fix/3811-pipe-validation-issue

[Nayana-R-Gowda]

Signed-off-by: NAYANA.R nayana.r7813@gmail.com

closes #3811

💡 Fix Description

Fixes false-positive validation that rejected tool descriptions containing the pipe (|) character.

Problem

The validation logic blocked "|" as an unsafe character, causing legitimate tool descriptions (e.g., LogQL queries like {app="foo"} |= "error") to fail.

This prevented critical tools such as query_loki_logs from being registered.

Solution

Removed "|" from the forbidden patterns list, while keeping "||" to block shell OR injection.

Changes

• Updated forbidden_patterns in ToolCreate.validate_description()
• Added comments explaining why "|" is allowed

Testing

• ✅ Tool creation with LogQL (|=) succeeds
• ❌ Unsafe patterns like && are still blocked
• Verified via API using curl

Impact

• Fixes Grafana Loki MCP backend registration
• Prevents false positives for LogQL, PromQL, regex, and Markdown tables

🧪 Verification

Check	Command	Status
Lint suite	make lint	Pass
Unit tests	make test	pass

📐 MCP Compliance (if relevant)

• Matches current MCP spec
• No breaking change to MCP clients

✅ Checklist

• Code formatted (make black isort pre-commit)
• No secrets/credentials committed

[crivetimihai]

Review Summary

Rebased onto main and substantially reworked this PR to align with the current codebase architecture.

Changes from the original PR

The original PR removed "|" from a hardcoded forbidden_patterns list in schemas.py. However, main has since moved ToolCreate.validate_description to use configurable patterns from settings.tool_description_forbidden_patterns. The original approach would have caused a merge conflict and wouldn't have addressed the ToolUpdate path.

What this PR now does (2 commits)

Commit 1 — fix(validation): remove single pipe from forbidden description patterns

• mcpgateway/config.py: Removes "|" from the default tool_description_forbidden_patterns list. "||" (shell OR) remains blocked.
• mcpgateway/schemas.py: Aligns ToolUpdate.validate_description with ToolCreate — replaces the hardcoded pattern list with the config-driven settings.tool_description_forbidden_patterns + settings.tool_description_forbidden_patterns_enabled. This was a pre-existing inconsistency: ToolCreate already used the config, ToolUpdate did not.
• Tests: Removes "|" from strict-mode rejection loops, adds test_single_pipe_allowed_in_strict_mode for both ToolCreate and ToolUpdate, adds test_disabled_allows_any_description and test_empty_pattern_skipped for ToolUpdate's new config-driven paths. 100% differential coverage verified.
• Docs/config: Updates all 5 references to the default pattern list (docker-compose.yml, charts/mcp-stack/values.yaml, charts/mcp-stack/README.md, docs/docs/best-practices/input-validation.md, docs/docs/manage/configuration.md).

Commit 2 — fix(env): align .env.example JWT secret with docker-compose default

• Fixes .env.example to use my-test-key-but-now-longer-than-32-bytes, matching docker-compose.yml and mcp_test_helpers.py (updated in chore: remove redundant linters, fix coverage output, update roadmap #3716 but .env.example was missed). See [BUG]: JWT secret default mismatch after #3716 — E2E tests, docker-compose variants, and scripts still use old key #3889 for remaining files.

Verification

• 168 unit tests pass (90 validator + 78 schema tests)
• 22/22 make test-mcp-cli E2E tests pass
• Full E2E testing against localhost:8080 docker-compose deployment:
  • Single-pipe descriptions accepted via curl (POST create, PUT update) and Playwright admin UI
  • ||, &&, ;, $(, > , < still correctly rejected (422)
  • Zero unexpected errors in docker logs

Closes #3811

[crivetimihai]

Reviewed, rebased, reworked, and verified. LGTM.

[lucarlig]

Thanks for tackling this. I found three issues:

• Default-secret detection is now inconsistent with the new published JWT secret. This PR changes examples/defaults to my-test-key-but-now-longer-than-32-bytes, but the runtime still only treats my-test-key as the insecure default, so users can follow the new docs and bypass the existing warning/guard paths. See .env.example:22, mcpgateway/config.py:1087, and mcpgateway/main.py:1955.

• The helper/doc defaults now disagree with the actual app default, which can break standalone local flows. The application still defaults JWT_SECRET_KEY to my-test-key, but updated helpers/docs mint tokens with the new long secret, so no-env make dev style setups can generate invalid tokens. See mcpgateway/config.py:285 and smoketest.py:236.

• The | fix may not cover the full request path. The schema validators now allow single pipe characters in tool descriptions, but the broader dangerous-pattern middleware still appears to reject | in JSON bodies, so LogQL-style descriptions may still fail when validation middleware is enabled. See mcpgateway/config.py:360, mcpgateway/config.py:368, and mcpgateway/middleware/validation_middleware.py:143.

[crivetimihai]

Follow-up: Review feedback addressed + JWT secret alignment

Feedback response

Point 1 (guards inconsistent with new default) — Fixed in 0c6f44e99.
config.py:1088, main.py:1955, and main.py:2040 now check in ("my-test-key", "my-test-key-but-now-longer-than-32-bytes") so both defaults trigger the secure_secrets: false flag and critical-issues warning.

Point 2 (helper/doc defaults disagree with app default) — By design.
config.py:286 intentionally defaults to the short key for standalone make dev. Docker-compose overrides to the long key. Helpers use os.getenv("JWT_SECRET_KEY", "long-key") which resolves correctly in both contexts. This two-tier default is the intended design from #3716.

Point 3 (validation middleware dangerous_patterns still blocks |) — Pre-existing, not this PR.
The dangerous_patterns regex [;&|...] is part of EXPERIMENTAL_VALIDATE_IO which defaults to False and is warn-only in dev/staging. It operates on all JSON body values broadly — a different layer from tool_description_forbidden_patterns. When opt-in in production, | in any JSON value is flagged — but that's the intended behavior of that experimental feature. The pipe fix correctly targets the tool-description-specific validation path.

Additional changes since last review

• fix(security): detect both JWT default secrets in guard paths — addresses feedback point 1
• fix(env): align all JWT secret defaults with docker-compose ([BUG]: JWT secret default mismatch after #3716 — E2E tests, docker-compose variants, and scripts still use old key #3889) — updates 70 files (docker-compose variants, E2E/load tests, scripts, Helm charts, docs) and adds the long key to validate_env.py weak secrets list
• chore: restore .secrets.baseline from main — file was dropped during rebase
• chore: apply linter and formatter fixes

Verification

• 14,968 unit tests pass, 0 failed
• 22/22 make test-mcp-cli E2E tests pass
• 8/8 previously-failing Playwright tests now pass (1 skipped, timeouts were flaky)
• Pipe validation E2E confirmed (pipe → 200, || → 422)
• Docker logs clean

[dima-zakharov]

The default key optimization is possible (extract key from .env) but should work as is as well.

[brian-hussey]

LGTM

[brian-hussey]

Merged with admin override for this issue.
Approvals were obtained, risk for linting issues is low, there is an external issue with some of checks execution.