Invalid-transport-type (#572)

* fixes for Bug359

Signed-off-by: Satya <[email protected]>

* make flake8 fix

Signed-off-by: Satya <[email protected]>

---------

Signed-off-by: Satya <[email protected]>
Co-authored-by: Mihai Criveti <[email protected]>

Author: TS0713

mcpgateway/admin.py

@@ -2299,6 +2299,14 @@ async def admin_add_gateway(request: Request, db: Session = Depends(get_db), use
         # Convert KeyError to ValidationError-like response
         return JSONResponse(content={"message": f"Missing required field: {e}", "success": False}, status_code=422)
 
+    except ValueError as ex:
+        # --- Getting only the custom message from the ValueError ---
+        error_ctx = []
+        logger.info(f" ALL -> {ex.errors()}")
+        for err in ex.errors():
+            error_ctx.append(str(err["ctx"]["error"]))
+        return JSONResponse(content={"success": False, "message": "; ".join(error_ctx)}, status_code=422)
+
     try:
         await gateway_service.register_gateway(db, gateway)
         return JSONResponse(

mcpgateway/config.py

@@ -470,7 +470,8 @@ def validate_transport(self) -> None:
             ...     print('error')
             error
         """
-        valid_types = {"http", "ws", "sse", "all"}
+        # valid_types = {"http", "ws", "sse", "all"}
+        valid_types = {"sse", "streamablehttp", "all", "http"}
         if self.transport_type not in valid_types:
             raise ValueError(f"Invalid transport type. Must be one of: {valid_types}")
 
@@ -489,9 +490,7 @@ def validate_database(self) -> None:
                 db_dir.mkdir(parents=True)
 
     # Validation patterns for safe display (configurable)
-    validation_dangerous_html_pattern: str = (
-        r"<(script|iframe|object|embed|link|meta|base|form|img|svg|video|audio|source|track|area|map|canvas|applet|frame|frameset|html|head|body|style)\b|</*(script|iframe|object|embed|link|meta|base|form|img|svg|video|audio|source|track|area|map|canvas|applet|frame|frameset|html|head|body|style)>"
-    )
+    validation_dangerous_html_pattern: str = r"<(script|iframe|object|embed|link|meta|base|form|img|svg|video|audio|source|track|area|map|canvas|applet|frame|frameset|html|head|body|style)\b|</*(script|iframe|object|embed|link|meta|base|form|img|svg|video|audio|source|track|area|map|canvas|applet|frame|frameset|html|head|body|style)>"
 
     validation_dangerous_js_pattern: str = r"javascript:|vbscript:|on\w+\s*=|data:.*script"
     validation_allowed_url_schemes: List[str] = ["http://", "https://", "ws://", "wss://"]

mcpgateway/schemas.py

@@ -22,6 +22,7 @@
 # Standard
 import base64
 from datetime import datetime, timezone
+from enum import Enum
 import json
 import logging
 import re
@@ -1569,6 +1570,14 @@ class PromptInvocation(BaseModelWithConfigDict):
 # --- Gateway Schemas ---
 
 
+# --- Transport Type ---
+class TransportType(str, Enum):
+    SSE = "SSE"
+    HTTP = "HTTP"
+    STDIO = "STDIO"
+    STREAMABLEHTTP = "STREAMABLEHTTP"
+
+
 class GatewayCreate(BaseModel):
     """
     Schema for creating a new gateway.
@@ -1678,6 +1687,13 @@ def create_auth_value(cls, v, info):
 
         return auth_value
 
+    @field_validator("transport")
+    @classmethod
+    def validate_transport(cls, v: str) -> str:
+        if v not in [t.value for t in TransportType]:
+            raise ValueError(f"Invalid transport type: {v}. Must be one of: {', '.join([t.value for t in TransportType])}")
+        return v
+
     @staticmethod
     def _process_auth_fields(info: ValidationInfo) -> Optional[Dict[str, Any]]:
         """

mcpgateway/static/admin.js

@@ -4218,12 +4218,12 @@ async function handleResourceFormSubmit(e) {
         formData.append("is_inactive_checked", isInactiveCheckedBool);
 
         const response = await fetchWithTimeout(
-                `${window.ROOT_PATH}/admin/resources`,
-                {
-                    method: "POST",
-                    body: formData,
-                },
-            );
+            `${window.ROOT_PATH}/admin/resources`,
+            {
+                method: "POST",
+                body: formData,
+            },
+        );
 
