Phase 2 of Unified Agent Auth feature:

- Add relay_proxy tool: Proxy HTTP requests through authenticated integrations
- Add relay_connections tool: List available providers and connection status
- Add relay_can_access tool: Check agent access permissions for providers

These tools enable agents to make authenticated API calls to external services (GitHub, Slack, Linear, etc.) via the relay-cloud proxy endpoint.

Ref: unified-agent-auth-spec.md

Co-authored-by: Cursor <cursoragent@cursor.com>
| const parsedParams = params ? JSON.parse(params) : undefined; | ||
| const parsedHeaders = headers ? JSON.parse(headers) : undefined; | ||
|
|
||
| const result = await client.client.post(`/api/proxy/${provider}`, { |
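Review bot: `JSON.parse(params)` and `JSON.parse(headers)` at the top of this hunk throw a SyntaxError on malformed input, and nothing in the visible lines catches it or checks that the parsed value is a plain object. Wrap both parses in a try/catch that returns a tool error naming the offending field, and reject non-object results (arrays, strings, null) before they are passed to `client.client.post(...)`.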
🔴 Path traversal via unencoded provider parameter in URL construction
The provider parameter is interpolated directly into URL paths without encodeURIComponent(), enabling path traversal attacks.
Root Cause and Impact
All three integration tools construct URLs by directly interpolating the user-supplied provider string:
- Line 48: `/api/proxy/${provider}`
- Line 100: `/api/proxy/${provider}/access${queryParams}`
The new URL(path, baseUrl) constructor in packages/sdk/src/client.ts:51 resolves .. segments, so a provider value like ../../v1/agents causes the request to be sent to https://api.agentrelay.dev/v1/agents instead of the intended proxy endpoint.
This breaks the established pattern in the codebase where all user-supplied path segments use encodeURIComponent() (see packages/sdk/src/agent.ts which consistently applies it to every dynamic path segment).
Impact: An agent (or LLM providing tool inputs) could craft a provider value to make authenticated requests to arbitrary API endpoints on the relay server, bypassing the intended proxy routing. For example, provider = "../../v1/workspace" would hit the workspace info endpoint with the agent's credentials.
Prompt for agents
In packages/mcp/src/tools/integrations.ts, wrap the `provider` parameter with `encodeURIComponent()` in all three URL constructions:
1. Line 48: Change `/api/proxy/${provider}` to `/api/proxy/${encodeURIComponent(provider)}`
2. Line 100: Change `/api/proxy/${provider}/access${queryParams}` to `/api/proxy/${encodeURIComponent(provider)}/access${queryParams}`
This matches the established pattern used throughout packages/sdk/src/agent.ts where all dynamic path segments are encoded.
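The URL resolution described in the review above, as an added example (not code from the PR or the relay SDK): it compares raw interpolation, the proposed `encodeURIComponent()` fix, and a stricter builder. It goes one step past the comment, because `encodeURIComponent()` leaves `.` untouched and a bare `..` still resolves upward. The helper names and the slug pattern are assumptions; the base URL is the host named in the review.

```javascript
// Added example. BASE_URL is the host named in the review; helper names are hypothetical.
const BASE_URL = 'https://api.agentrelay.dev';

// Stand-in for the SDK client's `new URL(path, baseUrl)` resolution step.
function resolvedPath(path) {
  return new URL(path, BASE_URL).pathname;
}

// The pattern flagged in the review: raw interpolation of the tool input.
function unsafeProxyPath(provider) {
  return `/api/proxy/${provider}`;
}

// The fix proposed in the review: percent-encode the dynamic segment.
function encodedProxyPath(provider) {
  return `/api/proxy/${encodeURIComponent(provider)}`;
}

// Assumption: provider ids are short slugs such as "github" or "slack".
const PROVIDER_SLUG = /^[a-z0-9][a-z0-9_-]{0,63}$/i;

// Stricter builder: allowlist the slug, encode it, then confirm that URL
// resolution leaves the path unchanged. `suffix` is a fixed path suffix
// such as "/access"; query strings are appended separately by the caller.
function strictProxyPath(provider, suffix = '') {
  if (typeof provider !== 'string' || !PROVIDER_SLUG.test(provider)) {
    throw new TypeError(`invalid provider: ${JSON.stringify(provider)}`);
  }
  const path = `/api/proxy/${encodeURIComponent(provider)}${suffix}`;
  if (resolvedPath(path) !== path) {
    throw new Error(`path changed during URL resolution: ${path}`);
  }
  return path;
}

// Constructed inputs, not taken from real traffic.
for (const p of ['github', '../../v1/agents', '..']) {
  let strict;
  try { strict = strictProxyPath(p); } catch (e) { strict = `rejected: ${e.message}`; }
  console.log(JSON.stringify(p), {
    raw: resolvedPath(unsafeProxyPath(p)),
    encoded: resolvedPath(encodedProxyPath(p)),
    strict,
  });
}
```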
Summary
MCP tools for Unified Agent Auth system.
Tools Added:
- `relay_proxy` - Proxy authenticated API calls through integrations
- `relay_connections` - List available provider connections
- `relay_can_access` - Check agent access to provider/scope

API Alignment
Tools call relay-cloud endpoints:
- `/api/proxy/{provider}` - proxy requests
- `/api/proxy/providers` - list providers
- `/api/proxy/{provider}/access` - check access

Test Plan
- `relay_proxy` successfully proxies requests to connected providers
- `relay_connections` returns list of available providers
- `relay_can_access` correctly reports access permissions

Made with Cursor