fix: sanitize Perplexity API error messages #103
Open
sebastiondev wants to merge 2 commits into perplexityai:main from
Summary
This PR prevents verbose upstream Perplexity API failure details from being returned to MCP clients.
Vulnerability: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
Severity: Medium
Affected code: src/server.ts, primarily makeApiRequest, performChatCompletion, and performSearch.
Data flow: a remote MCP client invokes a tool, the server calls the Perplexity API, an upstream HTTP/network/JSON parsing error occurs, and the thrown Error message is propagated by the MCP SDK back to the client in result.content[].text. Before this change, that message could include raw upstream response bodies or raw exception text.
Fix
The client-facing errors now return stable, generic messages such as:
Perplexity API error: <status> <statusText>
Network error while calling Perplexity API
Failed to parse JSON response from Perplexity API
Failed to parse JSON response from Perplexity Search API
The detailed upstream body or exception text is still written to the existing server-side logger for operators, but it is no longer included in thrown errors that can be serialized back to MCP clients. This keeps diagnostics available without exposing provider internals, account details, traces, or other sensitive error content to remote callers.
Security analysis
This is exploitable because the HTTP transport can be exposed remotely, binds to 0.0.0.0 in the public start mode, and can allow broad origins. A remote MCP client can trigger upstream failures, for example with invalid credentials, malformed upstream responses, API errors, or network/parse failures. Since thrown tool errors are returned to clients by the SDK, raw upstream response bodies and exception messages become client-visible.
The fix mitigates that by separating operational detail from client-facing error text. Clients still receive enough information to understand that the API request failed, while sensitive details stay in server-side logs.
Before submitting, we attempted to disprove this by checking whether existing transport controls, access controls, or framework behavior prevented exposure. They do not: the MCP SDK returns thrown tool errors to the caller, and the server can be run as an unauthenticated public HTTP service, so the raw error text was reachable without equivalent privileged access.
Tests
Tested with:
npm test
Result: all tests passed (3 test files, 80 tests).
Additional regression coverage was added to verify that upstream response bodies, JSON parse exception details, and network exception details are not present in client-facing thrown errors.
cc @lewiswigmore
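The before/after error handling described in this PR, as an added TypeScript example that is not the code in src/server.ts or taken from the PR's diff. The type and function names, the log line formats, the leaky message formats and the sample failures are constructed assumptions; only the four client-facing message strings come from the description above.

```typescript
// Added example with hypothetical names; not the project's own code.
type UpstreamFailure =
  | { kind: "http"; status: number; statusText: string; body: string }
  | { kind: "network"; cause: unknown }
  | { kind: "parse"; api: "chat" | "search"; cause: unknown };
type LogSink = (line: string) => void;

function detailOf(cause: unknown): string {
  return cause instanceof Error ? cause.message : String(cause);
}

// "Before" shape (assumed format): upstream detail is embedded in the message,
// so whatever serializes the thrown Error back to the client exposes it.
function leakyError(f: UpstreamFailure): Error {
  if (f.kind === "http") return new Error(`Perplexity API error: ${f.status} ${f.statusText}\n${f.body}`);
  if (f.kind === "network") return new Error(`Network error while calling Perplexity API: ${detailOf(f.cause)}`);
  return new Error(`Failed to parse JSON response from Perplexity API: ${detailOf(f.cause)}`);
}

// "After" shape: detail goes to the operator log, the thrown message is fixed text.
function sanitizedError(f: UpstreamFailure, log: LogSink): Error {
  if (f.kind === "http") {
    log(`upstream HTTP ${f.status} body: ${f.body}`);
    return new Error(`Perplexity API error: ${f.status} ${f.statusText}`);
  }
  if (f.kind === "network") {
    log(`upstream network failure: ${detailOf(f.cause)}`);
    return new Error("Network error while calling Perplexity API");
  }
  log(`upstream JSON parse failure (${f.api}): ${detailOf(f.cause)}`);
  const name = f.api === "search" ? "Perplexity Search API" : "Perplexity API";
  return new Error(`Failed to parse JSON response from ${name}`);
}

// Regression-style check over constructed failures: returns the markers that
// still appear in a client-facing message (empty array means nothing leaked).
function leakedMarkers(build: (f: UpstreamFailure) => Error): string[] {
  const samples: [UpstreamFailure, string][] = [
    [{ kind: "http", status: 401, statusText: "Unauthorized", body: "CONSTRUCTED-BODY account=acme" }, "CONSTRUCTED-BODY"],
    [{ kind: "network", cause: new Error("CONSTRUCTED-NET connect refused 10.0.0.5:443") }, "CONSTRUCTED-NET"],
    [{ kind: "parse", api: "search", cause: new Error("CONSTRUCTED-PARSE Unexpected token <") }, "CONSTRUCTED-PARSE"],
  ];
  return samples.filter(([f, m]) => build(f).message.indexOf(m) !== -1).map(([, m]) => m);
}
```

Passing leakyError to leakedMarkers reports all three constructed markers; passing a wrapper around sanitizedError reports none, while the log sink receives one detailed line per failure.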