fix(api): apply query and header mappings on tool invocation (#1405) (#3369)

* fix(api): apply query and header mappings on tool invocation (#1405)

When a tool has query_mapping or header_mapping configured, apply those
mappings during REST tool invocation so that argument fields are correctly
translated into query parameters and HTTP headers.

Closes #1405

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

* fix(test): add unit tests for apply_mapping_into_target and fix regressions

- Add 9 unit tests for the apply_mapping_into_target utility covering
  key renaming, target merging, overwrite semantics, None/empty mapping
  handling, unmapped key exclusion, and input immutability
- Fix 2 TestRustMcpExecutionPlan tests broken by missing query_mapping
  and header_mapping attributes on mock tool SimpleNamespace objects
- Add assertions verifying query_mapping and header_mapping are included
  in _build_tool_cache_payload output
- Remove spurious query_mapping/header_mapping from gateway mock (gateways
  do not have these fields)
- Apply Black formatting to apply_mapping_into_target

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

* fix(api): harden query/header mapping with security validation, type guards, and tests

Tighten Dict[str, Any] to Dict[str, str] for query_mapping and header_mapping
in schemas, DB model, and Pydantic validation. Add schema-level size constraints
(max 50 entries, 128 char keys/values) on ToolCreate and ToolUpdate.

At invocation time, validate header mapping targets against sensitive header
patterns (Authorization, Proxy-Authorization, X-API-Key, etc.) and RFC 7230
header name syntax to prevent auth header overwrite and CRLF injection. Add
isinstance guards with dict-content validation matching the tool_oauth_config
pattern, and wrap mapping call sites in try/except for clear error messages
when mappings are corrupt.

Includes debug-level logging for unmapped keys, improved docstrings and inline
comments, mock_tool fixture defaults, and test coverage for GET method,
empty-dict mappings, URL-template param availability in headers, sensitive
header rejection, CRLF injection rejection, and content validation.

Closes #1405

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Jonathan Springer <jps@s390x.com>

---------

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
Signed-off-by: Jonathan Springer <jps@s390x.com>
Co-authored-by: Mihai Criveti <crivetimihai@gmail.com>
Co-authored-by: Jonathan Springer <jps@s390x.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: 4 people

.secrets.baseline

@@ -3,7 +3,7 @@
     "files": "^.secrets.baseline|package-lock.json|Cargo.lock|scripts/sign_image.sh|scripts/zap|sonar-project.properties|uv.lock|^.secrets.baseline$",
     "lines": null
   },
-  "generated_at": "2026-04-12T14:33:23Z",
+  "generated_at": "2026-04-13T06:27:05Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"
@@ -384,39 +384,39 @@
         "hashed_secret": "d3ac7a4ef1a838b4134f2f6e7f3c0d249d74b674",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 6141,
+        "line_number": 6145,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "5932862bcd24dd27d0dc0407ec94fe9d6ea24aeb",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 6638,
+        "line_number": 6642,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "c77c805e32f173e4321ee9187de9c29cb3804513",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 6650,
+        "line_number": 6654,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "8fe3df8a68ddd0d4ab2214186cbb8e38ccd0e06a",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 6722,
+        "line_number": 6726,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "93ac8946882128457cd9e283b30ca851945e6690",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 7793,
+        "line_number": 7797,
         "type": "Secret Keyword",
         "verified_result": null
       }
@@ -5962,47 +5962,47 @@
         "hashed_secret": "c377074d6473f35a91001981355da793dc808ffd",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 4111,
+        "line_number": 4197,
         "type": "Hex High Entropy String",
         "verified_result": null
       },
       {
         "hashed_secret": "6367c48dd193d56ea7b0baad25b19455e529f5ee",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 5224,
+        "line_number": 5310,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "f2b14f68eb995facb3a1c35287b778d5bd785511",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 5388,
+        "line_number": 5474,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "f42a3fabe1e9bed059d727f47eb752e3aa61b977",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 5445,
+        "line_number": 5531,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "b85788b459aa4d67e1070930dae6d0827756aadb",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 5483,
+        "line_number": 5569,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "52dcc83ec1e54426ad58a64854d1eb8d5f5d9685",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 5484,
+        "line_number": 5570,
         "type": "Secret Keyword",
         "verified_result": null
       }
@@ -9682,87 +9682,87 @@
         "hashed_secret": "d63b39580934e062f89aae63426d2f2c77c3e258",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 504,
+        "line_number": 509,
         "type": "Base64 High Entropy String",
         "verified_result": null
       },
       {
         "hashed_secret": "586a55a9b8b97f0cd88e24ce8279ebc955949688",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 505,
+        "line_number": 510,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "00cafd126182e8a9e7c01bb2f0dfd00496be724f",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 521,
+        "line_number": 526,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "7b1552c7c7ffb8bd70b5666e5997c8e017630aab",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 1936,
+        "line_number": 1941,
         "type": "Base64 High Entropy String",
         "verified_result": null
       },
       {
         "hashed_secret": "9fb7fe1217aed442b04c0f5e43b5d5a7d3287097",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 2872,
+        "line_number": 2877,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "72cb70dbbafe97e5ea13ad88acd65d08389439b0",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 3500,
+        "line_number": 3505,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "ee977806d7286510da8b9a7492ba58e2484c0ecc",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 5793,
+        "line_number": 6259,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "f2e7745f43b0ef0e2c2faf61d6c6a28be2965750",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 6285,
+        "line_number": 6751,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "4a249743d4d2241bd2ae085b4fe654d089488295",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 7632,
+        "line_number": 8098,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "0c8d051d3c7eada5d31b53d9936fce6bcc232ae2",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 7770,
+        "line_number": 8240,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "f2b14f68eb995facb3a1c35287b778d5bd785511",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 8146,
+        "line_number": 8616,
         "type": "Secret Keyword",
         "verified_result": null
       }

