Andreas/LibreChat
1
0
Fork 0
mirror of https://github.com/danny-avila/LibreChat.git synced 2026-03-15 12:16:33 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 3
LibreChat/api/server/routes
History
Danny Avila f32907cd36
Some checks are pending
Docker Dev Branch Images Build / build (Dockerfile, lc-dev, node) (push) Waiting to run
Details
Docker Dev Branch Images Build / build (Dockerfile.multi, lc-dev-api, api-build) (push) Waiting to run
Details
🔏 fix: MCP Server URL Schema Validation (#12204) 
* fix: MCP server configuration validation and schema

- Added tests to reject URLs containing environment variable references for SSE, streamable-http, and websocket types in the MCP routes.
- Introduced a new schema in the data provider to ensure user input URLs do not resolve environment variables, enhancing security against potential leaks.
- Updated existing MCP server user input schema to utilize the new validation logic, ensuring consistent handling of user-supplied URLs across the application.

* fix: MCP URL validation to reject env variable references

- Updated tests to ensure that URLs for SSE, streamable-http, and websocket types containing environment variable patterns are rejected, improving security against potential leaks.
- Refactored the MCP server user input schema to enforce stricter validation rules, preventing the resolution of environment variables in user-supplied URLs.
- Introduced new test cases for various URL types to validate the rejection logic, ensuring consistent handling across the application.

* test: Enhance MCPServerUserInputSchema tests for environment variable handling

- Introduced new test cases to validate the prevention of environment variable exfiltration through user input URLs in the MCPServerUserInputSchema.
- Updated existing tests to confirm that URLs containing environment variable patterns are correctly resolved or rejected, improving security against potential leaks.
- Refactored test structure to better organize environment variable handling scenarios, ensuring comprehensive coverage of edge cases.
2026-03-12 23:19:31 -04:00
..
__tests__ 🔏 fix: MCP Server URL Schema Validation (#12204) 2026-03-12 23:19:31 -04:00
admin 🔐 feat: Admin Auth. Routes with Secure Cross-Origin Token Exchange (#11297) 2026-01-28 17:44:31 -05:00
agents 🧬 feat: Allow Agent Editors to Duplicate Agents (#12041) 2026-03-03 20:45:02 -05:00
assistants 📦 chore: Bump Express.js to v5 (#10671) 2025-12-11 16:36:15 -05:00
files 🔀 refactor: Endpoint Check for File Uploads in Images Route (#11352) 2026-01-14 14:07:58 -05:00
types WIP: Update UI to match Official Style; Vision and Assistants 👷🏽 (#1190) 2023-11-16 10:42:24 -05:00
accessPermissions.js 🛸 feat: Remote Agent Access with External API Support (#11503) 2026-01-28 17:44:33 -05:00
accessPermissions.test.js 🪪 fix: Misleading MCP Server Lookup Method Name (#11315) 2026-01-12 21:04:25 -05:00
actions.js 🛡️ fix: Secure MCP/Actions OAuth Flows, Resolve Race Condition & Tool Cache Cleanup (#11756) 2026-02-12 14:22:05 -05:00
apiKeys.js 🛸 feat: Remote Agent Access with External API Support (#11503) 2026-01-28 17:44:33 -05:00
auth.js 🛜 refactor: Streamline App Config Usage (#9234) 2025-08-26 12:10:18 -04:00
balance.js feat: Accurate Token Usage Tracking & Optional Balance (#1018) 2023-10-05 18:34:10 -04:00
banner.js 🚀 feat: Banner (#3952) 2024-09-11 09:34:25 -04:00
categories.js 🗨️ feat: Prompts (#3131) 2024-06-20 20:24:32 -04:00
config.js 🔒 refactor: Set ALLOW_SHARED_LINKS_PUBLIC to false by Default (#12100) 2026-03-06 19:05:56 -05:00
convos.js 🔱 chore: Harden API Routes Against IDOR and DoS Attacks (#11760) 2026-02-12 18:08:24 -05:00
endpoints.js 🛜 refactor: Streamline App Config Usage (#9234) 2025-08-26 12:10:18 -04:00
index.js 🛸 feat: Remote Agent Access with External API Support (#11503) 2026-01-28 17:44:33 -05:00
keys.js 🔱 chore: Harden API Routes Against IDOR and DoS Attacks (#11760) 2026-02-12 18:08:24 -05:00
mcp.js 🛂 fix: MCP OAuth Race Conditions, CSRF Fallback, and Token Expiry Handling (#12171) 2026-03-10 21:15:01 -04:00
memories.js 🛜 refactor: Streamline App Config Usage (#9234) 2025-08-26 12:10:18 -04:00
messages.js 🔧 fix: Sorting and Pagination logic for Conversations (#11242) 2026-01-07 09:44:45 -05:00
models.js 🛠️ refactor: Model Loading and Custom Endpoint Error Handling (#1849) 2024-02-20 12:57:58 -05:00
oauth.js 🛡️ fix: Secure MCP/Actions OAuth Flows, Resolve Race Condition & Tool Cache Cleanup (#11756) 2026-02-12 14:22:05 -05:00
presets.js 🧹 chore: Cleanup Logger and Utility Imports (#9935) 2025-10-01 23:30:47 -04:00
prompts.js 🔧 refactor: Permission handling for Resource Sharing (#11283) 2026-01-10 14:02:56 -05:00
prompts.test.js 🔧 refactor: Permission handling for Resource Sharing (#11283) 2026-01-10 14:02:56 -05:00
roles.js 🛸 feat: Remote Agent Access with External API Support (#11503) 2026-01-28 17:44:33 -05:00
search.js 🧹 chore: Cleanup Logger and Utility Imports (#9935) 2025-10-01 23:30:47 -04:00
settings.js 📌 feat: Pin Agents and Models in the Sidebar (#10634) 2025-12-11 16:38:20 -05:00
share.js 🔒 refactor: Set ALLOW_SHARED_LINKS_PUBLIC to false by Default (#12100) 2026-03-06 19:05:56 -05:00
static.js 🧹 chore: Cleanup Logger and Utility Imports (#9935) 2025-10-01 23:30:47 -04:00
tags.js 🔒 fix: Agents Config/Permission Checks after Streamline Change (#8089) 2025-06-26 18:53:05 -04:00
user.js 📌 feat: Pin Agents and Models in the Sidebar (#10634) 2025-12-11 16:38:20 -05:00