From 6d46fcf3785ea460f9c76a380eda69779a0c2882 Mon Sep 17 00:00:00 2001
From: LuoPengcheng <2653972504@qq.com>
Date: Mon, 8 Dec 2025 19:14:22 +0800
Subject: [PATCH 1/8] fix Reflected server-side cross-site scripting
---
server/app/controller/mcp/proxy_controller.py | 44 +++++++++++++++++--
.../app/controller/oauth/oauth_controller.py | 4 +-
server/app/controller/redirect_controller.py | 3 +-
3 files changed, 46 insertions(+), 5 deletions(-)
diff --git a/server/app/controller/mcp/proxy_controller.py b/server/app/controller/mcp/proxy_controller.py
index 0ec1a0cfd..8dc978692 100644
--- a/server/app/controller/mcp/proxy_controller.py
+++ b/server/app/controller/mcp/proxy_controller.py
@@ -20,6 +20,15 @@
def exa_search(search: ExaSearch, key: Key = Depends(key_must)):
"""Search using Exa API."""
EXA_API_KEY = env_not_empty("EXA_API_KEY")
+ secrets_to_redact = (EXA_API_KEY,)
+
+ def _redact_secret(text: str) -> str:
+ redacted = text
+ for secret in secrets_to_redact:
+ if secret:
+ redacted = redacted.replace(secret, "[REDACTED]")
+ return redacted
+
try:
# Validate input parameters
if search.num_results is not None and not 0 < search.num_results <= 100:
@@ -81,7 +90,11 @@ def exa_search(search: ExaSearch, key: Key = Depends(key_must)):
logger.warning("Exa search validation error", extra={"error": str(e)})
raise HTTPException(status_code=500, detail="Internal server error")
except Exception as e:
- logger.error("Exa search failed", extra={"query": search.query, "error": str(e)}, exc_info=True)
+ logger.error(
+ "Exa search failed",
+ extra={"query": search.query, "error_type": type(e).__name__, "error": _redact_secret(str(e))},
+ exc_info=False,
+ )
raise HTTPException(status_code=500, detail="Internal server error")
@@ -93,6 +106,14 @@ def google_search(query: str, search_type: str = "web", key: Key = Depends(key_m
GOOGLE_API_KEY = env_not_empty("GOOGLE_API_KEY")
# https://cse.google.com/cse/all
SEARCH_ENGINE_ID = env_not_empty("SEARCH_ENGINE_ID")
+ secrets_to_redact = (GOOGLE_API_KEY, SEARCH_ENGINE_ID)
+
+ def _redact_secret(text: str) -> str:
+ redacted = text
+ for secret in secrets_to_redact:
+ if secret:
+ redacted = redacted.replace(secret, "[REDACTED]")
+ return redacted
# Using the first page
start_page_idx = 1
@@ -186,11 +207,28 @@ def google_search(query: str, search_type: str = "web", key: Key = Depends(key_m
logger.info("Google search completed", extra={"query": query, "search_type": search_type, "result_count": len(responses)})
else:
error_info = data.get("error", {})
- logger.error("Google search API error", extra={"query": query, "api_error": error_info})
+ sanitized_error = {
+ "code": error_info.get("code"),
+ "reason": (error_info.get("errors") or [{}])[0].get("reason"),
+ "message": _redact_secret(error_info.get("message", "")),
+ }
+ logger.error(
+ "Google search API error",
+ extra={"query": query, "search_type": search_type, "api_error": sanitized_error},
+ )
raise HTTPException(status_code=500, detail="Internal server error")
except Exception as e:
- logger.error("Google search failed", extra={"query": query, "search_type": search_type, "error": str(e)}, exc_info=True)
+ logger.error(
+ "Google search failed",
+ extra={
+ "query": query,
+ "search_type": search_type,
+ "error_type": type(e).__name__,
+ "error": _redact_secret(str(e)),
+ },
+ exc_info=False,
+ )
raise HTTPException(status_code=500, detail="Internal server error")
return responses
\ No newline at end of file
diff --git a/server/app/controller/oauth/oauth_controller.py b/server/app/controller/oauth/oauth_controller.py
index c43e50973..2bf891d2e 100644
--- a/server/app/controller/oauth/oauth_controller.py
+++ b/server/app/controller/oauth/oauth_controller.py
@@ -1,3 +1,4 @@
+import json
from fastapi import APIRouter, Request, HTTPException
from fastapi.responses import RedirectResponse, JSONResponse, HTMLResponse
from app.component.environment import env
@@ -46,6 +47,7 @@ def oauth_callback(app: str, request: Request, code: Optional[str] = None, state
logger.info("OAuth callback received", extra={"provider": app, "has_state": state is not None})
redirect_url = f"eigent://callback/oauth?provider={app}&code={code}&state={state}"
+ safe_redirect_url = json.dumps(redirect_url)
html_content = f"""
@@ -53,7 +55,7 @@ def oauth_callback(app: str, request: Request, code: Optional[str] = None, state
Redirecting, please wait...
diff --git a/server/app/controller/redirect_controller.py b/server/app/controller/redirect_controller.py
index 3695a8fb4..568b428c3 100644
--- a/server/app/controller/redirect_controller.py
+++ b/server/app/controller/redirect_controller.py
@@ -11,6 +11,7 @@
def redirect_callback(code: str, request: Request):
cookies = request.cookies
cookies_json = json.dumps(cookies)
+ safe_code = json.dumps(code)
html_content = f"""
@@ -59,7 +60,7 @@ def redirect_callback(code: str, request: Request):
- Redirecting, please wait...
-
-
-
- """
- return HTMLResponse(content=html_content)
+ redirect_url = f"eigent://callback/oauth?{query}"
+ return RedirectResponse(redirect_url)
@router.post("/{app}/token", name="OAuth Fetch Token")
diff --git a/server/app/controller/redirect_controller.py b/server/app/controller/redirect_controller.py
index 568b428c3..54121c382 100644
--- a/server/app/controller/redirect_controller.py
+++ b/server/app/controller/redirect_controller.py
@@ -1,7 +1,6 @@
-import json
-from fastapi import APIRouter, Depends, Request
-from fastapi_babel import _
-from fastapi.responses import HTMLResponse
+from urllib.parse import urlencode, quote
+from fastapi import APIRouter, Request
+from fastapi.responses import RedirectResponse
router = APIRouter(tags=["Redirect"])
@@ -9,65 +8,8 @@
@router.get("/redirect/callback")
def redirect_callback(code: str, request: Request):
- cookies = request.cookies
- cookies_json = json.dumps(cookies)
- safe_code = json.dumps(code)
- html_content = f"""
-
-
-
-
-
- Authorization successful
-
-
-
-
-
Authorization Successful
-
Redirecting to application...
-
Please wait...
-