Validate message endpoint in SSE client transport

- Backport #943

Signed-off-by: Daniel Garnier-Moiroux <git@garnier.wf>

Author: Kehrlann

mcp-core/src/main/java/io/modelcontextprotocol/client/transport/DefaultSseMessageEndpointValidator.java

@@ -0,0 +1,58 @@
+/*
+ * Copyright 2026-2026 the original author or authors.
+ */
+package io.modelcontextprotocol.client.transport;
+
+import java.net.URI;
+import java.net.URISyntaxException;
+
+import io.modelcontextprotocol.util.Assert;
+
+/**
+ * Default {@link SseMessageEndpointValidator} that validates the {@code message} endpoint
+ * advertised by an SSE server. Message endpoints must be a relative URI, without path
+ * traversal or authority.
+ *
+ * @author Daniel Garnier-Moiroux
+ */
+public final class DefaultSseMessageEndpointValidator implements SseMessageEndpointValidator {
+
+	@Override
+	public void validate(URI sseUri, String messageEndpoint) throws InvalidSseMessageEndpointException {
+		Assert.hasText(messageEndpoint, "messageEndpoint must not be empty");
+
+		URI endpointUri;
+		try {
+			endpointUri = new URI(messageEndpoint);
+		}
+		catch (URISyntaxException ex) {
+			throw new InvalidSseMessageEndpointException("messageEndpoint is not a valid URI: " + ex.getMessage(),
+					messageEndpoint);
+		}
+
+		if (endpointUri.isAbsolute()) {
+			// Exclude absolute URIs e.g. https://example.com/mcp
+			throw new InvalidSseMessageEndpointException("messageEndpoint must be a relative path, not an absolute URI",
+					messageEndpoint);
+		}
+
+		if (endpointUri.getRawAuthority() != null) {
+			// Exclude network paths e.g. //example.com/mcp
+			throw new InvalidSseMessageEndpointException(
+					"messageEndpoint must be a relative path and must not contain an authority", messageEndpoint);
+		}
+
+		// Exclude path-traversal
+		String decodedPath = endpointUri.getPath();
+		if (decodedPath != null) {
+			for (String segment : decodedPath.split("/", -1)) {
+				if (".".equals(segment) || "..".equals(segment)) {
+					throw new InvalidSseMessageEndpointException(
+							"messageEndpoint must not contain path-traversal segments", messageEndpoint);
+				}
+			}
+		}
+
+	}
+
+}

mcp-core/src/main/java/io/modelcontextprotocol/client/transport/HttpClientSseClientTransport.java

@@ -16,8 +16,6 @@
 import java.util.function.Consumer;
 import java.util.function.Function;
 
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
 import io.modelcontextprotocol.client.transport.ResponseSubscribers.ResponseEvent;
 import io.modelcontextprotocol.client.transport.customizer.McpAsyncHttpClientRequestCustomizer;
 import io.modelcontextprotocol.client.transport.customizer.McpSyncHttpClientRequestCustomizer;
@@ -33,6 +31,8 @@
 import io.modelcontextprotocol.spec.ProtocolVersions;
 import io.modelcontextprotocol.util.Assert;
 import io.modelcontextprotocol.util.Utils;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import reactor.core.Disposable;
 import reactor.core.publisher.Flux;
 import reactor.core.publisher.Mono;
@@ -117,6 +117,11 @@ public class HttpClientSseClientTransport implements McpClientTransport {
 	 */
 	private final McpAsyncHttpClientRequestCustomizer httpRequestCustomizer;
 
