mcp: fix nil params crash vulnerability (#186)

davidleitw · davidleitw · commit 227e0c707af9 · 2025-08-01T00:53:16.000+08:00
Handle nil RawMessage and explicit JSON "null" in unmarshalParams to prevent
server crashes. When JSON-RPC requests are sent without parameters or with
null parameters, ensure orZero receives a valid struct instead of nil.

- Add nullJSON constant for efficient null comparison
- Handle nil RawMessage by creating empty parameter struct
- Handle explicit "null" JSON using bytes.Equal
- Add comprehensive test coverage for nil parameter scenarios
diff --git a/mcp/shared.go b/mcp/shared.go
@@ -10,6 +10,7 @@
 package mcp
 
 import (
+	"bytes"
 	"context"
 	"encoding/json"
 	"fmt"
@@ -33,6 +34,9 @@ var supportedProtocolVersions = []string{
 	"2024-11-05",
 }
 
+// Precomputed null JSON for efficient comparison (issue #186 fix)
+var nullJSON = []byte("null")
+
 // A MethodHandler handles MCP messages.
 // For methods, exactly one of the return values must be nil.
 // For notifications, both must be nil.
@@ -217,21 +221,34 @@ func newMethodInfo[S Session, P paramsPtr[T], R Result, T any](d typedMethodHand
 		flags: flags,
 		unmarshalParams: func(m json.RawMessage) (Params, error) {
 			var p P
-			if m != nil {
-				if err := json.Unmarshal(m, &p); err != nil {
-					return nil, fmt.Errorf("unmarshaling %q into a %T: %w", m, p, err)
+
+			// Handle nil RawMessage (params missing entirely)
+			if m == nil {
+				if flags&missingParamsOK == 0 {
+					return nil, fmt.Errorf("%w: missing required \"params\"", jsonrpc2.ErrInvalidRequest)
+				}
+				return orZero[Params](new(T)), nil
+			}
+
+			// Handle explicit JSON "null" (params set to null)
+			if bytes.Equal(m, nullJSON) {
+				if flags&missingParamsOK == 0 {
+					return nil, fmt.Errorf("%w: missing required \"params\"", jsonrpc2.ErrInvalidRequest)
 				}
+				return orZero[Params](new(T)), nil
 			}
-			// We must check missingParamsOK here, in addition to checkRequest, to
-			// catch the edge cases where "params" is set to JSON null.
-			// See also https://go.dev/issue/33835.
-			//
-			// We need to ensure that p is non-null to guard against crashes, as our
-			// internal code or externally provided handlers may assume that params
-			// is non-null.
+
+			// Normal JSON unmarshaling
+			if err := json.Unmarshal(m, &p); err != nil {
+				return nil, fmt.Errorf("unmarshaling %q into a %T: %w", m, p, err)
+			}
+
+			// Final check after unmarshaling - this guards against crashes when p is nil
+			// due to Go's JSON unmarshaling behavior with interface types
 			if flags&missingParamsOK == 0 && p == nil {
 				return nil, fmt.Errorf("%w: missing required \"params\"", jsonrpc2.ErrInvalidRequest)
 			}
+
 			return orZero[Params](p), nil
 		},
 		handleMethod: MethodHandler[S](func(ctx context.Context, session S, _ string, params Params) (Result, error) {
diff --git a/mcp/shared_test.go b/mcp/shared_test.go
@@ -7,6 +7,7 @@ package mcp
 import (
 	"context"
 	"encoding/json"
+	"fmt"
 	"strings"
 	"testing"
 )
@@ -88,3 +89,138 @@ func TestToolValidate(t *testing.T) {
 		})
 	}
 }
+
+// TestNilParamsHandling tests that nil parameters don't cause panic in unmarshalParams.
+// This addresses a vulnerability where missing or null parameters could crash the server.
+func TestNilParamsHandling(t *testing.T) {
+	// Define test types for clarity
+	type TestArgs struct {
+		Name  string `json:"name"`
+		Value int    `json:"value"`
+	}
+	type TestParams = *CallToolParamsFor[TestArgs]
+	type TestResult = *CallToolResultFor[string]
+
+	// Simple test handler
+	testHandler := func(ctx context.Context, ss *ServerSession, params TestParams) (TestResult, error) {
+		result := "processed: " + params.Arguments.Name
