fix(http)!: sanitize non-2xx error output by Deeven-Seru · Pull Request #2654 · googleapis/mcp-toolbox

Deeven-Seru · 2026-03-06T07:59:46Z

Summary

sanitize non-2xx response errors by default (no upstream body)
add returnFullError opt-in for raw body in error
log truncated body at debug level when sanitized
add regression tests + docs

Breaking change

non-2xx errors now return sanitized messages unless returnFullError is enabled

Testing

go test ./internal/sources/http

Fixes #2617

gemini-code-assist · 2026-03-06T08:00:03Z

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the security posture of the HTTP source by sanitizing non-2xx response errors by default, preventing the accidental exposure of potentially sensitive information from upstream services. It introduces a new configuration option to allow explicit inclusion of response bodies in errors when detailed debugging is required, while also improving debuggability by logging truncated error bodies. These changes ensure more secure and controlled error reporting for HTTP requests.

Highlights

Security Enhancement: Non-2xx HTTP response errors are now sanitized by default, preventing sensitive upstream response bodies from being exposed in error messages.
Configurable Error Body Inclusion: A new includeResponseBodyInErrors option has been added, allowing users to explicitly opt-in to include raw upstream response bodies in error messages if needed.
Debug Logging for Truncated Bodies: When error bodies are sanitized, a truncated version of the body is now logged at the debug level for diagnostic purposes.
Testing and Documentation: Regression tests have been added to cover the new error handling behavior, and the documentation has been updated to reflect the new configuration option.

Changelog

docs/en/resources/sources/http.md
- Documented the new includeResponseBodyInErrors configuration option, including its default behavior and purpose.
internal/sources/http/http.go
- Implemented default sanitization of non-2xx HTTP response bodies in error messages.
- Added IncludeResponseBodyInErrors field to the Config struct to control error body inclusion.
- Introduced maxErrorBodyLogBytes constant and truncateForLog utility function for debug logging of truncated error bodies.
internal/sources/http/http_request_test.go
- Added TestRunRequestSanitizesErrorBodyByDefault to verify that error bodies are sanitized by default.
- Added TestRunRequestIncludesErrorBodyWhenEnabled to confirm that error bodies are included when the new option is enabled.
internal/sources/http/http_test.go
- Updated the TestParseFromYamlHttp test case to include the includeResponseBodyInErrors field in the expected configuration.

Activity

The author has indicated that testing was performed using go test ./internal/sources/http.
This pull request addresses and fixes issue security(http): non-2xx upstream response bodies are reflected in tool error output #2617.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	`/gemini review`	Performs a code review for the current pull request in its current state.
Pull Request Summary	`/gemini summary`	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	`/gemini help`	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

gemini-code-assist

Code Review

This pull request introduces a valuable security enhancement by sanitizing non-2xx error responses from the HTTP source by default, preventing the potential leakage of sensitive information in error messages. It includes an opt-in configuration to preserve the previous behavior, comprehensive regression tests, and corresponding documentation updates. However, a critical security concern has been identified: a new debug-level log statement writes the (truncated) response body to the logs regardless of the sanitization setting. This could lead to sensitive information leakage in logs, even when the IncludeResponseBodyInErrors configuration is disabled. Additionally, for better observability and machine-readability, it's preferable to use structured logging with key-value pairs instead of formatting everything into a single string, as the current implementation incorrectly uses fmt.Sprintf.

Deeven-Seru · 2026-03-06T08:07:15Z

/gemini review

gemini-code-assist

Code Review

This pull request introduces a valuable security enhancement by sanitizing non-2xx error responses from the HTTP source by default. The implementation is mostly solid, including configuration options, tests, and documentation. I have one main piece of feedback regarding a logic issue in the new debug logging, which I've detailed in a comment. I've also noted a minor formatting opportunity in the documentation.