+	/**
+	 * Validator for the message endpoint;
+	 */
+	private final SseMessageEndpointValidator messageEndpointValidator;
+
 	/**
 	 * Creates a new transport instance with custom HTTP client builder, object mapper,
 	 * and headers.
@@ -127,22 +132,26 @@ public class HttpClientSseClientTransport implements McpClientTransport {
 	 * @param jsonMapper the object mapper for JSON serialization/deserialization
 	 * @param httpRequestCustomizer customizer for the requestBuilder before executing
 	 * requests
+	 * @param messageEndpointValidator validator for the message endpoint
 	 * @throws IllegalArgumentException if objectMapper, clientBuilder, or headers is null
 	 */
 	HttpClientSseClientTransport(HttpClient httpClient, HttpRequest.Builder requestBuilder, String baseUri,
-			String sseEndpoint, McpJsonMapper jsonMapper, McpAsyncHttpClientRequestCustomizer httpRequestCustomizer) {
+			String sseEndpoint, McpJsonMapper jsonMapper, McpAsyncHttpClientRequestCustomizer httpRequestCustomizer,
+			SseMessageEndpointValidator messageEndpointValidator) {
 		Assert.notNull(jsonMapper, "jsonMapper must not be null");
 		Assert.hasText(baseUri, "baseUri must not be empty");
 		Assert.hasText(sseEndpoint, "sseEndpoint must not be empty");
 		Assert.notNull(httpClient, "httpClient must not be null");
 		Assert.notNull(requestBuilder, "requestBuilder must not be null");
 		Assert.notNull(httpRequestCustomizer, "httpRequestCustomizer must not be null");
+		Assert.notNull(messageEndpointValidator, "messageEndpointValidator must not be null");
 		this.baseUri = URI.create(baseUri);
 		this.sseEndpoint = sseEndpoint;
 		this.jsonMapper = jsonMapper;
 		this.httpClient = httpClient;
 		this.requestBuilder = requestBuilder;
 		this.httpRequestCustomizer = httpRequestCustomizer;
+		this.messageEndpointValidator = messageEndpointValidator;
 	}
 
 	@Override
@@ -178,6 +187,8 @@ public static class Builder {
 
 		private Duration connectTimeout = Duration.ofSeconds(10);
 
+		private SseMessageEndpointValidator messageEndpointValidator = new DefaultSseMessageEndpointValidator();
+
 		/**
 		 * Creates a new builder instance.
 		 */
@@ -308,14 +319,27 @@ public Builder connectTimeout(Duration connectTimeout) {
 			return this;
 		}
 
+		/**
+		 * Sets the validator that ensure the message endpoint returned over the SSE
+		 * connection is valid.
+		 * @param messageEndpointValidator the validator
+		 * @return this builder
+		 */
+		public Builder messageEndpointValidator(SseMessageEndpointValidator messageEndpointValidator) {
+			Assert.notNull(messageEndpointValidator, "messageEndpointValidator must not be null");
+			this.messageEndpointValidator = messageEndpointValidator;
+			return this;
+		}
+
 		/**
 		 * Builds a new {@link HttpClientSseClientTransport} instance.
 		 * @return a new transport instance
 		 */
 		public HttpClientSseClientTransport build() {
 			HttpClient httpClient = this.clientBuilder.connectTimeout(this.connectTimeout).build();
 			return new HttpClientSseClientTransport(httpClient, requestBuilder, baseUri, sseEndpoint,
-					jsonMapper == null ? McpJsonDefaults.getMapper() : jsonMapper, httpRequestCustomizer);
+					jsonMapper == null ? McpJsonDefaults.getMapper() : jsonMapper, httpRequestCustomizer,
+					messageEndpointValidator);
 		}
 
 	}
@@ -353,6 +377,14 @@ public Mono<Void> connect(Function<Mono<JSONRPCMessage>, Mono<JSONRPCMessage>> h
 						try {
 							if (ENDPOINT_EVENT_TYPE.equals(responseEvent.sseEvent().event())) {
 								String messageEndpointUri = responseEvent.sseEvent().data();
+								try {
+									messageEndpointValidator.validate(uri, messageEndpointUri);
+								}
+								catch (InvalidSseMessageEndpointException e) {
+									sink.error(e);
+									this.messageEndpointSink.tryEmitError(e);
+									return Flux.error(e);
+								}
 								if (this.messageEndpointSink.tryEmitValue(messageEndpointUri).isSuccess()) {
 									sink.success();
 									return Flux.empty(); // No further processing needed

mcp-core/src/main/java/io/modelcontextprotocol/client/transport/InvalidSseMessageEndpointException.java

@@ -0,0 +1,26 @@
+/*
+ * Copyright 2026-2026 the original author or authors.
+ */
+
+package io.modelcontextprotocol.client.transport;
+
+/**
+ * Exception thrown when the {@code message} endpoint returned from the SSE connection is
+ * not valid.
+ *
+ * @author Daniel Garnier-Moiroux
+ */
+public class InvalidSseMessageEndpointException extends Exception {
+
+	private final String messageEndpoint;
+
+	public InvalidSseMessageEndpointException(String message, String messageEndpoint) {
+		super(message);
+		this.messageEndpoint = messageEndpoint;
+	}
+
+	public String getMessageEndpoint() {
+		return messageEndpoint;
+	}
+
+}

mcp-core/src/main/java/io/modelcontextprotocol/client/transport/SseMessageEndpointValidator.java

