Blame: tests/issues/test_malformed_input.py - modelcontextprotocol/python-sdk

modelcontextprotocol / python-sdk UNCLAIMED

The official Python SDK for Model Context Protocol servers and clients

22500 0 0 Python

Fix uncaught exception in MCP server (#822) 2025-06-09 17:03:15 -07:00			`# Claude Debug`
			`"""Test for HackerOne vulnerability report #3156202 - malformed input DOS."""`

			`import anyio`
			`import pytest`

			`from mcp.server.models import InitializationOptions`
			`from mcp.server.session import ServerSession`
			`from mcp.shared.message import SessionMessage`
Drop `RootModel` from `JSONRPCMessage` (#1908) 2026-01-19 14:04:15 +01:00			`from mcp.types import INVALID_PARAMS, JSONRPCError, JSONRPCMessage, JSONRPCRequest, ServerCapabilities`
Fix uncaught exception in MCP server (#822) 2025-06-09 17:03:15 -07:00

			`@pytest.mark.anyio`
			`async def test_malformed_initialize_request_does_not_crash_server():`
chore: add D212 lint rule to enforce Google-style docstrings (#1892) 2026-01-16 16:10:52 +00:00			`"""Test that malformed initialize requests return proper error responses`
Fix uncaught exception in MCP server (#822) 2025-06-09 17:03:15 -07:00			`instead of crashing the server (HackerOne #3156202).`
			`"""`
			`# Create in-memory streams for testing`
			`read_send_stream, read_receive_stream = anyio.create_memory_object_stream[SessionMessage \| Exception](10)`
			`write_send_stream, write_receive_stream = anyio.create_memory_object_stream[SessionMessage](10)`

			`try:`
			`# Create a malformed initialize request (missing required params field)`
			`malformed_request = JSONRPCRequest(`
			`jsonrpc="2.0",`
			`id="f20fe86132ed4cd197f89a7134de5685",`
			`method="initialize",`
			`# params=None # Missing required params field`
			`)`
Use 120 characters instead of 88 (#856) 2025-06-11 02:45:50 -07:00
Fix uncaught exception in MCP server (#822) 2025-06-09 17:03:15 -07:00			`# Wrap in session message`
Drop `RootModel` from `JSONRPCMessage` (#1908) 2026-01-19 14:04:15 +01:00			`request_message = SessionMessage(message=malformed_request)`
Fix uncaught exception in MCP server (#822) 2025-06-09 17:03:15 -07:00
			`# Start a server session`
			`async with ServerSession(`
			`read_stream=read_receive_stream,`
			`write_stream=write_send_stream,`
			`init_options=InitializationOptions(`
			`server_name="test_server",`
			`server_version="1.0.0",`
			`capabilities=ServerCapabilities(),`
			`),`
			`):`
			`# Send the malformed request`
			`await read_send_stream.send(request_message)`
Use 120 characters instead of 88 (#856) 2025-06-11 02:45:50 -07:00
Fix uncaught exception in MCP server (#822) 2025-06-09 17:03:15 -07:00			`# Give the session time to process the request`
			`await anyio.sleep(0.1)`
Use 120 characters instead of 88 (#856) 2025-06-11 02:45:50 -07:00
Fix uncaught exception in MCP server (#822) 2025-06-09 17:03:15 -07:00			`# Check that we received an error response instead of a crash`
			`try:`
			`response_message = write_receive_stream.receive_nowait()`
Drop `RootModel` from `JSONRPCMessage` (#1908) 2026-01-19 14:04:15 +01:00			`response = response_message.message`
Use 120 characters instead of 88 (#856) 2025-06-11 02:45:50 -07:00
Fix uncaught exception in MCP server (#822) 2025-06-09 17:03:15 -07:00			`# Verify it's a proper JSON-RPC error response`
			`assert isinstance(response, JSONRPCError)`
			`assert response.jsonrpc == "2.0"`
			`assert response.id == "f20fe86132ed4cd197f89a7134de5685"`
			`assert response.error.code == INVALID_PARAMS`
			`assert "Invalid request parameters" in response.error.message`
Use 120 characters instead of 88 (#856) 2025-06-11 02:45:50 -07:00
Fix uncaught exception in MCP server (#822) 2025-06-09 17:03:15 -07:00			`# Verify the session is still alive and can handle more requests`
			`# Send another malformed request to confirm server stability`
			`another_malformed_request = JSONRPCRequest(`
			`jsonrpc="2.0",`
			`id="test_id_2",`
			`method="tools/call",`
			`# params=None # Missing required params`
			`)`
Drop `RootModel` from `JSONRPCMessage` (#1908) 2026-01-19 14:04:15 +01:00			`another_request_message = SessionMessage(message=another_malformed_request)`
Use 120 characters instead of 88 (#856) 2025-06-11 02:45:50 -07:00
Fix uncaught exception in MCP server (#822) 2025-06-09 17:03:15 -07:00			`await read_send_stream.send(another_request_message)`
			`await anyio.sleep(0.1)`
Use 120 characters instead of 88 (#856) 2025-06-11 02:45:50 -07:00
Fix uncaught exception in MCP server (#822) 2025-06-09 17:03:15 -07:00			`# Should get another error response, not a crash`
			`second_response_message = write_receive_stream.receive_nowait()`
Drop `RootModel` from `JSONRPCMessage` (#1908) 2026-01-19 14:04:15 +01:00			`second_response = second_response_message.message`
Use 120 characters instead of 88 (#856) 2025-06-11 02:45:50 -07:00
Fix uncaught exception in MCP server (#822) 2025-06-09 17:03:15 -07:00			`assert isinstance(second_response, JSONRPCError)`
			`assert second_response.id == "test_id_2"`
			`assert second_response.error.code == INVALID_PARAMS`
Use 120 characters instead of 88 (#856) 2025-06-11 02:45:50 -07:00
Fix uncaught exception in MCP server (#822) 2025-06-09 17:03:15 -07:00			`except anyio.WouldBlock: # pragma: no cover`
			`pytest.fail("No response received - server likely crashed")`
ci: add strict-no-cover to detect unnecessary coverage pragmas (#1897) 2026-01-23 20:00:20 +00:00			`finally: # pragma: lax no cover`
Fix uncaught exception in MCP server (#822) 2025-06-09 17:03:15 -07:00			`# Close all streams to ensure proper cleanup`
			`await read_send_stream.aclose()`
			`await write_send_stream.aclose()`
			`await read_receive_stream.aclose()`
			`await write_receive_stream.aclose()`