         const result = await response.json();
         if (!result.success) {
@@ -4233,20 +4233,20 @@ async function handleResourceFormSubmit(e) {
                 ? `${window.ROOT_PATH}/admin?include_inactive=true#resources`
                 : `${window.ROOT_PATH}/admin#resources`;
             window.location.href = redirectUrl;
-            }
-        } catch (error) {
-            console.error("Error:", error);
-            if (status) {
-                status.textContent = error.message || "An error occurred!";
-                status.classList.add("error-status");
-            }
-            showErrorMessage(error.message);
-        } finally {
-            // location.reload();
-            if (loading) {
-                loading.style.display = "none";
-            }
         }
+    } catch (error) {
+        console.error("Error:", error);
+        if (status) {
+            status.textContent = error.message || "An error occurred!";
+            status.classList.add("error-status");
+        }
+        showErrorMessage(error.message);
+    } finally {
+        // location.reload();
+        if (loading) {
+            loading.style.display = "none";
+        }
+    }
 }
 
 async function handleServerFormSubmit(e) {

mcpgateway/validators.py

@@ -52,9 +52,7 @@ class SecurityValidator:
     """Configurable validation with MCP-compliant limits"""
 
     # Configurable patterns (from settings)
-    DANGEROUS_HTML_PATTERN = (
-        settings.validation_dangerous_html_pattern
-    )  # Default: '<(script|iframe|object|embed|link|meta|base|form|img|svg|video|audio|source|track|area|map|canvas|applet|frame|frameset|html|head|body|style)\b|</*(script|iframe|object|embed|link|meta|base|form|img|svg|video|audio|source|track|area|map|canvas|applet|frame|frameset|html|head|body|style)>'
+    DANGEROUS_HTML_PATTERN = settings.validation_dangerous_html_pattern  # Default: '<(script|iframe|object|embed|link|meta|base|form|img|svg|video|audio|source|track|area|map|canvas|applet|frame|frameset|html|head|body|style)\b|</*(script|iframe|object|embed|link|meta|base|form|img|svg|video|audio|source|track|area|map|canvas|applet|frame|frameset|html|head|body|style)>'
     DANGEROUS_JS_PATTERN = settings.validation_dangerous_js_pattern  # Default: javascript:|vbscript:|on\w+\s*=|data:.*script
     ALLOWED_URL_SCHEMES = settings.validation_allowed_url_schemes  # Default: ["http://", "https://", "ws://", "wss://"]
 

tests/security/test_rpc_input_validation.py

@@ -166,12 +166,12 @@ def test_rpc_xss_injection(self):
 
         results = []
         for i, payload in enumerate(self.XSS_PAYLOADS):
-            logger.debug(f"Testing XSS payload #{i+1}: {payload[:50]}...")
+            logger.debug(f"Testing XSS payload #{i + 1}: {payload[:50]}...")
             try:
                 RPCRequest(jsonrpc="2.0", method=payload, id=1)
-                results.append(f"❌ XSS #{i+1} was NOT rejected (security issue!): {payload[:30]}...")
+                results.append(f"❌ XSS #{i + 1} was NOT rejected (security issue!): {payload[:30]}...")
             except ValidationError as e:
-                results.append(f"✅ XSS #{i+1} correctly rejected: {payload[:30]}... -> {str(e).split(chr(10))[0]}")
+                results.append(f"✅ XSS #{i + 1} correctly rejected: {payload[:30]}... -> {str(e).split(chr(10))[0]}")
 
         # Print all results
         for result in results:
@@ -183,12 +183,12 @@ def test_rpc_sql_injection(self):
 
         results = []
         for i, payload in enumerate(self.SQL_INJECTION_PAYLOADS):
-            logger.debug(f"Testing SQL injection #{i+1}: {payload}")
+            logger.debug(f"Testing SQL injection #{i + 1}: {payload}")
             try:
                 RPCRequest(jsonrpc="2.0", method=payload, id=1)
-                results.append(f"❌ SQL injection #{i+1} was NOT rejected (security issue!): {payload}")
+                results.append(f"❌ SQL injection #{i + 1} was NOT rejected (security issue!): {payload}")
             except ValidationError as e:
-                results.append(f"✅ SQL injection #{i+1} correctly rejected: {payload} -> {str(e).split(chr(10))[0]}")
+                results.append(f"✅ SQL injection #{i + 1} correctly rejected: {payload} -> {str(e).split(chr(10))[0]}")
 
