test: add coverage for URL query param forwarding in form-encoded and multipart REST requests

madhav165 · madhav165 · commit b996272313f8 · 2026-04-17T11:07:58.000+05:30
Verify that URL-embedded query parameters (e.g. ?token=abc) are passed
via httpx params= for both application/x-www-form-urlencoded and
multipart/form-data branches, keeping them on the query string rather
than merging into the request body.

Signed-off-by: Madhav Kandukuri &lt;madhav165@gmail.com&gt;
diff --git a/tests/unit/mcpgateway/services/test_tool_service.py b/tests/unit/mcpgateway/services/test_tool_service.py
@@ -2284,6 +2284,80 @@ async def test_invoke_tool_rest_post_form_nested_values(self, tool_service, mock
             assert data["nothing"] == ""
             assert json.loads(data["nested"]) == {"key": "val"}
 
+    @pytest.mark.asyncio
+    async def test_invoke_tool_rest_post_form_urlencoded_with_url_query_params(self, tool_service, mock_tool, mock_global_config_obj, test_db):
+        """Form-urlencoded POST with URL query params should forward them via params= (query string), not in the form body."""
+        mock_tool.integration_type = "REST"
+        mock_tool.request_type = "POST"
+        mock_tool.jsonpath_filter = ""
+        mock_tool.auth_value = None
+        mock_tool.url = "http://example.com/api/submit?token=abc123&version=v2"
+        mock_tool.headers = {"Content-Type": "application/x-www-form-urlencoded"}
+
+        setup_db_execute_mock(test_db, mock_tool, mock_global_config_obj)
+
+        mock_response = AsyncMock()
+        mock_response.raise_for_status = Mock()
+        mock_response.status_code = 200
+        mock_response.json = Mock(return_value={"ok": True})
+        tool_service._http_client.request.return_value = mock_response
+
+        mock_metrics_buffer = Mock()
+        mock_metrics_buffer.record_tool_metric = Mock()
+        with (
+            patch("mcpgateway.services.tool_service.metrics_buffer", mock_metrics_buffer),
+            patch("mcpgateway.services.tool_service.decode_auth", return_value={}),
+            patch("mcpgateway.services.tool_service.extract_using_jq", return_value={"ok": True}),
+        ):
+            await tool_service.invoke_tool(test_db, "test_tool", {"name": "test"}, request_headers=None)
+
+            call_kwargs = tool_service._http_client.request.call_args
+            # Body should only contain the user-supplied payload (form-encoded)
+            assert call_kwargs.kwargs.get("data") == {"name": "test"}
+            # URL query params should be forwarded via params= (on the query string)
+            assert call_kwargs.kwargs.get("params") == {"token": "abc123", "version": "v2"}
+            # URL should have query string stripped
+            assert call_kwargs.args[1] == "http://example.com/api/submit"
+
+    @pytest.mark.asyncio
+    async def test_invoke_tool_rest_post_multipart_with_url_query_params(self, tool_service, mock_tool, mock_global_config_obj, test_db):
+        """Multipart POST with URL query params should forward them via params= (query string), not in the multipart body."""
+        mock_tool.integration_type = "REST"
+        mock_tool.request_type = "POST"
+        mock_tool.jsonpath_filter = ""
+        mock_tool.auth_value = None
+        mock_tool.url = "http://example.com/api/upload?token=secret"
+        mock_tool.headers = {"Content-Type": "multipart/form-data", "X-Custom": "keep-me"}
+
+        setup_db_execute_mock(test_db, mock_tool, mock_global_config_obj)
+
+        mock_response = AsyncMock()
+        mock_response.raise_for_status = Mock()
+        mock_response.status_code = 200
+        mock_response.json = Mock(return_value={"uploaded": True})
+        tool_service._http_client.request.return_value = mock_response
+
+        mock_metrics_buffer = Mock()
+        mock_metrics_buffer.record_tool_metric = Mock()
+        with (
+            patch("mcpgateway.services.tool_service.metrics_buffer", mock_metrics_buffer),
+            patch("mcpgateway.services.tool_service.decode_auth", return_value={}),
+            patch("mcpgateway.services.tool_service.extract_using_jq", return_value={"uploaded": True}),
+        ):
+            await tool_service.invoke_tool(test_db, "test_tool", {"file_name": "doc.pdf"}, request_headers=None)
+
+            call_kwargs = tool_service._http_client.request.call_args
+            # Body should only contain user-supplied payload (multipart files=)
+            assert call_kwargs.kwargs.get("files") == {"file_name": (None, "doc.pdf")}
+            # URL query params should be forwarded via params=
+            assert call_kwargs.kwargs.get("params") == {"token": "secret"}
+            # URL should have query string stripped
+            assert call_kwargs.args[1] == "http://example.com/api/upload"
+            # Content-Type stripped, but other headers preserved
+            sent_headers = call_kwargs.kwargs.get("headers", {})
+            assert "Content-Type" not in sent_headers
+            assert sent_headers.get("X-Custom") == "keep-me"
+
     @pytest.mark.asyncio
     async def test_invoke_tool_rest_decrypts_encrypted_custom_headers(self, tool_service, mock_tool, mock_global_config_obj, test_db):
         """REST invocation should send decrypted values for encrypted custom headers."""
