IBM
diff --git a/‎mcpgateway/config.py
Lines changed: 4 additions & 1 deletion b/‎mcpgateway/config.py
Lines changed: 4 additions & 1 deletion
diff --git a/‎mcpgateway/schemas.py
Lines changed: 285 additions & 5 deletions b/‎mcpgateway/schemas.py
Lines changed: 285 additions & 5 deletions
@@ -489,7 +489,10 @@ def validate_database(self) -> None:
                 db_dir.mkdir(parents=True)
 
     # Validation patterns for safe display (configurable)
-    validation_dangerous_html_pattern: str = r"<(script|iframe|object|embed|link|meta|base|form)\b|</*(script|iframe|object|embed|link|meta|base|form)>"
+    validation_dangerous_html_pattern: str = (
+        r"<(script|iframe|object|embed|link|meta|base|form|img|svg|video|audio|source|track|area|map|canvas|applet|frame|frameset|html|head|body|style)\b|</*(script|iframe|object|embed|link|meta|base|form|img|svg|video|audio|source|track|area|map|canvas|applet|frame|frameset|html|head|body|style)>"
+    )
+
     validation_dangerous_js_pattern: str = r"javascript:|vbscript:|on\w+\s*=|data:.*script"
     validation_allowed_url_schemes: List[str] = ["http://", "https://", "ws://", "wss://"]
 
 
@@ -28,7 +28,7 @@
 from typing import Any, Dict, List, Literal, Optional, Self, Union
 
 # Third-Party
-from pydantic import AnyHttpUrl, BaseModel, ConfigDict, Field, field_serializer, field_validator, model_validator, ValidationInfo
+from pydantic import AnyHttpUrl, BaseModel, ConfigDict, Field, field_serializer, field_validator, model_validator, ValidationInfo, ValidationError
 
 # First-Party
 from mcpgateway.config import settings
@@ -737,14 +737,145 @@ class ToolRead(BaseModelWithConfigDict):
 class ToolInvocation(BaseModelWithConfigDict):
     """Schema for tool invocation requests.
 
+    This schema validates tool invocation requests to ensure they follow MCP
+    (Model Context Protocol) naming conventions and prevent security vulnerabilities
+    such as XSS attacks or deeply nested payloads that could cause DoS.
+
     Captures:
-    - Tool name to invoke
-    - Arguments matching tool's input schema
+    - Tool name to invoke (validated for safety and MCP compliance)
+    - Arguments matching tool's input schema (validated for depth limits)
+
+    Validation Rules:
+    - Tool names must start with a letter and contain only letters, numbers,
+      underscores, and hyphens
+    - Tool names cannot contain HTML special characters (<, >, ", ', /)
+    - Arguments are validated to prevent excessively deep nesting (default max: 10 levels)
+
+    Attributes:
+        name (str): Name of the tool to invoke. Must follow MCP naming conventions.
+        arguments (Dict[str, Any]): Arguments to pass to the tool. Must match the
+                                   tool's input schema and not exceed depth limits.
+
+    Examples:
+        >>> # Valid tool invocation
+        >>> tool_inv = ToolInvocation(name="get_weather", arguments={"city": "London"})
+        >>> tool_inv.name
+        'get_weather'
+        >>> tool_inv.arguments
+        {'city': 'London'}
+
+        >>> # Valid tool name with underscores and numbers
+        >>> tool_inv = ToolInvocation(name="tool_v2_beta", arguments={})
+        >>> tool_inv.name
+        'tool_v2_beta'
+
+        >>> # Invalid: Tool name with special characters
+        >>> try:
+        ...     ToolInvocation(name="tool-name!", arguments={})
+        ... except ValidationError as e:
+        ...     print("Validation failed: Special characters not allowed")
+        Validation failed: Special characters not allowed
+
+        >>> # Invalid: XSS attempt in tool name
+        >>> try:
+        ...     ToolInvocation(name="<script>alert('XSS')</script>", arguments={})
+        ... except ValidationError as e:
+        ...     print("Validation failed: HTML tags not allowed")
+        Validation failed: HTML tags not allowed
+
+        >>> # Invalid: Tool name starting with number
+        >>> try:
+        ...     ToolInvocation(name="123_tool", arguments={})
+        ... except ValidationError as e:
+        ...     print("Validation failed: Must start with letter")
+        Validation failed: Must start with letter
+
+        >>> # Valid: Complex but not too deep arguments
+        >>> args = {"level1": {"level2": {"level3": {"data": "value"}}}}
+        >>> tool_inv = ToolInvocation(name="process_data", arguments=args)
+        >>> tool_inv.arguments["level1"]["level2"]["level3"]["data"]
+        'value'
+
+        >>> # Invalid: Arguments too deeply nested (>10 levels)
+        >>> deep_args = {"a": {"b": {"c": {"d": {"e": {"f": {"g": {"h": {"i": {"j": {"k": "too deep"}}}}}}}}}}}
+        >>> try:
+        ...     ToolInvocation(name="process_data", arguments=deep_args)
+        ... except ValidationError as e:
+        ...     print("Validation failed: Exceeds maximum depth")
+        Validation failed: Exceeds maximum depth
+
+        >>> # Edge case: Empty tool name
+        >>> try:
+        ...     ToolInvocation(name="", arguments={})
+        ... except ValidationError as e:
+        ...     print("Validation failed: Name cannot be empty")
+        Validation failed: Name cannot be empty
+
+        >>> # Valid: Tool name with hyphen (but not starting/ending)
+        >>> tool_inv = ToolInvocation(name="get_user_info", arguments={"id": 123})
+        >>> tool_inv.name
+        'get_user_info'
+
+        >>> # Arguments with various types
+        >>> args = {
+        ...     "string": "value",
+        ...     "number": 42,
+        ...     "boolean": True,
+        ...     "array": [1, 2, 3],
+        ...     "nested": {"key": "value"}
+        ... }
+        >>> tool_inv = ToolInvocation(name="complex_tool", arguments=args)
+        >>> tool_inv.arguments["number"]
+        42
     """
 
