Reorder so env vars resolve first, preventing
untrusted input from triggering env expansion.
* 🛡️ fix: Block sensitive infrastructure env vars from placeholder resolution
Add isSensitiveEnvVar blocklist to extractEnvVariable so that internal
infrastructure secrets (JWT_SECRET, JWT_REFRESH_SECRET, CREDS_KEY,
CREDS_IV, MEILI_MASTER_KEY, MONGO_URI, REDIS_URI, REDIS_PASSWORD)
can never be resolved via ${VAR} expansion — even if an attacker
manages to inject a placeholder pattern.
Uses exact-match set (not substring patterns) to avoid breaking
legitimate operator config that references OAuth/API secrets in
MCP and custom endpoint configurations.
* 🧹 test: Rename ANOTHER_SECRET test fixture to ANOTHER_VALUE
Avoid using SECRET-containing names for non-sensitive test fixtures
to prevent confusion with the new isSensitiveEnvVar blocklist.
* 🔒 fix: Resolve env vars before all user-controlled substitutions in processSingleValue
Move extractEnvVariable to run on the raw admin-authored template
BEFORE customUserVars, user fields, OIDC tokens, and body placeholders.
Previously env resolution ran after customUserVars, so a user setting
a custom MCP variable to "${SECRET}" could still trigger env expansion.
Now env vars are resolved strictly on operator config, and all
subsequent user-controlled substitutions cannot introduce ${VAR} patterns
that would be expanded.
Gated by !dbSourced so DB-stored servers continue to skip env resolution.
Adds a security-invariant comment documenting the ordering requirement.
* 🧪 test: Comprehensive security regression tests for placeholder injection
- Cover all three body fields (conversationId, parentMessageId, messageId)
- Add user-field injection test (user.name containing ${VAR})
- Add customUserVars injection test (MY_TOKEN = "${VAR}")
- Add processMCPEnv injection tests for body and customUserVars paths
- Remove redundant process.env setup/teardown already handled by beforeEach/afterEach
* 🧹 chore: Add REDIS_PASSWORD to blocklist integration test; document customUserVars gate
2026-03-16 08:48:24 -04:00
|
|
|
delete process.env.ANOTHER_VALUE;
|
2025-06-23 12:39:27 -04:00
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should return empty object when headers is undefined', () => {
|
|
|
|
|
const result = resolveHeaders(undefined);
|
|
|
|
|
expect(result).toEqual({});
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should return empty object when headers is null', () => {
|
2025-08-16 20:45:55 -04:00
|
|
|
const result = resolveHeaders({
|
|
|
|
|
headers: null as unknown as Record<string, string>,
|
|
|
|
|
});
|
2025-06-23 12:39:27 -04:00
|
|
|
expect(result).toEqual({});
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should return empty object when headers is empty', () => {
|
2025-08-16 20:45:55 -04:00
|
|
|
const result = resolveHeaders({ headers: {} });
|
2025-06-23 12:39:27 -04:00
|
|
|
expect(result).toEqual({});
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should process environment variables in headers', () => {
|
|
|
|
|
const headers = {
|
|
|
|
|
Authorization: '${TEST_API_KEY}',
|
🧯 fix: Prevent Env-Variable Exfil. via Placeholder Injection (#12260)
* 🔒 fix: Resolve env vars before body placeholder expansion to prevent secret exfiltration
Body placeholders ({{LIBRECHAT_BODY_*}}) were substituted before
extractEnvVariable ran, allowing user-controlled body fields containing
${SECRET} patterns to be expanded into real environment values in
outbound headers. Reorder so env vars resolve first, preventing
untrusted input from triggering env expansion.
* 🛡️ fix: Block sensitive infrastructure env vars from placeholder resolution
Add isSensitiveEnvVar blocklist to extractEnvVariable so that internal
infrastructure secrets (JWT_SECRET, JWT_REFRESH_SECRET, CREDS_KEY,
CREDS_IV, MEILI_MASTER_KEY, MONGO_URI, REDIS_URI, REDIS_PASSWORD)
can never be resolved via ${VAR} expansion — even if an attacker
manages to inject a placeholder pattern.
Uses exact-match set (not substring patterns) to avoid breaking
legitimate operator config that references OAuth/API secrets in
MCP and custom endpoint configurations.
* 🧹 test: Rename ANOTHER_SECRET test fixture to ANOTHER_VALUE
Avoid using SECRET-containing names for non-sensitive test fixtures
to prevent confusion with the new isSensitiveEnvVar blocklist.
* 🔒 fix: Resolve env vars before all user-controlled substitutions in processSingleValue
Move extractEnvVariable to run on the raw admin-authored template
BEFORE customUserVars, user fields, OIDC tokens, and body placeholders.
Previously env resolution ran after customUserVars, so a user setting
a custom MCP variable to "${SECRET}" could still trigger env expansion.
Now env vars are resolved strictly on operator config, and all
subsequent user-controlled substitutions cannot introduce ${VAR} patterns
that would be expanded.
Gated by !dbSourced so DB-stored servers continue to skip env resolution.
Adds a security-invariant comment documenting the ordering requirement.
* 🧪 test: Comprehensive security regression tests for placeholder injection
- Cover all three body fields (conversationId, parentMessageId, messageId)
- Add user-field injection test (user.name containing ${VAR})
- Add customUserVars injection test (MY_TOKEN = "${VAR}")
- Add processMCPEnv injection tests for body and customUserVars paths
- Remove redundant process.env setup/teardown already handled by beforeEach/afterEach
* 🧹 chore: Add REDIS_PASSWORD to blocklist integration test; document customUserVars gate
2026-03-16 08:48:24 -04:00
|
|
|
'X-Secret': '${ANOTHER_VALUE}',
|
2025-06-23 12:39:27 -04:00
|
|
|
'Content-Type': 'application/json',
|
|
|
|
|
};
|
|
|
|
|
|
2025-08-16 20:45:55 -04:00
|
|
|
const result = resolveHeaders({ headers });
|
2025-06-23 12:39:27 -04:00
|
|
|
|
|
|
|
|
expect(result).toEqual({
|
|
|
|
|
Authorization: 'test-api-key-value',
|
🧯 fix: Prevent Env-Variable Exfil. via Placeholder Injection (#12260)
* 🔒 fix: Resolve env vars before body placeholder expansion to prevent secret exfiltration
Body placeholders ({{LIBRECHAT_BODY_*}}) were substituted before
extractEnvVariable ran, allowing user-controlled body fields containing
${SECRET} patterns to be expanded into real environment values in
outbound headers. Reorder so env vars resolve first, preventing
untrusted input from triggering env expansion.
* 🛡️ fix: Block sensitive infrastructure env vars from placeholder resolution
Add isSensitiveEnvVar blocklist to extractEnvVariable so that internal
infrastructure secrets (JWT_SECRET, JWT_REFRESH_SECRET, CREDS_KEY,
CREDS_IV, MEILI_MASTER_KEY, MONGO_URI, REDIS_URI, REDIS_PASSWORD)
can never be resolved via ${VAR} expansion — even if an attacker
manages to inject a placeholder pattern.
Uses exact-match set (not substring patterns) to avoid breaking
legitimate operator config that references OAuth/API secrets in
MCP and custom endpoint configurations.
* 🧹 test: Rename ANOTHER_SECRET test fixture to ANOTHER_VALUE
Avoid using SECRET-containing names for non-sensitive test fixtures
to prevent confusion with the new isSensitiveEnvVar blocklist.
* 🔒 fix: Resolve env vars before all user-controlled substitutions in processSingleValue
Move extractEnvVariable to run on the raw admin-authored template
BEFORE customUserVars, user fields, OIDC tokens, and body placeholders.
Previously env resolution ran after customUserVars, so a user setting
a custom MCP variable to "${SECRET}" could still trigger env expansion.
Now env vars are resolved strictly on operator config, and all
subsequent user-controlled substitutions cannot introduce ${VAR} patterns
that would be expanded.
Gated by !dbSourced so DB-stored servers continue to skip env resolution.
Adds a security-invariant comment documenting the ordering requirement.
* 🧪 test: Comprehensive security regression tests for placeholder injection
- Cover all three body fields (conversationId, parentMessageId, messageId)
- Add user-field injection test (user.name containing ${VAR})
- Add customUserVars injection test (MY_TOKEN = "${VAR}")
- Add processMCPEnv injection tests for body and customUserVars paths
- Remove redundant process.env setup/teardown already handled by beforeEach/afterEach
* 🧹 chore: Add REDIS_PASSWORD to blocklist integration test; document customUserVars gate
2026-03-16 08:48:24 -04:00
|
|
|
'X-Secret': 'another-test-value',
|
2025-06-23 12:39:27 -04:00
|
|
|
'Content-Type': 'application/json',
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should process user ID placeholder when user has id', () => {
|
|
|
|
|
const user = { id: 'test-user-123' };
|
|
|
|
|
const headers = {
|
|
|
|
|
'User-Id': '{{LIBRECHAT_USER_ID}}',
|
|
|
|
|
'Content-Type': 'application/json',
|
|
|
|
|
};
|
|
|
|
|
|
2025-08-16 20:45:55 -04:00
|
|
|
const result = resolveHeaders({ headers, user });
|
2025-06-23 12:39:27 -04:00
|
|
|
|
|
|
|
|
expect(result).toEqual({
|
|
|
|
|
'User-Id': 'test-user-123',
|
|
|
|
|
'Content-Type': 'application/json',
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should not process user ID placeholder when user is undefined', () => {
|
|
|
|
|
const headers = {
|
|
|
|
|
'User-Id': '{{LIBRECHAT_USER_ID}}',
|
|
|
|
|
'Content-Type': 'application/json',
|
|
|
|
|
};
|
|
|
|
|
|
2025-08-16 20:45:55 -04:00
|
|
|
const result = resolveHeaders({ headers });
|
2025-06-23 12:39:27 -04:00
|
|
|
|
|
|
|
|
expect(result).toEqual({
|
|
|
|
|
'User-Id': '{{LIBRECHAT_USER_ID}}',
|
|
|
|
|
'Content-Type': 'application/json',
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should not process user ID placeholder when user has no id', () => {
|
|
|
|
|
const user = { id: '' };
|
|
|
|
|
const headers = {
|
|
|
|
|
'User-Id': '{{LIBRECHAT_USER_ID}}',
|
|
|
|
|
'Content-Type': 'application/json',
|
|
|
|
|
};
|
|
|
|
|
|
2025-08-16 20:45:55 -04:00
|
|
|
const result = resolveHeaders({ headers, user });
|
2025-06-23 12:39:27 -04:00
|
|
|
|
|
|
|
|
expect(result).toEqual({
|
|
|
|
|
'User-Id': '{{LIBRECHAT_USER_ID}}',
|
|
|
|
|
'Content-Type': 'application/json',
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should process full user object placeholders', () => {
|
|
|
|
|
const user = createTestUser({
|
|
|
|
|
id: 'user-123',
|
|
|
|
|
email: 'test@example.com',
|
|
|
|
|
username: 'testuser',
|
|
|
|
|
name: 'Test User',
|
|
|
|
|
role: 'admin',
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
const headers = {
|
|
|
|
|
'User-Email': '{{LIBRECHAT_USER_EMAIL}}',
|
|
|
|
|
'User-Name': '{{LIBRECHAT_USER_NAME}}',
|
|
|
|
|
'User-Username': '{{LIBRECHAT_USER_USERNAME}}',
|
|
|
|
|
'User-Role': '{{LIBRECHAT_USER_ROLE}}',
|
|
|
|
|
'User-Id': '{{LIBRECHAT_USER_ID}}',
|
|
|
|
|
'Content-Type': 'application/json',
|
|
|
|
|
};
|
|
|
|
|
|
2025-08-16 20:45:55 -04:00
|
|
|
const result = resolveHeaders({ headers, user });
|
2025-06-23 12:39:27 -04:00
|
|
|
|
|
|
|
|
expect(result).toEqual({
|
|
|
|
|
'User-Email': 'test@example.com',
|
|
|
|
|
'User-Name': 'Test User',
|
|
|
|
|
'User-Username': 'testuser',
|
|
|
|
|
'User-Role': 'admin',
|
|
|
|
|
'User-Id': 'user-123',
|
|
|
|
|
'Content-Type': 'application/json',
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should handle missing user fields gracefully', () => {
|
|
|
|
|
const user = createTestUser({
|
|
|
|
|
id: 'user-123',
|
|
|
|
|
email: 'test@example.com',
|
2025-09-08 15:38:44 -04:00
|
|
|
username: undefined,
|
2025-06-23 12:39:27 -04:00
|
|
|
});
|
|
|
|
|
|
|
|
|
|
const headers = {
|
|
|
|
|
'User-Email': '{{LIBRECHAT_USER_EMAIL}}',
|
|
|
|
|
'User-Username': '{{LIBRECHAT_USER_USERNAME}}',
|
|
|
|
|
'Non-Existent': '{{LIBRECHAT_USER_NONEXISTENT}}',
|
|
|
|
|
};
|
|
|
|
|
|
2025-08-16 20:45:55 -04:00
|
|
|
const result = resolveHeaders({ headers, user });
|
2025-06-23 12:39:27 -04:00
|
|
|
|
|
|
|
|
expect(result).toEqual({
|
|
|
|
|
'User-Email': 'test@example.com',
|
2025-09-08 15:38:44 -04:00
|
|
|
'User-Username': '',
|
|
|
|
|
'Non-Existent': '{{LIBRECHAT_USER_NONEXISTENT}}',
|
2025-06-23 12:39:27 -04:00
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should process custom user variables', () => {
|
|
|
|
|
const user = { id: 'user-123' };
|
|
|
|
|
const customUserVars = {
|
|
|
