feat: add allowed-origins flag #1984
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Contributor
Summary of ChangesHello @Yuan325, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request significantly improves the security posture of the Toolbox application by implementing a new Highlights
Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here. You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension. Footnotes
|
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
Code Review
This pull request introduces an important security enhancement by adding an --allowed-origins flag to control Cross-Origin Resource Sharing (CORS) policies. This allows for more secure deployments of Toolbox by restricting which origins can access the server. The implementation correctly adds the new flag, integrates the go-chi/cors middleware, and includes a helpful warning when the permissive default (*) is used. The documentation has also been updated across Docker, GKE, and Cloud Run deployment guides to reflect this change. I've identified a minor but critical issue in the documentation examples where smart quotes were used, which would cause copy-pasted commands to fail. My review includes suggestions to correct this.
Contributor
Yuan325
force-pushed
the
origin-header
branch
from
e57f3f9 to
fce2d46
Compare
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
Contributor
Contributor
averikitsch
approved these changes
Nov 25, 2025
Co-authored-by: Averi Kitsch <[email protected]>
Contributor
Contributor
Contributor
|
🧨 Preview deployments removed. |
github-actions bot
pushed a commit
that referenced
this pull request
Nov 27, 2025
Support `allowed-origins` flag to allow secure deployment of Toolbox.
Current Toolbox is **insecure by default**, which allows all origin
(`*`). This PR also updated docs to notify user of the new
`allowed-origins` flag in the Cloud Run, kubernetes, and docker
deployment docs.
This PR was tested manually by mocking a browser access:
1. Created a HTML file with Javascript fetch named
`malicious-client.html`:
```
<!DOCTYPE html>
<html>
<head>
<title>Malicious CORS Test</title>
</head>
<body>
<h1>Attempting to access API at http://127.0.0.1:5000/mcp</h1>
<p>Check the **Chrome Developer Console** (F12 -> Console tab) for the result.</p>
<script>
fetch('http://127.0.0.1:5000/mcp', {
method: 'POST',
headers: {
'Content-Type': 'application/json',
// The browser automatically adds the 'Origin' header based on where this HTML is served from (http://localhost:8000)
},
body: JSON.stringify({
"jsonrpc": "2.0",
"id": 1,
"method": "tools/list"
})
})
.then(response => {
console.log('Success (but check console for CORS enforcement details):', response);
return response.json();
})
.then(data => console.log('Data received (only if CORS passes):', data))
.catch(error => console.error('Fetch Error:', error));
</script>
</body>
</html>
```
2. Run `python3 -m http.server 8000`
3. Open `http://localhost:8000/malicious-client.html` in browser.
4. Tried without `--allowed-origins` flag -- success.
Tried with `--allowed-origins=http://localhost:8000` -- success.
Tried with `--allowed-origins=http://foo.com` -- unsuccessful.
---------
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
Co-authored-by: Averi Kitsch <[email protected]> 862868f
github-actions bot
pushed a commit
to renovate-bot/googleapis-_-genai-toolbox
that referenced
this pull request
Nov 27, 2025
Support `allowed-origins` flag to allow secure deployment of Toolbox.
Current Toolbox is **insecure by default**, which allows all origin
(`*`). This PR also updated docs to notify user of the new
`allowed-origins` flag in the Cloud Run, kubernetes, and docker
deployment docs.
This PR was tested manually by mocking a browser access:
1. Created a HTML file with Javascript fetch named
`malicious-client.html`:
```
<!DOCTYPE html>
<html>
<head>
<title>Malicious CORS Test</title>
</head>
<body>
<h1>Attempting to access API at http://127.0.0.1:5000/mcp</h1>
<p>Check the **Chrome Developer Console** (F12 -> Console tab) for the result.</p>
<script>
fetch('http://127.0.0.1:5000/mcp', {
method: 'POST',
headers: {
'Content-Type': 'application/json',
// The browser automatically adds the 'Origin' header based on where this HTML is served from (http://localhost:8000)
},
body: JSON.stringify({
"jsonrpc": "2.0",
"id": 1,
"method": "tools/list"
})
})
.then(response => {
console.log('Success (but check console for CORS enforcement details):', response);
return response.json();
})
.then(data => console.log('Data received (only if CORS passes):', data))
.catch(error => console.error('Fetch Error:', error));
</script>
</body>
</html>
```
2. Run `python3 -m http.server 8000`
3. Open `http://localhost:8000/malicious-client.html` in browser.
4. Tried without `--allowed-origins` flag -- success.
Tried with `--allowed-origins=http://localhost:8000` -- success.