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

Deeven-Seru · 2026-03-12T08:35:53Z

@gemini-code-assist just making sure includeResponseBodyInErrors is replaced with returnFullError

gemini-code-assist · 2026-03-12T08:36:06Z

Thanks for asking for clarification! Looking at the changes, includeResponseBodyInErrors is not replacing returnFullError. Instead, includeResponseBodyInErrors is a new configuration option that has been added.

The logic in internal/sources/http/http.go (lines 166-167 in the new version) now uses both fields:

returnFullError := s.Config.ReturnFullError || s.Config.IncludeResponseBodyInErrors
if returnFullError {
	// ... logic to include response body
}

This means that if either ReturnFullError (the existing field) or IncludeResponseBodyInErrors (the new field) is set to true, the full error body will be returned. The documentation in docs/en/resources/sources/http.md also reflects the addition of returnFullError as a new option, which corresponds to the IncludeResponseBodyInErrors field in the Go code. It seems there might be a slight naming inconsistency between the documentation (returnFullError) and the Go struct field (IncludeResponseBodyInErrors), but the intent is to add a new option for this functionality.

Yuan325

Hi @Deeven-Seru Thank you for your contributions! I left some comments. Will review once resolved :)

Yuan325 · 2026-03-20T23:24:04Z

@Deeven-Seru When you say legacy flag do you meant legacy flag from the http library? Since this is a newly introduced flag in Toolbox there are no legacy fields, and I'd think that we can just support one of the other. Correct me if I'm wrong, but it seems like based on previous discussion, we've decided to use the returnFullError field? It'll be great if you can remove the IncludeResponseBodyInErrors flag.

Deeven-Seru · 2026-03-21T04:08:12Z

@Yuan325 Thanks for the clarification — you’re right. Since this flag is new to Toolbox (not inherited from the HTTP lib), I missed that point there’s no legacy field to preserve. I removed includeResponseBodyInErrors and kept only returnFullError, and updated the docs accordingly :)

Yuan325

final minor changes~ thank you! Would appreciate if you can also update the PR description.

Marking this as breaking change since this will now return a different error format.

github-actions · 2026-03-24T21:39:54Z

🔎 Preview at https://googleapis.github.io/genai-toolbox/previews/PR-2654/

Yuan325 · 2026-03-24T21:50:41Z

Hi @Deeven-Seru can you please also update the http integration test? Since the output is altered, the integration is currently failing~

Deeven-Seru · 2026-03-25T04:25:59Z

hi @Yuan325 I fixed the failing HTTP integration test by updating the expected error string for the “wrong params” case in tests/http/http_integration_test.go to match the new sanitized error format (unexpected status code: 400 (Bad Request) instead of including the upstream body.

Yuan325 · 2026-03-25T22:40:49Z

/gcbrun

github-actions · 2026-03-25T22:45:33Z

🔎 Preview at https://googleapis.github.io/genai-toolbox/previews/PR-2654/

Yuan325 · 2026-03-25T22:47:47Z

@Deeven-Seru Thank you again ! :) This will be included in our next release.

Yuan325 · 2026-03-25T23:08:38Z

/gcbrun

github-actions · 2026-03-25T23:13:20Z

🔎 Preview at https://googleapis.github.io/genai-toolbox/previews/PR-2654/

## Summary - sanitize non-2xx response errors by default (no upstream body) - add returnFullError opt-in for raw body in error - log truncated body at debug level when sanitized - add regression tests + docs ## Breaking change - non-2xx errors now return sanitized messages unless returnFullError is enabled ## Testing - go test ./internal/sources/http Fixes #2617 --------- Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> Co-authored-by: Yuan Teoh <45984206+Yuan325@users.noreply.github.com> 5bef954

## Summary - sanitize non-2xx response errors by default (no upstream body) - add returnFullError opt-in for raw body in error - log truncated body at debug level when sanitized - add regression tests + docs ## Breaking change - non-2xx errors now return sanitized messages unless returnFullError is enabled ## Testing - go test ./internal/sources/http Fixes googleapis#2617 --------- Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> Co-authored-by: Yuan Teoh <45984206+Yuan325@users.noreply.github.com> 5bef954

