fix(tools/http): prevent path traversal and base path scope escape#3218

Merged: duwenxin99 merged 4 commits into main from fix/dot-segment on May 12, 2026
@duwenxin99 duwenxin99 commented May 12, 2026

  • Rejects relative or URL-encoded dot segments (.., %2e%2e) to prevent directory traversal.
  • Enforces verification to ensure resolved paths do not escape the intended base path scope or allow unauthorized access to sibling paths sharing a simple string prefix.
  • Add pathEscape and queryEscape template functions to prevent path tampering.

@duwenxin99 duwenxin99 requested a review from a team as a code owner May 12, 2026 17:49

@gemini-code-assist gemini-code-assist Bot left a comment

Code Review

This pull request introduces path validation and scope enforcement to prevent path traversal vulnerabilities when resolving URLs. It includes a new test suite covering various edge cases such as URL-encoded dot segments and sibling path traversal. The review feedback identifies that the current dot-segment check is overly restrictive because it scans the entire relative path string, which could incorrectly block valid query parameters or filenames; a more precise approach involving segment-based validation is suggested.

Comment thread internal/tools/http/http.go Outdated
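The two checks named in the PR description, with the dot-segment test done per path segment as the review suggests, as an added Go example that is not the project's code. The names `checkURL`, `hasDotSegment` and `inScope`, the host `api.example.test`, and the assumption that the request URL is built by appending a templated relative part to a configured base URL are all hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path"
	"strings"
)

var errDotSegment = errors.New("dot segment in path")
var errOutOfScope = errors.New("path escapes base path scope")

// hasDotSegment checks the decoded path segment by segment, so "v1..2" stays valid.
func hasDotSegment(decodedPath string) bool {
	for _, seg := range strings.Split(decodedPath, "/") {
		if seg == "." || seg == ".." {
			return true
		}
	}
	return false
}

// inScope compares on segment boundaries: "/v1/users-admin" is a sibling of "/v1/users".
func inScope(basePath, targetPath string) bool {
	b := strings.TrimSuffix(path.Clean("/"+basePath), "/")
	t := path.Clean("/" + targetPath)
	return t == b || strings.HasPrefix(t, b+"/")
}

// checkURL validates base+rel (assumed construction: plain concatenation).
func checkURL(base, rel string) (string, error) {
	b, err := url.Parse(base)
	if err != nil {
		return "", err
	}
	u, err := url.Parse(base + rel)
	if err != nil {
		return "", err
	}
	if u.Scheme != b.Scheme || u.Host != b.Host {
		return "", errOutOfScope
	}
	if hasDotSegment(u.Path) { // u.Path is percent-decoded; the query is not scanned
		return "", errDotSegment
	}
	if !inScope(b.Path, u.Path) {
		return "", errOutOfScope
	}
	return u.String(), nil
}

func main() {
	for _, rel := range []string{"/42/report..v2.csv?range=1..5", "/%2e%2e/admin", "-admin/keys"} { // constructed samples
		_, err := checkURL("https://api.example.test/v1/users", rel)
		fmt.Println(rel, "->", err)
	}
}
```

A plain `strings.HasPrefix` on the whole path would accept the third sample; a substring scan for `..` over the whole relative string would reject the first.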
@duwenxin99 duwenxin99 enabled auto-merge (squash) May 12, 2026 21:27
@duwenxin99 duwenxin99 merged commit 80a6602 into main May 12, 2026
26 checks passed
@duwenxin99 duwenxin99 deleted the fix/dot-segment branch May 12, 2026 21:31
@github-actions

🧨 Preview deployments removed.

Cloudflare Pages environments for pr-3218 have been deleted.

github-actions Bot pushed a commit that referenced this pull request May 12, 2026
…scape (#3218)

- Rejects relative or URL-encoded dot segments (`..`, `%2e%2e`) to
prevent directory traversal.
- Enforces verification to ensure resolved paths do not escape the
intended base path scope or allow unauthorized access to sibling paths
sharing a simple string prefix.
- Add `pathEscape` and `queryEscape` template functions to prevent path
tampering.

80a6602
Yuan325 added a commit that referenced this pull request May 21, 2026
🤖 I have created a release *beep* *boop*
---


## [1.3.0](v1.2.0...v1.3.0) (2026-05-21)


### Features

* **auth:** Implement MCP auth tool-level scopes validation
([#3049](#3049))
([c528985](c528985))
* **looker:** Propagate client IP from incoming MCP requests to
downstream SDK calls
([#3253](#3253))
([75da6c2](75da6c2))
* Setup SQLCommenter and allow client metadata
([#3064](#3064))
([9f1f9b3](9f1f9b3))
* **tool/cloudsqladmin:** Add `cloud-sql-admin-execute-sql-many` and
`cloud-sql-admin-sql-many`
([#3083](#3083))
([ef300a8](ef300a8))


### Bug Fixes

* **auth/generic:** Fix generic auth expiration field and integration
with `authRequired`
([#3251](#3251))
([f4d16c0](f4d16c0))
* Enforce toolset/promptset boundary on tools/call and prompts/get
([#3036](#3036))
([c739b80](c739b80))
* **tools/http:** Prevent path traversal and base path scope escape
([#3218](#3218))
([80a6602](80a6602))
* **tools/looker:** Return a 401 error to MCP client when Looker returns
a 401 ([#3233](#3233))
([4f409a3](4f409a3))
* **tools/looker:** Strip wrapping quotes from filter values for
unquoted parameters
([#3273](#3273))
([1e3de96](1e3de96))
* **tools:** Initialize query result slices to empty array
([#3250](#3250))
([60ddf48](60ddf48))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com>
Co-authored-by: Yuan Teoh <45984206+Yuan325@users.noreply.github.com>