Tried with `--allowed-origins=http://foo.com` -- unsuccessful.
---------
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
Co-authored-by: Averi Kitsch <[email protected]> 862868f
github-actions bot
pushed a commit
to Jaleel-zhu/genai-toolbox
that referenced
this pull request
Nov 27, 2025
Support `allowed-origins` flag to allow secure deployment of Toolbox.
Current Toolbox is **insecure by default**, which allows all origin
(`*`). This PR also updated docs to notify user of the new
`allowed-origins` flag in the Cloud Run, kubernetes, and docker
deployment docs.
This PR was tested manually by mocking a browser access:
1. Created a HTML file with Javascript fetch named
`malicious-client.html`:
```
<!DOCTYPE html>
<html>
<head>
<title>Malicious CORS Test</title>
</head>
<body>
<h1>Attempting to access API at http://127.0.0.1:5000/mcp</h1>
<p>Check the **Chrome Developer Console** (F12 -> Console tab) for the result.</p>
<script>
fetch('http://127.0.0.1:5000/mcp', {
method: 'POST',
headers: {
'Content-Type': 'application/json',
// The browser automatically adds the 'Origin' header based on where this HTML is served from (http://localhost:8000)
},
body: JSON.stringify({
"jsonrpc": "2.0",
"id": 1,
"method": "tools/list"
})
})
.then(response => {
console.log('Success (but check console for CORS enforcement details):', response);
return response.json();
})
.then(data => console.log('Data received (only if CORS passes):', data))
.catch(error => console.error('Fetch Error:', error));
</script>
</body>
</html>
```
2. Run `python3 -m http.server 8000`
3. Open `http://localhost:8000/malicious-client.html` in browser.
4. Tried without `--allowed-origins` flag -- success.
Tried with `--allowed-origins=http://localhost:8000` -- success.
Tried with `--allowed-origins=http://foo.com` -- unsuccessful.
---------
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
Co-authored-by: Averi Kitsch <[email protected]> 862868f
duwenxin99
added a commit
that referenced
this pull request
Dec 5, 2025
🤖 I have created a release *beep* *boop* --- ## [0.22.0](v0.21.0...v0.22.0) (2025-12-04) ### Features * Add allowed-origins flag ([#1984](#1984)) ([862868f](862868f)) * **tools/postgres:** Add list-query-stats and get-column-cardinality functions ([#1976](#1976)) ([9f76026](9f76026)) * **tools/spanner:** Add spanner list graphs to prebuiltconfigs ([#2056](#2056)) ([0e7fbf4](0e7fbf4)) * **prebuilt/cloud-sql:** Add clone instance tool for cloud sql ([#1845](#1845)) ([5e43630](5e43630)) * **serverless-spark:** Add create_pyspark_batch tool ([1bf0b51](1bf0b51)) * **serverless-spark:** Add create_spark_batch tool ([17a9792](17a9792)) * Support alternate accessToken header name ([#1968](#1968)) ([18017d6](18017d6)) * Support for annotations ([#2007](#2007)) ([ac21335](ac21335)) * **tool/mssql:** Set default host and port for MSSQL source ([#1943](#1943)) ([7a9cc63](7a9cc63)) * **tools/cloudsqlpg:** Add CloudSQL PostgreSQL pre-check tool ([#1722](#1722)) ([8752e05](8752e05)) * **tools/postgres-list-publication-tables:** Add new postgres-list-publication-tables tool ([#1919](#1919)) ([f4b1f0a](f4b1f0a)) * **tools/postgres-list-tablespaces:** Add new postgres-list-tablespaces tool ([#1934](#1934)) ([5ad7c61](5ad7c61)) * **tools/spanner-list-graph:** Tool impl + docs + tests ([#1923](#1923)) ([a0f44d3](a0f44d3)) ### Bug Fixes * Add import for firebirdsql ([#2045](#2045)) ([fb7aae9](fb7aae9)) * Correct