## Summary - sanitize non-2xx response errors by default (no upstream body) - add returnFullError opt-in for raw body in error - log truncated body at debug level when sanitized - add regression tests + docs ## Breaking change - non-2xx errors now return sanitized messages unless returnFullError is enabled ## Testing - go test ./internal/sources/http Fixes #2617 --------- Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> Co-authored-by: Yuan Teoh <45984206+Yuan325@users.noreply.github.com>

Deeven-Seru · 2026-03-26T04:50:38Z

@Deeven-Seru Thank you again ! :) This will be included in our next release.

thanks for reviewing the pr @Yuan325 I've learned a lot ...! 😄

🤖 I have created a release *beep* *boop* --- ## [0.31.0](v0.30.0...v0.31.0) (2026-03-26) ### ⚠ BREAKING CHANGES * release upgraded docsite ([#2831](#2831)) * **http:** sanitize non-2xx error output ([#2654](#2654)) * add a new `enable-api` flag ([#2846](#2846)) * remove deprecations and update tools-file flag ([#2806](#2806)) ### Features * Add a new `enable-api` flag ([#2846](#2846)) ([7a070da](7a070da)) * **auth:** Add generic `authService` type for MCP ([#2619](#2619)) ([f6678f8](f6678f8)) * **auth:** Add Protected Resource Metadata endpoint ([#2698](#2698)) ([b53dcf2](b53dcf2)) * **auth:** Support manual PRM override ([#2717](#2717)) ([283e4e3](283e4e3)) * **dataplex:** Add support for lookup context tool. ([#2744](#2744)) ([facb69d](facb69d)) * Remove deprecations and update tools-file flag ([#2806](#2806)) ([ab64c95](ab64c95)) ### Bug Fixes * **ci:** Remove search index generation from preview deployment workflow ([#2859](#2859)) ([f8891b8](f8891b8)) * **docs:** Skip empty folders in pagination & reduce PR comment noise ([#2853](#2853)) ([9ebd93a](9ebd93a)) * **http:** Sanitize non-2xx error output ([#2654](#2654)) ([5bef954](5bef954)) * **skills:** Fix integer parameter parsing through agent skills ([#2847](#2847)) ([4564efe](4564efe)) ### Documentation * Release upgraded docsite ([#2831](#2831)) ([5b25ce0](5b25ce0)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). --------- Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com> Co-authored-by: Yuan Teoh <45984206+Yuan325@users.noreply.github.com>

🤖 I have created a release *beep* *boop* --- ## [0.31.0](v0.30.0...v0.31.0) (2026-03-26) ### ⚠ BREAKING CHANGES * release upgraded docsite ([#2831](#2831)) * **http:** sanitize non-2xx error output ([#2654](#2654)) * add a new `enable-api` flag ([#2846](#2846)) * remove deprecations and update tools-file flag ([#2806](#2806)) ### Features * Add a new `enable-api` flag ([#2846](#2846)) ([7a070da](7a070da)) * **auth:** Add generic `authService` type for MCP ([#2619](#2619)) ([f6678f8](f6678f8)) * **auth:** Add Protected Resource Metadata endpoint ([#2698](#2698)) ([b53dcf2](b53dcf2)) * **auth:** Support manual PRM override ([#2717](#2717)) ([283e4e3](283e4e3)) * **dataplex:** Add support for lookup context tool. ([#2744](#2744)) ([facb69d](facb69d)) * Remove deprecations and update tools-file flag ([#2806](#2806)) ([ab64c95](ab64c95)) ### Bug Fixes * **ci:** Remove search index generation from preview deployment workflow ([#2859](#2859)) ([f8891b8](f8891b8)) * **docs:** Skip empty folders in pagination & reduce PR comment noise ([#2853](#2853)) ([9ebd93a](9ebd93a)) * **http:** Sanitize non-2xx error output ([#2654](#2654)) ([5bef954](5bef954)) * **skills:** Fix integer parameter parsing through agent skills ([#2847](#2847)) ([4564efe](4564efe)) ### Documentation * Release upgraded docsite ([#2831](#2831)) ([5b25ce0](5b25ce0)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). --------- Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com> Co-authored-by: Yuan Teoh <45984206+Yuan325@users.noreply.github.com> c6b811c