     name: str = Field(..., description="Name of tool to invoke")
     arguments: Dict[str, Any] = Field(default_factory=dict, description="Arguments matching tool's input schema")
 
+    @field_validator("name")
+    @classmethod
+    def validate_name(cls, v: str) -> str:
+        """Ensure tool names follow MCP naming conventions.
+
+        Validates that the tool name:
+        - Is not empty
+        - Starts with a letter (not a number or special character)
+        - Contains only letters, numbers, underscores, and hyphens
+        - Does not contain HTML special characters that could cause XSS
+        - Does not exceed maximum length (255 characters)
+
+        Args:
+            v (str): Tool name to validate
+
+        Returns:
+            str: The validated tool name if it passes all checks
+
+        Raises:
+            ValueError: If the tool name violates any validation rules
+        """
+        return SecurityValidator.validate_tool_name(v)
+
+    @field_validator("arguments")
+    @classmethod
+    def validate_arguments(cls, v: Dict[str, Any]) -> Dict[str, Any]:
+        """Validate arguments structure depth to prevent DoS attacks.
+
+        Ensures that the arguments dictionary doesn't have excessive nesting
+        that could cause performance issues or stack overflow. The default
+        maximum depth is 10 levels.
+
+        Args:
+            v (dict): Arguments dictionary to validate
+
+        Returns:
+            dict: The validated arguments if within depth limits
+
+        Raises:
+            ValueError: If the arguments exceed the maximum allowed depth
+        """
+        SecurityValidator.validate_json_depth(v)
+        return v
+
 
 class ToolResult(BaseModelWithConfigDict):
     """Schema for tool invocation results.
@@ -1000,14 +1131,163 @@ class ResourceRead(BaseModelWithConfigDict):
 class ResourceSubscription(BaseModelWithConfigDict):
     """Schema for resource subscriptions.
 