FAQ to mention HTTP tools ([#2036](#2036)) ([7b44237](7b44237)) * Format BigQuery numeric output as decimal strings ([#2084](#2084)) ([155bff8](155bff8)) * Set default annotations for tools in code if annotation not provided in yaml ([#2049](#2049)) ([565460c](565460c)) * **tools/alloydb-postgres-list-tables:** Exclude google_ml schema from list_tables ([#2046](#2046)) ([a03984c](a03984c)) * **tools/alloydbcreateuser:** Remove duplication of project praram ([#2028](#2028)) ([730ac6d](730ac6d)) * **tools/mongodb:** Remove `required` tag from the `canonical` field ([#2099](#2099)) ([744214e](744214e)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). --------- Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com> Co-authored-by: Wenxin Du <[email protected]>
github-actions bot
pushed a commit
that referenced
this pull request
Dec 5, 2025
🤖 I have created a release *beep* *boop* --- ## [0.22.0](v0.21.0...v0.22.0) (2025-12-04) ### Features * Add allowed-origins flag ([#1984](#1984)) ([862868f](862868f)) * **tools/postgres:** Add list-query-stats and get-column-cardinality functions ([#1976](#1976)) ([9f76026](9f76026)) * **tools/spanner:** Add spanner list graphs to prebuiltconfigs ([#2056](#2056)) ([0e7fbf4](0e7fbf4)) * **prebuilt/cloud-sql:** Add clone instance tool for cloud sql ([#1845](#1845)) ([5e43630](5e43630)) * **serverless-spark:** Add create_pyspark_batch tool ([1bf0b51](1bf0b51)) * **serverless-spark:** Add create_spark_batch tool ([17a9792](17a9792)) * Support alternate accessToken header name ([#1968](#1968)) ([18017d6](18017d6)) * Support for annotations ([#2007](#2007)) ([ac21335](ac21335)) * **tool/mssql:** Set default host and port for MSSQL source ([#1943](#1943)) ([7a9cc63](7a9cc63)) * **tools/cloudsqlpg:** Add CloudSQL PostgreSQL pre-check tool ([#1722](#1722)) ([8752e05](8752e05)) * **tools/postgres-list-publication-tables:** Add new postgres-list-publication-tables tool ([#1919](#1919)) ([f4b1f0a](f4b1f0a)) * **tools/postgres-list-tablespaces:** Add new postgres-list-tablespaces tool ([#1934](#1934)) ([5ad7c61](5ad7c61)) * **tools/spanner-list-graph:** Tool impl + docs + tests ([#1923](#1923)) ([a0f44d3](a0f44d3)) ### Bug Fixes * Add import for firebirdsql ([#2045](#2045)) ([fb7aae9](fb7aae9)) * Correct FAQ to mention HTTP tools ([#2036](#2036)) ([7b44237](7b44237)) * Format BigQuery numeric output as decimal strings ([#2084](#2084)) ([155bff8](155bff8)) * Set default annotations for tools in code if annotation not provided in yaml ([#2049](#2049)) ([565460c](565460c)) * **tools/alloydb-postgres-list-tables:** Exclude google_ml schema from list_tables ([#2046](#2046)) ([a03984c](a03984c)) * **tools/alloydbcreateuser:** Remove duplication of project praram ([#2028](#2028)) ([730ac6d](730ac6d)) * **tools/mongodb:** Remove `required` tag from the `canonical` field ([#2099](#2099)) ([744214e](744214e)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). --------- Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com> Co-authored-by: Wenxin Du <[email protected]> cb4529c
github-actions bot
pushed a commit
to renovate-bot/googleapis-_-genai-toolbox
that referenced
this pull request
Dec 5, 2025
