Andreas/LibreChat
1
0
Fork 0
mirror of https://github.com/danny-avila/LibreChat.git synced 2026-03-17 21:26:33 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 8
LibreChat/packages/data-provider
History
Danny Avila 951d261f5c
🧯 fix: Prevent Env-Variable Exfil. via Placeholder Injection (#12260) 
* 🔒 fix: Resolve env vars before body placeholder expansion to prevent secret exfiltration

Body placeholders ({{LIBRECHAT_BODY_*}}) were substituted before
extractEnvVariable ran, allowing user-controlled body fields containing
${SECRET} patterns to be expanded into real environment values in
outbound headers. Reorder so env vars resolve first, preventing
untrusted input from triggering env expansion.

* 🛡️ fix: Block sensitive infrastructure env vars from placeholder resolution

Add isSensitiveEnvVar blocklist to extractEnvVariable so that internal
infrastructure secrets (JWT_SECRET, JWT_REFRESH_SECRET, CREDS_KEY,
CREDS_IV, MEILI_MASTER_KEY, MONGO_URI, REDIS_URI, REDIS_PASSWORD)
can never be resolved via ${VAR} expansion — even if an attacker
manages to inject a placeholder pattern.

Uses exact-match set (not substring patterns) to avoid breaking
legitimate operator config that references OAuth/API secrets in
MCP and custom endpoint configurations.

* 🧹 test: Rename ANOTHER_SECRET test fixture to ANOTHER_VALUE

Avoid using SECRET-containing names for non-sensitive test fixtures
to prevent confusion with the new isSensitiveEnvVar blocklist.

* 🔒 fix: Resolve env vars before all user-controlled substitutions in processSingleValue

Move extractEnvVariable to run on the raw admin-authored template
BEFORE customUserVars, user fields, OIDC tokens, and body placeholders.

Previously env resolution ran after customUserVars, so a user setting
a custom MCP variable to "${SECRET}" could still trigger env expansion.
Now env vars are resolved strictly on operator config, and all
subsequent user-controlled substitutions cannot introduce ${VAR} patterns
that would be expanded.

Gated by !dbSourced so DB-stored servers continue to skip env resolution.
Adds a security-invariant comment documenting the ordering requirement.

* 🧪 test: Comprehensive security regression tests for placeholder injection

- Cover all three body fields (conversationId, parentMessageId, messageId)
- Add user-field injection test (user.name containing ${VAR})
- Add customUserVars injection test (MY_TOKEN = "${VAR}")
- Add processMCPEnv injection tests for body and customUserVars paths
- Remove redundant process.env setup/teardown already handled by beforeEach/afterEach

* 🧹 chore: Add REDIS_PASSWORD to blocklist integration test; document customUserVars gate
2026-03-16 08:48:24 -04:00
..
react-query 📦 chore: Bump Dependabot Packages (#11836) 2026-02-17 18:55:28 -05:00
specs 🧯 fix: Prevent Env-Variable Exfil. via Placeholder Injection (#12260) 2026-03-16 08:48:24 -04:00
src 🧯 fix: Prevent Env-Variable Exfil. via Placeholder Injection (#12260) 2026-03-16 08:48:24 -04:00
.gitignore 🔄 refactor: Consolidate Ask/Edit Controllers (#1365) 2023-12-15 15:47:40 -05:00
babel.config.js chore: add back data-provider 2023-07-30 11:50:24 -04:00
check_updates.sh 🔧 feat: Initial MCP Support (Tools) (#5015) 2024-12-17 13:12:57 -05:00
jest.config.js refactor: Parallelize CI Workflows with Isolated Caching and Fan-Out Test Jobs (#12088) 2026-03-05 13:56:07 -05:00
package.json v0.8.3 (#12161) 2026-03-09 15:19:57 -04:00
rollup.config.js ⚙️ chore: Update Build Config due to Windows Tests (#9511) 2025-09-08 14:16:49 -04:00
server-rollup.config.js 🚀 feat: Add Code API Proxy Support and Update MCP SDK (#6203) 2025-03-06 12:47:59 -05:00
tsconfig.json feat: OAuth for Actions (#5693) 2025-02-10 15:56:08 -05:00
tsconfig.spec.json feat: Assistants API, General File Support, Side Panel, File Explorer (#1696) 2024-02-13 20:42:27 -05:00