Validate origin header #771
Conversation
- Fixes #695 - Does not implement Host header validation yet Signed-off-by: Daniel Garnier-Moiroux <git@garnier.wf>
Kehrlann
requested review from
chemicL and
tzolov
and removed request for
chemicL
Signed-off-by: Daniel Garnier-Moiroux <git@garnier.wf>
Kehrlann
force-pushed
the
dgarnier/validate-origin-header
branch
from
e5624d4 to
68ed795
Compare
|
|
||
| @Test | ||
| void differentSchemeWithWildcard() { | ||
| var headers = originHeader("https://localhost:3000"); |
There was a problem hiding this comment.
shouldn't the port be 8080 to ensure that it fails because of the schema?
There was a problem hiding this comment.
It's using the the wildcard validator, so the port does not matter:
private final DefaultServerTransportSecurityValidator wildcardValidator =
DefaultServerTransportSecurityValidator
.builder()
.allowedOrigin("http://localhost:*")
.build();
|
|
||
| } | ||
|
|
||
| throw INVALID_ORIGIN; |
There was a problem hiding this comment.
Due to the exception being a static, the stack trace is inaccurate with regards to where it is raised. I understand the optimization, however it might make it harder to investigate where the issue happened. Perhaps we can create an instance each time it's raised?
| * @param allowedOrigins List of allowed origin patterns. Supports exact matches | ||
| * (e.g., "http://example.com:8080") and wildcard ports (e.g., "http://example.com:*") | ||
| */ | ||
| public DefaultServerTransportSecurityValidator(List<String> allowedOrigins) { |
There was a problem hiding this comment.
There are two ways to create the validator - either via a constructor or via the builder. I'd vouch for a single version. The builder makes sense with no inheritance, but since users are encouraged to customize by inheriting from this class, perhaps we can skip the builder?
| try { | ||
| Map<String, List<String>> headers = extractHeaders(request); | ||
| this.securityValidator.validateHeaders(headers); | ||
| } | ||
| catch (ServerTransportSecurityException e) { | ||
| response.sendError(e.getStatusCode(), e.getMessage()); | ||
| return; | ||
| } | ||
|
|
There was a problem hiding this comment.
This bit is duplicated in doGet, we can create a helper method for it perhaps?
| try { | ||
| Map<String, List<String>> headers = extractHeaders(request); | ||
| this.securityValidator.validateHeaders(headers); | ||
| } | ||
| catch (ServerTransportSecurityException e) { | ||
| response.sendError(e.getStatusCode(), e.getMessage()); | ||
| return; | ||
| } |
There was a problem hiding this comment.
This code is duplicated across three implementations, perhaps we can have a centralized static utility for it?
| * @param request The HTTP servlet request | ||
| * @return A map of header names to their values | ||
| */ | ||
| private Map<String, List<String>> extractHeaders(HttpServletRequest request) { |
There was a problem hiding this comment.
This private method is also duplicated across implementations, another candidate for sharing.
| try { | ||
| Map<String, List<String>> headers = extractHeaders(request); | ||
| this.securityValidator.validateHeaders(headers); | ||
| } | ||
| catch (ServerTransportSecurityException e) { | ||
| response.sendError(e.getStatusCode(), e.getMessage()); | ||
| return; | ||
| } |
| try { | ||
| Map<String, List<String>> headers = extractHeaders(request); | ||
| this.securityValidator.validateHeaders(headers); | ||
| } | ||
| catch (ServerTransportSecurityException e) { | ||
| response.sendError(e.getStatusCode(), e.getMessage()); | ||
| return; | ||
| } |
There was a problem hiding this comment.
Another duplicate that can reuse a shared util.
| * @param request The HTTP servlet request | ||
| * @return A map of header names to their values | ||
| */ | ||
| private Map<String, List<String>> extractHeaders(HttpServletRequest request) { |
| * All transport types we want to test. We use a {@link MethodSource} rather than a | ||
| * {@link org.junit.jupiter.params.provider.ValueSource} to provide a readable name. | ||
| */ | ||
| static Stream<Arguments> transports() { |
| try { | ||
| Map<String, List<String>> headers = request.headers().asHttpHeaders(); | ||
| this.securityValidator.validateHeaders(headers); | ||
| } | ||
| catch (ServerTransportSecurityException e) { | ||
| return ServerResponse.status(e.getStatusCode()).bodyValue(e.getMessage()); | ||
| } |
There was a problem hiding this comment.
This can be unified perhaps too.
3 participants
Fixes #695 . Updates conformance tests.
Contents
Add Origin header validation for HTTP-based MCP server transports so servers can restrict which origins can connect (e.g. browser or cross-origin clients).
Introduces new
ServerTransportSecurityValidatorinterface, to validate transport-level security. Default behavior stays permissive: transports useServerTransportSecurityValidator.NOOPunless a validator is set via the builder.The provided implementation is
DefaultServerTransportSecurityValidatorand only validates the Origin header, for now.New APIs: example usage
Points of interest
Integration tests use the new JUnit 6
@ParameterizedClassAPI, which is another way of implementation "abstract base classes" for tests.