Andreas/LibreChat
1
0
Fork 0
mirror of https://github.com/danny-avila/LibreChat.git synced 2026-01-28 13:16:13 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

🔒 fix: SSRF Protection and Domain Handling in MCP Server Config (#11234)

Browse source 
* 🔒 fix: Enhance SSRF Protection and Domain Handling in MCP Server Configuration

- Updated the `extractMCPServerDomain` function to return the full origin (protocol://hostname:port) for improved protocol/port matching against allowed domains.
- Enhanced tests for `isMCPDomainAllowed` to validate domain access for internal hostnames and .local TLDs, ensuring proper SSRF protection.
- Added detailed comments in the configuration file to clarify security measures regarding allowed domains and internal target access.

* refactor: Domain Validation for WebSocket Protocols in Action and MCP Handling

- Added comprehensive tests to validate handling of WebSocket URLs in `isActionDomainAllowed` and `isMCPDomainAllowed` functions, ensuring that WebSocket protocols are rejected for OpenAPI Actions while allowed for MCP.
- Updated domain validation logic to support HTTP, HTTPS, WS, and WSS protocols, enhancing security and compliance with specifications.
- Refactored `parseDomainSpec` to improve protocol recognition and validation, ensuring robust handling of domain specifications.
- Introduced detailed comments to clarify the purpose and security implications of domain validation functions.
This commit is contained in:
Danny Avila 2026-01-06 13:04:52 -05:00 committed by GitHub
parent a7645f4705
commit 3b41e392ba
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 212 additions and 49 deletions
Download patch file Download diff file Expand all files Collapse all files

19
librechat.example.yaml
View file

@ -177,22 +177,29 @@ registration:
# userMax: 50
# userWindowInMinutes: 60 # Rate limit window for conversation imports per user
# Example Actions Object Structure
# Agent Actions domain restrictions (OpenAPI spec validation)
# SECURITY: If not configured, SSRF targets are blocked (localhost, private IPs, .internal/.local TLDs).
# To allow internal targets, you MUST explicitly add them to allowedDomains.
# Supports wildcards: '*.example.com' and protocol/port restrictions: 'https://api.example.com:8443'
actions:
allowedDomains:
- 'swapi.dev'
- 'librechat.ai'
- 'google.com'
# - 'http://10.225.26.25:7894' # Internal IP with protocol/port (uncomment if needed)
# MCP Server domain restrictions for remote transports (SSE, WebSocket, HTTP)
# Stdio transports (local processes) are not restricted.
# If not configured, all domains are allowed (permissive default).
# SECURITY: If not configured, SSRF targets are blocked (localhost, private IPs, .internal/.local TLDs).
# To allow internal targets like host.docker.internal, you MUST explicitly add them to allowedDomains.
# Supports wildcards: '*.example.com' matches 'api.example.com', 'staging.example.com', etc.
# Supports protocol/port restrictions: 'https://api.example.com:8443' restricts to specific protocol/port.
# mcpSettings:
# allowedDomains:
# - 'localhost'
# - '*.example.com'
# - 'trusted-mcp-provider.com'
# - 'host.docker.internal' # Docker host access (required for Docker setups)
# - 'localhost' # Local development
# - '*.example.com' # Wildcard subdomain
# - 'https://secure.api.com' # Protocol-restricted
# - 'http://internal:8080' # Protocol and port restricted
# Example MCP Servers Object Structure
# mcpServers: