feat: Incorporate allowlist for destinations

dimovpetar · dimovpetar · commit 3884f951bbe8 · 2026-02-17T12:40:44.000+02:00
diff --git a/src/tools/create_integration_card/create_integration_card.ts b/src/tools/create_integration_card/create_integration_card.ts
@@ -7,6 +7,7 @@ import ejs from "ejs";
 import {getLogger} from "@ui5/logger";
 import {Destination, SupportedCardType} from "./schema.js";
 import semver from "semver";
+import {getAllowedOdataV4Domains, isValidUrl} from "../../utils/URLHelper.js";
 
 const log = getLogger("tools:create_integration_card:create_integration_card");
 const __dirname = path.dirname(fileURLToPath(import.meta.url));
@@ -41,6 +42,30 @@ export async function createIntegrationCard({
 		throw new InvalidInputError("The provided manifest version is not valid!");
 	}
 
+	if (destinations?.length) {
+		const allowedDomains = getAllowedOdataV4Domains();
+
+		for (const destination of destinations) {
+			if (!isValidUrl(destination.defaultUrl, allowedDomains)) {
+				let allowedDomainsNote = "";
+				if (allowedDomains.length) {
+					allowedDomainsNote =
+						`As per the MCP server configuration, only the following domains are currently allowed: ` +
+						`'${allowedDomains.join("', '")}'. See https://github.com/UI5/mcp-server#configuration ` +
+						`for information on how to configure the allow list.`;
+				}
+				throw new InvalidInputError(
+					`The provided destination 'defaultUrl' service URL is not valid.` +
+					`It must be either an absolute URL` +
+					`starting with http:// or https:// or pathname like '/api/v1/serviceName' in case ` +
+					`the service is exposed on the same server as the application. In this case, ` +
+					`the protocol and host 'http://localhost:4004' will be assumed and used by this tool for inquiries ` +
+					`about the service. ${allowedDomainsNote}`
+				);
+			}
+		}
+	}
+
 	try {
 		// create target directory
 		await mkdir(folderPath, {recursive: true});
diff --git a/src/utils/URLHelper.ts b/src/utils/URLHelper.ts
@@ -0,0 +1,104 @@
+import {getLogger} from "@ui5/logger";
+import {InvalidInputError} from "../utils.js";
+
+const log = getLogger("tools:create_ui5_app:create_ui5_app");
+
+/**
+ * Validates a URL against a set of specified rules, including protocol and domain allow lists.
+ *
+ * @param urlString The string to validate as a URL.
+ * @param domainAllowList An array of allowed domain names.
+ *                        - An empty array allows any domain.
+ *                        - e.g., ["localhost", "example.com", "sub.example.com"]
+ *                        - For wildcard subdomains, prefix the domain with a dot: ".example.com".
+ *                          This will match "www.example.com" but not "example.com".
+ * @param protocolAllowList An array of allowed protocols (without the trailing colon).
+ *                         - An empty array allows any protocol.
+ *                         - e.g., ["http", "https"]
+ * @returns `true` if the URL is valid according to the rules, otherwise `false`.
+ * @throws {InvalidInputError} if the URL's domain is not in the provided allow list.
+ */
+export function isValidUrl(
+	urlString: string,
+	domainAllowList: string[] = [],
+	protocolAllowList: string[] = ["http", "https"]
+): boolean {
+	let url: URL;
+
+	// 1. Validate URL structure using the WHATWG URL API.
+	try {
+		url = new URL(urlString);
+	} catch (_err) {
+		// If the URL constructor throws an error, the URL is malformed.
+		return false;
+	}
+
+	// 2. Validate the protocol.
+	if (protocolAllowList.length > 0) {
+		// The `protocol` property includes the colon (e.g., "https:").
+		// We remove it for a clean comparison.
+		const urlProtocol = url.protocol.slice(0, -1);
+		if (!protocolAllowList.includes(urlProtocol)) {
+			return false;
+		}
+	}
+
+	// 3. Validate the domain/hostname.
+	if (domainAllowList.length > 0) {
+		const hostname = url.hostname;
+
+		const isDomainAllowed = domainAllowList.some((allowedDomain) => {
+			// Wildcard domain check (e.g., ".example.com")
+			if (allowedDomain.startsWith(".")) {
+				// Must match the suffix and not be the root domain itself.
+				// e.g., "api.example.com" ends with ".example.com"
+				// e.g., "example.com" does NOT end with ".example.com"
+				return hostname.endsWith(allowedDomain);
+			}
+
+			// Exact domain match
+			return hostname === allowedDomain;
+		});
+
+		if (!isDomainAllowed) {
+			throw new InvalidInputError(
+				`Domain "${hostname}" is not allowed. Allowed domains are: ${domainAllowList.join(", ")}. See ` +
+				`https://github.com/UI5/mcp-server#configuration for information on how to configure the allow list.`);
+		}
+	}
+
+	// If all checks pass, the URL is valid.
+	return true;
+};
+
+export function getAllowedOdataV4Domains() {
+	if ("UI5_MCP_SERVER_ALLOWED_ODATA_DOMAINS" in process.env) {
+		const inputDomainList = process.env.UI5_MCP_SERVER_ALLOWED_ODATA_DOMAINS;
+		if (!inputDomainList?.trim()) {
+			// Empty list allows all domains
+			log.verbose("Empty value for UI5_MCP_SERVER_ALLOWED_ODATA_DOMAINS, allowing all domains");
+			return [];
+		}
+		// Use the environment variable if set
+		const domainList = inputDomainList.split(",").map((d) => d.trim());
+		// Validate domains to catch user errors
+		for (const domain of domainList) {
+			try {
+				// Note that the dot prefix (which we use for wildcards) is valid in a domain
+				new URL(`https://${domain}`);
+			} catch (err) {
+				throw new InvalidInputError(
+					`Invalid domain '${domain}' in UI5_MCP_SERVER_ALLOWED_ODATA_DOMAINS: ` +
+					(err instanceof Error ? err.message : String(err))
+				);
+			}
+		}
+		log.verbose(`${domainList.length} allowed OData V4 domains configured: ${domainList.join(", ")}`);
+		return domainList;
+	}
+	return [
+		// Default allowed domains for OData V4 services
+		"localhost",
+		"services.odata.org",
+	];
+}
diff --git a/test/expected/create_integration_card/destinations/card/manifest.json b/test/expected/create_integration_card/destinations/card/manifest.json
@@ -26,7 +26,7 @@
 				},
 				"myapi": {
 					"name": "myapi",
-					"defaultUrl": "https://api.example.com/v1/"
+					"defaultUrl": "http://localhost:8080/v1/"
 				}
 			},
 			"editor": "./dt/Configuration"
diff --git a/test/expected/create_integration_card/destinations/test/App.js b/test/expected/create_integration_card/destinations/test/App.js
@@ -9,7 +9,7 @@ sap.ui.define(["sap/ui/integration/Host"], async (Host) => {
 	const resetBtn = document.getElementById("resetBtn");
 	const destinations = {
 		"northwind": "https://services.odata.org/V4/Northwind/Northwind.svc/",
-		"myapi": "https://api.example.com/v1/"
+		"myapi": "http://localhost:8080/v1/"
 	};
 	const host = new Host({
 		resolveDestination: function(destinationName) {
diff --git a/test/lib/tools/create_integration_card/create_integration_card.integration.ts b/test/lib/tools/create_integration_card/create_integration_card.integration.ts
@@ -155,7 +155,7 @@ test.serial("Generate card template with multiple destinations", async (t) => {
 		},
 		{
 			name: "myapi",
-			defaultUrl: "https://api.example.com/v1/",
+			defaultUrl: "http://localhost:8080/v1/",
 		},
 	];
 