🤖 I have created a release *beep* *boop* --- ## [0.22.0](googleapis/genai-toolbox@v0.21.0...v0.22.0) (2025-12-04) ### Features * Add allowed-origins flag ([googleapis#1984](googleapis#1984)) ([862868f](googleapis@862868f)) * **tools/postgres:** Add list-query-stats and get-column-cardinality functions ([googleapis#1976](googleapis#1976)) ([9f76026](googleapis@9f76026)) * **tools/spanner:** Add spanner list graphs to prebuiltconfigs ([googleapis#2056](googleapis#2056)) ([0e7fbf4](googleapis@0e7fbf4)) * **prebuilt/cloud-sql:** Add clone instance tool for cloud sql ([googleapis#1845](googleapis#1845)) ([5e43630](googleapis@5e43630)) * **serverless-spark:** Add create_pyspark_batch tool ([1bf0b51](googleapis@1bf0b51)) * **serverless-spark:** Add create_spark_batch tool ([17a9792](googleapis@17a9792)) * Support alternate accessToken header name ([googleapis#1968](googleapis#1968)) ([18017d6](googleapis@18017d6)) * Support for annotations ([googleapis#2007](googleapis#2007)) ([ac21335](googleapis@ac21335)) * **tool/mssql:** Set default host and port for MSSQL source ([googleapis#1943](googleapis#1943)) ([7a9cc63](googleapis@7a9cc63)) * **tools/cloudsqlpg:** Add CloudSQL PostgreSQL pre-check tool ([googleapis#1722](googleapis#1722)) ([8752e05](googleapis@8752e05)) * **tools/postgres-list-publication-tables:** Add new postgres-list-publication-tables tool ([googleapis#1919](googleapis#1919)) ([f4b1f0a](googleapis@f4b1f0a)) * **tools/postgres-list-tablespaces:** Add new postgres-list-tablespaces tool ([googleapis#1934](googleapis#1934)) ([5ad7c61](googleapis@5ad7c61)) * **tools/spanner-list-graph:** Tool impl + docs + tests ([googleapis#1923](googleapis#1923)) ([a0f44d3](googleapis@a0f44d3)) ### Bug Fixes * Add import for firebirdsql ([googleapis#2045](googleapis#2045)) ([fb7aae9](googleapis@fb7aae9)) * Correct FAQ to mention HTTP tools ([googleapis#2036](googleapis#2036)) ([7b44237](googleapis@7b44237)) * Format BigQuery numeric output as decimal strings ([googleapis#2084](googleapis#2084)) ([155bff8](googleapis@155bff8)) * Set default annotations for tools in code if annotation not provided in yaml ([googleapis#2049](googleapis#2049)) ([565460c](googleapis@565460c)) * **tools/alloydb-postgres-list-tables:** Exclude google_ml schema from list_tables ([googleapis#2046](googleapis#2046)) ([a03984c](googleapis@a03984c)) * **tools/alloydbcreateuser:** Remove duplication of project praram ([googleapis#2028](googleapis#2028)) ([730ac6d](googleapis@730ac6d)) * **tools/mongodb:** Remove `required` tag from the `canonical` field ([googleapis#2099](googleapis#2099)) ([744214e](googleapis@744214e)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). --------- Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com> Co-authored-by: Wenxin Du <[email protected]> cb4529c
github-actions bot
pushed a commit
to Jaleel-zhu/genai-toolbox
that referenced
this pull request
Dec 5, 2025
🤖 I have created a release *beep* *boop* --- ## [0.22.0](googleapis/genai-toolbox@v0.21.0...v0.22.0) (2025-12-04) ### Features * Add allowed-origins flag ([googleapis#1984](googleapis#1984)) ([862868f](googleapis@862868f)) * **tools/postgres:** Add list-query-stats and get-column-cardinality functions ([googleapis#1976](googleapis#1976)) ([9f76026](googleapis@9f76026)) * **tools/spanner:** Add spanner list graphs to prebuiltconfigs ([googleapis#2056](googleapis#2056)) ([0e7fbf4](googleapis@0e7fbf4)) * **prebuilt/cloud-sql:** Add clone instance tool for cloud sql ([googleapis#1845](googleapis#1845)) ([5e43630](googleapis@5e43630)) * **serverless-spark:** Add create_pyspark_batch tool ([1bf0b51](googleapis@1bf0b51)) * **serverless-spark:** Add