10 Commits

Author SHA1 Message Date
Pet3cy
306ffe21b9 Merge pull request #11 from Pet3cy/relax-header-validation-16962389466518057682
🧹 Relax overly restrictive HTTP header name validation
2026-02-24 18:45:30 +01:00
google-labs-jules[bot]
326b9a12f4 chore: relax HTTP header name validation to match RFC 7230
Updated the regex in `src/helpers.ts` to allow all valid characters in an HTTP token (RFC 7230, section 3.2.6), including symbols like `_`, `.`, `!`, and `*`. Previously, the validation was overly restrictive, only allowing alphanumeric characters and hyphens.

Also updated the corresponding unit test in `__tests__/helpers.test.ts` to reflect the change.
2026-02-24 17:44:57 +00:00
google-labs-jules[bot]
c6c19e0fb7 🔒 [security fix] Fix sensitive data exposure in logs
- Change core.info to core.debug for model responses in src/inference.ts
- Change core.info to core.debug for tool execution details in src/mcp.ts
- Change core.info to core.debug for custom header logging in src/helpers.ts
- Remove sensitive response previews from error messages in src/inference.ts
- Update tests to reflect changes from core.info to core.debug
2026-02-24 17:42:20 +00:00
Yonatan Golick
15ae50ae2f Add CRLF injection protection for header values
Implement security validation to prevent HTTP header injection attacks:
- Reject header values containing \r or \n characters
- Add comprehensive test coverage for CRLF protection
- Replace multiline YAML test with proper rejection test

Security improvements:
- Validates header values to prevent header injection
- Clear warning messages when values are rejected
- Four new test cases covering LF, CR, CRLF, and multiline scenarios

This addresses a critical security concern where malicious headers
could be injected via newline characters in header values.

All 84 tests passing.
2026-01-18 12:19:43 +02:00
Yonatan Golick
ce720b3d0c Fix header validation per RFC 7230 and add null check
Address Copilot AI feedback:
- Remove underscore support from header names (RFC 7230 compliance)
- Add explicit null check for JSON parsing
- Update validation regex to /^[A-Za-z0-9-]+$/
- Add test case for null value handling
- Update documentation to clarify header name requirements

Changes:
- Header names now only accept alphanumeric characters and hyphens
- Improved error messages for invalid headers
- Added test for null JSON input
- Updated APIM example tests

All 81 tests passing.
2026-01-18 11:35:18 +02:00
Yonatan Golick
6d144ac474 Add custom headers support for API Management integration
This change adds support for custom HTTP headers in AI inference requests,
enabling integration with API Management platforms (Azure APIM, AWS API
Gateway, Kong, etc.) and custom request routing/tracking.

Features:
- New 'custom-headers' input supporting both YAML and JSON formats
- Auto-detection of input format for better UX
- Header name validation (alphanumeric, hyphens, underscores)
- Automatic masking of sensitive headers in logs
- Full backward compatibility (optional parameter)

Changes:
- Added parseCustomHeaders() function in helpers.ts
- Updated InferenceRequest interface with optional customHeaders field
- Modified simpleInference() and mcpInference() to pass headers to OpenAI client
- Added 18 comprehensive test cases
- Updated documentation with examples and use cases

All 80 tests passing. Zero breaking changes.
2026-01-18 11:24:13 +02:00
Marais Rossouw
7e2aa19f3b chore: use github's shared prettier-config 2025-07-24 19:11:15 +10:00
Marais Rossouw
4ba8e6bc1e feat: moves project to using vitest 2025-07-24 18:08:26 +10:00
Sean Goedecke
4fd6464105 Add read-only MCP support 2025-07-16 02:19:49 +00:00
Sean Goedecke
86c0691fbf Add tests 2025-07-16 00:12:41 +00:00