From 8c2732a9f9dd3e67d782093cb545ac25b32dc0cb Mon Sep 17 00:00:00 2001
From: AntAISecurityLab <pub_forgreatagent@antgroup.com>
Date: Wed, 15 Apr 2026 11:18:37 +0800
Subject: [PATCH] fix(security): strip MCP auth on cross-origin redirect

Add event hook to httpx.AsyncClient in MCP HTTP transport that strips
Authorization headers when a redirect targets a different origin,
preventing credential leakage to third-party servers.
---
 tools/mcp_tool.py | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/tools/mcp_tool.py b/tools/mcp_tool.py
index 01377a8f2..0d5615b0f 100644
--- a/tools/mcp_tool.py
+++ b/tools/mcp_tool.py
@@ -1118,10 +1118,23 @@ class MCPServerTask:
             # matching the SDK's own create_mcp_http_client defaults.
             import httpx
 
+            _original_url = httpx.URL(url)
+
+            async def _strip_auth_on_cross_origin_redirect(response):
+                """Strip Authorization headers when redirected to a different origin."""
+                if response.is_redirect and response.next_request:
+                    target = response.next_request.url
+                    if (target.scheme, target.host, target.port) != (
+                        _original_url.scheme, _original_url.host, _original_url.port,
+                    ):
+                        response.next_request.headers.pop("authorization", None)
+                        response.next_request.headers.pop("Authorization", None)
+
             client_kwargs: dict = {
                 "follow_redirects": True,
                 "timeout": httpx.Timeout(float(connect_timeout), read=300.0),
                 "verify": ssl_verify,
+                "event_hooks": {"response": [_strip_auth_on_cross_origin_redirect]},
             }
             if headers:
                 client_kwargs["headers"] = headers