create_spark_batch tool ([17a9792](googleapis@17a9792)) * Support alternate accessToken header name ([googleapis#1968](googleapis#1968)) ([18017d6](googleapis@18017d6)) * Support for annotations ([googleapis#2007](googleapis#2007)) ([ac21335](googleapis@ac21335)) * **tool/mssql:** Set default host and port for MSSQL source ([googleapis#1943](googleapis#1943)) ([7a9cc63](googleapis@7a9cc63)) * **tools/cloudsqlpg:** Add CloudSQL PostgreSQL pre-check tool ([googleapis#1722](googleapis#1722)) ([8752e05](googleapis@8752e05)) * **tools/postgres-list-publication-tables:** Add new postgres-list-publication-tables tool ([googleapis#1919](googleapis#1919)) ([f4b1f0a](googleapis@f4b1f0a)) * **tools/postgres-list-tablespaces:** Add new postgres-list-tablespaces tool ([googleapis#1934](googleapis#1934)) ([5ad7c61](googleapis@5ad7c61)) * **tools/spanner-list-graph:** Tool impl + docs + tests ([googleapis#1923](googleapis#1923)) ([a0f44d3](googleapis@a0f44d3)) ### Bug Fixes * Add import for firebirdsql ([googleapis#2045](googleapis#2045)) ([fb7aae9](googleapis@fb7aae9)) * Correct FAQ to mention HTTP tools ([googleapis#2036](googleapis#2036)) ([7b44237](googleapis@7b44237)) * Format BigQuery numeric output as decimal strings ([googleapis#2084](googleapis#2084)) ([155bff8](googleapis@155bff8)) * Set default annotations for tools in code if annotation not provided in yaml ([googleapis#2049](googleapis#2049)) ([565460c](googleapis@565460c)) * **tools/alloydb-postgres-list-tables:** Exclude google_ml schema from list_tables ([googleapis#2046](googleapis#2046)) ([a03984c](googleapis@a03984c)) * **tools/alloydbcreateuser:** Remove duplication of project praram ([googleapis#2028](googleapis#2028)) ([730ac6d](googleapis@730ac6d)) * **tools/mongodb:** Remove `required` tag from the `canonical` field ([googleapis#2099](googleapis#2099)) ([744214e](googleapis@744214e)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). --------- Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com> Co-authored-by: Wenxin Du <[email protected]> cb4529c
github-actions bot
pushed a commit
to ishatilwani1301/genai-toolbox
that referenced
this pull request
Dec 5, 2025
🤖 I have created a release *beep* *boop* --- ## [0.22.0](googleapis/genai-toolbox@v0.21.0...v0.22.0) (2025-12-04) ### Features * Add allowed-origins flag ([googleapis#1984](googleapis#1984)) ([862868f](googleapis@862868f)) * **tools/postgres:** Add list-query-stats and get-column-cardinality functions ([googleapis#1976](googleapis#1976)) ([9f76026](googleapis@9f76026)) * **tools/spanner:** Add spanner list graphs to prebuiltconfigs ([googleapis#2056](googleapis#2056)) ([0e7fbf4](googleapis@0e7fbf4)) * **prebuilt/cloud-sql:** Add clone instance tool for cloud sql ([googleapis#1845](googleapis#1845)) ([5e43630](googleapis@5e43630)) * **serverless-spark:** Add create_pyspark_batch tool ([1bf0b51](googleapis@1bf0b51)) * **serverless-spark:** Add create_spark_batch tool ([17a9792](googleapis@17a9792)) * Support alternate accessToken header name ([googleapis#1968](googleapis#1968)) ([18017d6](googleapis@18017d6)) * Support for annotations ([googleapis#2007](googleapis#2007)) ([ac21335](googleapis@ac21335)) * **tool/mssql:** Set default host and port for MSSQL source ([googleapis#1943](googleapis#1943)) ([7a9cc63](googleapis@7a9cc63)) * **tools/cloudsqlpg:** Add CloudSQL PostgreSQL pre-check tool ([googleapis#1722](googleapis#1722)) ([8752e05](googleapis@8752e05)) * **tools/postgres-list-publication-tables:** Add new postgres-list-publication-tables tool ([googleapis#1919](googleapis#1919)) ([f4b1f0a](googleapis@f4b1f0a)) * **tools/postgres-list-tablespaces:** Add new postgres-list-tablespaces tool ([googleapis#1934](googleapis#1934)) ([5ad7c61](googleapis@5ad7c61)) * **tools/spanner-list-graph:** Tool impl + docs + tests ([googleapis#1923](googleapis#1923)) ([a0f44d3](googleapis@a0f44d3)) ### Bug Fixes * Add import for firebirdsql ([googleapis#2045](googleapis#2045)) ([fb7aae9](googleapis@fb7aae9)) * Correct FAQ to mention HTTP tools ([googleapis#2036](googleapis#2036)) ([7b44237](googleapis@7b44237)) * Format BigQuery numeric output as decimal strings ([googleapis#2084](googleapis#2084)) ([155bff8](googleapis@155bff8)) * Set default annotations for tools in code if annotation not provided in yaml ([googleapis#2049](googleapis#2049)) ([565460c](googleapis@565460c)) * **tools/alloydb-postgres-list-tables:** Exclude google_ml schema from list_tables ([googleapis#2046](googleapis#2046)) ([a03984c](googleapis@a03984c)) * **tools/alloydbcreateuser:** Remove duplication of project praram ([googleapis#2028](googleapis#2028)) ([730ac6d](googleapis@730ac6d)) * **tools/mongodb:** Remove `required` tag from the `canonical` field ([googleapis#2099](googleapis#2099)) ([744214e](googleapis@744214e)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). --------- Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com> Co-authored-by: Wenxin Du <[email protected]> cb4529c
github-actions bot
pushed a commit
to CrazyForks/genai-toolbox
that referenced
this pull request
Dec 5, 2025
🤖 I have created a release *beep* *boop* --- ## [0.22.0](googleapis/genai-toolbox@v0.21.0...v0.22.0) (2025-12-04) ### Features * Add allowed-origins flag ([googleapis#1984](googleapis#1984)) ([862868f](googleapis@862868f)) * **tools/postgres:** Add list-query-stats and get-column-cardinality functions ([googleapis#1976](googleapis#1976)) ([9f76026](googleapis@9f76026)) * **tools/spanner:** Add spanner list graphs to prebuiltconfigs ([googleapis#2056](googleapis#2056)) ([0e7fbf4](googleapis@0e7fbf4)) * **prebuilt/cloud-sql:** Add clone instance tool for cloud sql ([googleapis#1845](googleapis#1845)) ([5e43630](googleapis@5e43630)) * **serverless-spark:** Add create_pyspark_batch tool ([1bf0b51](googleapis@1bf0b51)) * **serverless-spark:** Add create_spark_batch tool ([17a9792](googleapis@17a9792)) * Support alternate accessToken header name ([googleapis#1968](googleapis#1968)) ([18017d6](googleapis@18017d6)) * Support for annotations ([googleapis#2007](googleapis#2007)) ([ac21335](googleapis@ac21335)) * **tool/mssql:** Set default host and port for MSSQL source ([googleapis#1943](googleapis#1943)) ([7a9cc63](googleapis@7a9cc63)) * **tools/cloudsqlpg:** Add CloudSQL PostgreSQL pre-check tool ([googleapis#1722](googleapis#1722)) ([8752e05](googleapis@8752e05)) * **tools/postgres-list-publication-tables:** Add new postgres-list-publication-tables tool ([googleapis#1919](googleapis#1919)) ([f4b1f0a](googleapis@f4b1f0a)) * **tools/postgres-list-tablespaces:** Add new postgres-list-tablespaces tool ([googleapis#1934](googleapis#1934)) ([5ad7c61](googleapis@5ad7c61)) * **tools/spanner-list-graph:** Tool impl + docs + tests ([googleapis#1923](googleapis#1923)) ([a0f44d3](googleapis@a0f44d3)) ### Bug Fixes * Add import for firebirdsql ([googleapis#2045](googleapis#2045)) ([fb7aae9](googleapis@fb7aae9)) * Correct FAQ to mention HTTP tools ([googleapis#2036](googleapis#2036)) ([7b44237](googleapis@7b44237)) * Format BigQuery numeric output as decimal strings ([googleapis#2084](googleapis#2084)) ([155bff8](googleapis@155bff8)) * Set default annotations for tools in code if annotation not provided in yaml ([googleapis#2049](googleapis#2049)) ([565460c](googleapis@565460c)) * **tools/alloydb-postgres-list-tables:** Exclude google_ml schema from list_tables ([googleapis#2046](googleapis#2046)) ([a03984c](googleapis@a03984c)) * **tools/alloydbcreateuser:** Remove duplication of project praram ([googleapis#2028](googleapis#2028)) ([730ac6d](googleapis@730ac6d)) * **tools/mongodb:** Remove `required` tag from the `canonical` field ([googleapis#2099](googleapis#2099)) ([744214e](googleapis@744214e)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). --------- Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com> Co-authored-by: Wenxin Du <[email protected]> cb4529c
github-actions bot
pushed a commit
to bhardwajRahul/genai-toolbox
that referenced
this pull request
Dec 5, 2025
🤖 I have created a release *beep* *boop* --- ## [0.22.0](googleapis/genai-toolbox@v0.21.0...v0.22.0) (2025-12-04) ### Features * Add allowed-origins flag ([googleapis#1984](googleapis#1984)) ([862868f](googleapis@862868f)) * **tools/postgres:** Add list-query-stats and get-column-cardinality functions ([googleapis#1976](googleapis#1976)) ([9f76026](googleapis@9f76026)) * **tools/spanner:** Add spanner list graphs to prebuiltconfigs ([googleapis#2056](googleapis#2056)) ([0e7fbf4](googleapis@0e7fbf4)) * **prebuilt/cloud-sql:** Add clone instance tool for cloud sql ([googleapis#1845](googleapis#1845)) ([5e43630](googleapis@5e43630)) * **serverless-spark:** Add create_pyspark_batch tool ([1bf0b51](googleapis@1bf0b51)) * **serverless-spark:** Add create_spark_batch tool ([17a9792](googleapis@17a9792)) * Support alternate accessToken header name ([googleapis#1968](googleapis#1968)) ([18017d6](googleapis@18017d6)) * Support for annotations ([googleapis#2007](googleapis#2007)) ([ac21335](googleapis@ac21335)) * **tool/mssql:** Set default host and port for MSSQL source ([googleapis#1943](googleapis#1943)) ([7a9cc63](googleapis@7a9cc63)) * **tools/cloudsqlpg:** Add CloudSQL PostgreSQL pre-check tool ([googleapis#1722](googleapis#1722)) ([8752e05](googleapis@8752e05)) * **tools/postgres-list-publication-tables:** Add new postgres-list-publication-tables tool ([googleapis#1919](googleapis#1919)) ([f4b1f0a](googleapis@f4b1f0a)) * **tools/postgres-list-tablespaces:** Add new postgres-list-tablespaces tool ([googleapis#1934](googleapis#1934)) ([5ad7c61](googleapis@5ad7c61)) * **tools/spanner-list-graph:** Tool impl + docs + tests ([googleapis#1923](googleapis#1923)) ([a0f44d3](googleapis@a0f44d3)) ### Bug Fixes * Add import for firebirdsql ([googleapis#2045](googleapis#2045)) ([fb7aae9](googleapis@fb7aae9)) * Correct FAQ to mention HTTP tools ([googleapis#2036](googleapis#2036)) ([7b44237](googleapis@7b44237)) * Format BigQuery numeric output as decimal strings ([googleapis#2084](googleapis#2084)) ([155bff8](googleapis@155bff8)) * Set default annotations for tools in code if annotation not provided in yaml ([googleapis#2049](googleapis#2049)) ([565460c](googleapis@565460c)) * **tools/alloydb-postgres-list-tables:** Exclude google_ml