feat(server): add MCP server configuration validation (#830)

* feat(server): add MCP server configuration validation Add comprehensive validation for MCP server configurations, inspired by Flowise's validateMCPServerConfig implementation. MCPServerConfig checks implemented: - Command allowlist validation (node, npx, python, docker, uvx, etc.) - Path traversal prevention (blocks ../, absolute paths, ~/) - Shell command injection prevention (blocks ; & | ` $ etc.) - Dangerous environment variable blocking (PATH, LD_PRELOAD, etc.) - URL validation for SSE/HTTP transports (scheme, credentials) - HTTP header injection prevention (blocks newlines) * fix the unit test error of test_chat_request * Added the related path cases as reviewer commented * Apply suggestions from code review Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
2026-04-20 12:54:45 +08:00 · 2026-01-24 17:32:17 +08:00
parent c0849af37e
commit 612bddd3fb
7 changed files with 1072 additions and 19 deletions
--- a/tests/unit/server/test_app.py
+++ b/tests/unit/server/test_app.py
@@ -352,9 +352,9 @@ class TestMCPEndpoint:

        request_data = {
            "transport": "stdio",
-            "command": "test_command",
-            "args": ["arg1", "arg2"],
-            "env": {"ENV_VAR": "value"},
+            "command": "node",
+            "args": ["server.js"],
+            "env": {"API_KEY": "test123"},
        }

        response = client.post("/api/mcp/server/metadata", json=request_data)
@@ -362,7 +362,7 @@ class TestMCPEndpoint:
        assert response.status_code == 200
        response_data = response.json()
        assert response_data["transport"] == "stdio"
-        assert response_data["command"] == "test_command"
+        assert response_data["command"] == "node"
        assert len(response_data["tools"]) == 1

    @patch("src.server.app.load_mcp_tools")
@@ -375,7 +375,7 @@ class TestMCPEndpoint:

        request_data = {
            "transport": "stdio",
-            "command": "test_command",
+            "command": "node",
            "timeout_seconds": 60,
        }

@@ -424,9 +424,9 @@ class TestMCPEndpoint:

        request_data = {
            "transport": "stdio",
-            "command": "test_command",
-            "args": ["arg1", "arg2"],
-            "env": {"ENV_VAR": "value"},
+            "command": "node",
+            "args": ["server.js"],
+            "env": {"API_KEY": "test123"},
        }

        response = client.post("/api/mcp/server/metadata", json=request_data)
@@ -444,9 +444,9 @@ class TestMCPEndpoint:
    ):
        request_data = {
            "transport": "stdio",
-            "command": "test_command",
-            "args": ["arg1", "arg2"],
-            "env": {"ENV_VAR": "value"},
+            "command": "node",
+            "args": ["server.js"],
+            "env": {"API_KEY": "test123"},
        }

        response = client.post("/api/mcp/server/metadata", json=request_data)