423RedundantConditionalExpression (#653)

* Redundant Conditional Expression in Content Validation

Signed-off-by: NAYANAR <[email protected]>

* update

Signed-off-by: NAYANAR <[email protected]>

* Remove FEATURES_DOCS_ENABLED and set DEV_MODE=false

Signed-off-by: Mihai Criveti <[email protected]>

---------

Signed-off-by: NAYANAR <[email protected]>
Signed-off-by: Mihai Criveti <[email protected]>
Co-authored-by: NAYANAR <[email protected]>
Co-authored-by: Mihai Criveti <[email protected]>

Author: 3 people

.env.example

@@ -100,6 +100,7 @@ TOKEN_EXPIRY=10080
 # Require all JWT tokens to have expiration claims (true or false)
 REQUIRE_TOKEN_EXPIRATION=false
 
+
 # Used to derive an AES encryption key for secure auth storage
 # Must be a non-empty string (e.g. passphrase or random secret)
 AUTH_ENCRYPTION_SECRET=my-test-salt

mcpgateway/main.py

@@ -1413,6 +1413,9 @@ async def create_resource(
         raise HTTPException(status_code=409, detail=str(e))
     except ResourceError as e:
         raise HTTPException(status_code=400, detail=str(e))
+    except ValidationError as e:
+        # Handle validation errors from Pydantic
+        return JSONResponse(content=ErrorFormatter.format_validation_error(e), status_code=422)
 
 
 @resource_router.get("/{uri:path}")

mcpgateway/schemas.py

@@ -999,15 +999,13 @@ def validate_content(cls, v: Optional[Union[str, bytes]]) -> Optional[Union[str,
 
         if isinstance(v, bytes):
             try:
-                v_str = v.decode("utf-8")
-
-                if re.search(SecurityValidator.DANGEROUS_HTML_PATTERN, v_str if isinstance(v, bytes) else v, re.IGNORECASE):
-                    raise ValueError("Content contains HTML tags that may cause display issues")
+                text = v.decode("utf-8")
             except UnicodeDecodeError:
                 raise ValueError("Content must be UTF-8 decodable")
         else:
-            if re.search(SecurityValidator.DANGEROUS_HTML_PATTERN, v if isinstance(v, bytes) else v, re.IGNORECASE):
-                raise ValueError("Content contains HTML tags that may cause display issues")
+            text = v
+        if re.search(SecurityValidator.DANGEROUS_HTML_PATTERN, text, re.IGNORECASE):
+            raise ValueError("Content contains HTML tags that may cause display issues")
 
         return v
 
@@ -1094,15 +1092,13 @@ def validate_content(cls, v: Optional[Union[str, bytes]]) -> Optional[Union[str,
 
         if isinstance(v, bytes):
             try:
-                v_str = v.decode("utf-8")
-
-                if re.search(SecurityValidator.DANGEROUS_HTML_PATTERN, v_str if isinstance(v, bytes) else v, re.IGNORECASE):
-                    raise ValueError("Content contains HTML tags that may cause display issues")
+                text = v.decode("utf-8")
             except UnicodeDecodeError:
                 raise ValueError("Content must be UTF-8 decodable")
         else:
-            if re.search(SecurityValidator.DANGEROUS_HTML_PATTERN, v if isinstance(v, bytes) else v, re.IGNORECASE):
-                raise ValueError("Content contains HTML tags that may cause display issues")
+            text = v
+        if re.search(SecurityValidator.DANGEROUS_HTML_PATTERN, text, re.IGNORECASE):
+            raise ValueError("Content contains HTML tags that may cause display issues")
 
         return v
 

tests/unit/mcpgateway/test_schemas.py

@@ -52,6 +52,7 @@
     AdminToolCreate,
     EventMessage,
     ListFilters,
+    ResourceCreate,
     ServerCreate,
     ServerMetrics,
     ServerRead,
@@ -841,3 +842,36 @@ def test_list_filters(self):
         # Test default value
         default_filters = ListFilters()
         assert default_filters.include_inactive is False
+
+
+DANGEROUS_HTML = "<script>alert('xss')</script>"
+SAFE_STRING = "Hello, this is safe."
+SAFE_BYTES = b"Some binary safe content"
+DANGEROUS_HTML_BYTES = DANGEROUS_HTML.encode("utf-8")
+NON_UTF8_BYTES = b"\x80\x81\x82"
+
+
+# Tests for ResourceCreate
+def test_resource_create_with_safe_string():
+    r = ResourceCreate(uri="some-uri", name="test.txt", content=SAFE_STRING)
+    assert isinstance(r.content, str)
+
+
+def test_resource_create_with_dangerous_html_string():
+    with pytest.raises(ValueError, match="Content contains HTML tags"):
+        ResourceCreate(uri="some-uri", name="dangerous.html", content=DANGEROUS_HTML)
+
+
+def test_resource_create_with_safe_bytes():
+    r = ResourceCreate(uri="some-uri", name="test.bin", content=SAFE_BYTES)
+    assert isinstance(r.content, bytes)
+
+
+def test_resource_create_with_dangerous_html_bytes():
+    with pytest.raises(ValueError, match="Content contains HTML tags"):
+        ResourceCreate(uri="some-uri", name="dangerous.html", content=DANGEROUS_HTML_BYTES)
+
+
+def test_resource_create_with_non_utf8_bytes():
+    with pytest.raises(ValueError, match="Content must be UTF-8 decodable"):
+        ResourceCreate(uri="some-uri", name="nonutf8.bin", content=NON_UTF8_BYTES)