|
|
CUSTOM_TOKEN: 'user-specific-token',
|
|
|
|
|
REGION: 'us-west-1',
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
const headers = {
|
|
|
|
|
Authorization: 'Bearer {{CUSTOM_TOKEN}}',
|
|
|
|
|
'X-Region': '{{REGION}}',
|
|
|
|
|
'X-System-Key': '${TEST_API_KEY}',
|
|
|
|
|
'X-User-Id': '{{LIBRECHAT_USER_ID}}',
|
|
|
|
|
};
|
|
|
|
|
|
2025-08-16 20:45:55 -04:00
|
|
|
const result = resolveHeaders({ headers, user, customUserVars });
|
2025-06-23 12:39:27 -04:00
|
|
|
|
|
|
|
|
expect(result).toEqual({
|
|
|
|
|
Authorization: 'Bearer user-specific-token',
|
|
|
|
|
'X-Region': 'us-west-1',
|
|
|
|
|
'X-System-Key': 'test-api-key-value',
|
|
|
|
|
'X-User-Id': 'user-123',
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should prioritize custom user variables over user fields', () => {
|
|
|
|
|
const user = createTestUser({
|
|
|
|
|
id: 'user-123',
|
|
|
|
|
email: 'user-email@example.com',
|
|
|
|
|
});
|
|
|
|
|
const customUserVars = {
|
|
|
|
|
LIBRECHAT_USER_EMAIL: 'custom-email@example.com',
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
const headers = {
|
|
|
|
|
'Test-Email': '{{LIBRECHAT_USER_EMAIL}}',
|
|
|
|
|
};
|
|
|
|
|
|
2025-08-16 20:45:55 -04:00
|
|
|
const result = resolveHeaders({ headers, user, customUserVars });
|
2025-06-23 12:39:27 -04:00
|
|
|
|
|
|
|
|
expect(result).toEqual({
|
|
|
|
|
'Test-Email': 'custom-email@example.com',
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should handle boolean user fields', () => {
|
|
|
|
|
const user = createTestUser({
|
|
|
|
|
id: 'user-123',
|
2025-09-08 15:38:44 -04:00
|
|
|
|
2025-06-23 12:39:27 -04:00
|
|
|
role: 'admin',
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
const headers = {
|
|
|
|
|
'User-Role': '{{LIBRECHAT_USER_ROLE}}',
|
|
|
|
|
'User-Id': '{{LIBRECHAT_USER_ID}}',
|
|
|
|
|
};
|
|
|
|
|
|
2025-08-16 20:45:55 -04:00
|
|
|
const result = resolveHeaders({ headers, user });
|
2025-06-23 12:39:27 -04:00
|
|
|
|
|
|
|
|
expect(result).toEqual({
|
|
|
|
|
'User-Role': 'admin',
|
|
|
|
|
'User-Id': 'user-123',
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should handle multiple occurrences of the same placeholder', () => {
|
|
|
|
|
const user = createTestUser({
|
|
|
|
|
id: 'user-123',
|
|
|
|
|
email: 'test@example.com',
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
const headers = {
|
|
|
|
|
'Primary-Email': '{{LIBRECHAT_USER_EMAIL}}',
|
|
|
|
|
'Secondary-Email': '{{LIBRECHAT_USER_EMAIL}}',
|
|
|
|
|
'Backup-Email': '{{LIBRECHAT_USER_EMAIL}}',
|
|
|
|
|
};
|
|
|
|
|
|
2025-08-16 20:45:55 -04:00
|
|
|
const result = resolveHeaders({ headers, user });
|
2025-06-23 12:39:27 -04:00
|
|
|
|
|
|
|
|
expect(result).toEqual({
|
|
|
|
|
'Primary-Email': 'test@example.com',
|
|
|
|
|
'Secondary-Email': 'test@example.com',
|
|
|
|
|
'Backup-Email': 'test@example.com',
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should handle mixed variable types in the same headers object', () => {
|
|
|
|
|
const user = createTestUser({
|
|
|
|
|
id: 'user-123',
|
|
|
|
|
email: 'test@example.com',
|
|
|
|
|
});
|
|
|
|
|
const customUserVars = {
|
|
|
|
|
CUSTOM_TOKEN: 'secret-token',
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
const headers = {
|
|
|
|
|
Authorization: 'Bearer {{CUSTOM_TOKEN}}',
|
|
|
|
|
'X-User-Id': '{{LIBRECHAT_USER_ID}}',
|
|
|
|
|
'X-System-Key': '${TEST_API_KEY}',
|
|
|
|
|
'X-User-Email': '{{LIBRECHAT_USER_EMAIL}}',
|
|
|
|
|
'Content-Type': 'application/json',
|
|
|
|
|
};
|
|
|
|
|
|
2025-08-16 20:45:55 -04:00
|
|
|
const result = resolveHeaders({ headers, user, customUserVars });
|
2025-06-23 12:39:27 -04:00
|
|
|
|
|
|
|
|
expect(result).toEqual({
|
|
|
|
|
Authorization: 'Bearer secret-token',
|
|
|
|
|
'X-User-Id': 'user-123',
|
|
|
|
|
'X-System-Key': 'test-api-key-value',
|
|
|
|
|
'X-User-Email': 'test@example.com',
|
|
|
|
|
'Content-Type': 'application/json',
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should not modify the original headers object', () => {
|
|
|
|
|
const originalHeaders = {
|
|
|
|
|
Authorization: '${TEST_API_KEY}',
|
|
|
|
|
'User-Id': '{{LIBRECHAT_USER_ID}}',
|
|
|
|
|
};
|
|
|
|
|
const user = { id: 'user-123' };
|
|
|
|
|
|
2025-08-16 20:45:55 -04:00
|
|
|
const result = resolveHeaders({ headers: originalHeaders, user });
|
2025-06-23 12:39:27 -04:00
|
|
|
|
|
|
|
|
expect(result).toEqual({
|
|
|
|
|
Authorization: 'test-api-key-value',
|
|
|
|
|
'User-Id': 'user-123',
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
expect(originalHeaders).toEqual({
|
|
|
|
|
Authorization: '${TEST_API_KEY}',
|
|
|
|
|
'User-Id': '{{LIBRECHAT_USER_ID}}',
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should handle special characters in custom variable names', () => {
|
|
|
|
|
const user = { id: 'user-123' };
|
|
|
|
|
const customUserVars = {
|
|
|
|
|
'CUSTOM-VAR': 'dash-value',
|
|
|
|
|
CUSTOM_VAR: 'underscore-value',
|
|
|
|
|
'CUSTOM.VAR': 'dot-value',
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
const headers = {
|
|
|
|
|
'Dash-Header': '{{CUSTOM-VAR}}',
|
|
|
|
|
'Underscore-Header': '{{CUSTOM_VAR}}',
|
|
|
|
|
'Dot-Header': '{{CUSTOM.VAR}}',
|
|
|
|
|
};
|
|
|
|
|
|
2025-08-16 20:45:55 -04:00
|
|
|
const result = resolveHeaders({ headers, user, customUserVars });
|
2025-06-23 12:39:27 -04:00
|
|
|
|
|
|
|
|
expect(result).toEqual({
|
|
|
|
|
'Dash-Header': 'dash-value',
|
|
|
|
|
'Underscore-Header': 'underscore-value',
|
|
|
|
|
'Dot-Header': 'dot-value',
|
|
|
|
|
});
|
|
|
|
|
});
|
2025-06-24 18:11:06 -07:00
|
|
|
|
|
|
|
|
it('should replace all allowed user field placeholders', () => {
|
|
|
|
|
const user = {
|
|
|
|
|
id: 'abc',
|
|
|
|
|
name: 'Test User',
|
|
|
|
|
username: 'testuser',
|
|
|
|
|
email: 'me@example.com',
|
|
|
|
|
provider: 'google',
|
|
|
|
|
role: 'admin',
|
|
|
|
|
googleId: 'gid',
|
|
|
|
|
facebookId: 'fbid',
|
|
|
|
|
openidId: 'oid',
|
|
|
|
|
samlId: 'sid',
|
|
|
|
|
ldapId: 'lid',
|
|
|
|
|
githubId: 'ghid',
|
|
|
|
|
discordId: 'dcid',
|
|
|
|
|
appleId: 'aid',
|
|
|
|
|
emailVerified: true,
|
|
|
|
|
twoFactorEnabled: false,
|
|
|
|
|
termsAccepted: true,
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
const headers = {
|
|
|
|
|
'X-User-ID': '{{LIBRECHAT_USER_ID}}',
|
|
|
|
|
'X-User-Name': '{{LIBRECHAT_USER_NAME}}',
|
|
|
|
|
'X-User-Username': '{{LIBRECHAT_USER_USERNAME}}',
|
|
|
|
|
'X-User-Email': '{{LIBRECHAT_USER_EMAIL}}',
|
|
|
|
|
'X-User-Provider': '{{LIBRECHAT_USER_PROVIDER}}',
|
|
|
|
|
'X-User-Role': '{{LIBRECHAT_USER_ROLE}}',
|
|
|
|
|
'X-User-GoogleId': '{{LIBRECHAT_USER_GOOGLEID}}',
|
|
|
|
|
'X-User-FacebookId': '{{LIBRECHAT_USER_FACEBOOKID}}',
|
|
|
|
|
'X-User-OpenIdId': '{{LIBRECHAT_USER_OPENIDID}}',
|
|
|
|
|
'X-User-SamlId': '{{LIBRECHAT_USER_SAMLID}}',
|
|
|
|
|
'X-User-LdapId': '{{LIBRECHAT_USER_LDAPID}}',
|
|
|
|
|
'X-User-GithubId': '{{LIBRECHAT_USER_GITHUBID}}',
|
|
|
|
|
'X-User-DiscordId': '{{LIBRECHAT_USER_DISCORDID}}',
|
|
|
|
|
'X-User-AppleId': '{{LIBRECHAT_USER_APPLEID}}',
|
|
|
|
|
'X-User-EmailVerified': '{{LIBRECHAT_USER_EMAILVERIFIED}}',
|
|
|
|
|
'X-User-TwoFactorEnabled': '{{LIBRECHAT_USER_TWOFACTORENABLED}}',
|
|
|
|
|
'X-User-TermsAccepted': '{{LIBRECHAT_USER_TERMSACCEPTED}}',
|
|
|
|
|
};
|
|
|
|
|
|
2025-08-16 20:45:55 -04:00
|
|
|
const result = resolveHeaders({ headers, user });
|
2025-06-24 18:11:06 -07:00
|
|
|
|
|
|
|
|
expect(result['X-User-ID']).toBe('abc');
|
|
|
|
|
expect(result['X-User-Name']).toBe('Test User');
|
|
|
|
|
expect(result['X-User-Username']).toBe('testuser');
|
|
|
|
|
expect(result['X-User-Email']).toBe('me@example.com');
|
|
|
|
|
expect(result['X-User-Provider']).toBe('google');
|
|
|
|
|
expect(result['X-User-Role']).toBe('admin');
|
|
|
|
|
expect(result['X-User-GoogleId']).toBe('gid');
|
|
|
|
|
expect(result['X-User-FacebookId']).toBe('fbid');
|
|
|
|
|
expect(result['X-User-OpenIdId']).toBe('oid');
|
|
|
|
|
expect(result['X-User-SamlId']).toBe('sid');
|
|
|
|
|
expect(result['X-User-LdapId']).toBe('lid');
|
|
|
|
|
expect(result['X-User-GithubId']).toBe('ghid');
|
|
|
|
|
expect(result['X-User-DiscordId']).toBe('dcid');
|
|
|
|
|
expect(result['X-User-AppleId']).toBe('aid');
|
|
|
|
|
expect(result['X-User-EmailVerified']).toBe('true');
|
|
|
|
|
expect(result['X-User-TwoFactorEnabled']).toBe('false');
|
|
|
|
|
expect(result['X-User-TermsAccepted']).toBe('true');
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should handle multiple placeholders in one value', () => {
|
|
|
|
|
const user = { id: 'abc', email: 'me@example.com' };
|
|
|
|
|
const headers = {
|
|
|
|
|
'X-Multi': 'User: {{LIBRECHAT_USER_ID}}, Env: ${TEST_API_KEY}, Custom: {{MY_CUSTOM}}',
|
|
|
|
|
};
|
|
|
|
|
const customVars = { MY_CUSTOM: 'custom-value' };
|
2025-08-16 20:45:55 -04:00
|
|
|
const result = resolveHeaders({ headers, user, customUserVars: customVars });
|
2025-06-24 18:11:06 -07:00
|
|
|
expect(result['X-Multi']).toBe('User: abc, Env: test-api-key-value, Custom: custom-value');
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should leave unknown placeholders unchanged', () => {
|
|
|
|
|
const user = { id: 'abc' };
|
|
|
|
|
const headers = {
|
|
|
|
|
'X-Unknown': '{{SOMETHING_NOT_RECOGNIZED}}',
|
|
|
|
|
'X-Known': '{{LIBRECHAT_USER_ID}}',
|
|
|
|
|
};
|
2025-08-16 20:45:55 -04:00
|
|
|
const result = resolveHeaders({ headers, user });
|
2025-06-24 18:11:06 -07:00
|
|
|
expect(result['X-Unknown']).toBe('{{SOMETHING_NOT_RECOGNIZED}}');
|
|
|
|
|
expect(result['X-Known']).toBe('abc');
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should handle a mix of all types', () => {
|
|
|
|
|
const user = {
|
|
|
|
|
id: 'abc',
|
|
|
|
|
email: 'me@example.com',
|
|
|
|
|
emailVerified: true,
|
|
|
|
|
twoFactorEnabled: false,
|
|
|
|
|
};
|
|
|
|
|
const headers = {
|
|
|
|
|
'X-User': '{{LIBRECHAT_USER_ID}}',
|
|
|
|
|
'X-Env': '${TEST_API_KEY}',
|
|
|
|
|
'X-Custom': '{{MY_CUSTOM}}',
|
|
|
|
|
'X-Multi': 'ID: {{LIBRECHAT_USER_ID}}, ENV: ${TEST_API_KEY}, CUSTOM: {{MY_CUSTOM}}',
|
|
|
|
|
'X-Unknown': '{{NOT_A_REAL_PLACEHOLDER}}',
|
|
|
|
|
'X-Empty': '',
|
|
|
|
|
'X-Boolean': '{{LIBRECHAT_USER_EMAILVERIFIED}}',
|
|
|
|
|
};
|
|
|
|
|
const customVars = { MY_CUSTOM: 'custom-value' };
|
2025-08-16 20:45:55 -04:00
|
|
|
const result = resolveHeaders({ headers, user, customUserVars: customVars });
|
2025-06-24 18:11:06 -07:00
|
|
|
|
|
|
|
|
expect(result['X-User']).toBe('abc');
|
|
|
|
|
expect(result['X-Env']).toBe('test-api-key-value');
|
|
|
|
|
expect(result['X-Custom']).toBe('custom-value');
|
|
|
|
|
expect(result['X-Multi']).toBe('ID: abc, ENV: test-api-key-value, CUSTOM: custom-value');
|
|
|
|
|
expect(result['X-Unknown']).toBe('{{NOT_A_REAL_PLACEHOLDER}}');
|
|
|
|
|
expect(result['X-Empty']).toBe('');
|
|
|
|
|
expect(result['X-Boolean']).toBe('true');
|
|
|
|
|
});
|
2025-08-16 20:45:55 -04:00
|
|
|
|
|
|
|
|
it('should process LIBRECHAT_BODY placeholders', () => {
|
|
|
|
|
const body = {
|
|
|
|
|
conversationId: 'conv-123',
|
|
|
|
|
parentMessageId: 'parent-456',
|
|
|
|
|
messageId: 'msg-789',
|
|
|
|
|
};
|
|
|
|
|
const headers = { 'X-Conversation': '{{LIBRECHAT_BODY_CONVERSATIONID}}' };
|
|
|
|
|
const result = resolveHeaders({ headers, body });
|
|
|
|
|
expect(result['X-Conversation']).toBe('conv-123');
|
|
|
|
|
});
|
2025-11-21 16:42:28 -05:00
|
|
|
|
🧯 fix: Prevent Env-Variable Exfil. via Placeholder Injection (#12260)
* 🔒 fix: Resolve env vars before body placeholder expansion to prevent secret exfiltration
Body placeholders ({{LIBRECHAT_BODY_*}}) were substituted before
extractEnvVariable ran, allowing user-controlled body fields containing
${SECRET} patterns to be expanded into real environment values in
outbound headers. Reorder so env vars resolve first, preventing
untrusted input from triggering env expansion.
* 🛡️ fix: Block sensitive infrastructure env vars from placeholder resolution
Add isSensitiveEnvVar blocklist to extractEnvVariable so that internal
infrastructure secrets (JWT_SECRET, JWT_REFRESH_SECRET, CREDS_KEY,
CREDS_IV, MEILI_MASTER_KEY, MONGO_URI, REDIS_URI, REDIS_PASSWORD)
can never be resolved via ${VAR} expansion — even if an attacker
manages to inject a placeholder pattern.
