fix(mcp,tools): correct fetchFn fallback order and Drive size-check hardening #5423
Spread order previously let an explicit fetchFn (including fetchFn: undefined) in options silently disable the SSRF-guarded default. Fallback is now applied after the spread so the guard always wins unless a real override is passed.

fix(tools): handle non-numeric Drive file size in early size check

Guard the pre-download size check against a malformed metadata.size string so it's skipped explicitly instead of relying on an incidental NaN no-op; the streaming cap on the actual download still enforces the limit either way.
PR Summary
Medium Risk
Overview
For Google Drive downloads, the pre-download metadata size check now runs only when
Reviewed by Cursor Bugbot for commit 7d40bc9.
Summary
- mcpAuthGuarded: fix spread order so the SSRF-guarded fetch is only overridden by a genuine caller-supplied fetchFn, not silently disabled when options merely contains the key (e.g. fetchFn: undefined)
- metadata.size string so it's skipped explicitly rather than relying on an incidental NaN no-op; the streaming cap on the actual download still enforces the limit either way

Type of Change
Testing
- mcpAuthGuarded falls back to the guarded fetch when fetchFn: undefined is passed explicitly (in addition to existing default/override coverage)
- metadata.size doesn't crash and the download proceeds to the (separately tested) streaming cap
- bun vitest run on both touched test files, tsc --noEmit, biome check, and bun run check:api-validation all pass

Checklist
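The two fixes described in this PR, as an added TypeScript sketch that is not the project's code. ClientOptions, guardedFetch, resolveBefore, resolveAfter and earlySizeCheck are hypothetical names, and the fetch functions are stand-ins that make no network calls.

```typescript
// Added illustration; every name below is hypothetical, not the project's API.
type FetchFn = (url: string) => string;

interface ClientOptions {
  timeoutMs?: number | undefined;
  fetchFn?: FetchFn | undefined;
}

// Stand-in for the SSRF-guarded fetch. Only its identity matters here.
const guardedFetch: FetchFn = (url) => `guarded:${url}`;

// Before: default first, spread second. Object spread copies every own key,
// including one whose value is undefined, so `{ fetchFn: undefined }`
// overwrites the guarded default.
function resolveBefore(options: ClientOptions = {}) {
  return { fetchFn: guardedFetch, ...options };
}

// After: spread first, fallback second. `??` keeps the guard unless the
// caller supplied a real function.
function resolveAfter(options: ClientOptions = {}) {
  return { ...options, fetchFn: options.fetchFn ?? guardedFetch };
}

type SizeVerdict = "ok" | "too-large" | "skipped";

// Early size check on a metadata size string. A missing, blank or non-numeric
// value is skipped explicitly; a bare `Number(size) > maxBytes` also lets it
// through, but only because every comparison with NaN is false.
// Assumption: a separate streaming cap enforces the limit on the download.
function earlySizeCheck(size: string | undefined, maxBytes: number): SizeVerdict {
  if (size === undefined || size.trim() === "") return "skipped";
  const bytes = Number(size);
  if (!Number.isFinite(bytes) || bytes < 0) return "skipped";
  return bytes > maxBytes ? "too-large" : "ok";
}
```
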