🤖 I have created a release *beep* *boop* --- ## [0.31.0](googleapis/mcp-toolbox@v0.30.0...v0.31.0) (2026-03-26) ### ⚠ BREAKING CHANGES * release upgraded docsite ([googleapis#2831](googleapis#2831)) * **http:** sanitize non-2xx error output ([googleapis#2654](googleapis#2654)) * add a new `enable-api` flag ([googleapis#2846](googleapis#2846)) * remove deprecations and update tools-file flag ([googleapis#2806](googleapis#2806)) ### Features * Add a new `enable-api` flag ([googleapis#2846](googleapis#2846)) ([7a070da](googleapis@7a070da)) * **auth:** Add generic `authService` type for MCP ([googleapis#2619](googleapis#2619)) ([f6678f8](googleapis@f6678f8)) * **auth:** Add Protected Resource Metadata endpoint ([googleapis#2698](googleapis#2698)) ([b53dcf2](googleapis@b53dcf2)) * **auth:** Support manual PRM override ([googleapis#2717](googleapis#2717)) ([283e4e3](googleapis@283e4e3)) * **dataplex:** Add support for lookup context tool. ([googleapis#2744](googleapis#2744)) ([facb69d](googleapis@facb69d)) * Remove deprecations and update tools-file flag ([googleapis#2806](googleapis#2806)) ([ab64c95](googleapis@ab64c95)) ### Bug Fixes * **ci:** Remove search index generation from preview deployment workflow ([googleapis#2859](googleapis#2859)) ([f8891b8](googleapis@f8891b8)) * **docs:** Skip empty folders in pagination & reduce PR comment noise ([googleapis#2853](googleapis#2853)) ([9ebd93a](googleapis@9ebd93a)) * **http:** Sanitize non-2xx error output ([googleapis#2654](googleapis#2654)) ([5bef954](googleapis@5bef954)) * **skills:** Fix integer parameter parsing through agent skills ([googleapis#2847](googleapis#2847)) ([4564efe](googleapis@4564efe)) ### Documentation * Release upgraded docsite ([googleapis#2831](googleapis#2831)) ([5b25ce0](googleapis@5b25ce0)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). --------- Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com> Co-authored-by: Yuan Teoh <45984206+Yuan325@users.noreply.github.com> c6b811c

Deeven-Seru requested a review from a team as a code owner March 6, 2026 07:59

blunderbuss-gcf Bot assigned Yuan325 Mar 6, 2026

gemini-code-assist Bot reviewed Mar 6, 2026

View reviewed changes

Comment thread internal/sources/http/http.go Outdated

Deeven-Seru force-pushed the fix-2617-http-error-sanitization branch 2 times, most recently from 3ed1126 to 6893847 Compare March 6, 2026 08:03

security(http): sanitize non-2xx error output

4d6c2e1

Deeven-Seru force-pushed the fix-2617-http-error-sanitization branch from 23f53a2 to 4d6c2e1 Compare March 6, 2026 08:08

gemini-code-assist Bot reviewed Mar 6, 2026

View reviewed changes

Comment thread internal/sources/http/http.go Outdated

Comment thread docs/en/resources/sources/http.md Outdated

Update internal/sources/http/http.go

6acf6da

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

kurtisvg reviewed Mar 6, 2026

View reviewed changes

Comment thread docs/en/resources/sources/http.md Outdated

kurtisvg changed the title ~~security(http): sanitize non-2xx error output~~ fix(http): sanitize non-2xx error output Mar 6, 2026

