feat(server): add MCP server configuration validation (#830)

* feat(server): add MCP server configuration validation Add comprehensive validation for MCP server configurations, inspired by Flowise's validateMCPServerConfig implementation. MCPServerConfig checks implemented: - Command allowlist validation (node, npx, python, docker, uvx, etc.) - Path traversal prevention (blocks ../, absolute paths, ~/) - Shell command injection prevention (blocks ; & | ` $ etc.) - Dangerous environment variable blocking (PATH, LD_PRELOAD, etc.) - URL validation for SSE/HTTP transports (scheme, credentials) - HTTP header injection prevention (blocks newlines) * fix the unit test error of test_chat_request * Added the related path cases as reviewer commented * Apply suggestions from code review Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Apply suggestions from code review Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> --------- Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
2026-04-20 04:44:46 +08:00 · 2026-01-24 17:32:17 +08:00
parent c0849af37e
commit 612bddd3fb
7 changed files with 1072 additions and 19 deletions
--- a/tests/unit/server/test_chat_request.py
+++ b/tests/unit/server/test_chat_request.py
@@ -163,6 +163,6 @@ async def test_load_mcp_tools_exception_handling(
    mock_stdio_client.return_value = MagicMock()

    with pytest.raises(HTTPException) as exc:
-        await mcp_utils.load_mcp_tools(server_type="stdio", command="foo")  # Use await
+        await mcp_utils.load_mcp_tools(server_type="stdio", command="node")  # Use await
    assert exc.value.status_code == 500
    assert "unexpected error" in exc.value.detail