Uses exact-match set (not substring patterns) to avoid breaking
legitimate operator config that references OAuth/API secrets in
MCP and custom endpoint configurations.
* 🧹 test: Rename ANOTHER_SECRET test fixture to ANOTHER_VALUE
Avoid using SECRET-containing names for non-sensitive test fixtures
to prevent confusion with the new isSensitiveEnvVar blocklist.
* 🔒 fix: Resolve env vars before all user-controlled substitutions in processSingleValue
Move extractEnvVariable to run on the raw admin-authored template
BEFORE customUserVars, user fields, OIDC tokens, and body placeholders.
Previously env resolution ran after customUserVars, so a user setting
a custom MCP variable to "${SECRET}" could still trigger env expansion.
Now env vars are resolved strictly on operator config, and all
subsequent user-controlled substitutions cannot introduce ${VAR} patterns
that would be expanded.
Gated by !dbSourced so DB-stored servers continue to skip env resolution.
Adds a security-invariant comment documenting the ordering requirement.
* 🧪 test: Comprehensive security regression tests for placeholder injection
- Cover all three body fields (conversationId, parentMessageId, messageId)
- Add user-field injection test (user.name containing ${VAR})
- Add customUserVars injection test (MY_TOKEN = "${VAR}")
- Add processMCPEnv injection tests for body and customUserVars paths
- Remove redundant process.env setup/teardown already handled by beforeEach/afterEach
* 🧹 chore: Add REDIS_PASSWORD to blocklist integration test; document customUserVars gate
2026-03-16 08:48:24 -04:00
|
|
|
it('should not resolve env vars introduced via LIBRECHAT_BODY placeholders', () => {
|
|
|
|
|
const body = {
|
|
|
|
|
conversationId: '${TEST_API_KEY}',
|
|
|
|
|
parentMessageId: '${TEST_API_KEY}',
|
|
|
|
|
messageId: '${TEST_API_KEY}',
|
|
|
|
|
};
|
|
|
|
|
const headers = {
|
|
|
|
|
'X-Conv': '{{LIBRECHAT_BODY_CONVERSATIONID}}',
|
|
|
|
|
'X-Parent': '{{LIBRECHAT_BODY_PARENTMESSAGEID}}',
|
|
|
|
|
'X-Msg': '{{LIBRECHAT_BODY_MESSAGEID}}',
|
|
|
|
|
};
|
|
|
|
|
const result = resolveHeaders({ headers, body });
|
|
|
|
|
|
|
|
|
|
expect(result['X-Conv']).toBe('${TEST_API_KEY}');
|
|
|
|
|
expect(result['X-Parent']).toBe('${TEST_API_KEY}');
|
|
|
|
|
expect(result['X-Msg']).toBe('${TEST_API_KEY}');
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should not resolve env vars introduced via LIBRECHAT_USER placeholders', () => {
|
|
|
|
|
const user = createTestUser({ name: '${TEST_API_KEY}' });
|
|
|
|
|
const headers = { 'X-Name': '{{LIBRECHAT_USER_NAME}}' };
|
|
|
|
|
const result = resolveHeaders({ headers, user });
|
|
|
|
|
|
|
|
|
|
expect(result['X-Name']).toBe('${TEST_API_KEY}');
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should not resolve env vars introduced via customUserVars', () => {
|
|
|
|
|
const customUserVars = { MY_TOKEN: '${TEST_API_KEY}' };
|
|
|
|
|
const headers = { Authorization: 'Bearer {{MY_TOKEN}}' };
|
|
|
|
|
const result = resolveHeaders({ headers, customUserVars });
|
|
|
|
|
|
|
|
|
|
expect(result.Authorization).toBe('Bearer ${TEST_API_KEY}');
|
|
|
|
|
});
|
|
|
|
|
|
2025-11-21 16:42:28 -05:00
|
|
|
describe('non-string header values (type guard tests)', () => {
|
|
|
|
|
it('should handle numeric header values without crashing', () => {
|
|
|
|
|
const headers = {
|
|
|
|
|
'X-Number': 12345 as unknown as string,
|
|
|
|
|
'X-String': 'normal-string',
|
|
|
|
|
};
|
|
|
|
|
const result = resolveHeaders({ headers });
|
|
|
|
|
expect(result['X-Number']).toBe('12345');
|
|
|
|
|
expect(result['X-String']).toBe('normal-string');
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should handle boolean header values without crashing', () => {
|
|
|
|
|
const headers = {
|
|
|
|
|
'X-Boolean-True': true as unknown as string,
|
|
|
|
|
'X-Boolean-False': false as unknown as string,
|
|
|
|
|
'X-String': 'normal-string',
|
|
|
|
|
};
|
|
|
|
|
const result = resolveHeaders({ headers });
|
|
|
|
|
expect(result['X-Boolean-True']).toBe('true');
|
|
|
|
|
expect(result['X-Boolean-False']).toBe('false');
|
|
|
|
|
expect(result['X-String']).toBe('normal-string');
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should handle null and undefined header values', () => {
|
|
|
|
|
const headers = {
|
|
|
|
|
'X-Null': null as unknown as string,
|
|
|
|
|
'X-Undefined': undefined as unknown as string,
|
|
|
|
|
'X-String': 'normal-string',
|
|
|
|
|
};
|
|
|
|
|
const result = resolveHeaders({ headers });
|
|
|
|
|
expect(result['X-Null']).toBe('null');
|
|
|
|
|
expect(result['X-Undefined']).toBe('undefined');
|
|
|
|
|
expect(result['X-String']).toBe('normal-string');
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should handle numeric values with placeholders', () => {
|
|
|
|
|
const user = { id: 'user-123' };
|
|
|
|
|
const headers = {
|
|
|
|
|
'X-Number': 42 as unknown as string,
|
|
|
|
|
'X-String-With-Placeholder': '{{LIBRECHAT_USER_ID}}',
|
|
|
|
|
};
|
|
|
|
|
const result = resolveHeaders({ headers, user });
|
|
|
|
|
expect(result['X-Number']).toBe('42');
|
|
|
|
|
expect(result['X-String-With-Placeholder']).toBe('user-123');
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should handle objects in header values', () => {
|
|
|
|
|
const headers = {
|
|
|
|
|
'X-Object': { nested: 'value' } as unknown as string,
|
|
|
|
|
'X-String': 'normal-string',
|
|
|
|
|
};
|
|
|
|
|
const result = resolveHeaders({ headers });
|
|
|
|
|
expect(result['X-Object']).toBe('[object Object]');
|
|
|
|
|
expect(result['X-String']).toBe('normal-string');
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should handle arrays in header values', () => {
|
|
|
|
|
const headers = {
|
|
|
|
|
'X-Array': ['value1', 'value2'] as unknown as string,
|
|
|
|
|
'X-String': 'normal-string',
|
|
|
|
|
};
|
|
|
|
|
const result = resolveHeaders({ headers });
|
|
|
|
|
expect(result['X-Array']).toBe('value1,value2');
|
|
|
|
|
expect(result['X-String']).toBe('normal-string');
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should handle numeric values with env variables', () => {
|
|
|
|
|
process.env.TEST_API_KEY = 'test-api-key-value';
|
|
|
|
|
const headers = {
|
|
|
|
|
'X-Number': 12345 as unknown as string,
|
|
|
|
|
'X-Env': '${TEST_API_KEY}',
|
|
|
|
|
};
|
|
|
|
|
const result = resolveHeaders({ headers });
|
|
|
|
|
expect(result['X-Number']).toBe('12345');
|
|
|
|
|
expect(result['X-Env']).toBe('test-api-key-value');
|
|
|
|
|
delete process.env.TEST_API_KEY;
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should handle numeric values with body placeholders', () => {
|
|
|
|
|
const body = {
|
|
|
|
|
conversationId: 'conv-123',
|
|
|
|
|
parentMessageId: 'parent-456',
|
|
|
|
|
messageId: 'msg-789',
|
|
|
|
|
};
|
|
|
|
|
const headers = {
|
|
|
|
|
'X-Number': 999 as unknown as string,
|
|
|
|
|
'X-Conv': '{{LIBRECHAT_BODY_CONVERSATIONID}}',
|
|
|
|
|
};
|
|
|
|
|
const result = resolveHeaders({ headers, body });
|
|
|
|
|
expect(result['X-Number']).toBe('999');
|
|
|
|
|
expect(result['X-Conv']).toBe('conv-123');
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should handle mixed type headers with user and custom vars', () => {
|
|
|
|
|
const user = { id: 'user-123', email: 'test@example.com' };
|
|
|
|
|
const customUserVars = { CUSTOM_TOKEN: 'secret-token' };
|
|
|
|
|
const headers = {
|
|
|
|
|
'X-Number': 42 as unknown as string,
|
|
|
|
|
'X-Boolean': true as unknown as string,
|
|
|
|
|
'X-User-Id': '{{LIBRECHAT_USER_ID}}',
|
|
|
|
|
'X-Custom': '{{CUSTOM_TOKEN}}',
|
|
|
|
|
'X-String': 'normal',
|
|
|
|
|
};
|
|
|
|
|
const result = resolveHeaders({ headers, user, customUserVars });
|
|
|
|
|
expect(result['X-Number']).toBe('42');
|
|
|
|
|
expect(result['X-Boolean']).toBe('true');
|
|
|
|
|
expect(result['X-User-Id']).toBe('user-123');
|
|
|
|
|
expect(result['X-Custom']).toBe('secret-token');
|
|
|
|
|
expect(result['X-String']).toBe('normal');
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should not crash when calling includes on non-string body field values', () => {
|
|
|
|
|
const body = {
|
|
|
|
|
conversationId: 12345 as unknown as string,
|
|
|
|
|
parentMessageId: 'parent-456',
|
|
|
|
|
messageId: 'msg-789',
|
|
|
|
|
};
|
|
|
|
|
const headers = {
|
|
|
|
|
'X-Conv-Id': '{{LIBRECHAT_BODY_CONVERSATIONID}}',
|
|
|
|
|
'X-Number': 999 as unknown as string,
|
|
|
|
|
};
|
|
|
|
|
expect(() => resolveHeaders({ headers, body })).not.toThrow();
|
|
|
|
|
const result = resolveHeaders({ headers, body });
|
|
|
|
|
expect(result['X-Number']).toBe('999');
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
describe('resolveNestedObject', () => {
|
|
|
|
|
beforeEach(() => {
|
|
|
|
|
process.env.TEST_API_KEY = 'test-api-key-value';
|
🧯 fix: Prevent Env-Variable Exfil. via Placeholder Injection (#12260)
* 🔒 fix: Resolve env vars before body placeholder expansion to prevent secret exfiltration
Body placeholders ({{LIBRECHAT_BODY_*}}) were substituted before
extractEnvVariable ran, allowing user-controlled body fields containing
${SECRET} patterns to be expanded into real environment values in
outbound headers. Reorder so env vars resolve first, preventing
untrusted input from triggering env expansion.
* 🛡️ fix: Block sensitive infrastructure env vars from placeholder resolution
Add isSensitiveEnvVar blocklist to extractEnvVariable so that internal
infrastructure secrets (JWT_SECRET, JWT_REFRESH_SECRET, CREDS_KEY,
CREDS_IV, MEILI_MASTER_KEY, MONGO_URI, REDIS_URI, REDIS_PASSWORD)
can never be resolved via ${VAR} expansion — even if an attacker
manages to inject a placeholder pattern.
Uses exact-match set (not substring patterns) to avoid breaking
legitimate operator config that references OAuth/API secrets in
MCP and custom endpoint configurations.
* 🧹 test: Rename ANOTHER_SECRET test fixture to ANOTHER_VALUE
Avoid using SECRET-containing names for non-sensitive test fixtures
to prevent confusion with the new isSensitiveEnvVar blocklist.
* 🔒 fix: Resolve env vars before all user-controlled substitutions in processSingleValue
Move extractEnvVariable to run on the raw admin-authored template
BEFORE customUserVars, user fields, OIDC tokens, and body placeholders.
Previously env resolution ran after customUserVars, so a user setting
a custom MCP variable to "${SECRET}" could still trigger env expansion.
Now env vars are resolved strictly on operator config, and all
subsequent user-controlled substitutions cannot introduce ${VAR} patterns
that would be expanded.
Gated by !dbSourced so DB-stored servers continue to skip env resolution.
Adds a security-invariant comment documenting the ordering requirement.
* 🧪 test: Comprehensive security regression tests for placeholder injection
- Cover all three body fields (conversationId, parentMessageId, messageId)
- Add user-field injection test (user.name containing ${VAR})
- Add customUserVars injection test (MY_TOKEN = "${VAR}")
- Add processMCPEnv injection tests for body and customUserVars paths
- Remove redundant process.env setup/teardown already handled by beforeEach/afterEach
* 🧹 chore: Add REDIS_PASSWORD to blocklist integration test; document customUserVars gate
2026-03-16 08:48:24 -04:00
|
|
|
process.env.ANOTHER_VALUE = 'another-test-value';
|
2025-11-21 16:42:28 -05:00
|
|
|
});
|
|
|
|
|
|
|
|
|
|
afterEach(() => {
|
|
|
|
|
delete process.env.TEST_API_KEY;
|
🧯 fix: Prevent Env-Variable Exfil. via Placeholder Injection (#12260)
* 🔒 fix: Resolve env vars before body placeholder expansion to prevent secret exfiltration
Body placeholders ({{LIBRECHAT_BODY_*}}) were substituted before
extractEnvVariable ran, allowing user-controlled body fields containing
${SECRET} patterns to be expanded into real environment values in
outbound headers. Reorder so env vars resolve first, preventing
untrusted input from triggering env expansion.
* 🛡️ fix: Block sensitive infrastructure env vars from placeholder resolution
Add isSensitiveEnvVar blocklist to extractEnvVariable so that internal
infrastructure secrets (JWT_SECRET, JWT_REFRESH_SECRET, CREDS_KEY,
CREDS_IV, MEILI_MASTER_KEY, MONGO_URI, REDIS_URI, REDIS_PASSWORD)
can never be resolved via ${VAR} expansion — even if an attacker
manages to inject a placeholder pattern.
Uses exact-match set (not substring patterns) to avoid breaking
legitimate operator config that references OAuth/API secrets in
MCP and custom endpoint configurations.
* 🧹 test: Rename ANOTHER_SECRET test fixture to ANOTHER_VALUE
Avoid using SECRET-containing names for non-sensitive test fixtures
to prevent confusion with the new isSensitiveEnvVar blocklist.
* 🔒 fix: Resolve env vars before all user-controlled substitutions in processSingleValue
Move extractEnvVariable to run on the raw admin-authored template
BEFORE customUserVars, user fields, OIDC tokens, and body placeholders.
Previously env resolution ran after customUserVars, so a user setting
a custom MCP variable to "${SECRET}" could still trigger env expansion.
Now env vars are resolved strictly on operator config, and all
subsequent user-controlled substitutions cannot introduce ${VAR} patterns
that would be expanded.
Gated by !dbSourced so DB-stored servers continue to skip env resolution.
Adds a security-invariant comment documenting the ordering requirement.