schema from list_tables ([googleapis#2046](googleapis#2046)) ([a03984c](googleapis@a03984c)) * **tools/alloydbcreateuser:** Remove duplication of project praram ([googleapis#2028](googleapis#2028)) ([730ac6d](googleapis@730ac6d)) * **tools/mongodb:** Remove `required` tag from the `canonical` field ([googleapis#2099](googleapis#2099)) ([744214e](googleapis@744214e)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). --------- Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com> Co-authored-by: Wenxin Du <[email protected]> cb4529c
rahulpinto19
pushed a commit
that referenced
this pull request
Dec 8, 2025
🤖 I have created a release *beep* *boop* --- ## [0.22.0](v0.21.0...v0.22.0) (2025-12-04) ### Features * Add allowed-origins flag ([#1984](#1984)) ([862868f](862868f)) * **tools/postgres:** Add list-query-stats and get-column-cardinality functions ([#1976](#1976)) ([9f76026](9f76026)) * **tools/spanner:** Add spanner list graphs to prebuiltconfigs ([#2056](#2056)) ([0e7fbf4](0e7fbf4)) * **prebuilt/cloud-sql:** Add clone instance tool for cloud sql ([#1845](#1845)) ([5e43630](5e43630)) * **serverless-spark:** Add create_pyspark_batch tool ([1bf0b51](1bf0b51)) * **serverless-spark:** Add create_spark_batch tool ([17a9792](17a9792)) * Support alternate accessToken header name ([#1968](#1968)) ([18017d6](18017d6)) * Support for annotations ([#2007](#2007)) ([ac21335](ac21335)) * **tool/mssql:** Set default host and port for MSSQL source ([#1943](#1943)) ([7a9cc63](7a9cc63)) * **tools/cloudsqlpg:** Add CloudSQL PostgreSQL pre-check tool ([#1722](#1722)) ([8752e05](8752e05)) * **tools/postgres-list-publication-tables:** Add new postgres-list-publication-tables tool ([#1919](#1919)) ([f4b1f0a](f4b1f0a)) * **tools/postgres-list-tablespaces:** Add new postgres-list-tablespaces tool ([#1934](#1934)) ([5ad7c61](5ad7c61)) * **tools/spanner-list-graph:** Tool impl + docs + tests ([#1923](#1923)) ([a0f44d3](a0f44d3)) ### Bug Fixes * Add import for firebirdsql ([#2045](#2045)) ([fb7aae9](fb7aae9)) * Correct FAQ to mention HTTP tools ([#2036](#2036)) ([7b44237](7b44237)) * Format BigQuery numeric output as decimal strings ([#2084](#2084)) ([155bff8](155bff8)) * Set default annotations for tools in code if annotation not provided in yaml ([#2049](#2049)) ([565460c](565460c)) * **tools/alloydb-postgres-list-tables:** Exclude google_ml schema from list_tables ([#2046](#2046)) ([a03984c](a03984c)) * **tools/alloydbcreateuser:** Remove duplication of project praram ([#2028](#2028)) ([730ac6d](730ac6d)) * **tools/mongodb:** Remove `required` tag from the `canonical` field ([#2099](#2099)) ([744214e](744214e)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). --------- Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com> Co-authored-by: Wenxin Du <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Support
allowed-originsflag to allow secure deployment of Toolbox. Current Toolbox is insecure by default, which allows all origin (*). This PR also updated docs to notify user of the newallowed-originsflag in the Cloud Run, kubernetes, and docker deployment docs.This PR was tested manually by mocking a browser access:
malicious-client.html:python3 -m http.server 8000http://localhost:8000/malicious-client.htmlin browser.--allowed-originsflag -- success.Tried with
--allowed-origins=http://localhost:8000-- success.Tried with
--allowed-origins=http://foo.com-- unsuccessful.