Support `allowed-origins` flag to allow secure deployment of Toolbox.
Current Toolbox is **insecure by default**, which allows all origins
(`*`). This PR also updated docs to notify users of the new
`allowed-origins` flag in the Cloud Run, Kubernetes, and Docker
deployment docs.
This PR was tested manually by mocking a browser access:
1. Created an HTML file with a JavaScript fetch named
`malicious-client.html`:
```
<!DOCTYPE html>
<html>
<head>
    <title>Malicious CORS Test</title>
</head>
<body>
    <h1>Attempting to access API at http://127.0.0.1:5000/mcp</h1>
    <p>Check the <strong>Chrome Developer Console</strong> (F12 -> Console tab) for the result.</p>
    <script>
        // Cross-origin JSON POST; the non-simple Content-Type makes the browser send a CORS preflight first.
        fetch('http://127.0.0.1:5000/mcp', {
            method: 'POST',
            headers: {
                'Content-Type': 'application/json',
                // The browser automatically adds the 'Origin' header based on where this HTML is served from (http://localhost:8000)
            },
            body: JSON.stringify({
                "jsonrpc": "2.0",
                "id": 1,
                "method": "tools/list"
            })
        })
        .then(response => {
            console.log('Success (but check console for CORS enforcement details):', response);
            return response.json();
        })
        .then(data => console.log('Data received (only if CORS passes):', data))
        .catch(error => console.error('Fetch Error:', error));
    </script>
</body>
</html>
```
2. Run `python3 -m http.server 8000`
3. Open `http://localhost:8000/malicious-client.html` in browser.
4. Tried without `--allowed-origins` flag -- success.

   Tried with `--allowed-origins=http://localhost:8000` -- success.

   Tried with `--allowed-origins=http://foo.com` -- unsuccessful.
---------
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
Co-authored-by: Averi Kitsch <akitsch@google.com>
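
The server side of the manual test above, as an added example (not Toolbox's implementation): a Go origin allow-list middleware and a replay of the browser's preflight for `POST /mcp`, covering the three outcomes in step 4. The names `corsAllowList` and `preflightACAO` are hypothetical, and a list containing `*` stands in for running without the flag.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// corsAllowList (hypothetical, not Toolbox's code) sets Access-Control-Allow-Origin
// only for listed origins, or "*" when the list contains the wildcard.
func corsAllowList(allowed []string, next http.Handler) http.Handler {
	set := make(map[string]bool, len(allowed))
	for _, o := range allowed {
		set[o] = true
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		origin := r.Header.Get("Origin")
		if set["*"] {
			w.Header().Set("Access-Control-Allow-Origin", "*")
		} else if set[origin] {
			w.Header().Set("Access-Control-Allow-Origin", origin)
			w.Header().Add("Vary", "Origin") // response differs per origin
		}
		// A JSON POST is not a "simple" request, so the browser preflights it.
		if r.Method == http.MethodOptions && r.Header.Get("Access-Control-Request-Method") != "" {
			w.Header().Set("Access-Control-Allow-Methods", "POST, OPTIONS")
			w.Header().Set("Access-Control-Allow-Headers", "Content-Type")
			w.WriteHeader(http.StatusNoContent)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// preflightACAO replays the preflight and returns the Access-Control-Allow-Origin seen.
func preflightACAO(allowed []string, origin string) string {
	h := corsAllowList(allowed, http.NotFoundHandler())
	req := httptest.NewRequest(http.MethodOptions, "/mcp", nil)
	req.Header.Set("Origin", origin)
	req.Header.Set("Access-Control-Request-Method", "POST")
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Header().Get("Access-Control-Allow-Origin")
}

func main() {
	const page = "http://localhost:8000" // origin of the test page above
	for _, a := range [][]string{{"*"}, {page}, {"http://foo.com"}} {
		fmt.Printf("allowed=%v -> ACAO=%q\n", a, preflightACAO(a, page))
	}
}
```

An empty `Access-Control-Allow-Origin` on the preflight is what makes the browser reject the fetch in the third case; clients that are not browsers do not enforce CORS, so the allow-list controls which web pages can read responses rather than who can reach the endpoint.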
## Description
---
Add reference documentation
---------
Co-authored-by: Yuan Teoh <45984206+Yuan325@users.noreply.github.com>