Bugfix/Custom MCP Security (#4963)

* - Implemented a validation function to check for banned commands and dangerous patterns.
- Added checks for potential shell injection attempts in command and arguments.
- Security validation is conditionally enabled based on environment variable CUSTOM_MCP_SECURITY_CHECK.

* Enhance security by implementing command and argument validation in SupergatewayMCP. Added checks for banned commands, dangerous patterns, and potential shell injection attempts. Security validation is conditionally enabled based on the CUSTOM_MCP_SECURITY_CHECK environment variable.

* add validateMCPServerSecurity
Henry Heng
2025-07-30 16:44:20 +01:00
committed by GitHub
parent 498129e9d2
commit e8dac2048f
3 changed files with 423 additions and 15 deletions
@@ -1,6 +1,6 @@
import { Tool } from '@langchain/core/tools'
import { ICommonObject, IDatabaseEntity, INode, INodeData, INodeOptionsValue, INodeParams } from '../../../../src/Interface'
import { MCPToolkit } from '../core'
import { MCPToolkit, validateMCPServerSecurity } from '../core'
import { getVars, prepareSandboxVars } from '../../../../src/utils'
import { DataSource } from 'typeorm'
import hash from 'object-hash'
@@ -169,6 +169,10 @@ class Custom_MCP implements INode {
serverParams = JSON.parse(serverParamsString)
}
if (process.env.CUSTOM_MCP_SECURITY_CHECK === 'true') {
validateMCPServerSecurity(serverParams)
}
// Compatible with stdio and SSE
let toolkit: MCPToolkit
if (serverParams?.command === undefined) {
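Review bot: The new guard `if (process.env.CUSTOM_MCP_SECURITY_CHECK === 'true')` makes the validation opt-in, so a deployment that never sets the variable, or sets it to `1`, `TRUE` or `yes`, skips validateMCPServerSecurity entirely and the user-supplied serverParams proceed unchecked to the stdio/SSE setup that follows. Because the check exists to protect the host from untrusted server definitions, a fail-closed default is the safer shape: `if (process.env.CUSTOM_MCP_SECURITY_CHECK !== 'false') {`, which still leaves operators an explicit switch to disable it. If opt-in is the intended behaviour, a comment above the guard such as `// Opt-in: command/argument validation runs only when CUSTOM_MCP_SECURITY_CHECK is exactly 'true'` would make that contract visible to whoever deploys this node. The enclosing method of Custom_MCP starts outside the hunk, and validateMCPServerSecurity lives in ../core, so whether it throws or merely returns on a violation cannot be confirmed from here.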