feat: enforce secret overrides only from headers

Author: gagik

src/common/config/configOverrides.ts

@@ -34,13 +34,27 @@ export function applyConfigOverrides({
     const overridesFromHeaders = extractConfigOverrides("header", request.headers);
     const overridesFromQuery = extractConfigOverrides("query", request.query);
 
-    // Merge overrides, with query params taking precedence
-    const allOverrides = { ...overridesFromHeaders, ...overridesFromQuery };
+    // Apply header overrides first
+    for (const [key, overrideValue] of Object.entries(overridesFromHeaders)) {
+        assertValidConfigKey(key);
+        const meta = getConfigMeta(key);
+        const behavior = meta?.overrideBehavior || "not-allowed";
+        const baseValue = baseConfig[key as keyof UserConfig];
+        const newValue = applyOverride(key, baseValue, overrideValue, behavior);
+        (result as Record<keyof UserConfig, unknown>)[key] = newValue;
+    }
 
-    // Apply each override according to its behavior
-    for (const [key, overrideValue] of Object.entries(allOverrides)) {
+    // Apply query overrides (with precedence), but block secret fields
+    for (const [key, overrideValue] of Object.entries(overridesFromQuery)) {
         assertValidConfigKey(key);
-        const behavior = getConfigMeta(key)?.overrideBehavior || "not-allowed";
+        const meta = getConfigMeta(key);
+
+        // Prevent overriding secret fields via query params
+        if (meta?.isSecret) {
+            throw new Error(`Config key ${key} can only be overriden with headers.`);
+        }
+
+        const behavior = meta?.overrideBehavior || "not-allowed";
         const baseValue = baseConfig[key as keyof UserConfig];
         const newValue = applyOverride(key, baseValue, overrideValue, behavior);
         (result as Record<keyof UserConfig, unknown>)[key] = newValue;

tests/integration/transports/configOverrides.test.ts

@@ -69,7 +69,7 @@ describe("Config Overrides via HTTP", () => {
             }
         });
 
-        it("should override readOnly config via header (false to true)", async () => {
+        it("should override readOnly config with header (false to true)", async () => {
             await startRunner({
                 ...defaultTestConfig,
                 httpPort: 0,
@@ -95,7 +95,7 @@ describe("Config Overrides via HTTP", () => {
             expect(readTools.length).toBe(1);
         });
 
-        it("should override connectionString via header", async () => {
+        it("should override connectionString with header", async () => {
             await startRunner({
                 ...defaultTestConfig,
                 httpPort: 0,
@@ -114,7 +114,7 @@ describe("Config Overrides via HTTP", () => {
     });
 
     describe("merge behavior", () => {
-        it("should merge disabledTools via header", async () => {
+        it("should merge disabledTools with header", async () => {
             await startRunner({
                 ...defaultTestConfig,
                 httpPort: 0,
@@ -178,7 +178,7 @@ describe("Config Overrides via HTTP", () => {
                 headerName: "x-mongodb-mcp-max-documents-per-query",
                 headerValue: "1000",
             },
-        ])("should reject $configKey override", async ({ configKey, headerName, headerValue }) => {
+        ])("should reject $configKey with header", async ({ configKey, headerName, headerValue }) => {
             await startRunner({
                 ...defaultTestConfig,
                 httpPort: 0,

tests/unit/common/config/configOverrides.test.ts

@@ -227,6 +227,29 @@ describe("configOverrides", () => {
             });
         });
 
+        describe("secret fields", () => {
+            it("should allow overriding secret fields with headers if they have override behavior", () => {
+                const request: RequestContext = {
+                    headers: {
+                        "x-mongodb-mcp-connection-string": "mongodb://newhost:27017/",
+                    },
+                };
+                const result = applyConfigOverrides({ baseConfig: baseConfig as UserConfig, request });
+                expect(result.connectionString).toBe("mongodb://newhost:27017/");
+            });
+
+            it("should not allow overriding secret fields via query params", () => {
+                const request: RequestContext = {
+                    query: {
+                        mongodbMcpConnectionString: "mongodb://malicious.com/",
+                    },
+                };
+                expect(() => applyConfigOverrides({ baseConfig: baseConfig as UserConfig, request })).toThrow(
+                    "Config key connectionString can only be overriden with headers"
+                );
+            });
+        });
+
         describe("custom overrides", () => {
             it("should have certain config keys to be conditionally overridden", () => {
                 expect(