* 🧪 test: Comprehensive security regression tests for placeholder injection
- Cover all three body fields (conversationId, parentMessageId, messageId)
- Add user-field injection test (user.name containing ${VAR})
- Add customUserVars injection test (MY_TOKEN = "${VAR}")
- Add processMCPEnv injection tests for body and customUserVars paths
- Remove redundant process.env setup/teardown already handled by beforeEach/afterEach
* 🧹 chore: Add REDIS_PASSWORD to blocklist integration test; document customUserVars gate
2026-03-16 08:48:24 -04:00
|
|
|
delete process.env.ANOTHER_VALUE;
|
2025-11-21 16:42:28 -05:00
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should preserve nested object structure', () => {
|
|
|
|
|
const obj = {
|
|
|
|
|
thinking: {
|
|
|
|
|
type: 'enabled',
|
|
|
|
|
budget_tokens: 2000,
|
|
|
|
|
},
|
|
|
|
|
anthropic_beta: ['output-128k-2025-02-19'],
|
|
|
|
|
max_tokens: 4096,
|
|
|
|
|
temperature: 0.7,
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
const result = resolveNestedObject({ obj });
|
|
|
|
|
|
|
|
|
|
expect(result).toEqual({
|
|
|
|
|
thinking: {
|
|
|
|
|
type: 'enabled',
|
|
|
|
|
budget_tokens: 2000,
|
|
|
|
|
},
|
|
|
|
|
anthropic_beta: ['output-128k-2025-02-19'],
|
|
|
|
|
max_tokens: 4096,
|
|
|
|
|
temperature: 0.7,
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should process placeholders in string values while preserving structure', () => {
|
|
|
|
|
const user = { id: 'user-123', email: 'test@example.com' };
|
|
|
|
|
const obj = {
|
|
|
|
|
thinking: {
|
|
|
|
|
type: 'enabled',
|
|
|
|
|
budget_tokens: 2000,
|
|
|
|
|
user_context: '{{LIBRECHAT_USER_ID}}',
|
|
|
|
|
},
|
|
|
|
|
anthropic_beta: ['output-128k-2025-02-19'],
|
|
|
|
|
api_key: '${TEST_API_KEY}',
|
|
|
|
|
max_tokens: 4096,
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
const result = resolveNestedObject({ obj, user });
|
|
|
|
|
|
|
|
|
|
expect(result).toEqual({
|
|
|
|
|
thinking: {
|
|
|
|
|
type: 'enabled',
|
|
|
|
|
budget_tokens: 2000,
|
|
|
|
|
user_context: 'user-123',
|
|
|
|
|
},
|
|
|
|
|
anthropic_beta: ['output-128k-2025-02-19'],
|
|
|
|
|
api_key: 'test-api-key-value',
|
|
|
|
|
max_tokens: 4096,
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should process strings in arrays', () => {
|
|
|
|
|
const user = { id: 'user-123' };
|
|
|
|
|
const obj = {
|
|
|
|
|
headers: ['Authorization: Bearer ${TEST_API_KEY}', 'X-User-Id: {{LIBRECHAT_USER_ID}}'],
|
|
|
|
|
values: [1, 2, 3],
|
|
|
|
|
mixed: ['string', 42, true, '{{LIBRECHAT_USER_ID}}'],
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
const result = resolveNestedObject({ obj, user });
|
|
|
|
|
|
|
|
|
|
expect(result).toEqual({
|
|
|
|
|
headers: ['Authorization: Bearer test-api-key-value', 'X-User-Id: user-123'],
|
|
|
|
|
values: [1, 2, 3],
|
|
|
|
|
mixed: ['string', 42, true, 'user-123'],
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should handle deeply nested structures', () => {
|
|
|
|
|
const user = { id: 'user-123' };
|
|
|
|
|
const obj = {
|
|
|
|
|
level1: {
|
|
|
|
|
level2: {
|
|
|
|
|
level3: {
|
|
|
|
|
user_id: '{{LIBRECHAT_USER_ID}}',
|
|
|
|
|
settings: {
|
|
|
|
|
api_key: '${TEST_API_KEY}',
|
|
|
|
|
enabled: true,
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
const result = resolveNestedObject({ obj, user });
|
|
|
|
|
|
|
|
|
|
expect(result).toEqual({
|
|
|
|
|
level1: {
|
|
|
|
|
level2: {
|
|
|
|
|
level3: {
|
|
|
|
|
user_id: 'user-123',
|
|
|
|
|
settings: {
|
|
|
|
|
api_key: 'test-api-key-value',
|
|
|
|
|
enabled: true,
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should preserve all primitive types', () => {
|
|
|
|
|
const obj = {
|
|
|
|
|
string: 'text',
|
|
|
|
|
number: 42,
|
|
|
|
|
float: 3.14,
|
|
|
|
|
boolean_true: true,
|
|
|
|
|
boolean_false: false,
|
|
|
|
|
null_value: null,
|
|
|
|
|
undefined_value: undefined,
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
const result = resolveNestedObject({ obj });
|
|
|
|
|
|
|
|
|
|
expect(result).toEqual(obj);
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should handle empty objects and arrays', () => {
|
|
|
|
|
const obj = {
|
|
|
|
|
empty_object: {},
|
|
|
|
|
empty_array: [],
|
|
|
|
|
nested: {
|
|
|
|
|
also_empty: {},
|
|
|
|
|
},
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
const result = resolveNestedObject({ obj });
|
|
|
|
|
|
|
|
|
|
expect(result).toEqual(obj);
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should handle body placeholders in nested objects', () => {
|
|
|
|
|
const body = {
|
|
|
|
|
conversationId: 'conv-123',
|
|
|
|
|
parentMessageId: 'parent-456',
|
|
|
|
|
messageId: 'msg-789',
|
|
|
|
|
};
|
|
|
|
|
const obj = {
|
|
|
|
|
metadata: {
|
|
|
|
|
conversation: '{{LIBRECHAT_BODY_CONVERSATIONID}}',
|
|
|
|
|
parent: '{{LIBRECHAT_BODY_PARENTMESSAGEID}}',
|
|
|
|
|
count: 5,
|
|
|
|
|
},
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
const result = resolveNestedObject({ obj, body });
|
|
|
|
|
|
|
|
|
|
expect(result).toEqual({
|
|
|
|
|
metadata: {
|
|
|
|
|
conversation: 'conv-123',
|
|
|
|
|
parent: 'parent-456',
|
|
|
|
|
count: 5,
|
|
|
|
|
},
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should handle custom user variables in nested objects', () => {
|
|
|
|
|
const customUserVars = {
|
|
|
|
|
CUSTOM_TOKEN: 'secret-token',
|
|
|
|
|
REGION: 'us-west-1',
|
|
|
|
|
};
|
|
|
|
|
const obj = {
|
|
|
|
|
auth: {
|
|
|
|
|
token: '{{CUSTOM_TOKEN}}',
|
|
|
|
|
region: '{{REGION}}',
|
|
|
|
|
timeout: 3000,
|
|
|
|
|
},
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
const result = resolveNestedObject({ obj, customUserVars });
|
|
|
|
|
|
|
|
|
|
expect(result).toEqual({
|
|
|
|
|
auth: {
|
|
|
|
|
token: 'secret-token',
|
|
|
|
|
region: 'us-west-1',
|
|
|
|
|
timeout: 3000,
|
|
|
|
|
},
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should handle mixed placeholders in nested objects', () => {
|
|
|
|
|
const user = { id: 'user-123', email: 'test@example.com' };
|
|
|
|
|
const customUserVars = { CUSTOM_VAR: 'custom-value' };
|
|
|
|
|
const body = { conversationId: 'conv-456' };
|
|
|
|
|
|
|
|
|
|
const obj = {
|
|
|
|
|
config: {
|
|
|
|
|
user_id: '{{LIBRECHAT_USER_ID}}',
|
|
|
|
|
custom: '{{CUSTOM_VAR}}',
|
|
|
|
|
api_key: '${TEST_API_KEY}',
|
|
|
|
|
conversation: '{{LIBRECHAT_BODY_CONVERSATIONID}}',
|
|
|
|
|
nested: {
|
|
|
|
|
email: '{{LIBRECHAT_USER_EMAIL}}',
|
|
|
|
|
port: 8080,
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
const result = resolveNestedObject({ obj, user, customUserVars, body });
|
|
|
|
|
|
|
|
|
|
expect(result).toEqual({
|
|
|
|
|
config: {
|
|
|
|
|
user_id: 'user-123',
|
|
|
|
|
custom: 'custom-value',
|
|
|
|
|
api_key: 'test-api-key-value',
|
|
|
|
|
conversation: 'conv-456',
|
|
|
|
|
nested: {
|
|
|
|
|
email: 'test@example.com',
|
|
|
|
|
port: 8080,
|
|
|
|
|
},
|
|
|
|
|
},
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should handle Bedrock additionalModelRequestFields example', () => {
|
|
|
|
|
const obj = {
|
|
|
|
|
thinking: {
|
|
|
|
|
type: 'enabled',
|
|
|
|
|
budget_tokens: 2000,
|
|
|
|
|
},
|
|
|
|
|
anthropic_beta: ['output-128k-2025-02-19'],
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
const result = resolveNestedObject({ obj });
|
|
|
|
|
|
|
|
|
|
expect(result).toEqual({
|
|
|
|
|
thinking: {
|
|
|
|
|
type: 'enabled',
|
|
|
|
|
budget_tokens: 2000,
|
|
|
|
|
},
|
|
|
|
|
anthropic_beta: ['output-128k-2025-02-19'],
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
expect(typeof result.thinking).toBe('object');
|
|
|
|
|
expect(Array.isArray(result.anthropic_beta)).toBe(true);
|
|
|
|
|
expect(result.thinking).not.toBe('[object Object]');
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should return undefined when obj is undefined', () => {
|
|
|
|
|
const result = resolveNestedObject({ obj: undefined });
|
|
|
|
|
expect(result).toBeUndefined();
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should return null when obj is null', () => {
|
|
|
|
|
const result = resolveNestedObject({ obj: null });
|
|
|
|
|
expect(result).toBeNull();
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should handle arrays of objects', () => {
|
|
|
|
|
const user = { id: 'user-123' };
|
|
|
|
|
const obj = {
|
|
|
|
|
items: [
|
|
|
|
|
{ name: 'item1', user: '{{LIBRECHAT_USER_ID}}', count: 1 },
|
|
|
|
|
{ name: 'item2', user: '{{LIBRECHAT_USER_ID}}', count: 2 },
|
|
|
|
|
],
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
const result = resolveNestedObject({ obj, user });
|
|
|
|
|
|
|
|
|
|
expect(result).toEqual({
|
|
|
|
|
items: [
|
|
|
|
|
{ name: 'item1', user: 'user-123', count: 1 },
|
|
|
|
|
{ name: 'item2', user: 'user-123', count: 2 },
|
|
|
|
|
],
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should not modify the original object', () => {
|
|
|
|
|
const user = { id: 'user-123' };
|
|
|
|
|
const originalObj = {
|
|
|
|
|
thinking: {
|
|
|
|
|
type: 'enabled',
|
|
|
|
|
budget_tokens: 2000,
|
|
|
|
|
user_id: '{{LIBRECHAT_USER_ID}}',
|
|
|
|
|
},
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
const result = resolveNestedObject({ obj: originalObj, user });
|
|
|
|
|
|
|
|
|
|
expect(result.thinking.user_id).toBe('user-123');
|
|
|
|
|
expect(originalObj.thinking.user_id).toBe('{{LIBRECHAT_USER_ID}}');
|
|
|
|
|
});
|
2025-06-23 12:39:27 -04:00
|
|
|
});
|
2025-09-08 15:38:44 -04:00
|
|
|
|
|
|
|
|
describe('processMCPEnv', () => {
|
|
|
|
|
beforeEach(() => {
|
|
|
|
|
process.env.TEST_API_KEY = 'test-api-key-value';
|
🧯 fix: Prevent Env-Variable Exfil. via Placeholder Injection (#12260)
* 🔒 fix: Resolve env vars before body placeholder expansion to prevent secret exfiltration
Body placeholders ({{LIBRECHAT_BODY_*}}) were substituted before
extractEnvVariable ran, allowing user-controlled body fields containing
${SECRET} patterns to be expanded into real environment values in
outbound headers. Reorder so env vars resolve first, preventing
untrusted input from triggering env expansion.
* 🛡️ fix: Block sensitive infrastructure env vars from placeholder resolution
Add isSensitiveEnvVar blocklist to extractEnvVariable so that internal
infrastructure secrets (JWT_SECRET, JWT_REFRESH_SECRET, CREDS_KEY,
CREDS_IV, MEILI_MASTER_KEY, MONGO_URI, REDIS_URI, REDIS_PASSWORD)
can never be resolved via ${VAR} expansion — even if an attacker
manages to inject a placeholder pattern.
Uses exact-match set (not substring patterns) to avoid breaking
legitimate operator config that references OAuth/API secrets in
MCP and custom endpoint configurations.
* 🧹 test: Rename ANOTHER_SECRET test fixture to ANOTHER_VALUE
Avoid using SECRET-containing names for non-sensitive test fixtures
to prevent confusion with the new isSensitiveEnvVar blocklist.
* 🔒 fix: Resolve env vars before all user-controlled substitutions in processSingleValue
Move extractEnvVariable to run on the raw admin-authored template
BEFORE customUserVars, user fields, OIDC tokens, and body placeholders.
Previously env resolution ran after customUserVars, so a user setting
a custom MCP variable to "${SECRET}" could still trigger env expansion.
Now env vars are resolved strictly on operator config, and all
subsequent user-controlled substitutions cannot introduce ${VAR} patterns
that would be expanded.
Gated by !dbSourced so DB-stored servers continue to skip env resolution.
Adds a security-invariant comment documenting the ordering requirement.
* 🧪 test: Comprehensive security regression tests for placeholder injection
- Cover all three body fields (conversationId, parentMessageId, messageId)
- Add user-field injection test (user.name containing ${VAR})
- Add customUserVars injection test (MY_TOKEN = "${VAR}")
- Add processMCPEnv injection tests for body and customUserVars paths
- Remove redundant process.env setup/teardown already handled by beforeEach/afterEach
* 🧹 chore: Add REDIS_PASSWORD to blocklist integration test; document customUserVars gate
2026-03-16 08:48:24 -04:00
|
|
|
process.env.ANOTHER_VALUE = 'another-test-value';
|
2025-09-08 15:38:44 -04:00
|
|
|
process.env.OAUTH_CLIENT_ID = 'oauth-client-id-value';
|
|
|
|
|
process.env.OAUTH_CLIENT_SECRET = 'oauth-client-secret-value';
|
|
|
|
|
process.env.MCP_SERVER_URL = 'https://mcp.example.com';
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
afterEach(() => {
|
|
|
|
|
delete process.env.TEST_API_KEY;
|
🧯 fix: Prevent Env-Variable Exfil. via Placeholder Injection (#12260)
* 🔒 fix: Resolve env vars before body placeholder expansion to prevent secret exfiltration
Body placeholders ({{LIBRECHAT_BODY_*}}) were substituted before
extractEnvVariable ran, allowing user-controlled body fields containing
${SECRET} patterns to be expanded into real environment values in
outbound headers. Reorder so env vars resolve first, preventing
untrusted input from triggering env expansion.
