LibreChat/packages/api/src/auth
Danny Avila 3b41e392ba
🔒 fix: SSRF Protection and Domain Handling in MCP Server Config (#11234)
* 🔒 fix: Enhance SSRF Protection and Domain Handling in MCP Server Configuration

- Updated the `extractMCPServerDomain` function to return the full origin (protocol://hostname:port) for improved protocol/port matching against allowed domains.
- Enhanced tests for `isMCPDomainAllowed` to validate domain access for internal hostnames and .local TLDs, ensuring proper SSRF protection.
- Added detailed comments in the configuration file to clarify security measures regarding allowed domains and internal target access.

* refactor: Domain Validation for WebSocket Protocols in Action and MCP Handling

- Added comprehensive tests to validate handling of WebSocket URLs in `isActionDomainAllowed` and `isMCPDomainAllowed` functions, ensuring that WebSocket protocols are rejected for OpenAPI Actions while allowed for MCP.
- Updated domain validation logic to support HTTP, HTTPS, WS, and WSS protocols, enhancing security and compliance with specifications.
- Refactored `parseDomainSpec` to improve protocol recognition and validation, ensuring robust handling of domain specifications.
- Introduced detailed comments to clarify the purpose and security implications of domain validation functions.
2026-01-06 13:04:52 -05:00
..
domain.spec.ts 🔒 fix: SSRF Protection and Domain Handling in MCP Server Config (#11234) 2026-01-06 13:04:52 -05:00
domain.ts 🔒 fix: SSRF Protection and Domain Handling in MCP Server Config (#11234) 2026-01-06 13:04:52 -05:00
index.ts 📧 fix: Case-Insensitive Domain Matching (#9868) 2025-09-27 21:20:19 -04:00
openid.spec.ts 📬 refactor: Normalize Email Handling in User Methods (#10743) 2025-12-01 09:41:25 -05:00
openid.ts 🆔 fix: Prioritize Immutable Sub Claim for OIDC User ID (#9788) 2025-09-23 14:46:53 -04:00