Skip to content

mcp: fix nil params crash vulnerability (#186) #214

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Aug 5, 2025
Merged

mcp: fix nil params crash vulnerability (#186) #214

merged 1 commit into from
Aug 5, 2025

Conversation

@davidleitw
Copy link
Contributor

@davidleitw davidleitw commented Jul 31, 2025

Handle nil RawMessage and explicit JSON "null" in unmarshalParams to prevent server crashes. When JSON-RPC requests are sent without parameters or with null parameters, ensure orZero receives a valid struct instead of nil.

Fixes #186 - DoS vulnerability where missing params caused server panic

Changes:

  • Add nullJSON constant for efficient null comparison
  • Handle nil RawMessage by creating empty parameter struct
  • Handle explicit "null" JSON using bytes.Equal
  • Integrate with upstream methodFlags system for proper param validation
  • Add comprehensive test coverage for nil parameter scenarios

Behavior:

  • Methods with missingParamsOK flag: gracefully handle nil/null params
  • Methods without flag: return proper error instead of crashing
  • Maintains backward compatibility with existing error handling

Security Impact:

  • Eliminates DoS attack vector via malformed JSON-RPC requests
  • Server continues running instead of crashing on bad input

jba
jba requested changes Jul 31, 2025
View reviewed changes
@davidleitw
Copy link
Contributor Author

davidleitw commented Jul 31, 2025
edited
Loading

@jba Thanks for the review! I've actually updated this PR based on the discussion in #186 - it now only contains test improvements and no longer includes the fix logic (since #210 already resolved the core issue). The code you're commenting on has been removed.

The PR now just adds complementary unit test coverage for the methodFlags system.

findleyr
findleyr previously approved these changes Aug 4, 2025
View reviewed changes
Copy link
Contributor

@findleyr findleyr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

@findleyr
Copy link
Contributor

findleyr commented Aug 4, 2025

It looks like this PR does not format cleanly. Could you please run go fmt?

@davidleitw
Copy link
Contributor Author

davidleitw commented Aug 4, 2025

ok~ let me fix it

@davidleitw
Add comprehensive test coverage for nil params scenarios
0b8ec89 
Complements the methodFlags system from modelcontextprotocol#210 with additional unit tests:
- Tests nil RawMessage and explicit JSON null handling in unmarshalParams
- Tests edge cases with different JSON types (empty string, array, number, boolean)
- Validates proper error handling for required vs optional params with methodFlags
- Provides focused unit test coverage alongside existing conformance tests

The tests verify that the panic vulnerability from modelcontextprotocol#186 is properly handled
by the upstream methodFlags implementation.
@davidleitw davidleitw requested a review from findleyr August 4, 2025 16:01
@findleyr findleyr requested review from findleyr and jba and removed request for jba August 5, 2025 16:23
@jba jba merged commit be0bd77 into modelcontextprotocol:main Aug 5, 2025
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jba jba jba approved these changes

@findleyr findleyr Awaiting requested review from findleyr

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Able to crash a server from improper handling of nil params

3 participants

@davidleitw @findleyr @jba