         # Print all results
         for result in results:
@@ -200,12 +200,12 @@ def test_rpc_command_injection(self):
 
         results = []
         for i, payload in enumerate(self.COMMAND_INJECTION_PAYLOADS):
-            logger.debug(f"Testing command injection #{i+1}: {payload}")
+            logger.debug(f"Testing command injection #{i + 1}: {payload}")
             try:
                 RPCRequest(jsonrpc="2.0", method=payload, id=1)
-                results.append(f"❌ Command injection #{i+1} was NOT rejected (security issue!): {payload}")
+                results.append(f"❌ Command injection #{i + 1} was NOT rejected (security issue!): {payload}")
             except ValidationError as e:
-                results.append(f"✅ Command injection #{i+1} correctly rejected: {payload} -> {str(e).split(chr(10))[0]}")
+                results.append(f"✅ Command injection #{i + 1} correctly rejected: {payload} -> {str(e).split(chr(10))[0]}")
 
         # Print all results
         for result in results:
@@ -217,12 +217,12 @@ def test_rpc_path_traversal(self):
 
         results = []
         for i, payload in enumerate(self.PATH_TRAVERSAL_PAYLOADS):
-            logger.debug(f"Testing path traversal #{i+1}: {payload}")
+            logger.debug(f"Testing path traversal #{i + 1}: {payload}")
             try:
                 RPCRequest(jsonrpc="2.0", method=payload, id=1)
-                results.append(f"❌ Path traversal #{i+1} was NOT rejected (security issue!): {payload[:30]}...")
+                results.append(f"❌ Path traversal #{i + 1} was NOT rejected (security issue!): {payload[:30]}...")
             except ValidationError as e:
-                results.append(f"✅ Path traversal #{i+1} correctly rejected: {payload[:30]}... -> {str(e).split(chr(10))[0]}")
+                results.append(f"✅ Path traversal #{i + 1} correctly rejected: {payload[:30]}... -> {str(e).split(chr(10))[0]}")
 
         # Print all results
         for result in results:
@@ -308,12 +308,12 @@ def test_rpc_unicode_attacks(self):
 
         results = []
         for i, payload in enumerate(self.UNICODE_PAYLOADS):
-            logger.debug(f"Testing Unicode attack #{i+1}: {repr(payload[:30])}...")
+            logger.debug(f"Testing Unicode attack #{i + 1}: {repr(payload[:30])}...")
             try:
                 RPCRequest(jsonrpc="2.0", method=payload, id=1)
-                results.append(f"❌ Unicode attack #{i+1} was NOT rejected (security issue!)")
+                results.append(f"❌ Unicode attack #{i + 1} was NOT rejected (security issue!)")
             except ValidationError:
-                results.append(f"✅ Unicode attack #{i+1} correctly rejected")
+                results.append(f"✅ Unicode attack #{i + 1} correctly rejected")
 
         # Print all results
         for result in results:
@@ -325,12 +325,12 @@ def test_rpc_crlf_injection(self):
 
         results = []
         for i, payload in enumerate(self.CRLF_INJECTION_PAYLOADS):
-            logger.debug(f"Testing CRLF injection #{i+1}: {repr(payload[:30])}...")
+            logger.debug(f"Testing CRLF injection #{i + 1}: {repr(payload[:30])}...")
             try:
                 RPCRequest(jsonrpc="2.0", method=payload, id=1)
-                results.append(f"❌ CRLF injection #{i+1} was NOT rejected (security issue!)")
+                results.append(f"❌ CRLF injection #{i + 1} was NOT rejected (security issue!)")
             except ValidationError:
-                results.append(f"✅ CRLF injection #{i+1} correctly rejected")
+                results.append(f"✅ CRLF injection #{i + 1} correctly rejected")
 
         # Print all results
         for result in results:
@@ -470,8 +470,8 @@ def test_rpc_params_validation(self):
             deep_params = {"level1": {}}
             current = deep_params["level1"]
             for i in range(20):
-                current[f"level{i+2}"] = {}
-                current = current[f"level{i+2}"]
+                current[f"level{i + 2}"] = {}
+                current = current[f"level{i + 2}"]
 
             try:
                 RPCRequest(jsonrpc="2.0", method="valid_method", params=deep_params)