Patches (#2225)

* feat: implement URL validation to prevent SSRF * feat: add zip extraction security * ruff fixes * fix: standardize error messages across API responses * fix: improve error handling and standardize error messages across multiple routes * fix: enhance JavaScript string safety in ConnectorCallbackStatus * fix: improve OAuth error handling and message formatting in MCPOAuthCallback
2026-02-11 16:51:04 +00:00 · 2025-12-25 00:57:25 +00:00
parent 197e94302b
commit b0eee7be24
7 changed files with 33 additions and 24 deletions
--- a/application/api/user/tools/mcp.py
+++ b/application/api/user/tools/mcp.py
@@ -1,7 +1,7 @@
 """Tool management MCP server integration."""

 import json
-from email.quoprimime import unquote
+from urllib.parse import unquote, urlencode

 from bson.objectid import ObjectId
 from flask import current_app, jsonify, make_response, redirect, request
@@ -64,6 +64,11 @@ class TestMCPServerConfig(Resource):
            mcp_tool = MCPTool(config=test_config, user_id=user)
            result = mcp_tool.test_connection()

+            # Sanitize the response to avoid exposing internal error details
+            if not result.get("success") and "message" in result:
+                current_app.logger.error(f"MCP connection test failed: {result.get('message')}")
+                result["message"] = "Connection test failed"
+
            return make_response(jsonify(result), 200)
        except Exception as e:
            current_app.logger.error(f"Error testing MCP server: {e}", exc_info=True)
@@ -263,9 +268,12 @@ class MCPOAuthCallback(Resource):
        error = request.args.get("error")

        if error:
-            return redirect(
-                f"/api/connectors/callback-status?status=error&message=OAuth+error:+{error}.+Please+try+again+and+make+sure+to+grant+all+requested+permissions,+including+offline+access.&provider=mcp_tool"
-            )
+            params = {
+                "status": "error",
+                "message": f"OAuth error: {error}. Please try again and make sure to grant all requested permissions, including offline access.",
+                "provider": "mcp_tool"
+            }
+            return redirect(f"/api/connectors/callback-status?{urlencode(params)}")
        if not code or not state:
            return redirect(
                "/api/connectors/callback-status?status=error&message=Authorization+code+or+state+not+provided.+Please+complete+the+authorization+process+and+make+sure+to+grant+offline+access.&provider=mcp_tool"
--- a/application/api/user/tools/routes.py
+++ b/application/api/user/tools/routes.py
@@ -462,10 +462,8 @@ class ParseSpec(Resource):
                200,
            )
        except ValueError as e:
-            error_msg = str(e)
-            current_app.logger.error(f"Spec validation error: {error_msg}")
-            return make_response(jsonify({"success": False, "error": error_msg}), 400)
+            current_app.logger.error(f"Spec validation error: {e}")
+            return make_response(jsonify({"success": False, "error": "Invalid specification format"}), 400)
        except Exception as err:
-            error_msg = str(err)
-            current_app.logger.error(f"Error parsing spec: {error_msg}", exc_info=True)
-            return make_response(jsonify({"success": False, "error": error_msg}), 500)
+            current_app.logger.error(f"Error parsing spec: {err}", exc_info=True)
+            return make_response(jsonify({"success": False, "error": "Failed to parse specification"}), 500)