feat: add validation for package manifests and enhance SSRF protection in OpenAPI adapter#496
Conversation
…n in OpenAPI adapter
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (2)
📝 WalkthroughWalkthroughAdds a ChangesWorker Export Condition Support
OpenAPI SSRF Hardening (mcp-from-openapi 2.5.0)
Sequence Diagram(s)sequenceDiagram
participant Caller
participant OpenAPIAdapter
participant resolveRefResolution
participant mcpFromOpenAPI as mcp-from-openapi 2.5.0
Caller->>OpenAPIAdapter: initialize(options)
OpenAPIAdapter->>resolveRefResolution: options.loadOptions.refResolution
resolveRefResolution-->>OpenAPIAdapter: refResolution (default: { allowedProtocols: [] })
OpenAPIAdapter->>mcpFromOpenAPI: fetch spec URL (followRedirects: false, refResolution)
mcpFromOpenAPI-->>OpenAPIAdapter: spec (external $refs blocked, redirects blocked, internal IPs blocked)
OpenAPIAdapter-->>Caller: OpenAPIToolGenerator initialized
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~25 minutes Possibly related PRs
Suggested reviewers
Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Warning There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure. 🔧 ESLint
ESLint install failed. For unrecoverable errors, disable the tool in CodeRabbit configuration. Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@docs/frontmcp/adapters/openapi-adapter.mdx`:
- Around line 879-927: Update the Load Options section in
libs/adapters/src/openapi/README.md (around lines 74-95) to align the
`followRedirects` default value with the security documentation in the main
file. Change the documented default from `true` to `false` to reflect that
spec-URL redirects are not followed by default as a secure default, ensuring
consistency across all documentation surfaces and preventing contradictory
security guidance.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Run ID: ed5d2192-f3cf-4624-ad57-613bf3039954
⛔ Files ignored due to path filters (1)
yarn.lockis excluded by!**/yarn.lock,!**/*.lock
📒 Files selected for processing (14)
.github/workflows/push.ymldocs/frontmcp/adapters/openapi-adapter.mdxlibs/adapters/package.jsonlibs/adapters/src/openapi/openapi.adapter.tslibs/adapters/src/openapi/openapi.types.tslibs/protocol/package.jsonlibs/sdk/package.jsonlibs/skills/catalog/frontmcp-development/SKILL.mdlibs/skills/catalog/frontmcp-development/examples/openapi-adapter/ref-security-and-filtering.mdlibs/skills/catalog/frontmcp-development/references/openapi-adapter.mdlibs/skills/catalog/skills-manifest.jsonlibs/utils/package.jsonpackage.jsonscripts/worker-export-conditions.test.mjs
Performance Test ResultsStatus: ✅ All tests passed Summary
Total: 101 tests across 21 projects 📊 View full report in workflow run Generated at: 2026-06-21T22:50:46.980Z |
…fy SSRF guard behavior
Cherry-pick CreatedA cherry-pick PR to Please review and merge if this change should also be in If the cherry-pick is not needed, close the PR. |
Summary by CodeRabbit
New Features
workerexport-condition support to internal package entrypoints for better compatibility in worker-style bundling.Security
$ref/spec loading defaults (external refs disabled, redirects not followed, internal/private targets blocked).Documentation
refResolution/redirect configuration details.Chores
mcp-from-openapito 2.5.0.