genai-toolbox

The server incorporates robust security features such as OIDC-based authentication, CORS, and DNS rebinding attack prevention. However, a critical security consideration lies in the 'template parameters' available for SQL-based tools. While standard parameterized queries inherently prevent SQL injection, 'template parameters' are designed to allow direct modification of SQL statements, including identifiers, column names, and table names. The documentation explicitly notes this makes them 'more vulnerable to SQL injections'. Developers are advised to prefer standard parameters or, if using template parameters, to diligently implement `allowedValues`, `escape`, or `minValue`/`maxValue` for validation. Hardcoded secrets are discouraged by the use of environment variables for configuration, which should be managed securely (e.g., via Secret Manager in cloud deployments).