github/sim
1
1
Fork 0
mirror of https://github.com/simstudioai/sim.git synced 2026-04-06 03:00:16 -04:00
Code Issues Packages Projects Releases Wiki Activity

fix(mcp): validate json headers, add domain check, fix empty api key header

Browse Source
This commit is contained in:
Waleed Latif
2026-02-27 13:35:46 -08:00
parent e41fbcc266
commit 9b72b5c83b
2 changed files with 36 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

37
apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/mcp/mcp.tsx
View File

@@ -681,7 +681,14 @@ export function MCP({ initialServerId }: MCPProps) {
return {
name,
url: config.url,
headers: (config.headers as Record<string, string>) || {},
headers:
typeof config.headers === 'object' && config.headers !== null
? Object.fromEntries(
Object.entries(config.headers).filter(
(entry): entry is [string, string] => typeof entry[1] === 'string'
)
)
: {},
}
}
@@ -690,7 +697,14 @@ export function MCP({ initialServerId }: MCPProps) {
return {
name: '',
url: parsed.url,
headers: (parsed.headers as Record<string, string>) || {},
headers:
typeof parsed.headers === 'object' && parsed.headers !== null
? Object.fromEntries(
Object.entries(parsed.headers).filter(
(entry): entry is [string, string] => typeof entry[1] === 'string'
)
)
: {},
}
}
@@ -718,6 +732,11 @@ export function MCP({ initialServerId }: MCPProps) {
return
}
if (!isDomainAllowed(config.url, allowedMcpDomains)) {
setJsonError('Domain not permitted by server policy')
return
}
setIsAddingServer(true)
try {
const serverConfig = {
@@ -758,7 +777,15 @@ export function MCP({ initialServerId }: MCPProps) {
} finally {
setIsAddingServer(false)
}
}, [jsonInput, parseJsonConfig, testConnection, createServerMutation, workspaceId, resetForm])
}, [
jsonInput,
parseJsonConfig,
testConnection,
createServerMutation,
workspaceId,
resetForm,
allowedMcpDomains,
])
/**
* Opens the delete confirmation dialog for an MCP server.
@@ -1620,6 +1647,10 @@ export function MCP({ initialServerId }: MCPProps) {
)
return
}
if (!isDomainAllowed(config.url, allowedMcpDomains)) {
setJsonError('Domain not permitted by server policy')
return
}
testConnection({
name: config.name,
transport: 'streamable-http',

4
apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/workflow-mcp-servers/workflow-mcp-servers.tsx
View File

@@ -480,7 +480,7 @@ function ServerDetailView({ workspaceId, serverId, onBack }: ServerDetailViewPro
try {
const headers: Record<string, string> = server.isPublic
? {}
: { 'X-API-Key': '' }
: { 'X-API-Key': '{{SIM_API_KEY}}' }
await addToWorkspaceMutation.mutateAsync({
workspaceId,
config: {
@@ -515,7 +515,7 @@ function ServerDetailView({ workspaceId, serverId, onBack }: ServerDetailViewPro
</Button>
{!server.isPublic && (
<p className='text-[11px] text-[var(--text-muted)]'>
After adding, set your API key in Settings &gt; MCP Tools, or{' '}
Set the SIM_API_KEY environment variable, or{' '}
<button
type='button'
onClick={() => setShowCreateApiKeyModal(true)}