* 🛡️ fix: Block sensitive infrastructure env vars from placeholder resolution
Add isSensitiveEnvVar blocklist to extractEnvVariable so that internal
infrastructure secrets (JWT_SECRET, JWT_REFRESH_SECRET, CREDS_KEY,
CREDS_IV, MEILI_MASTER_KEY, MONGO_URI, REDIS_URI, REDIS_PASSWORD)
can never be resolved via ${VAR} expansion — even if an attacker
manages to inject a placeholder pattern.
Uses exact-match set (not substring patterns) to avoid breaking
legitimate operator config that references OAuth/API secrets in
MCP and custom endpoint configurations.
* 🧹 test: Rename ANOTHER_SECRET test fixture to ANOTHER_VALUE
Avoid using SECRET-containing names for non-sensitive test fixtures
to prevent confusion with the new isSensitiveEnvVar blocklist.
* 🔒 fix: Resolve env vars before all user-controlled substitutions in processSingleValue
Move extractEnvVariable to run on the raw admin-authored template
BEFORE customUserVars, user fields, OIDC tokens, and body placeholders.
Previously env resolution ran after customUserVars, so a user setting
a custom MCP variable to "${SECRET}" could still trigger env expansion.
Now env vars are resolved strictly on operator config, and all
subsequent user-controlled substitutions cannot introduce ${VAR} patterns
that would be expanded.
Gated by !dbSourced so DB-stored servers continue to skip env resolution.
Adds a security-invariant comment documenting the ordering requirement.
* 🧪 test: Comprehensive security regression tests for placeholder injection
- Cover all three body fields (conversationId, parentMessageId, messageId)
- Add user-field injection test (user.name containing ${VAR})
- Add customUserVars injection test (MY_TOKEN = "${VAR}")
- Add processMCPEnv injection tests for body and customUserVars paths
- Remove redundant process.env setup/teardown already handled by beforeEach/afterEach
* 🧹 chore: Add REDIS_PASSWORD to blocklist integration test; document customUserVars gate
2026-03-16 08:48:24 -04:00
|
|
|
delete process.env.ANOTHER_VALUE;
|
2025-09-08 15:38:44 -04:00
|
|
|
delete process.env.OAUTH_CLIENT_ID;
|
|
|
|
|
delete process.env.OAUTH_CLIENT_SECRET;
|
|
|
|
|
delete process.env.MCP_SERVER_URL;
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should return null/undefined as-is', () => {
|
|
|
|
|
expect(processMCPEnv({ options: null as unknown as MCPOptions })).toBeNull();
|
|
|
|
|
expect(processMCPEnv({ options: undefined as unknown as MCPOptions })).toBeUndefined();
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should process stdio type MCP options with env and args', () => {
|
|
|
|
|
const options: MCPOptions = {
|
|
|
|
|
type: 'stdio',
|
|
|
|
|
command: 'mcp-server',
|
|
|
|
|
env: {
|
|
|
|
|
API_KEY: '${TEST_API_KEY}',
|
🧯 fix: Prevent Env-Variable Exfil. via Placeholder Injection (#12260)
* 🔒 fix: Resolve env vars before body placeholder expansion to prevent secret exfiltration
Body placeholders ({{LIBRECHAT_BODY_*}}) were substituted before
extractEnvVariable ran, allowing user-controlled body fields containing
${SECRET} patterns to be expanded into real environment values in
outbound headers. Reorder so env vars resolve first, preventing
untrusted input from triggering env expansion.
* 🛡️ fix: Block sensitive infrastructure env vars from placeholder resolution
Add isSensitiveEnvVar blocklist to extractEnvVariable so that internal
infrastructure secrets (JWT_SECRET, JWT_REFRESH_SECRET, CREDS_KEY,
CREDS_IV, MEILI_MASTER_KEY, MONGO_URI, REDIS_URI, REDIS_PASSWORD)
can never be resolved via ${VAR} expansion — even if an attacker
manages to inject a placeholder pattern.
Uses exact-match set (not substring patterns) to avoid breaking
legitimate operator config that references OAuth/API secrets in
MCP and custom endpoint configurations.
* 🧹 test: Rename ANOTHER_SECRET test fixture to ANOTHER_VALUE
Avoid using SECRET-containing names for non-sensitive test fixtures
to prevent confusion with the new isSensitiveEnvVar blocklist.
* 🔒 fix: Resolve env vars before all user-controlled substitutions in processSingleValue
Move extractEnvVariable to run on the raw admin-authored template
BEFORE customUserVars, user fields, OIDC tokens, and body placeholders.
Previously env resolution ran after customUserVars, so a user setting
a custom MCP variable to "${SECRET}" could still trigger env expansion.
Now env vars are resolved strictly on operator config, and all
subsequent user-controlled substitutions cannot introduce ${VAR} patterns
that would be expanded.
Gated by !dbSourced so DB-stored servers continue to skip env resolution.
Adds a security-invariant comment documenting the ordering requirement.
* 🧪 test: Comprehensive security regression tests for placeholder injection
- Cover all three body fields (conversationId, parentMessageId, messageId)
- Add user-field injection test (user.name containing ${VAR})
- Add customUserVars injection test (MY_TOKEN = "${VAR}")
- Add processMCPEnv injection tests for body and customUserVars paths
- Remove redundant process.env setup/teardown already handled by beforeEach/afterEach
* 🧹 chore: Add REDIS_PASSWORD to blocklist integration test; document customUserVars gate
2026-03-16 08:48:24 -04:00
|
|
|
SECRET: '${ANOTHER_VALUE}',
|
2025-09-08 15:38:44 -04:00
|
|
|
PLAIN_VALUE: 'plain-text',
|
|
|
|
|
},
|
|
|
|
|
args: ['--key', '${TEST_API_KEY}', '--url', '${MCP_SERVER_URL}'],
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
const result = processMCPEnv({ options });
|
|
|
|
|
|
|
|
|
|
expect(result).toEqual({
|
|
|
|
|
type: 'stdio',
|
|
|
|
|
command: 'mcp-server',
|
|
|
|
|
env: {
|
|
|
|
|
API_KEY: 'test-api-key-value',
|
🧯 fix: Prevent Env-Variable Exfil. via Placeholder Injection (#12260)
* 🔒 fix: Resolve env vars before body placeholder expansion to prevent secret exfiltration
Body placeholders ({{LIBRECHAT_BODY_*}}) were substituted before
extractEnvVariable ran, allowing user-controlled body fields containing
${SECRET} patterns to be expanded into real environment values in
outbound headers. Reorder so env vars resolve first, preventing
untrusted input from triggering env expansion.
* 🛡️ fix: Block sensitive infrastructure env vars from placeholder resolution
Add isSensitiveEnvVar blocklist to extractEnvVariable so that internal
infrastructure secrets (JWT_SECRET, JWT_REFRESH_SECRET, CREDS_KEY,
CREDS_IV, MEILI_MASTER_KEY, MONGO_URI, REDIS_URI, REDIS_PASSWORD)
can never be resolved via ${VAR} expansion — even if an attacker
manages to inject a placeholder pattern.
Uses exact-match set (not substring patterns) to avoid breaking
legitimate operator config that references OAuth/API secrets in
MCP and custom endpoint configurations.
* 🧹 test: Rename ANOTHER_SECRET test fixture to ANOTHER_VALUE
Avoid using SECRET-containing names for non-sensitive test fixtures
to prevent confusion with the new isSensitiveEnvVar blocklist.
* 🔒 fix: Resolve env vars before all user-controlled substitutions in processSingleValue
Move extractEnvVariable to run on the raw admin-authored template
BEFORE customUserVars, user fields, OIDC tokens, and body placeholders.
Previously env resolution ran after customUserVars, so a user setting
a custom MCP variable to "${SECRET}" could still trigger env expansion.
Now env vars are resolved strictly on operator config, and all
subsequent user-controlled substitutions cannot introduce ${VAR} patterns
that would be expanded.
Gated by !dbSourced so DB-stored servers continue to skip env resolution.
Adds a security-invariant comment documenting the ordering requirement.
* 🧪 test: Comprehensive security regression tests for placeholder injection
- Cover all three body fields (conversationId, parentMessageId, messageId)
- Add user-field injection test (user.name containing ${VAR})
- Add customUserVars injection test (MY_TOKEN = "${VAR}")
- Add processMCPEnv injection tests for body and customUserVars paths
- Remove redundant process.env setup/teardown already handled by beforeEach/afterEach
* 🧹 chore: Add REDIS_PASSWORD to blocklist integration test; document customUserVars gate
2026-03-16 08:48:24 -04:00
|
|
|
SECRET: 'another-test-value',
|
2025-09-08 15:38:44 -04:00
|
|
|
PLAIN_VALUE: 'plain-text',
|
|
|
|
|
},
|
|
|
|
|
args: ['--key', 'test-api-key-value', '--url', 'https://mcp.example.com'],
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should process WebSocket type MCP options with url', () => {
|
|
|
|
|
const options: MCPOptions = {
|
|
|
|
|
type: 'websocket',
|
|
|
|
|
url: '${MCP_SERVER_URL}/ws',
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
const result = processMCPEnv({ options });
|
|
|
|
|
|
|
|
|
|
expect(result).toEqual({
|
|
|
|
|
type: 'websocket',
|
|
|
|
|
url: 'https://mcp.example.com/ws',
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should process OAuth configuration with environment variables', () => {
|
|
|
|
|
const options: MCPOptions = {
|
|
|
|
|
type: 'streamable-http',
|
|
|
|
|
url: '${MCP_SERVER_URL}/api',
|
|
|
|
|
headers: {
|
|
|
|
|
'Content-Type': 'application/json',
|
|
|
|
|
},
|
|
|
|
|
oauth: {
|
|
|
|
|
authorization_url: 'https://auth.example.com/authorize',
|
|
|
|
|
token_url: 'https://auth.example.com/token',
|
|
|
|
|
client_id: '${OAUTH_CLIENT_ID}',
|
|
|
|
|
client_secret: '${OAUTH_CLIENT_SECRET}',
|
|
|
|
|
scope: 'read:data write:data',
|
|
|
|
|
redirect_uri: 'http://localhost:3000/callback',
|
|
|
|
|
token_exchange_method: TokenExchangeMethodEnum.DefaultPost,
|
|
|
|
|
},
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
const result = processMCPEnv({ options });
|
|
|
|
|
|
|
|
|
|
expect(result).toEqual({
|
|
|
|
|
type: 'streamable-http',
|
|
|
|
|
url: 'https://mcp.example.com/api',
|
|
|
|
|
headers: {
|
|
|
|
|
'Content-Type': 'application/json',
|
|
|
|
|
},
|
|
|
|
|
oauth: {
|
|
|
|
|
authorization_url: 'https://auth.example.com/authorize',
|
|
|
|
|
token_url: 'https://auth.example.com/token',
|
|
|
|
|
client_id: 'oauth-client-id-value',
|
|
|
|
|
client_secret: 'oauth-client-secret-value',
|
|
|
|
|
scope: 'read:data write:data',
|
|
|
|
|
redirect_uri: 'http://localhost:3000/callback',
|
|
|
|
|
token_exchange_method: TokenExchangeMethodEnum.DefaultPost,
|
|
|
|
|
},
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should process user field placeholders in all fields', () => {
|
|
|
|
|
const user = createTestUser({
|
|
|
|
|
id: 'user-123',
|
|
|
|
|
email: 'test@example.com',
|
|
|
|
|
username: 'testuser',
|
|
|
|
|
role: 'admin',
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
const options: MCPOptions = {
|
|
|
|
|
type: 'stdio',
|
|
|
|
|
command: 'mcp-server',
|
|
|
|
|
env: {
|
|
|
|
|
USER_ID: '{{LIBRECHAT_USER_ID}}',
|
|
|
|
|
USER_EMAIL: '{{LIBRECHAT_USER_EMAIL}}',
|
|
|
|
|
USER_ROLE: '{{LIBRECHAT_USER_ROLE}}',
|
|
|
|
|
},
|
|
|
|
|
args: ['--user', '{{LIBRECHAT_USER_USERNAME}}', '--id', '{{LIBRECHAT_USER_ID}}'],
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
const result = processMCPEnv({ options, user });
|
|
|
|
|
|
|
|
|
|
expect(result).toEqual({
|
|
|
|
|
type: 'stdio',
|
|
|
|
|
command: 'mcp-server',
|
|
|
|
|
env: {
|
|
|
|
|
USER_ID: 'user-123',
|
|
|
|
|
USER_EMAIL: 'test@example.com',
|
|
|
|
|
USER_ROLE: 'admin',
|
|
|
|
|
},
|
|
|
|
|
args: ['--user', 'testuser', '--id', 'user-123'],
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should process custom user variables', () => {
|
|
|
|
|
const customUserVars = {
|
|
|
|
|
CUSTOM_TOKEN: 'user-specific-token',
|
|
|
|
|
REGION: 'us-west-1',
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
const options: MCPOptions = {
|
|
|
|
|
type: 'sse',
|
|
|
|
|
url: 'https://sse.example.com/{{REGION}}',
|
|
|
|
|
headers: {
|
|
|
|
|
Authorization: 'Bearer {{CUSTOM_TOKEN}}',
|
|
|
|
|
'X-Region': '{{REGION}}',
|
|
|
|
|
},
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
const result = processMCPEnv({ options, customUserVars });
|
|
|
|
|
|
|
|
|
|
expect(result).toEqual({
|
|
|
|
|
type: 'sse',
|
|
|
|
|
url: 'https://sse.example.com/us-west-1',
|
|
|
|
|
headers: {
|
|
|
|
|
Authorization: 'Bearer user-specific-token',
|
|
|
|
|
'X-Region': 'us-west-1',
|
|
|
|
|
},
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should process body placeholders in all fields', () => {
|
|
|
|
|
const body = {
|
|
|
|
|
conversationId: 'conv-123',
|
|
|
|
|
parentMessageId: 'parent-456',
|
|
|
|
|
messageId: 'msg-789',
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
const options: MCPOptions = {
|
|
|
|
|
type: 'streamable-http',
|
|
|
|
|
url: 'https://api.example.com/conversations/{{LIBRECHAT_BODY_CONVERSATIONID}}',
|
|
|
|
|
headers: {
|
|
|
|
|
'X-Parent-Message': '{{LIBRECHAT_BODY_PARENTMESSAGEID}}',
|
|
|
|
|
'X-Message-Id': '{{LIBRECHAT_BODY_MESSAGEID}}',
|
|
|
|
|
},
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
const result = processMCPEnv({ options, body });
|
|
|
|
|
|
|
|
|
|
expect(result).toEqual({
|
|
|
|
|
type: 'streamable-http',
|
|
|
|
|
url: 'https://api.example.com/conversations/conv-123',
|
|
|
|
|
headers: {
|
|
|
|
|
'X-Parent-Message': 'parent-456',
|
|
|
|
|
'X-Message-Id': 'msg-789',
|
|
|
|
|
},
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
|
🧯 fix: Prevent Env-Variable Exfil. via Placeholder Injection (#12260)
* 🔒 fix: Resolve env vars before body placeholder expansion to prevent secret exfiltration
Body placeholders ({{LIBRECHAT_BODY_*}}) were substituted before
extractEnvVariable ran, allowing user-controlled body fields containing
${SECRET} patterns to be expanded into real environment values in
outbound headers. Reorder so env vars resolve first, preventing
untrusted input from triggering env expansion.
