fix(aws-api-mcp-server): origin header parsing (#1851)

arnewouters · web-flow · commit 52e202249155 · 2025-11-28T16:00:41.000Z
* Fix origin header parsing

* Update CHANGELOG
diff --git a/src/aws-api-mcp-server/CHANGELOG.md b/src/aws-api-mcp-server/CHANGELOG.md
@@ -9,8 +9,24 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Fixed
 
+- Origin header parsing (#1851)
+
+## [1.1.7] - 2025-11-20
+
+### Added
+
+- Allow disabling local file system access (#1774)
+
+### Fixed
+
 - Deprecation warnings for passing transport settings when creating the server (#1772)
 
+## [1.1.6] - 2025-11-19
+
+### Changed
+
+- Bump FastMCP to 2.13.1
+
 ## [1.1.5] - 2025-11-13
 
 ### Changed
diff --git a/src/aws-api-mcp-server/awslabs/aws_api_mcp_server/middleware/http_header_validation_middleware.py b/src/aws-api-mcp-server/awslabs/aws_api_mcp_server/middleware/http_header_validation_middleware.py
@@ -17,6 +17,7 @@
 from fastmcp.server.dependencies import get_http_headers
 from fastmcp.server.middleware import Middleware, MiddlewareContext
 from loguru import logger
+from urllib.parse import urlparse
 
 
 class HTTPHeaderValidationMiddleware(Middleware):
@@ -41,7 +42,10 @@ async def on_request(
                 raise ClientError(error_msg)
 
         if origin := headers.get('origin'):
-            origin = origin.split(':')[0]  # Strip port if present
+            # Strip port if present
+            parsed_origin = urlparse(origin)
+            origin = f'{parsed_origin.scheme}://{parsed_origin.hostname}'
+
             allowed_origins = ALLOWED_ORIGINS.split(',')
 
             if '*' not in allowed_origins and origin not in allowed_origins:
diff --git a/src/aws-api-mcp-server/tests/middleware/test_http_header_validation_middleware.py b/src/aws-api-mcp-server/tests/middleware/test_http_header_validation_middleware.py
@@ -9,12 +9,12 @@
 @pytest.mark.parametrize(
     'origin_value,allowed_origins',
     [
-        ('example.com', 'example.com'),  # Exact match
-        ('example.com:3000', 'example.com'),  # With port
-        ('example.com', 'example.com,other.com'),  # Multiple allowed origins
-        ('other.com', 'example.com,other.com'),  # Second in list
-        ('example.com', '*'),  # Wildcard
-        ('any-domain.com', '*'),  # Wildcard allows any
+        ('http://example.com', 'http://example.com'),  # Exact match
+        ('https://example.com:3000', 'https://example.com'),  # With port
+        ('http://example.com', 'http://example.com,http://other.com'),  # Multiple allowed origins
+        ('http://other.com', 'http://example.com,http://other.com'),  # Second in list
+        ('https://example.com', '*'),  # Wildcard
+        ('http://any-domain.com', '*'),  # Wildcard allows any
     ],
 )
 @patch('awslabs.aws_api_mcp_server.middleware.http_header_validation_middleware.get_http_headers')
@@ -43,9 +43,9 @@ async def test_origin_header_validation_passes(
 @pytest.mark.parametrize(
     'origin_value,allowed_origins',
     [
-        ('forbidden.com', 'example.com'),  # Not in allowed list
-        ('forbidden.com', 'example.com,other.com'),  # Not in multiple allowed
-        ('sub.example.com', 'example.com'),  # Subdomain not matched
+        ('http://forbidden.com', 'http://example.com'),  # Not in allowed list
+        ('http://forbidden.com', 'http://example.com,http://other.com'),  # Not in multiple allowed
+        ('http://sub.example.com', 'http://example.com'),  # Subdomain not matched
     ],
 )
 @patch('awslabs.aws_api_mcp_server.middleware.http_header_validation_middleware.get_http_headers')
@@ -148,7 +148,7 @@ async def test_both_headers_validated_independently(mock_get_headers: MagicMock)
     """Test that both host and origin headers are validated independently."""
     # Both headers present
     mock_get_headers.return_value = {
-        'origin': 'example.com',
+        'origin': 'http://example.com',
         'host': 'example.com',
     }
 
