Skip to content

fix(http): validate the Mcp-Session-Id header#157

Open
SVilgelm wants to merge 1 commit into
rust-mcp-stack:mainfrom
SVilgelm:fix/validate-session-id-header
Open

fix(http): validate the Mcp-Session-Id header#157
SVilgelm wants to merge 1 commit into
rust-mcp-stack:mainfrom
SVilgelm:fix/validate-session-id-header

Conversation

@SVilgelm
Copy link
Copy Markdown
Contributor

@SVilgelm SVilgelm commented May 25, 2026

📌 Summary

The Mcp-Session-Id request header was taken at face value, with no length or charset check, so an attacker could send very large headers to force allocations and map lookups. The header is now validated (length and URL-safe charset) before use; invalid values are rejected with 400.

🔍 Related Issues

✨ Changes Made

  • Add parse_session_id_header with a 128-byte cap and URL-safe charset check, shared across POST/GET/DELETE.
  • Reject malformed session-id headers with 400 before any lookup.
  • Add unit tests and an integration test for oversized/malformed ids.

@SVilgelm
fix(http): validate the Mcp-Session-Id header
7b1ad56 
Reject session-id headers longer than 128 bytes or outside a URL-safe charset with 400 before any allocation or map lookup, instead of taking the header at face value.

Assisted-By: Claude Opus 4.7 <noreply@anthropic.com>
Signed-off-by: Sergey Vilgelm <sergey@vilgelm.com>
@SVilgelm SVilgelm mentioned this pull request May 25, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@SVilgelm