* 🛡️ fix: Block sensitive infrastructure env vars from placeholder resolution
Add isSensitiveEnvVar blocklist to extractEnvVariable so that internal
infrastructure secrets (JWT_SECRET, JWT_REFRESH_SECRET, CREDS_KEY,
CREDS_IV, MEILI_MASTER_KEY, MONGO_URI, REDIS_URI, REDIS_PASSWORD)
can never be resolved via ${VAR} expansion — even if an attacker
manages to inject a placeholder pattern.
Uses exact-match set (not substring patterns) to avoid breaking
legitimate operator config that references OAuth/API secrets in
MCP and custom endpoint configurations.
* 🧹 test: Rename ANOTHER_SECRET test fixture to ANOTHER_VALUE
Avoid using SECRET-containing names for non-sensitive test fixtures
to prevent confusion with the new isSensitiveEnvVar blocklist.
* 🔒 fix: Resolve env vars before all user-controlled substitutions in processSingleValue
Move extractEnvVariable to run on the raw admin-authored template
BEFORE customUserVars, user fields, OIDC tokens, and body placeholders.
Previously env resolution ran after customUserVars, so a user setting
a custom MCP variable to "${SECRET}" could still trigger env expansion.
Now env vars are resolved strictly on operator config, and all
subsequent user-controlled substitutions cannot introduce ${VAR} patterns
that would be expanded.
Gated by !dbSourced so DB-stored servers continue to skip env resolution.
Adds a security-invariant comment documenting the ordering requirement.
* 🧪 test: Comprehensive security regression tests for placeholder injection
- Cover all three body fields (conversationId, parentMessageId, messageId)
- Add user-field injection test (user.name containing ${VAR})
- Add customUserVars injection test (MY_TOKEN = "${VAR}")
- Add processMCPEnv injection tests for body and customUserVars paths
- Remove redundant process.env setup/teardown already handled by beforeEach/afterEach
* 🧹 chore: Add REDIS_PASSWORD to blocklist integration test; document customUserVars gate
2026-03-16 08:48:24 -04:00
|
|
|
it('should not resolve env vars introduced via body placeholders in MCP headers', () => {
|
|
|
|
|
const body = {
|
|
|
|
|
conversationId: '${TEST_API_KEY}',
|
|
|
|
|
parentMessageId: '${TEST_API_KEY}',
|
|
|
|
|
messageId: '${TEST_API_KEY}',
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
const options: MCPOptions = {
|
|
|
|
|
type: 'streamable-http',
|
|
|
|
|
url: 'https://api.example.com',
|
|
|
|
|
headers: {
|
|
|
|
|
'X-Conv': '{{LIBRECHAT_BODY_CONVERSATIONID}}',
|
|
|
|
|
'X-Parent': '{{LIBRECHAT_BODY_PARENTMESSAGEID}}',
|
|
|
|
|
},
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
const result = processMCPEnv({ options, body });
|
|
|
|
|
|
|
|
|
|
if (!isStreamableHTTPOptions(result)) {
|
|
|
|
|
throw new Error('Expected streamable-http options');
|
|
|
|
|
}
|
|
|
|
|
expect(result.headers?.['X-Conv']).toBe('${TEST_API_KEY}');
|
|
|
|
|
expect(result.headers?.['X-Parent']).toBe('${TEST_API_KEY}');
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should not resolve env vars introduced via customUserVars in MCP headers', () => {
|
|
|
|
|
const customUserVars = { MY_TOKEN: '${TEST_API_KEY}' };
|
|
|
|
|
const options: MCPOptions = {
|
|
|
|
|
type: 'streamable-http',
|
|
|
|
|
url: 'https://api.example.com',
|
|
|
|
|
headers: {
|
|
|
|
|
Authorization: 'Bearer {{MY_TOKEN}}',
|
|
|
|
|
},
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
const result = processMCPEnv({ options, customUserVars });
|
|
|
|
|
|
|
|
|
|
if (!isStreamableHTTPOptions(result)) {
|
|
|
|
|
throw new Error('Expected streamable-http options');
|
|
|
|
|
}
|
|
|
|
|
expect(result.headers?.Authorization).toBe('Bearer ${TEST_API_KEY}');
|
|
|
|
|
});
|
|
|
|
|
|
2025-09-08 15:38:44 -04:00
|
|
|
it('should handle mixed placeholders in OAuth configuration', () => {
|
|
|
|
|
const user = createTestUser({
|
|
|
|
|
id: 'user-123',
|
|
|
|
|
email: 'test@example.com',
|
|
|
|
|
});
|
|
|
|
|
const customUserVars = {
|
|
|
|
|
TENANT_ID: 'tenant-456',
|
|
|
|
|
};
|
|
|
|
|
const body = {
|
|
|
|
|
conversationId: 'conv-789',
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
const options: MCPOptions = {
|
|
|
|
|
type: 'streamable-http',
|
|
|
|
|
url: '${MCP_SERVER_URL}',
|
|
|
|
|
oauth: {
|
|
|
|
|
authorization_url: 'https://auth.example.com/{{TENANT_ID}}/authorize',
|
|
|
|
|
token_url: 'https://auth.example.com/{{TENANT_ID}}/token',
|
|
|
|
|
client_id: '${OAUTH_CLIENT_ID}',
|
|
|
|
|
client_secret: '${OAUTH_CLIENT_SECRET}',
|
|
|
|
|
scope: 'user:{{LIBRECHAT_USER_ID}} conversation:{{LIBRECHAT_BODY_CONVERSATIONID}}',
|
|
|
|
|
redirect_uri: 'http://localhost:3000/user/{{LIBRECHAT_USER_EMAIL}}/callback',
|
|
|
|
|
},
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
const result = processMCPEnv({ options, user, customUserVars, body });
|
|
|
|
|
|
|
|
|
|
expect(result).toEqual({
|
|
|
|
|
type: 'streamable-http',
|
|
|
|
|
url: 'https://mcp.example.com',
|
|
|
|
|
oauth: {
|
|
|
|
|
authorization_url: 'https://auth.example.com/tenant-456/authorize',
|
|
|
|
|
token_url: 'https://auth.example.com/tenant-456/token',
|
|
|
|
|
client_id: 'oauth-client-id-value',
|
|
|
|
|
client_secret: 'oauth-client-secret-value',
|
|
|
|
|
scope: 'user:user-123 conversation:conv-789',
|
|
|
|
|
redirect_uri: 'http://localhost:3000/user/test@example.com/callback',
|
|
|
|
|
},
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should not modify non-string OAuth values', () => {
|
|
|
|
|
const options: MCPOptions = {
|
|
|
|
|
type: 'streamable-http',
|
|
|
|
|
url: 'https://api.example.com',
|
|
|
|
|
oauth: {
|
|
|
|
|
client_id: '${OAUTH_CLIENT_ID}',
|
|
|
|
|
token_exchange_method: TokenExchangeMethodEnum.DefaultPost,
|
|
|
|
|
scope: 'read:data write:data',
|
|
|
|
|
grant_types_supported: ['authorization_code', 'refresh_token'],
|
|
|
|
|
token_endpoint_auth_methods_supported: ['client_secret_basic'],
|
|
|
|
|
},
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
const result = processMCPEnv({ options });
|
|
|
|
|
|
|
|
|
|
if (isStreamableHTTPOptions(result) && result.oauth) {
|
|
|
|
|
expect(result.oauth).toEqual({
|
|
|
|
|
client_id: 'oauth-client-id-value',
|
|
|
|
|
token_exchange_method: TokenExchangeMethodEnum.DefaultPost,
|
|
|
|
|
scope: 'read:data write:data',
|
|
|
|
|
grant_types_supported: ['authorization_code', 'refresh_token'],
|
|
|
|
|
token_endpoint_auth_methods_supported: ['client_secret_basic'],
|
|
|
|
|
});
|
|
|
|
|
} else {
|
|
|
|
|
throw new Error('Expected streamable-http options with oauth');
|
|
|
|
|
}
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should handle missing OAuth values gracefully', () => {
|
|
|
|
|
const options: MCPOptions = {
|
|
|
|
|
type: 'streamable-http',
|
|
|
|
|
url: 'https://api.example.com',
|
|
|
|
|
oauth: {
|
|
|
|
|
client_id: '${OAUTH_CLIENT_ID}',
|
|
|
|
|
client_secret: undefined,
|
|
|
|
|
scope: null as unknown as string,
|
|
|
|
|
},
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
const result = processMCPEnv({ options });
|
|
|
|
|
|
|
|
|
|
expect(result.oauth).toEqual({
|
|
|
|
|
client_id: 'oauth-client-id-value',
|
|
|
|
|
client_secret: undefined,
|
|
|
|
|
scope: null,
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should not modify the original options object', () => {
|
|
|
|
|
const originalOptions: MCPOptions = {
|
|
|
|
|
type: 'stdio',
|
|
|
|
|
command: 'mcp-server',
|
|
|
|
|
env: {
|
|
|
|
|
API_KEY: '${TEST_API_KEY}',
|
|
|
|
|
},
|
|
|
|
|
args: ['--key', '${TEST_API_KEY}'],
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
const result = processMCPEnv({ options: originalOptions });
|
|
|
|
|
|
|
|
|
|
if (isStdioOptions(result)) {
|
|
|
|
|
expect(result.env?.API_KEY).toBe('test-api-key-value');
|
|
|
|
|
expect(result.args[1]).toBe('test-api-key-value');
|
|
|
|
|
} else {
|
|
|
|
|
throw new Error('Expected stdio options');
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (isStdioOptions(originalOptions)) {
|
|
|
|
|
expect(originalOptions.env?.API_KEY).toBe('${TEST_API_KEY}');
|
|
|
|
|
expect(originalOptions.args[1]).toBe('${TEST_API_KEY}');
|
|
|
|
|
}
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should handle all placeholder types in a single value', () => {
|
|
|
|
|
const user = createTestUser({ id: 'user-123' });
|
|
|
|
|
const customUserVars = { CUSTOM_VAR: 'custom-value' };
|
|
|
|
|
const body = { conversationId: 'conv-456' };
|
|
|
|
|
|
|
|
|
|
const options: MCPOptions = {
|
|
|
|
|
type: 'stdio',
|
|
|
|
|
command: 'mcp-server',
|
|
|
|
|
args: [],
|
|
|
|
|
env: {
|
|
|
|
|
COMPLEX_VALUE:
|
|
|
|
|
'User: {{LIBRECHAT_USER_ID}}, Custom: {{CUSTOM_VAR}}, Body: {{LIBRECHAT_BODY_CONVERSATIONID}}, Env: ${TEST_API_KEY}',
|
|
|
|
|
},
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
const result = processMCPEnv({ options, user, customUserVars, body });
|
|
|
|
|
|
|
|
|
|
if (isStdioOptions(result)) {
|
|
|
|
|
expect(result.env?.COMPLEX_VALUE).toBe(
|
|
|
|
|
'User: user-123, Custom: custom-value, Body: conv-456, Env: test-api-key-value',
|
|
|
|
|
);
|
|
|
|
|
} else {
|
|
|
|
|
throw new Error('Expected stdio options');
|
|
|
|
|
}
|
|
|
|
|
});
|
2025-11-21 16:42:28 -05:00
|
|
|
|
|
|
|
|
describe('non-string values (type guard tests)', () => {
|
|
|
|
|
it('should handle numeric values in env without crashing', () => {
|
|
|
|
|
const options: MCPOptions = {
|
|
|
|
|
type: 'stdio',
|
|
|
|
|
command: 'mcp-server',
|
|
|
|
|
args: [],
|
|
|
|
|
env: {
|
|
|
|
|
PORT: 8080 as unknown as string,
|
|
|
|
|
TIMEOUT: 30000 as unknown as string,
|
|
|
|
|
API_KEY: '${TEST_API_KEY}',
|
|
|
|
|
},
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
const result = processMCPEnv({ options });
|
|
|
|
|
|
|
|
|
|
if (isStdioOptions(result)) {
|
|
|
|
|
expect(result.env?.PORT).toBe('8080');
|
|
|
|
|
expect(result.env?.TIMEOUT).toBe('30000');
|
|
|
|
|
expect(result.env?.API_KEY).toBe('test-api-key-value');
|
|
|
|
|
}
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should handle boolean values in env without crashing', () => {
|
|
|
|
|
const options: MCPOptions = {
|
|
|
|
|
type: 'stdio',
|
|
|
|
|
command: 'mcp-server',
|
|
|
|
|
args: [],
|
|
|
|
|
env: {
|
|
|
|
|
DEBUG: true as unknown as string,
|
|
|
|
|
PRODUCTION: false as unknown as string,
|
|
|
|
|
API_KEY: '${TEST_API_KEY}',
|
|
|
|
|
},
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
const result = processMCPEnv({ options });
|
|
|
|
|
|
|
|
|
|
if (isStdioOptions(result)) {
|
|
|
|
|
expect(result.env?.DEBUG).toBe('true');
|
|
|
|
|
expect(result.env?.PRODUCTION).toBe('false');
|
|
|
|
|
expect(result.env?.API_KEY).toBe('test-api-key-value');
|
|
|
|
|
}
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should handle numeric values in args without crashing', () => {
|
|
|
|
|
const options: MCPOptions = {
|
|
|
|
|
type: 'stdio',
|
|
|
|
|
command: 'mcp-server',
|
|
|
|
|
args: ['--port', 8080 as unknown as string, '--timeout', 30000 as unknown as string],
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
const result = processMCPEnv({ options });
|
|
|
|
|
|
|
|
|
|
if (isStdioOptions(result)) {
|
|
|
|
|
expect(result.args).toEqual(['--port', '8080', '--timeout', '30000']);
|
|
|
|
|
}
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should handle null and undefined values in env', () => {
|
|
|
|
|
const options: MCPOptions = {
|
|
|
|
|
type: 'stdio',
|
|
|
|
|
command: 'mcp-server',
|
|
|
|
|
args: [],
|
|
|
|
|
env: {
|
|
|
|
|
NULL_VALUE: null as unknown as string,
|
|
|
|
|
UNDEFINED_VALUE: undefined as unknown as string,
|
|
|
|
|
NORMAL_VALUE: 'normal',
|
|
|
|
|
},
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
const result = processMCPEnv({ options });
|
|
|
|
|
|
|
|
|
|
if (isStdioOptions(result)) {
|
|
|
|
|
expect(result.env?.NULL_VALUE).toBe('null');
|
|
|
|
|
expect(result.env?.UNDEFINED_VALUE).toBe('undefined');
|
|
|
|
|
expect(result.env?.NORMAL_VALUE).toBe('normal');
|
|
|
|
|
}
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should handle numeric values in headers without crashing', () => {
|
|
|
|
|
const options: MCPOptions = {
|
|
|
|
|
type: 'streamable-http',
|
|
|
|
|
url: 'https://api.example.com',
|
|
|
|
|
headers: {
|
|
|
|
|
'X-Timeout': 5000 as unknown as string,
|
|
|
|
|