diff --git a/test/lib/tools/create_integration_card/create_integration_card.ts b/test/lib/tools/create_integration_card/create_integration_card.ts
@@ -3,6 +3,7 @@ import esmock from "esmock";
 import sinonGlobal from "sinon";
 import {InvalidInputError} from "../../../../src/utils.js";
 import path from "node:path";
+import {isValidUrl as realIsValidUrl, getAllowedOdataV4Domains} from "../../../../src/utils/URLHelper.js";
 
 // Define test context type
 const test = anyTest as TestFn<{
@@ -23,6 +24,7 @@ const test = anyTest as TestFn<{
 		isLevelEnabled: sinonGlobal.SinonStub;
 	};
 	globbyStub: sinonGlobal.SinonStub;
+	isValidUrlStub: sinonGlobal.SinonStub;
 	createIntegrationCard: typeof import(
 		"../../../../src/tools/create_integration_card/create_integration_card.js"
 	).createIntegrationCard;
@@ -66,6 +68,9 @@ test.beforeEach(async (t) => {
 	];
 	t.context.globbyStub = t.context.sinon.stub().resolves(t.context.staticFiles);
 
+	// Create a stub that wraps the real isValidUrl function
+	t.context.isValidUrlStub = t.context.sinon.stub().callsFake(realIsValidUrl);
+
 	const {createIntegrationCard} = await esmock(
 		"../../../../src/tools/create_integration_card/create_integration_card.js", {
 			"@ui5/logger": {
@@ -86,6 +91,10 @@ test.beforeEach(async (t) => {
 			"../../../../src/utils.js": {
 				dirExists: t.context.dirExistsStub,
 			},
+			"../../../../src/utils/URLHelper.js": {
+				isValidUrl: t.context.isValidUrlStub,
+				getAllowedOdataV4Domains,
+			},
 		}
 	);
 
@@ -224,3 +233,77 @@ test("Error processing template file", async (t) => {
 		instanceOf: Error,
 	});
 });
+
+test.serial("Destinations: Throws error when there is not allowed domain", async (t) => {
+	const {createIntegrationCard, mkdirStub} = t.context;
+	const folderPath = "/some/folder/path/card";
+	const destinations = [
+		{
+			name: "invalidDomain",
+			defaultUrl: "https://invalid-domain.com/api/v1/",
+		},
+	];
+	const currentAllowedDomains = process.env.UI5_MCP_SERVER_ALLOWED_ODATA_DOMAINS;
+	const allowedDomains = ["allowed-domain.com"];
+
+	process.env.UI5_MCP_SERVER_ALLOWED_ODATA_DOMAINS = "allowed-domain.com";
+
+	await t.throwsAsync(async () => {
+		await createIntegrationCard({
+			folderPath,
+			cardType: "List",
+			manifestVersion: "1.78.0",
+			destinations,
+		});
+	}, {
+		message: `Domain "invalid-domain.com" is not allowed. Allowed domains are: ${allowedDomains.join(", ")}. See ` +
+			`https://github.com/UI5/mcp-server#configuration for information on how to configure the allow list.`,
+		instanceOf: InvalidInputError,
+	});
+
+	t.true(mkdirStub.notCalled);
+
+	// Assert that isValidUrl from URLHelper was called once
+	t.true(t.context.isValidUrlStub.calledOnce, "isValidUrl should be called once");
+	t.deepEqual(
+		t.context.isValidUrlStub.firstCall.args,
+		[destinations[0].defaultUrl, allowedDomains],
+		"isValidUrl should be called with the destination URL and allowed domains"
+	);
+
+	// Restore original allowed domains after test
+	process.env.UI5_MCP_SERVER_ALLOWED_ODATA_DOMAINS = currentAllowedDomains;
+});
+
+test.serial("Destinations: Successfully generates card template with allowed destination domain", async (t) => {
+	const {createIntegrationCard} = t.context;
+	const folderPath = "/some/folder/path/card";
+	const destinations = [
+		{
+			name: "validDomain",
+			defaultUrl: "https://allowed-domain.com/api/v1/",
+		},
+	];
+	const currentAllowedDomains = process.env.UI5_MCP_SERVER_ALLOWED_ODATA_DOMAINS;
+	process.env.UI5_MCP_SERVER_ALLOWED_ODATA_DOMAINS = "allowed-domain.com";
+
+	await t.notThrowsAsync(async () => {
+		await createIntegrationCard({
+			folderPath,
+			cardType: "List",
+			manifestVersion: "1.78.0",
+			destinations,
+		});
+	});
+
+	// Assert that isValidUrl from URLHelper was called once	with the correct parameters
+	t.true(t.context.isValidUrlStub.calledOnce, "isValidUrl should be called once");
+	t.deepEqual(
+		t.context.isValidUrlStub.firstCall.args,
+		[destinations[0].defaultUrl, ["allowed-domain.com"]],
+		"isValidUrl should be called with the destination URL and allowed domains"
+	);
+
+	// Restore original allowed domains after test
+	process.env.UI5_MCP_SERVER_ALLOWED_ODATA_DOMAINS = currentAllowedDomains;
+});

Original file line number	Diff line number	Diff line change
`@@ -26,7 +26,7 @@`
`26`	`26`	`},`
`27`	`27`	`"myapi": {`
`28`	`28`	`"name": "myapi",`
`29`		`- "defaultUrl": "https://api.example.com/v1/"`
	`29`	`+ "defaultUrl": "http://localhost:8080/v1/"`
`30`	`30`	`}`
`31`	`31`	`},`
`32`	`32`	`"editor": "./dt/Configuration"`
Original file line number	Diff line number	Diff line change
`@@ -155,7 +155,7 @@ test.serial("Generate card template with multiple destinations", async (t) => {`
`155`	`155`	`},`
`156`	`156`	`{`
`157`	`157`	`name: "myapi",`
`158`		`- defaultUrl: "https://api.example.com/v1/",`
	`158`	`+ defaultUrl: "http://localhost:8080/v1/",`
`159`	`159`	`},`
`160`	`160`	`];`
`161`	`161`