+    This schema validates resource subscription requests to ensure URIs are safe
+    and subscriber IDs follow proper formatting rules. It prevents various
+    injection attacks and ensures data consistency.
+
     Tracks:
-    - Resource URI being subscribed to
-    - Unique subscriber identifier
+    - Resource URI being subscribed to (validated for safety)
+    - Unique subscriber identifier (validated for proper format)
+
+    Validation Rules:
+    - URIs cannot contain HTML special characters (<, >, ", ', backslash)
+    - URIs cannot contain directory traversal sequences (..)
+    - URIs must contain only safe characters (alphanumeric, _, -, :, /, ?, =, &, %)
+    - Subscriber IDs must contain only alphanumeric characters, underscores, hyphens, and dots
+    - Both fields have maximum length limits (255 characters)
+
+    Attributes:
+        uri (str): URI of the resource to subscribe to. Must be a safe, valid URI.
+        subscriber_id (str): Unique identifier for the subscriber. Must follow
+                            identifier naming conventions.
+
+    Examples:
+        >>> # Valid subscription
+        >>> sub = ResourceSubscription(uri="/api/v1/users/123", subscriber_id="client_001")
+        >>> sub.uri
+        '/api/v1/users/123'
+        >>> sub.subscriber_id
+        'client_001'
+
+        >>> # Valid URI with query parameters
+        >>> sub = ResourceSubscription(uri="/data?type=json&limit=10", subscriber_id="app.service.1")
+        >>> sub.uri
+        '/data?type=json&limit=10'
+
+        >>> # Valid subscriber ID with dots (common for service names)
+        >>> sub = ResourceSubscription(uri="/events", subscriber_id="com.example.service")
+        >>> sub.subscriber_id
+        'com.example.service'
+
+        >>> # Invalid: XSS attempt in URI
+        >>> try:
+        ...     ResourceSubscription(uri="<script>alert('XSS')</script>", subscriber_id="sub1")
+        ... except ValidationError as e:
+        ...     print("Validation failed: HTML characters not allowed")
+        Validation failed: HTML characters not allowed
+
+        >>> # Invalid: Directory traversal in URI
+        >>> try:
+        ...     ResourceSubscription(uri="/api/../../../etc/passwd", subscriber_id="sub1")
+        ... except ValidationError as e:
+        ...     print("Validation failed: Directory traversal detected")
+        Validation failed: Directory traversal detected
+
+        >>> # Invalid: SQL injection attempt in URI
+        >>> try:
+        ...     ResourceSubscription(uri="/users'; DROP TABLE users;--", subscriber_id="sub1")
+        ... except ValidationError as e:
+        ...     print("Validation failed: Invalid characters in URI")
+        Validation failed: Invalid characters in URI
+
+        >>> # Invalid: Special characters in subscriber ID
+        >>> try:
+        ...     ResourceSubscription(uri="/api/data", subscriber_id="sub@123!")
+        ... except ValidationError as e:
+        ...     print("Validation failed: Invalid subscriber ID format")
+        Validation failed: Invalid subscriber ID format
+
+        >>> # Invalid: Empty URI
+        >>> try:
+        ...     ResourceSubscription(uri="", subscriber_id="sub1")
+        ... except ValidationError as e:
+        ...     print("Validation failed: URI cannot be empty")
+        Validation failed: URI cannot be empty
+
+        >>> # Invalid: Empty subscriber ID
+        >>> try:
+        ...     ResourceSubscription(uri="/api/data", subscriber_id="")
+        ... except ValidationError as e:
+        ...     print("Validation failed: Subscriber ID cannot be empty")
+        Validation failed: Subscriber ID cannot be empty
+
+        >>> # Valid: Complex but safe URI
+        >>> sub = ResourceSubscription(
+        ...     uri="/api/v2/resources/category:items/filter?status=active&limit=50",
+        ...     subscriber_id="monitor-service-01"
+        ... )
+        >>> sub.uri
+        '/api/v2/resources/category:items/filter?status=active&limit=50'
+
+        >>> # Edge case: Maximum length validation (simulated)
+        >>> long_uri = "/" + "a" * 254  # Just under limit
+        >>> sub = ResourceSubscription(uri=long_uri, subscriber_id="sub1")
+        >>> len(sub.uri)
+        255
+
+        >>> # Invalid: Quotes in URI (could break out of attributes)
+        >>> try:
+        ...     ResourceSubscription(uri='/api/data"onclick="alert(1)', subscriber_id="sub1")
+        ... except ValidationError as e:
+        ...     print("Validation failed: Quotes not allowed in URI")
+        Validation failed: Quotes not allowed in URI
     """
 
     uri: str = Field(..., description="URI of resource to subscribe to")
     subscriber_id: str = Field(..., description="Unique subscriber identifier")
 
+    @field_validator("uri")
+    @classmethod
+    def validate_uri(cls, v: str) -> str:
+        """Validate URI format for safety and correctness.
+
+        Ensures the URI:
+        - Is not empty
+        - Does not contain HTML special characters that could cause XSS
+        - Does not contain directory traversal sequences (..)
+        - Contains only allowed characters for URIs
+        - Does not exceed maximum length (255 characters)
+
+        This prevents various injection attacks including XSS, path traversal,
+        and other URI-based vulnerabilities.
+
+        Args:
+            v (str): URI to validate
+
+        Returns:
+            str: The validated URI if it passes all security checks
+
+        Raises:
+            ValueError: If the URI contains dangerous patterns or invalid characters
+        """
+        return SecurityValidator.validate_uri(v, "Resource URI")
+
+    @field_validator("subscriber_id")
+    @classmethod
+    def validate_subscriber_id(cls, v: str) -> str:
+        """Validate subscriber ID format.
+
+        Ensures the subscriber ID:
+        - Is not empty
+        - Contains only alphanumeric characters, underscores, hyphens, and dots
+        - Does not contain HTML special characters
+        - Follows standard identifier naming conventions
+        - Does not exceed maximum length (255 characters)
+
+        This ensures consistency and prevents injection attacks through
+        subscriber identifiers.
+
+        Args:
+            v (str): Subscriber ID to validate
+
+        Returns:
+            str: The validated subscriber ID if it passes all checks
+
+        Raises:
+            ValueError: If the subscriber ID violates naming conventions
+        """
+        return SecurityValidator.validate_identifier(v, "Subscriber ID")
+
 
 class ResourceNotification(BaseModelWithConfigDict):
     """Schema for resource update notifications.