'X-Retry-Count': 3 as unknown as string,
|
|
|
|
|
'Content-Type': 'application/json',
|
|
|
|
|
},
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
const result = processMCPEnv({ options });
|
|
|
|
|
|
|
|
|
|
if (isStreamableHTTPOptions(result)) {
|
|
|
|
|
expect(result.headers?.['X-Timeout']).toBe('5000');
|
|
|
|
|
expect(result.headers?.['X-Retry-Count']).toBe('3');
|
|
|
|
|
expect(result.headers?.['Content-Type']).toBe('application/json');
|
|
|
|
|
}
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should handle numeric URL values', () => {
|
|
|
|
|
const options: MCPOptions = {
|
|
|
|
|
type: 'websocket',
|
|
|
|
|
url: 12345 as unknown as string,
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
const result = processMCPEnv({ options });
|
|
|
|
|
|
|
|
|
|
expect((result as unknown as { url?: string }).url).toBe('12345');
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should handle mixed numeric and placeholder values', () => {
|
|
|
|
|
const user = createTestUser({ id: 'user-123' });
|
|
|
|
|
const options: MCPOptions = {
|
|
|
|
|
type: 'stdio',
|
|
|
|
|
command: 'mcp-server',
|
|
|
|
|
args: [],
|
|
|
|
|
env: {
|
|
|
|
|
PORT: 8080 as unknown as string,
|
|
|
|
|
USER_ID: '{{LIBRECHAT_USER_ID}}',
|
|
|
|
|
API_KEY: '${TEST_API_KEY}',
|
|
|
|
|
},
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
const result = processMCPEnv({ options, user });
|
|
|
|
|
|
|
|
|
|
if (isStdioOptions(result)) {
|
|
|
|
|
expect(result.env?.PORT).toBe('8080');
|
|
|
|
|
expect(result.env?.USER_ID).toBe('user-123');
|
|
|
|
|
expect(result.env?.API_KEY).toBe('test-api-key-value');
|
|
|
|
|
}
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should handle objects and arrays in env values', () => {
|
|
|
|
|
const options: MCPOptions = {
|
|
|
|
|
type: 'stdio',
|
|
|
|
|
command: 'mcp-server',
|
|
|
|
|
args: [],
|
|
|
|
|
env: {
|
|
|
|
|
OBJECT_VALUE: { nested: 'value' } as unknown as string,
|
|
|
|
|
ARRAY_VALUE: ['item1', 'item2'] as unknown as string,
|
|
|
|
|
STRING_VALUE: 'normal',
|
|
|
|
|
},
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
const result = processMCPEnv({ options });
|
|
|
|
|
|
|
|
|
|
if (isStdioOptions(result)) {
|
|
|
|
|
expect(result.env?.OBJECT_VALUE).toBe('[object Object]');
|
|
|
|
|
expect(result.env?.ARRAY_VALUE).toBe('item1,item2');
|
|
|
|
|
expect(result.env?.STRING_VALUE).toBe('normal');
|
|
|
|
|
}
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should not crash with numeric body field values', () => {
|
|
|
|
|
const body = {
|
|
|
|
|
conversationId: 12345 as unknown as string,
|
|
|
|
|
parentMessageId: 'parent-456',
|
|
|
|
|
messageId: 'msg-789',
|
|
|
|
|
};
|
|
|
|
|
const options: MCPOptions = {
|
|
|
|
|
type: 'stdio',
|
|
|
|
|
command: 'mcp-server',
|
|
|
|
|
args: [],
|
|
|
|
|
env: {
|
|
|
|
|
CONV_ID: '{{LIBRECHAT_BODY_CONVERSATIONID}}',
|
|
|
|
|
PORT: 8080 as unknown as string,
|
|
|
|
|
},
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
expect(() => processMCPEnv({ options, body })).not.toThrow();
|
|
|
|
|
const result = processMCPEnv({ options, body });
|
|
|
|
|
|
|
|
|
|
if (isStdioOptions(result)) {
|
|
|
|
|
expect(result.env?.PORT).toBe('8080');
|
|
|
|
|
}
|
|
|
|
|
});
|
|
|
|
|
});
|
2025-12-12 19:51:49 +01:00
|
|
|
|
|
|
|
|
describe('admin-provided API key header injection', () => {
|
|
|
|
|
it('should apply admin-provided bearer API key to Authorization header', () => {
|
|
|
|
|
const options: MCPOptions = {
|
|
|
|
|
type: 'streamable-http',
|
|
|
|
|
url: 'https://api.example.com',
|
|
|
|
|
apiKey: {
|
|
|
|
|
source: 'admin',
|
|
|
|
|
authorization_type: 'bearer',
|
|
|
|
|
key: 'my-secret-api-key',
|
|
|
|
|
},
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
const result = processMCPEnv({ options });
|
|
|
|
|
|
|
|
|
|
if (isStreamableHTTPOptions(result)) {
|
|
|
|
|
expect(result.headers?.Authorization).toBe('Bearer my-secret-api-key');
|
|
|
|
|
} else {
|
|
|
|
|
throw new Error('Expected streamable-http options');
|
|
|
|
|
}
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should apply admin-provided basic API key to Authorization header', () => {
|
|
|
|
|
const options: MCPOptions = {
|
|
|
|
|
type: 'streamable-http',
|
|
|
|
|
url: 'https://api.example.com',
|
|
|
|
|
apiKey: {
|
|
|
|
|
source: 'admin',
|
|
|
|
|
authorization_type: 'basic',
|
|
|
|
|
key: 'base64encodedcreds',
|
|
|
|
|
},
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
const result = processMCPEnv({ options });
|
|
|
|
|
|
|
|
|
|
if (isStreamableHTTPOptions(result)) {
|
|
|
|
|
expect(result.headers?.Authorization).toBe('Basic base64encodedcreds');
|
|
|
|
|
} else {
|
|
|
|
|
throw new Error('Expected streamable-http options');
|
|
|
|
|
}
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should apply admin-provided custom API key to custom header', () => {
|
|
|
|
|
const options: MCPOptions = {
|
|
|
|
|
type: 'streamable-http',
|
|
|
|
|
url: 'https://api.example.com',
|
|
|
|
|
apiKey: {
|
|
|
|
|
source: 'admin',
|
|
|
|
|
authorization_type: 'custom',
|
|
|
|
|
custom_header: 'X-Api-Key',
|
|
|
|
|
key: 'my-custom-api-key',
|
|
|
|
|
},
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
const result = processMCPEnv({ options });
|
|
|
|
|
|
|
|
|
|
if (isStreamableHTTPOptions(result)) {
|
|
|
|
|
expect(result.headers?.['X-Api-Key']).toBe('my-custom-api-key');
|
|
|
|
|
expect(result.headers?.Authorization).toBeUndefined();
|
|
|
|
|
} else {
|
|
|
|
|
throw new Error('Expected streamable-http options');
|
|
|
|
|
}
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should use default X-Api-Key header when custom_header is not provided', () => {
|
|
|
|
|
const options: MCPOptions = {
|
|
|
|
|
type: 'streamable-http',
|
|
|
|
|
url: 'https://api.example.com',
|
|
|
|
|
apiKey: {
|
|
|
|
|
source: 'admin',
|
|
|
|
|
authorization_type: 'custom',
|
|
|
|
|
key: 'my-api-key',
|
|
|
|
|
},
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
const result = processMCPEnv({ options });
|
|
|
|
|
|
|
|
|
|
if (isStreamableHTTPOptions(result)) {
|
|
|
|
|
expect(result.headers?.['X-Api-Key']).toBe('my-api-key');
|
|
|
|
|
} else {
|
|
|
|
|
throw new Error('Expected streamable-http options');
|
|
|
|
|
}
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should not apply user-provided API key (handled via placeholders)', () => {
|
|
|
|
|
const options: MCPOptions = {
|
|
|
|
|
type: 'streamable-http',
|
|
|
|
|
url: 'https://api.example.com',
|
|
|
|
|
apiKey: {
|
|
|
|
|
source: 'user',
|
|
|
|
|
authorization_type: 'bearer',
|
|
|
|
|
},
|
|
|
|
|
headers: {
|
|
|
|
|
Authorization: 'Bearer {{MCP_API_KEY}}',
|
|
|
|
|
},
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
const result = processMCPEnv({ options });
|
|
|
|
|
|
|
|
|
|
if (isStreamableHTTPOptions(result)) {
|
|
|
|
|
// User-provided key should NOT be injected - placeholder remains
|
|
|
|
|
expect(result.headers?.Authorization).toBe('Bearer {{MCP_API_KEY}}');
|
|
|
|
|
} else {
|
|
|
|
|
throw new Error('Expected streamable-http options');
|
|
|
|
|
}
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should merge admin API key header with existing headers', () => {
|
|
|
|
|
const options: MCPOptions = {
|
|
|
|
|
type: 'streamable-http',
|
|
|
|
|
url: 'https://api.example.com',
|
|
|
|
|
headers: {
|
|
|
|
|
'Content-Type': 'application/json',
|
|
|
|
|
'X-Custom-Header': 'custom-value',
|
|
|
|
|
},
|
|
|
|
|
apiKey: {
|
|
|
|
|
source: 'admin',
|
|
|
|
|
authorization_type: 'bearer',
|
|
|
|
|
key: 'my-api-key',
|
|
|
|
|
},
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
const result = processMCPEnv({ options });
|
|
|
|
|
|
|
|
|
|
if (isStreamableHTTPOptions(result)) {
|
|
|
|
|
expect(result.headers?.['Content-Type']).toBe('application/json');
|
|
|
|
|
expect(result.headers?.['X-Custom-Header']).toBe('custom-value');
|
|
|
|
|
expect(result.headers?.Authorization).toBe('Bearer my-api-key');
|
|
|
|
|
} else {
|
|
|
|
|
throw new Error('Expected streamable-http options');
|
|
|
|
|
}
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should not inject header when apiKey.key is missing', () => {
|
|
|
|
|
const options: MCPOptions = {
|
|
|
|
|
type: 'streamable-http',
|
|
|
|
|
url: 'https://api.example.com',
|
|
|
|
|
apiKey: {
|
|
|
|
|
source: 'admin',
|
|
|
|
|
authorization_type: 'bearer',
|
|
|
|
|
// key is missing
|
|
|
|
|
},
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
const result = processMCPEnv({ options });
|
|
|
|
|
|
|
|
|
|
if (isStreamableHTTPOptions(result)) {
|
|
|
|
|
expect(result.headers?.Authorization).toBeUndefined();
|
|
|
|
|
} else {
|
|
|
|
|
throw new Error('Expected streamable-http options');
|
|
|
|
|
}
|
|
|
|
|
});
|
|
|
|
|
});
|
🗝️ feat: Credential Variables for DB-Sourced MCP Servers (#12044)
* feat: Allow Credential Variables in Headers for DB-sourced MCP Servers
- Removed the hasCustomUserVars check from ToolService.js, directly retrieving userMCPAuthMap.
- Updated MCPConnectionFactory and related classes to include a dbSourced flag for better handling of database-sourced configurations.
- Added integration tests to ensure proper behavior of dbSourced servers, verifying that sensitive placeholders are not resolved while allowing customUserVars.
- Adjusted various MCP-related files to accommodate the new dbSourced logic, ensuring consistent handling across the codebase.
* chore: MCPConnectionFactory Tests with Additional Flow Metadata for typing
- Updated MCPConnectionFactory tests to include new fields in flowMetadata: serverUrl and state.
- Enhanced mockFlowData in multiple test cases to reflect the updated structure, ensuring comprehensive coverage of the OAuth flow scenarios.
- Added authorization_endpoint to metadata in the test setup for improved validation of the OAuth process.
* refactor: Simplify MCPManager Configuration Handling
- Removed unnecessary type assertions and streamlined the retrieval of server configuration in MCPManager.
- Enhanced the handling of OAuth and database-sourced flags for improved clarity and efficiency.
- Updated tests to reflect changes in user object structure and ensure proper processing of MCP environment variables.
* refactor: Optimize User MCP Auth Map Retrieval in ToolService
- Introduced conditional loading of userMCPAuthMap based on the presence of MCP-delimited tools, improving efficiency by avoiding unnecessary calls.
- Updated the loadToolDefinitionsWrapper and loadAgentTools functions to reflect this change, enhancing overall performance and clarity.
* test: Add userMCPAuthMap gating tests in ToolService
- Introduced new tests to validate the logic for determining if MCP tools are present in the agent's tool list.
- Implemented various scenarios to ensure accurate detection of MCP tools, including edge cases for empty, undefined, and null tool lists.
- Enhanced clarity and coverage of the ToolService capability checking logic.
* refactor: Enhance MCP Environment Variable Processing
- Simplified the handling of the dbSourced parameter in the processMCPEnv function.
- Introduced a failsafe mechanism to derive dbSourced from options if not explicitly provided, improving robustness and clarity in MCP environment variable processing.
* refactor: Update Regex Patterns for Credential Placeholders in ServerConfigsDB
- Modified regex patterns to include additional credential/env placeholders that should not be allowed in user-provided configurations.
- Clarified comments to emphasize the security risks associated with credential exfiltration when MCP servers are shared between users.
* chore: field order
* refactor: Clean Up dbSourced Parameter Handling in processMCPEnv
- Reintroduced the failsafe mechanism for deriving the dbSourced parameter from options, ensuring clarity and robustness in MCP environment variable processing.
- Enhanced code readability by maintaining consistent comment structure.
* refactor: Update MCPOptions Type to Include Optional dbId
- Modified the processMCPEnv function to extend the MCPOptions type, allowing for an optional dbId property.
- Simplified the logic for deriving the dbSourced parameter by directly checking the dbId property, enhancing code clarity and maintainability.