mcpgateway/db.py

@@ -3231,8 +3231,8 @@ class Tool(Base):
     # Passthrough REST fields
     base_url: Mapped[Optional[str]] = mapped_column(String, nullable=True)
     path_template: Mapped[Optional[str]] = mapped_column(String, nullable=True)
-    query_mapping: Mapped[Optional[Dict[str, Any]]] = mapped_column(JSON, nullable=True)
-    header_mapping: Mapped[Optional[Dict[str, Any]]] = mapped_column(JSON, nullable=True)
+    query_mapping: Mapped[Optional[Dict[str, str]]] = mapped_column(JSON, nullable=True)
+    header_mapping: Mapped[Optional[Dict[str, str]]] = mapped_column(JSON, nullable=True)
     timeout_ms: Mapped[Optional[int]] = mapped_column(Integer, nullable=True, default=None)
     expose_passthrough: Mapped[bool] = mapped_column(Boolean, default=True)
     allowlist: Mapped[Optional[List[str]]] = mapped_column(JSON, nullable=True)

mcpgateway/schemas.py

@@ -58,6 +58,68 @@
 
 _VALID_VISIBILITY = {"private", "team", "public"}
 
+_MAX_MAPPING_ENTRIES = 50
+_MAX_MAPPING_KEY_LENGTH = 128
+
+_VALID_HTTP_HEADER_NAME = re.compile(r"^[!#$%&'*+\-.0-9A-Z^_`a-z|~]+$")
+_BLOCKED_HEADER_MAPPING_TARGETS = frozenset(
+    name.lower()
+    for name in (
+        "authorization",
+        "proxy-authorization",
+        "cookie",
+        "set-cookie",
+        "host",
+        "transfer-encoding",
+        "content-length",
+        "connection",
+        "upgrade",
+    )
+)
+_SENSITIVE_HEADER_MAPPING_PATTERNS = (
+    re.compile(r"^x-api-key$", re.IGNORECASE),
+    re.compile(r"^api-key$", re.IGNORECASE),
+    re.compile(r"^apikey$", re.IGNORECASE),
+    re.compile(r"^x-(?:auth|api|access|refresh|client|bearer|session|security)[-_]?(?:token|secret|key)$", re.IGNORECASE),
+    re.compile(r"^(?:auth|api|access|refresh|client|bearer|session|security)[-_]?(?:token|secret|key)$", re.IGNORECASE),
+)
+
+
+def _validate_mapping_size(v: dict | None) -> dict | None:
+    """Validate that a mapping dict does not exceed size limits.
+
+    Shared by ToolCreate and ToolUpdate field validators.
+    """
+    if v is None:
+        return v
+    if len(v) > _MAX_MAPPING_ENTRIES:
+        raise ValueError(f"Mapping must not contain more than {_MAX_MAPPING_ENTRIES} entries")
+    for k, val in v.items():
+        if len(k) > _MAX_MAPPING_KEY_LENGTH:
+            raise ValueError(f"Mapping key exceeds {_MAX_MAPPING_KEY_LENGTH} characters: '{k[:32]}...'")
+        if len(val) > _MAX_MAPPING_KEY_LENGTH:
+            raise ValueError(f"Mapping value exceeds {_MAX_MAPPING_KEY_LENGTH} characters: '{val[:32]}...'")
+    return v
+
+
+def _validate_header_mapping_targets(v: dict | None) -> dict | None:
+    """Validate that header_mapping target names are safe and well-formed.
+
+    Rejects sensitive headers (Authorization, Cookie, Host, etc.) and
+    names that violate RFC 7230 token syntax. Applied at registration time;
+    tool_service applies the same checks at invocation as defense-in-depth.
+    """
+    if v is None:
+        return v
+    for target in v.values():
+        if target.strip().lower() in _BLOCKED_HEADER_MAPPING_TARGETS:
+            raise ValueError(f"header_mapping targets blocked header {repr(target[:64])}")
+        if any(p.match(target) for p in _SENSITIVE_HEADER_MAPPING_PATTERNS):
+            raise ValueError(f"header_mapping targets sensitive header {repr(target[:64])}")
+        if not _VALID_HTTP_HEADER_NAME.match(target):
+            raise ValueError(f"header_mapping contains invalid header name {repr(target[:64])}")
+    return v
+
 
