Fix Flowise 709 Make Custom MCP stdio command allowlist operator-controlled#6578
Fix Flowise 709 Make Custom MCP stdio command allowlist operator-controlled#6578yau-wd wants to merge 1 commit into
Conversation
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request introduces the CUSTOM_MCP_ALLOWED_COMMANDS environment variable, allowing operators to configure an allow-list of permitted commands for Custom MCP stdio configurations, defaulting to none. It updates the validation logic in core.ts and adds comprehensive unit tests to verify the allow-list behavior. The review feedback suggests adding an explicit type check to ensure serverParams.command is a string before validation to prevent type confusion and bypasses.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
2 participants
FLOWISE-709