Redact secrets from substitution warning; fix manifest version precedence#274
Open
aosmcleod wants to merge 1 commit into
Open
Redact secrets from substitution warning; fix manifest version precedence#274aosmcleod wants to merge 1 commit into
aosmcleod wants to merge 1 commit into
Conversation
…ence Two minor correctness fixes from modelcontextprotocol#267: - replaceVariables logged the raw replacement value (and array) via console.warn when an array was used in string context. user_config values can be sensitive (API keys, passwords), so log the key name only — never the value. - getManifestVersionFromRawData fell back to the deprecated dxt_version when manifest_version was present but unsupported, silently ignoring the authoritative field. Treat a present-but-unsupported manifest_version as a resolution failure (null); only consult dxt_version when manifest_version is absent. Adds tests for both. Addresses modelcontextprotocol#267 (items 2 and 3).
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Two minor correctness fixes from #267.
1. Secret leakage in
replaceVariableswarning (#267 item 2)When an array value was used in a string-substitution context,
config.tslogged the raw value/array viaconsole.warn(msg, { key, replacement }).user_configoptions can besensitive: true(API keys, passwords), so the value must never be logged. Now logs the key name only.2. manifest_version vs dxt_version precedence (#267 item 3)
getManifestVersionFromRawDatafell through to the deprecateddxt_versionwhenmanifest_versionwas present but unsupported (e.g."99.0"), silently ignoring the authoritative field. Now a present-but-unsupportedmanifest_versionresolves tonull;dxt_versionis consulted only whenmanifest_versionis absent. Supported-version and absent-field behaviour is unchanged.Tests
config.test.ts: the array-in-string warning references the key but not the sensitive values (serializes object args so a value logged inside an object is caught).manifestVersionResolve.test.ts(new): supported version resolves; dxt_version fallback works when manifest_version absent; present-but-unsupported manifest_version returns null; non-object input returns null.Both new assertions fail against the old code and pass with the fix.
yarn lint+yarn test(these suites) green.Addresses #267.