@@ -0,0 +1,27 @@
+/*
+ * Copyright 2026-2026 the original author or authors.
+ */
+
+package io.modelcontextprotocol.client.transport;
+
+import java.net.URI;
+
+/**
+ * Validate the that message endpoint in the SSE transport is valid. Throws
+ * {@link InvalidSseMessageEndpointException} when then endpoint is not valid.
+ *
+ * @author Daniel Garnier-Moiroux
+ */
+@FunctionalInterface
+public interface SseMessageEndpointValidator {
+
+	/**
+	 * Validate the message endpoint coming from an SSE connection. Throws if not valid.
+	 * @param sseUri the URI used to establish the SSE connection
+	 * @param messageEndpoint the message endpoint from the SSE connection
+	 * @throws InvalidSseMessageEndpointException error thrown if the message endpoint is
+	 * not valid.
+	 */
+	void validate(URI sseUri, String messageEndpoint) throws InvalidSseMessageEndpointException;
+
+}

mcp-core/src/test/java/io/modelcontextprotocol/client/transport/DefaultSseMessageEndpointValidatorTests.java

@@ -0,0 +1,75 @@
+/*
+ * Copyright 2026-2026 the original author or authors.
+ */
+package io.modelcontextprotocol.client.transport;
+
+import java.net.URI;
+
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.NullSource;
+import org.junit.jupiter.params.provider.ValueSource;
+
+import static org.assertj.core.api.Assertions.assertThatCode;
+import static org.assertj.core.api.Assertions.assertThatThrownBy;
+import static org.assertj.core.api.InstanceOfAssertFactories.type;
+
+/**
+ * Tests for {@link DefaultSseMessageEndpointValidator}.
+ *
+ * @author Daniel Garnier-Moiroux
+ */
+class DefaultSseMessageEndpointValidatorTests {
+
+	private static final URI SSE_URI = URI.create("https://mcp.example.com/sse");
+
+	private final DefaultSseMessageEndpointValidator validator = new DefaultSseMessageEndpointValidator();
+
+	@ParameterizedTest
+	@ValueSource(strings = { "/messages", "messages?session=abc", "/" })
+	void valid(String endpoint) {
+		assertThatCode(() -> validator.validate(SSE_URI, endpoint)).doesNotThrowAnyException();
+	}
+
+	@ParameterizedTest
+	@ValueSource(strings = { "", " ", "\t" })
+	@NullSource
+	void invalidEmpty(String endpoint) {
+		assertThatThrownBy(() -> validator.validate(SSE_URI, endpoint)).isInstanceOf(IllegalArgumentException.class)
+			.hasMessageContaining("messageEndpoint must not be empty");
+	}
+
+	@ParameterizedTest
+	@ValueSource(strings = { "/foo/../bar", "/foo/./bar", "../bar", "./bar", "/foo/%2E%2E/bar", "/foo/%2e/bar" })
+	void invalidPathTraversal(String endpoint) {
+		assertThatThrownBy(() -> validator.validate(SSE_URI, endpoint)).hasMessageContaining("path-traversal")
+			.asInstanceOf(type(InvalidSseMessageEndpointException.class))
+			.extracting(InvalidSseMessageEndpointException::getMessageEndpoint)
+			.isEqualTo(endpoint);
+	}
+
+	@ParameterizedTest
+	@ValueSource(strings = { "https://mcp.example.com/messages", "https://127.0.0.1/messages",
+			"https://mcp.example.com:8443/messages", "http://localhost:1234/messages", "file:///etc/passwd",
+			"gopher://mcp.example.com/_test" })
+	void invalidAbsoluteUris(String endpoint) {
+		// Even an absolute URI on the same origin must be rejected: the contract
+		// is that the messageEndpoint is a path-only relative reference.
+		assertThatThrownBy(() -> validator.validate(SSE_URI, endpoint)).hasMessageContaining("must be a relative path")
+			.asInstanceOf(type(InvalidSseMessageEndpointException.class))
+			.extracting(InvalidSseMessageEndpointException::getMessageEndpoint)
+			.isEqualTo(endpoint);
+
+	}
+
+	@ParameterizedTest
+	@ValueSource(strings = { "//example/messages", "//user:secret@example/messages" })
+	void invalidNetworkReference(String endpoint) {
+		// `//host/...` introduces an authority and is therefore not a pure path.
+		assertThatThrownBy(() -> validator.validate(SSE_URI, endpoint))
+			.hasMessageContaining("must not contain an authority")
+			.asInstanceOf(type(InvalidSseMessageEndpointException.class))
+			.extracting(InvalidSseMessageEndpointException::getMessageEndpoint)
+			.isEqualTo(endpoint);
+	}
+
+}