 def _coerce_visibility(v: Optional[str]) -> Optional[str]:
     """Normalize legacy visibility values in Read/response schemas.
@@ -415,8 +477,8 @@ class ToolCreate(BaseModel):
     # Passthrough REST fields
     base_url: Optional[str] = Field(None, description="Base URL for REST passthrough")
     path_template: Optional[str] = Field(None, description="Path template for REST passthrough")
-    query_mapping: Optional[Dict[str, Any]] = Field(None, description="Query mapping for REST passthrough")
-    header_mapping: Optional[Dict[str, Any]] = Field(None, description="Header mapping for REST passthrough")
+    query_mapping: Optional[Dict[str, str]] = Field(None, description="Query mapping for REST passthrough")
+    header_mapping: Optional[Dict[str, str]] = Field(None, description="Header mapping for REST passthrough")
     timeout_ms: Optional[int] = Field(default=None, description="Timeout in milliseconds for REST passthrough (20000 if integration_type='REST', else None)")
     expose_passthrough: Optional[bool] = Field(True, description="Expose passthrough endpoint for this tool")
     allowlist: Optional[List[str]] = Field(None, description="Allowed upstream hosts/schemes for passthrough")
@@ -944,6 +1006,18 @@ def validate_plugin_chain(cls, v):
                     raise ValueError(f"Unknown plugin: {plugin}")
         return v
 
+    @field_validator("query_mapping", "header_mapping")
+    @classmethod
+    def validate_mapping_size(cls, v: dict | None) -> dict | None:
+        """Validate that mapping dicts do not exceed size limits."""
+        return _validate_mapping_size(v)
+
+    @field_validator("header_mapping")
+    @classmethod
+    def validate_header_mapping_targets(cls, v: dict | None) -> dict | None:
+        """Reject header_mapping targets that are sensitive or malformed."""
+        return _validate_header_mapping_targets(v)
+
     @model_validator(mode="after")
     def handle_timeout_ms_defaults(self):
         """Handle timeout_ms defaults based on integration_type and expose_passthrough.
@@ -984,8 +1058,8 @@ class ToolUpdate(BaseModelWithConfigDict):
     # Passthrough REST fields
     base_url: Optional[str] = Field(None, description="Base URL for REST passthrough")
     path_template: Optional[str] = Field(None, description="Path template for REST passthrough")
-    query_mapping: Optional[Dict[str, Any]] = Field(None, description="Query mapping for REST passthrough")
-    header_mapping: Optional[Dict[str, Any]] = Field(None, description="Header mapping for REST passthrough")
+    query_mapping: Optional[Dict[str, str]] = Field(None, description="Query mapping for REST passthrough")
+    header_mapping: Optional[Dict[str, str]] = Field(None, description="Header mapping for REST passthrough")
     timeout_ms: Optional[int] = Field(default=None, description="Timeout in milliseconds for REST passthrough (20000 if integration_type='REST', else None)")
     expose_passthrough: Optional[bool] = Field(True, description="Expose passthrough endpoint for this tool")
     allowlist: Optional[List[str]] = Field(None, description="Allowed upstream hosts/schemes for passthrough")
@@ -1384,6 +1458,18 @@ def validate_plugin_chain(cls, v):
                     raise ValueError(f"Unknown plugin: {plugin}")
         return v
 
+    @field_validator("query_mapping", "header_mapping")
+    @classmethod
+    def validate_mapping_size(cls, v: dict | None) -> dict | None:
+        """Validate that mapping dicts do not exceed size limits."""
+        return _validate_mapping_size(v)
+
+    @field_validator("header_mapping")
+    @classmethod
+    def validate_header_mapping_targets(cls, v: dict | None) -> dict | None:
+        """Reject header_mapping targets that are sensitive or malformed."""
+        return _validate_header_mapping_targets(v)
+
 
 class ToolRead(BaseModelWithConfigDict):
     """Schema for reading tool information.
@@ -1451,8 +1537,8 @@ class ToolRead(BaseModelWithConfigDict):
     # Passthrough REST fields
     base_url: Optional[str] = Field(None, description="Base URL for REST passthrough")
     path_template: Optional[str] = Field(None, description="Path template for REST passthrough")
-    query_mapping: Optional[Dict[str, Any]] = Field(None, description="Query mapping for REST passthrough")
-    header_mapping: Optional[Dict[str, Any]] = Field(None, description="Header mapping for REST passthrough")
+    query_mapping: Optional[Dict[str, str]] = Field(None, description="Query mapping for REST passthrough")
+    header_mapping: Optional[Dict[str, str]] = Field(None, description="Header mapping for REST passthrough")
     timeout_ms: Optional[int] = Field(20000, description="Timeout in milliseconds for REST passthrough")
     expose_passthrough: Optional[bool] = Field(True, description="Expose passthrough endpoint for this tool")
     allowlist: Optional[List[str]] = Field(None, description="Allowed upstream hosts/schemes for passthrough")