			`@pytest.mark.anyio`
			`async def test_multiple_concurrent_malformed_requests():`
chore: add D212 lint rule to enforce Google-style docstrings (#1892) 2026-01-16 16:10:52 +00:00			`"""Test that multiple concurrent malformed requests don't crash the server."""`
Fix uncaught exception in MCP server (#822) 2025-06-09 17:03:15 -07:00			`# Create in-memory streams for testing`
			`read_send_stream, read_receive_stream = anyio.create_memory_object_stream[SessionMessage \| Exception](100)`
			`write_send_stream, write_receive_stream = anyio.create_memory_object_stream[SessionMessage](100)`

			`try:`
			`# Start a server session`
			`async with ServerSession(`
			`read_stream=read_receive_stream,`
			`write_stream=write_send_stream,`
			`init_options=InitializationOptions(`
			`server_name="test_server",`
			`server_version="1.0.0",`
			`capabilities=ServerCapabilities(),`
			`),`
			`):`
			`# Send multiple malformed requests concurrently`
Add pyright strict mode on the whole project (#1254) 2025-08-11 19:56:37 +02:00			`malformed_requests: list[SessionMessage] = []`
Fix uncaught exception in MCP server (#822) 2025-06-09 17:03:15 -07:00			`for i in range(10):`
			`malformed_request = JSONRPCRequest(`
			`jsonrpc="2.0",`
			`id=f"malformed_{i}",`
			`method="initialize",`
			`# params=None # Missing required params`
			`)`
Drop `RootModel` from `JSONRPCMessage` (#1908) 2026-01-19 14:04:15 +01:00			`request_message = SessionMessage(message=malformed_request)`
Fix uncaught exception in MCP server (#822) 2025-06-09 17:03:15 -07:00			`malformed_requests.append(request_message)`
Use 120 characters instead of 88 (#856) 2025-06-11 02:45:50 -07:00
Fix uncaught exception in MCP server (#822) 2025-06-09 17:03:15 -07:00			`# Send all requests`
			`for request in malformed_requests:`
			`await read_send_stream.send(request)`
Use 120 characters instead of 88 (#856) 2025-06-11 02:45:50 -07:00
Fix uncaught exception in MCP server (#822) 2025-06-09 17:03:15 -07:00			`# Give time to process`
			`await anyio.sleep(0.2)`
Use 120 characters instead of 88 (#856) 2025-06-11 02:45:50 -07:00
Fix uncaught exception in MCP server (#822) 2025-06-09 17:03:15 -07:00			`# Verify we get error responses for all requests`
Drop `RootModel` from `JSONRPCMessage` (#1908) 2026-01-19 14:04:15 +01:00			`error_responses: list[JSONRPCMessage] = []`
Fix uncaught exception in MCP server (#822) 2025-06-09 17:03:15 -07:00			`try:`
			`while True:`
			`response_message = write_receive_stream.receive_nowait()`
Drop `RootModel` from `JSONRPCMessage` (#1908) 2026-01-19 14:04:15 +01:00			`error_responses.append(response_message.message)`
Fix uncaught exception in MCP server (#822) 2025-06-09 17:03:15 -07:00			`except anyio.WouldBlock:`
			`pass # No more messages`
Use 120 characters instead of 88 (#856) 2025-06-11 02:45:50 -07:00
Fix uncaught exception in MCP server (#822) 2025-06-09 17:03:15 -07:00			`# Should have received 10 error responses`
			`assert len(error_responses) == 10`
Use 120 characters instead of 88 (#856) 2025-06-11 02:45:50 -07:00
Fix uncaught exception in MCP server (#822) 2025-06-09 17:03:15 -07:00			`for i, response in enumerate(error_responses):`
			`assert isinstance(response, JSONRPCError)`
			`assert response.id == f"malformed_{i}"`
			`assert response.error.code == INVALID_PARAMS`
ci: add strict-no-cover to detect unnecessary coverage pragmas (#1897) 2026-01-23 20:00:20 +00:00			`finally: # pragma: lax no cover`
Fix uncaught exception in MCP server (#822) 2025-06-09 17:03:15 -07:00			`# Close all streams to ensure proper cleanup`
			`await read_send_stream.aclose()`
			`await write_send_stream.aclose()`
			`await read_receive_stream.aclose()`
			`await write_receive_stream.aclose()`