Skip to content

mcp: handle bad or missing params #210

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jul 31, 2025
Merged

mcp: handle bad or missing params #210

merged 1 commit into from
Jul 31, 2025

Conversation

@findleyr
Copy link
Contributor

@findleyr findleyr commented Jul 30, 2025

Audit all cases where params must not be null, and enforce this using methodInfo via a new methodFlags bitfield that parameterizes method requirements. Write extensive conformance tests catching all the (server-side) crashes that were possible.

We should go further and validate schema against the spec, but that is more indirect, more complicated, and potentially slower. For now we adopt this more explicit approach.

Still TODO in a subsequent CL: verify the client side of this with client conformance tests.

Additionally, improve some error messages that were redundant or leaked internal implementation details.

Fixes #195

@findleyr findleyr requested review from jba and samthanawalla July 30, 2025 23:00
@findleyr findleyr mentioned this pull request Jul 31, 2025
Closed
samthanawalla
samthanawalla previously approved these changes Jul 31, 2025
View reviewed changes
mcp/shared.go Outdated
if req.ID.IsValid() {
return methodInfo{}, fmt.Errorf("%w: unexpected id for %q", jsonrpc2.ErrInvalidRequest, req.Method)
}
} else if !req.ID.IsValid() {
Copy link
Contributor

@samthanawalla samthanawalla Jul 31, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I find the logic is harder to follow with this change. I think the 2 un-nested if statements was easier to read. (But up to you)

Copy link
Contributor Author

@findleyr findleyr Jul 31, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good point; unnested.
(also fixed the id/ID inconsistency in these messages)

@findleyr
mcp: handle bad or missing params
55d5f0d 
Audit all cases where params must not be null, and enforce this using
methodInfo via a new methodFlags bitfield that parameterizes method
requirements. Write extensive conformance tests catching all the
(server-side) crashes that were possible.

We should go further and validate schema against the spec, but that is
more indirect, more complicated, and potentially slower. For now we
adopt this more explicit approach.

Still TODO in a subsequent CL: verify the client side of this with
client conformance tests.

Additionally, improve some error messages that were redundant or leaked
internal implementation details.

Fixes modelcontextprotocol#195
@findleyr findleyr requested a review from samthanawalla July 31, 2025 14:54
@findleyr findleyr merged commit b34ba21 into modelcontextprotocol:main Jul 31, 2025
3 checks passed
@findleyr findleyr mentioned this pull request Jul 31, 2025
Closed
davidleitw added a commit to davidleitw/go-sdk that referenced this pull request Jul 31, 2025
@davidleitw
Add comprehensive test coverage for nil params scenarios
be62a09 
Complements the methodFlags system from modelcontextprotocol#210 with additional unit tests:
- Tests nil RawMessage and explicit JSON null handling in unmarshalParams
- Tests edge cases with different JSON types (empty string, array, number, boolean)
- Validates proper error handling for required vs optional params with methodFlags
- Provides focused unit test coverage alongside existing conformance tests

The tests verify that the panic vulnerability from modelcontextprotocol#186 is properly handled
by the upstream methodFlags implementation.
@davidleitw davidleitw mentioned this pull request Jul 31, 2025
Merged
davidleitw added a commit to davidleitw/go-sdk that referenced this pull request Aug 4, 2025
@davidleitw
Add comprehensive test coverage for nil params scenarios
0b8ec89 
Complements the methodFlags system from modelcontextprotocol#210 with additional unit tests:
- Tests nil RawMessage and explicit JSON null handling in unmarshalParams
- Tests edge cases with different JSON types (empty string, array, number, boolean)
- Validates proper error handling for required vs optional params with methodFlags
- Provides focused unit test coverage alongside existing conformance tests

The tests verify that the panic vulnerability from modelcontextprotocol#186 is properly handled
by the upstream methodFlags implementation.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@samthanawalla samthanawalla samthanawalla approved these changes

@jba jba Awaiting requested review from jba

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

"initialize" panics without "params" field

2 participants

@findleyr @samthanawalla