[Server] Reject malformed MCP session ID headers#384
Open
jstar0 wants to merge 1 commit into
Open
Conversation
jstar0
requested review from
CodeWithKyrian,
Nyholm,
chr-hertel and
soyuka
as code owners
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes #380.
Malformed or repeated
Mcp-Session-Idrequest headers currently reach UUID parsing insideStreamableHttpTransport, so client-supplied bad session metadata can surface as an internal server error.Changes
Mcp-Session-Idheaders with400 Bad Request.Mcp-Session-Idvalues with400 Bad Request.Verification
Focused regressions were also run for the malformed and duplicate session-id header cases.
Risk
This is limited to invalid Streamable HTTP session-id request metadata. Valid session ids continue to be parsed as UUIDs, missing session ids still flow through the existing request handling, and well-formed but stale session ids still return the existing not-found response.