2026-03-03 18:02:37 -05:00
|
|
|
|
|
|
|
|
describe('dbSourced flag', () => {
|
|
|
|
|
beforeEach(() => {
|
|
|
|
|
process.env.TEST_API_KEY = 'test-api-key-value';
|
|
|
|
|
process.env.DATABASE_URL = 'mongodb://secret-host:27017/db';
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
afterEach(() => {
|
|
|
|
|
delete process.env.TEST_API_KEY;
|
|
|
|
|
delete process.env.DATABASE_URL;
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should resolve customUserVars when dbSourced is true', () => {
|
|
|
|
|
const options: MCPOptions = {
|
|
|
|
|
type: 'streamable-http',
|
|
|
|
|
url: 'https://api.example.com',
|
|
|
|
|
headers: {
|
|
|
|
|
Authorization: 'Bearer {{MCP_API_KEY}}',
|
|
|
|
|
},
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
const result = processMCPEnv({
|
|
|
|
|
options,
|
|
|
|
|
dbSourced: true,
|
|
|
|
|
customUserVars: { MCP_API_KEY: 'user-secret-key' },
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
if (isStreamableHTTPOptions(result)) {
|
|
|
|
|
expect(result.headers?.Authorization).toBe('Bearer user-secret-key');
|
|
|
|
|
} else {
|
|
|
|
|
throw new Error('Expected streamable-http options');
|
|
|
|
|
}
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should NOT resolve ${ENV_VAR} when dbSourced is true', () => {
|
|
|
|
|
const options: MCPOptions = {
|
|
|
|
|
type: 'streamable-http',
|
|
|
|
|
url: 'https://api.example.com',
|
|
|
|
|
headers: {
|
|
|
|
|
'X-Leaked': '${DATABASE_URL}',
|
|
|
|
|
'X-Key': '${TEST_API_KEY}',
|
|
|
|
|
},
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
const result = processMCPEnv({ options, dbSourced: true });
|
|
|
|
|
|
|
|
|
|
if (isStreamableHTTPOptions(result)) {
|
|
|
|
|
expect(result.headers?.['X-Leaked']).toBe('${DATABASE_URL}');
|
|
|
|
|
expect(result.headers?.['X-Key']).toBe('${TEST_API_KEY}');
|
|
|
|
|
} else {
|
|
|
|
|
throw new Error('Expected streamable-http options');
|
|
|
|
|
}
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should NOT resolve {{LIBRECHAT_USER_*}} when dbSourced is true', () => {
|
|
|
|
|
const user = createTestUser({ id: 'user-123', email: 'test@example.com' });
|
|
|
|
|
const options: MCPOptions = {
|
|
|
|
|
type: 'streamable-http',
|
|
|
|
|
url: 'https://api.example.com',
|
|
|
|
|
headers: {
|
|
|
|
|
'X-User-Id': '{{LIBRECHAT_USER_ID}}',
|
|
|
|
|
'X-User-Email': '{{LIBRECHAT_USER_EMAIL}}',
|
|
|
|
|
},
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
const result = processMCPEnv({ options, user, dbSourced: true });
|
|
|
|
|
|
|
|
|
|
if (isStreamableHTTPOptions(result)) {
|
|
|
|
|
expect(result.headers?.['X-User-Id']).toBe('{{LIBRECHAT_USER_ID}}');
|
|
|
|
|
expect(result.headers?.['X-User-Email']).toBe('{{LIBRECHAT_USER_EMAIL}}');
|
|
|
|
|
} else {
|
|
|
|
|
throw new Error('Expected streamable-http options');
|
|
|
|
|
}
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should NOT resolve {{LIBRECHAT_OPENID_*}} when dbSourced is true', () => {
|
|
|
|
|
const user = {
|
|
|
|
|
...createTestUser({ id: 'user-123', provider: 'openid' }),
|
|
|
|
|
federatedTokens: {
|
|
|
|
|
access_token: 'oidc-access-token',
|
|
|
|
|
id_token: 'oidc-id-token',
|
|
|
|
|
refresh_token: 'oidc-refresh-token',
|
|
|
|
|
token_type: 'Bearer',
|
|
|
|
|
expires_at: Date.now() + 3600000,
|
|
|
|
|
},
|
|
|
|
|
};
|
|
|
|
|
const options: MCPOptions = {
|
|
|
|
|
type: 'streamable-http',
|
|
|
|
|
url: 'https://api.example.com',
|
|
|
|
|
headers: {
|
|
|
|
|
Authorization: 'Bearer {{LIBRECHAT_OPENID_ACCESS_TOKEN}}',
|
|
|
|
|
},
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
const result = processMCPEnv({ options, user, dbSourced: true });
|
|
|
|
|
|
|
|
|
|
if (isStreamableHTTPOptions(result)) {
|
|
|
|
|
expect(result.headers?.Authorization).toBe('Bearer {{LIBRECHAT_OPENID_ACCESS_TOKEN}}');
|
|
|
|
|
} else {
|
|
|
|
|
throw new Error('Expected streamable-http options');
|
|
|
|
|
}
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should NOT resolve {{LIBRECHAT_BODY_*}} when dbSourced is true', () => {
|
|
|
|
|
const body = {
|
|
|
|
|
conversationId: 'conv-123',
|
|
|
|
|
parentMessageId: 'parent-456',
|
|
|
|
|
messageId: 'msg-789',
|
|
|
|
|
};
|
|
|
|
|
const options: MCPOptions = {
|
|
|
|
|
type: 'streamable-http',
|
|
|
|
|
url: 'https://api.example.com',
|
|
|
|
|
headers: {
|
|
|
|
|
'X-Conversation': '{{LIBRECHAT_BODY_CONVERSATIONID}}',
|
|
|
|
|
},
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
const result = processMCPEnv({ options, body, dbSourced: true });
|
|
|
|
|
|
|
|
|
|
if (isStreamableHTTPOptions(result)) {
|
|
|
|
|
expect(result.headers?.['X-Conversation']).toBe('{{LIBRECHAT_BODY_CONVERSATIONID}}');
|
|
|
|
|
} else {
|
|
|
|
|
throw new Error('Expected streamable-http options');
|
|
|
|
|
}
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should resolve customUserVars but block all other placeholders when dbSourced is true', () => {
|
|
|
|
|
const user = createTestUser({ id: 'user-123' });
|
|
|
|
|
const body = { conversationId: 'conv-123', parentMessageId: 'p-1', messageId: 'm-1' };
|
|
|
|
|
const options: MCPOptions = {
|
|
|
|
|
type: 'streamable-http',
|
|
|
|
|
url: '${DATABASE_URL}',
|
|
|
|
|
headers: {
|
|
|
|
|
Authorization: 'Bearer {{MCP_API_KEY}}',
|
|
|
|
|
'X-Env-Leak': '${TEST_API_KEY}',
|
|
|
|
|
'X-User-Id': '{{LIBRECHAT_USER_ID}}',
|
|
|
|
|
'X-Body': '{{LIBRECHAT_BODY_CONVERSATIONID}}',
|
|
|
|
|
},
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
const result = processMCPEnv({
|
|
|
|
|
options,
|
|
|
|
|
user,
|
|
|
|
|
body,
|
|
|
|
|
dbSourced: true,
|
|
|
|
|
customUserVars: { MCP_API_KEY: 'user-key-value' },
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
if (isStreamableHTTPOptions(result)) {
|
|
|
|
|
expect(result.headers?.Authorization).toBe('Bearer user-key-value');
|
|
|
|
|
expect(result.headers?.['X-Env-Leak']).toBe('${TEST_API_KEY}');
|
|
|
|
|
expect(result.headers?.['X-User-Id']).toBe('{{LIBRECHAT_USER_ID}}');
|
|
|
|
|
expect(result.headers?.['X-Body']).toBe('{{LIBRECHAT_BODY_CONVERSATIONID}}');
|
|
|
|
|
expect(result.url).toBe('${DATABASE_URL}');
|
|
|
|
|
} else {
|
|
|
|
|
throw new Error('Expected streamable-http options');
|
|
|
|
|
}
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should resolve all placeholders when dbSourced is false (default)', () => {
|
|
|
|
|
const user = createTestUser({ id: 'user-123' });
|
|
|
|
|
const options: MCPOptions = {
|
|
|
|
|
type: 'streamable-http',
|
|
|
|
|
url: 'https://api.example.com',
|
|
|
|
|
headers: {
|
|
|
|
|
Authorization: 'Bearer {{MCP_API_KEY}}',
|
|
|
|
|
'X-Env': '${TEST_API_KEY}',
|
|
|
|
|
'X-User-Id': '{{LIBRECHAT_USER_ID}}',
|
|
|
|
|
},
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
const result = processMCPEnv({
|
|
|
|
|
options,
|
|
|
|
|
user,
|
|
|
|
|
dbSourced: false,
|
|
|
|
|
customUserVars: { MCP_API_KEY: 'user-key-value' },
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
if (isStreamableHTTPOptions(result)) {
|
|
|
|
|
expect(result.headers?.Authorization).toBe('Bearer user-key-value');
|
|
|
|
|
expect(result.headers?.['X-Env']).toBe('test-api-key-value');
|
|
|
|
|
expect(result.headers?.['X-User-Id']).toBe('user-123');
|
|
|
|
|
} else {
|
|
|
|
|
throw new Error('Expected streamable-http options');
|
|
|
|
|
}
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should apply dbSourced to env, args, and URL — not just headers', () => {
|
|
|
|
|
const options: MCPOptions = {
|
|
|
|
|
type: 'stdio',
|
|
|
|
|
command: 'mcp-server',
|
|
|
|
|
args: ['--key', '${TEST_API_KEY}', '--custom', '{{MY_VAR}}'],
|
|
|
|
|
env: {
|
|
|
|
|
SECRET: '${DATABASE_URL}',
|
|
|
|
|
CUSTOM: '{{MY_VAR}}',
|
|
|
|
|
},
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
const result = processMCPEnv({
|
|
|
|
|
options,
|
|
|
|
|
dbSourced: true,
|
|
|
|
|
customUserVars: { MY_VAR: 'resolved-value' },
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
if (isStdioOptions(result)) {
|
|
|
|
|
expect(result.env?.SECRET).toBe('${DATABASE_URL}');
|
|
|
|
|
expect(result.env?.CUSTOM).toBe('resolved-value');
|
|
|
|
|
expect(result.args?.[1]).toBe('${TEST_API_KEY}');
|
|
|
|
|
expect(result.args?.[3]).toBe('resolved-value');
|
|
|
|
|
} else {
|
|
|
|
|
throw new Error('Expected stdio options');
|
|
|
|
|
}
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should still apply admin API key header injection when dbSourced is true', () => {
|
|
|
|
|
const options: MCPOptions = {
|
|
|
|
|
type: 'streamable-http',
|
|
|
|
|
url: 'https://api.example.com',
|
|
|
|
|
apiKey: {
|
|
|
|
|
source: 'admin',
|
|
|
|
|
authorization_type: 'bearer',
|
|
|
|
|
key: 'admin-managed-key',
|
|
|
|
|
},
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
const result = processMCPEnv({ options, dbSourced: true });
|
|
|
|
|
|
|
|
|
|
if (isStreamableHTTPOptions(result)) {
|
|
|
|
|
expect(result.headers?.Authorization).toBe('Bearer admin-managed-key');
|
|
|
|
|
} else {
|
|
|
|
|
throw new Error('Expected streamable-http options');
|
|
|
|
|
}
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should block env vars in OAuth config when dbSourced is true', () => {
|
|
|
|
|
const options: MCPOptions = {
|
|
|
|
|
type: 'streamable-http',
|
|
|
|
|
url: 'https://api.example.com',
|
|
|
|
|
oauth: {
|
|
|
|
|
client_id: '${TEST_API_KEY}',
|
|
|
|
|
client_secret: '${DATABASE_URL}',
|
|
|
|
|
token_url: 'https://auth.example.com/token',
|
|
|
|
|
token_exchange_method: TokenExchangeMethodEnum.DefaultPost,
|
|
|
|
|
},
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
const result = processMCPEnv({ options, dbSourced: true });
|
|
|
|
|
|
|
|
|
|
const oauth = (result as { oauth?: Record<string, unknown> }).oauth;
|
|
|
|
|
expect(oauth?.client_id).toBe('${TEST_API_KEY}');
|
|
|
|
|
expect(oauth?.client_secret).toBe('${DATABASE_URL}');
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should resolve customUserVars in OAuth config when dbSourced is true', () => {
|
|
|
|
|
const options: MCPOptions = {
|
|
|
|
|
type: 'streamable-http',
|
|
|
|
|
url: 'https://api.example.com',
|
|
|
|
|
oauth: {
|
|
|
|
|
client_id: '{{MY_CLIENT_ID}}',
|
|
|
|
|
client_secret: '{{MY_CLIENT_SECRET}}',
|
|
|
|
|
token_url: 'https://auth.example.com/token',
|
|
|
|
|
token_exchange_method: TokenExchangeMethodEnum.DefaultPost,
|
|
|
|
|
},
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
const result = processMCPEnv({
|
|
|
|
|
options,
|
|
|
|
|
dbSourced: true,
|
|
|
|
|
customUserVars: { MY_CLIENT_ID: 'resolved-client', MY_CLIENT_SECRET: 'resolved-secret' },
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
const oauth = (result as { oauth?: Record<string, unknown> }).oauth;
|
|
|
|
|
expect(oauth?.client_id).toBe('resolved-client');
|
|
|
|
|
expect(oauth?.client_secret).toBe('resolved-secret');
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should leave unresolved customUserVars as literal placeholders', () => {
|
|
|
|
|
const options: MCPOptions = {
|
|
|
|
|
type: 'streamable-http',
|
|
|
|
|
url: 'https://api.example.com',
|
|
|
|
|
headers: {
|
|
|
|
|
Authorization: 'Bearer {{MCP_API_KEY}}',
|
|
|
|
|
},
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
// No customUserVars provided — placeholder should remain
|
|
|
|
|
const result = processMCPEnv({ options, dbSourced: true });
|
|
|
|
|
|
|
|
|
|
if (isStreamableHTTPOptions(result)) {
|
|
|
|
|
expect(result.headers?.Authorization).toBe('Bearer {{MCP_API_KEY}}');
|
|
|
|
|
} else {
|
|
|
|
|
throw new Error('Expected streamable-http options');
|
|
|
|
|
}
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should not modify the original options when dbSourced is true', () => {
|
|
|
|
|
const options: MCPOptions = {
|
|
|
|
|
type: 'streamable-http',
|
|
|
|
|
url: '${DATABASE_URL}',
|
|
|
|
|
headers: {
|
|
|
|
|
Authorization: 'Bearer {{MCP_API_KEY}}',
|
|
|
|
|
'X-Env': '${TEST_API_KEY}',
|
|
|
|
|
},
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
const originalUrl = options.url;
|
|
|
|
|
const originalAuth = (options as { headers: Record<string, string> }).headers.Authorization;
|
|
|
|
|
|
|
|
|
|
processMCPEnv({
|
|
|
|
|
options,
|
|
|
|
|
dbSourced: true,
|
|
|
|
|
customUserVars: { MCP_API_KEY: 'resolved' },
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
expect(options.url).toBe(originalUrl);
|
|
|
|
|
expect((options as { headers: Record<string, string> }).headers.Authorization).toBe(
|
|
|
|
|
originalAuth,
|
|
|
|
|
);
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('should handle empty customUserVars object without errors', () => {
|
|
|
|
|
const options: MCPOptions = {
|
|
|
|
|
type: 'streamable-http',
|
|
|
|
|
url: 'https://api.example.com',
|
|
|
|
|
headers: {
|
|
|
|
|
'X-Key': '${TEST_API_KEY}',
|
|
|
|
|
'X-Custom': '{{MCP_API_KEY}}',
|
|
|
|
|
},
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
const result = processMCPEnv({ options, dbSourced: true, customUserVars: {} });
|
|
|
|
|
|
|
|
|
|
if (isStreamableHTTPOptions(result)) {
|
|
|
|
|
expect(result.headers?.['X-Key']).toBe('${TEST_API_KEY}');
|
|
|
|
|
expect(result.headers?.['X-Custom']).toBe('{{MCP_API_KEY}}');
|
|
|
|
|
} else {
|
|
|
|
|
throw new Error('Expected streamable-http options');
|
|
|
|
|
}
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
it('dbSourced undefined should behave like false (resolve everything)', () => {
|
|
|
|
|
const user = createTestUser({ id: 'user-abc' });
|
|
|
|
|
const options: MCPOptions = {
|
|
|
|
|
type: 'streamable-http',
|
|
|
|
|
url: 'https://api.example.com',
|
|
|
|
|
headers: {
|
|
|
|
|
'X-Env': '${TEST_API_KEY}',
|
|
|
|
|
'X-User': '{{LIBRECHAT_USER_ID}}',
|
|
|
|
|
},
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
const result = processMCPEnv({ options, user });
|
|
|
|
|
|
|
|
|
|
if (isStreamableHTTPOptions(result)) {
|
|
|
|
|
expect(result.headers?.['X-Env']).toBe('test-api-key-value');
|
|
|
|
|
expect(result.headers?.['X-User']).toBe('user-abc');
|
|
|
|
|
} else {
|
|
|
|
|
throw new Error('Expected streamable-http options');
|
|
|
|
|
}
|
|
|
|
|
});
|
|
|
|
|
});
|
2025-09-08 15:38:44 -04:00
|
|
|
});
|