@@ -159,7 +159,7 @@ async def test_both_headers_validated_independently(mock_get_headers: MagicMock)
     with (
         patch(
             'awslabs.aws_api_mcp_server.middleware.http_header_validation_middleware.ALLOWED_ORIGINS',
-            'example.com',
+            'http://example.com',
         ),
         patch(
             'awslabs.aws_api_mcp_server.middleware.http_header_validation_middleware.ALLOWED_HOSTS',
@@ -178,7 +178,7 @@ async def test_host_fails_validation_when_both_present(mock_get_headers: MagicMo
     """Test that host validation fails even when origin is valid."""
     # Both headers present, origin valid but host invalid
     mock_get_headers.return_value = {
-        'origin': 'example.com',
+        'origin': 'http://example.com',
         'host': 'malicious.com',
     }
 
@@ -189,7 +189,7 @@ async def test_host_fails_validation_when_both_present(mock_get_headers: MagicMo
     with (
         patch(
             'awslabs.aws_api_mcp_server.middleware.http_header_validation_middleware.ALLOWED_ORIGINS',
-            'example.com',
+            'http://example.com',
         ),
         patch(
             'awslabs.aws_api_mcp_server.middleware.http_header_validation_middleware.ALLOWED_HOSTS',
@@ -208,7 +208,7 @@ async def test_origin_fails_validation_when_both_present(mock_get_headers: Magic
     """Test that origin validation fails even when host is valid."""
     # Both headers present, host valid but origin invalid
     mock_get_headers.return_value = {
-        'origin': 'malicious.com',
+        'origin': 'http://malicious.com',
         'host': 'example.com',
     }
 
@@ -219,7 +219,7 @@ async def test_origin_fails_validation_when_both_present(mock_get_headers: Magic
     with (
         patch(
             'awslabs.aws_api_mcp_server.middleware.http_header_validation_middleware.ALLOWED_ORIGINS',
-            'example.com',
+            'http://example.com',
         ),
         patch(
             'awslabs.aws_api_mcp_server.middleware.http_header_validation_middleware.ALLOWED_HOSTS',
@@ -248,23 +248,23 @@ async def test_no_origin_or_host_headers(mock_get_headers: MagicMock):
 
 
 @pytest.mark.parametrize(
-    'origin_with_port,expected_hostname',
+    'origin_with_port,expected_origin',
     [
-        ('example.com:3000', 'example.com'),
-        ('example.com:8080', 'example.com'),
-        ('localhost:5000', 'localhost'),
-        ('192.168.1.1:8000', '192.168.1.1'),
-        ('example.com', 'example.com'),
+        ('http://example.com:3000', 'http://example.com'),
+        ('https://example.com:8080', 'https://example.com'),
+        ('http://localhost:5000', 'http://localhost'),
+        ('http://192.168.1.1:8000', 'http://192.168.1.1'),
+        ('https://example.com', 'https://example.com'),
     ],
 )
 @patch('awslabs.aws_api_mcp_server.middleware.http_header_validation_middleware.get_http_headers')
 @pytest.mark.asyncio
 async def test_port_removal_from_origin(
     mock_get_headers: MagicMock,
     origin_with_port: str,
-    expected_hostname: str,
+    expected_origin: str,
 ):
-    """Test that port is correctly removed from origin/host before validation."""
+    """Test that port is correctly removed from origin before validation."""
     mock_get_headers.return_value = {'origin': origin_with_port}
 
     middleware = HTTPHeaderValidationMiddleware()
@@ -273,7 +273,7 @@ async def test_port_removal_from_origin(
 
     with patch(
         'awslabs.aws_api_mcp_server.middleware.http_header_validation_middleware.ALLOWED_ORIGINS',
-        expected_hostname,
+        expected_origin,
     ):
         result = await middleware.on_request(context, call_next)
         assert result == 'success'
@@ -284,7 +284,7 @@ async def test_port_removal_from_origin(
 @pytest.mark.asyncio
 async def test_empty_allowed_origins(mock_get_headers: MagicMock):
     """Test behavior when ALLOWED_ORIGINS is empty."""
-    mock_get_headers.return_value = {'origin': 'example.com'}
+    mock_get_headers.return_value = {'origin': 'http://example.com'}
 
     middleware = HTTPHeaderValidationMiddleware()
     context = MagicMock()