kurtisvg added the release candidate Use label to signal PR should be included in the next release. label Mar 6, 2026

chore(http): rename error body flag

f068f4c

Deeven-Seru added 2 commits March 12, 2026 14:10

Merge branch 'main' into fix-2617-http-error-sanitization

01ec0bb

Merge branch 'main' into fix-2617-http-error-sanitization

ae4af35

Yuan325 requested changes Mar 13, 2026

View reviewed changes

Comment thread internal/sources/http/http.go Outdated

Comment thread internal/sources/http/http.go Outdated

Deeven-Seru and others added 2 commits March 14, 2026 06:08

fix(http): use ctx logger + document error body flags

55fb288

Merge branch 'main' into fix-2617-http-error-sanitization

a60e624

Remove includeResponseBodyInErrors flag

ae9581d

Yuan325 requested changes Mar 23, 2026

View reviewed changes

Comment thread internal/sources/http/http.go Outdated

Comment thread internal/sources/http/http_request_test.go Outdated

Yuan325 changed the title ~~fix(http): sanitize non-2xx error output~~ fix(http)!: sanitize non-2xx error output Mar 23, 2026

Deeven-Seru and others added 3 commits March 24, 2026 03:52

test(http): move RunRequest tests

8aacf73

Fix formatting of Config struct fields in http.go

b3ed24a

test(http): qualify net/http in tests

a775322

test(http): update integration error expectation

257cf4c

Merge branch 'main' into fix-2617-http-error-sanitization

33e8fa5

Yuan325 enabled auto-merge (squash) March 25, 2026 22:47

Yuan325 disabled auto-merge March 25, 2026 22:48

Yuan325 enabled auto-merge (squash) March 25, 2026 22:48

Merge branch 'main' into fix-2617-http-error-sanitization

d5a6601

Yuan325 merged commit 5bef954 into googleapis:main Mar 25, 2026
15 of 16 checks passed

release-please Bot mentioned this pull request Mar 25, 2026

chore(main): release 0.31.0 #2814

Merged

BrewTestBot mentioned this pull request Mar 27, 2026

mcp-toolbox 0.31.0 Homebrew/homebrew-core#274467

Merged

Conversation

Deeven-Seru commented Mar 6, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Summary

Breaking change

Testing

Uh oh!

gemini-code-assist Bot commented Mar 6, 2026

Summary of Changes

Highlights

Footnotes

Uh oh!

gemini-code-assist Bot left a comment

Choose a reason for hiding this comment

Code Review

Uh oh!

Uh oh!

Deeven-Seru commented Mar 6, 2026

Uh oh!

gemini-code-assist Bot left a comment

Choose a reason for hiding this comment

Code Review

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Deeven-Seru commented Mar 12, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

gemini-code-assist Bot commented Mar 12, 2026

Uh oh!

Yuan325 left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Yuan325 commented Mar 20, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Deeven-Seru commented Mar 21, 2026

Uh oh!

Yuan325 left a comment • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

github-actions Bot commented Mar 24, 2026

Uh oh!

Yuan325 commented Mar 24, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Deeven-Seru commented Mar 25, 2026

Uh oh!

Yuan325 commented Mar 25, 2026

Uh oh!

github-actions Bot commented Mar 25, 2026

Uh oh!

Yuan325 commented Mar 25, 2026

Uh oh!

Yuan325 commented Mar 25, 2026

Uh oh!

github-actions Bot commented Mar 25, 2026

Uh oh!

Uh oh!

Deeven-Seru commented Mar 26, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

Deeven-Seru commented Mar 6, 2026 •

edited

Loading

Deeven-Seru commented Mar 12, 2026 •

edited

Loading

Yuan325 commented Mar 20, 2026 •

edited

Loading

Yuan325 left a comment •

edited

Loading

Yuan325 commented Mar 24, 2026 •

edited

Loading