+		return &CallToolResultFor[string]{StructuredContent: result}, nil
+	}
+
+	methodInfo := newMethodInfo(testHandler, missingParamsOK)
+
+	// Helper function to test that unmarshalParams doesn't panic
+	mustNotPanic := func(t *testing.T, rawMsg json.RawMessage) Params {
+		t.Helper()
+
+		defer func() {
+			if r := recover(); r != nil {
+				t.Fatalf("unmarshalParams panicked: %v", r)
+			}
+		}()
+
+		params, err := methodInfo.unmarshalParams(rawMsg)
+		if err != nil {
+			t.Fatalf("unmarshalParams failed: %v", err)
+		}
+		if params == nil {
+			t.Fatal("unmarshalParams returned nil")
+		}
+
+		// Verify the result can be used safely
+		typedParams := params.(TestParams)
+		_ = typedParams.Name
+		_ = typedParams.Arguments.Name
+		_ = typedParams.Arguments.Value
+
+		return params
+	}
+
+	// Test different nil parameter scenarios
+	t.Run("missing_params", func(t *testing.T) {
+		mustNotPanic(t, nil)
+	})
+
+	t.Run("explicit_null", func(t *testing.T) {
+		mustNotPanic(t, json.RawMessage(`null`))
+	})
+
+	t.Run("empty_object", func(t *testing.T) {
+		mustNotPanic(t, json.RawMessage(`{}`))
+	})
+
+	t.Run("valid_params", func(t *testing.T) {
+		rawMsg := json.RawMessage(`{"name":"test","arguments":{"name":"hello","value":42}}`)
+		params := mustNotPanic(t, rawMsg)
+
+		// For valid params, also verify the values are parsed correctly
+		typedParams := params.(TestParams)
+		if typedParams.Name != "test" {
+			t.Errorf("Expected name 'test', got %q", typedParams.Name)
+		}
+		if typedParams.Arguments.Name != "hello" {
+			t.Errorf("Expected argument name 'hello', got %q", typedParams.Arguments.Name)
+		}
+		if typedParams.Arguments.Value != 42 {
+			t.Errorf("Expected argument value 42, got %d", typedParams.Arguments.Value)
+		}
+	})
+}
+
+// TestNilParamsEdgeCases tests edge cases to ensure we don't over-fix
+func TestNilParamsEdgeCases(t *testing.T) {
+	type TestArgs struct {
+		Name  string `json:"name"`
+		Value int    `json:"value"`
+	}
+	type TestParams = *CallToolParamsFor[TestArgs]
+
+	testHandler := func(ctx context.Context, ss *ServerSession, params TestParams) (*CallToolResultFor[string], error) {
+		return &CallToolResultFor[string]{StructuredContent: "test"}, nil
+	}
+
+	methodInfo := newMethodInfo(testHandler, missingParamsOK)
+
+	// These should fail normally, not be treated as nil params
+	invalidCases := []json.RawMessage{
+		json.RawMessage(""),        // empty string - should error
+		json.RawMessage("[]"),      // array - should error
+		json.RawMessage(`"null"`),  // string "null" - should error
+		json.RawMessage("0"),       // number - should error
+		json.RawMessage("false"),   // boolean - should error
+	}
+
+	for i, rawMsg := range invalidCases {
+		t.Run(fmt.Sprintf("invalid_case_%d", i), func(t *testing.T) {
+			params, err := methodInfo.unmarshalParams(rawMsg)
+			if err == nil && params == nil {
+				t.Error("Should not return nil params without error")
+			}
+		})
+	}
+
+	// Test that methods without missingParamsOK flag properly reject nil params
+	t.Run("reject_when_params_required", func(t *testing.T) {
+		methodInfoStrict := newMethodInfo(testHandler, 0) // No missingParamsOK flag
+
+		testCases := []struct {
+			name   string
+			params json.RawMessage
+		}{
+			{"nil_params", nil},
+			{"null_params", json.RawMessage(`null`)},
+		}
+
+		for _, tc := range testCases {
+			t.Run(tc.name, func(t *testing.T) {
+				_, err := methodInfoStrict.unmarshalParams(tc.params)
+				if err == nil {
+					t.Error("Expected error for required params, got nil")
+				}
+				if !strings.Contains(err.Error(), "missing required \"params\"") {
+					t.Errorf("Expected 'missing required params' error, got: %v", err)
+				}
+			})
+		}
+	})
+}
