fix(server): harden auth, MCP, redirect, and snapshot endpoints #1312
eren-karakus0 wants to merge 2 commits into eigent-ai:main
- Add token expiry validation in auth component
- Add auth dependency to history_controller endpoint
- Sanitize redirect URLs to prevent open redirect
- Harden MCP controller and user_controller input validation
- Add login rate-limit headers to login_controller
- Add field validation to chat_snapshot model
- Add tests for all security fixes

thanks @eren-karakus0, could you link the issue?

Linked - closes #1329. Sorry for the delay!

server/tests/test_security_fixes.py
Split them to correspond to the changes of each file, for example tests/app/controller/chat/history_controller.py etc.

Done - split into 7 separate test files matching the source structure:
- tests/app/controller/redirect_controller.py
- tests/app/controller/mcp/mcp_controller.py
- tests/app/controller/mcp/user_controller.py
- tests/app/controller/user/login_controller.py
- tests/app/component/auth.py
- tests/app/controller/chat/history_controller.py
- tests/app/model/chat/chat_snpshot.py
All using def test_xxx style. Fixed in latest push.
| cookies = request.cookies | ||
| cookies_json = json.dumps(cookies) | ||
|
|
||
| safe_code = html.escape(code, quote=True) |
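Review bot: On the `cookies_json = json.dumps(cookies)` line, every request cookie is serialized, but the hunk shows no encoding step for that JSON, while `code` on the last line does get one. `json.dumps` leaves `<`, `>` and `&` as they are, so if `cookies_json` is interpolated into the same HTML response or callback URL as `safe_code`, it needs encoding for that context too. Consider also passing only the cookies the callback needs instead of the whole dict.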
Should we use the following?
| safe_code = html.escape(code, quote=True) | |
| from urllib.parse import quote # move to top | |
| safe_code = quote(code, safe='') |
If code = "abc&def", html quote will convert to eigent://callback?code=abc&def,
but quote will give code=abc%26def, which should be the one we expect.

Changed to urllib.parse.quote(code, safe='') which gives proper URL encoding (%26 instead of &). Fixed in latest push.
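
The encoding difference discussed in this review thread, as an added example that is not part of the PR or the project's code: it builds the callback URL with each encoder and parses it back. The function names and sample codes are constructed, and it assumes the receiver parses the query string with standard URL parsing.

```python
import html
from urllib.parse import parse_qs, quote, urlsplit

CALLBACK = "eigent://callback"  # callback URL as written in the review comment


def html_encode(code: str) -> str:
    """Original approach: HTML entity encoding (wrong context for a URL)."""
    return html.escape(code, quote=True)


def url_encode(code: str) -> str:
    """Suggested approach: percent-encode every reserved character."""
    return quote(code, safe="")


def build_callback(code: str, encoder) -> str:
    """Place the encoded code into the callback URL's query string."""
    return f"{CALLBACK}?code={encoder(code)}"


def received_code(url: str) -> list:
    """What a receiver sees, assuming it parses the query string normally."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True).get("code", [])


def round_trips(code: str, encoder) -> bool:
    """True when the receiver gets back exactly the code that was sent."""
    return received_code(build_callback(code, encoder)) == [code]


# Constructed sample codes: '&' is the case from the review; '#' and '+'
# are other characters that are HTML-safe but meaningful inside a URL.
SAMPLES = ["abc&def", "abc#def", "abc+def"]

if __name__ == "__main__":
    for sample in SAMPLES:
        for encoder in (html_encode, url_encode):
            url = build_callback(sample, encoder)
            print(f"{encoder.__name__:11} {sample!r:10} -> {url}"
                  f"  received={received_code(url)}"
                  f"  intact={round_trips(sample, encoder)}")
```
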

- Use urllib.parse.quote instead of html.escape for redirect callback code parameter (proper URL encoding vs HTML entity encoding)
- Split test_security_fixes.py into per-file test modules matching the source structure as requested

Related Issue
Closes #1329
Split from #1299 as requested by @bytecii.
Summary
Security hardening for the server codebase.
Changes
urllib.parse.quote to prevent open redirect
Tests (split into per-file modules matching source structure)
- server/tests/app/controller/test_redirect_controller.py - URL encoding, XSS prevention
- server/tests/app/controller/mcp/test_mcp_controller.py - install .get() safety
- server/tests/app/controller/mcp/test_user_controller.py - IDOR get/delete
- server/tests/app/controller/user/test_login_controller.py - blocked status handling
- server/tests/app/component/test_auth.py - None token, user exists validation
- server/tests/app/controller/chat/test_history_controller.py - total_failed_tasks
- server/tests/app/model/chat/test_chat_snpshot.py - path traversal, valid ID
Files (14)
- server/app/component/auth.py
- server/app/controller/chat/history_controller.py
- server/app/controller/mcp/mcp_controller.py
- server/app/controller/mcp/user_controller.py
- server/app/controller/redirect_controller.py
- server/app/controller/user/login_controller.py
- server/app/model/chat/chat_snpshot.py
- server/tests/app/component/test_auth.py
- server/tests/app/controller/chat/test_history_controller.py
- server/tests/app/controller/mcp/test_mcp_controller.py
- server/tests/app/controller/mcp/test_user_controller.py
- server/tests/app/controller/test_redirect_controller.py
- server/tests/app/controller/user/test_login_controller.py
- server/tests/app/model/chat/test_chat_snpshot.py