@majiayu000
Contributor

Summary

  • Added NulByteValidationMiddleware to validate incoming requests
  • Returns 400 Bad Request when NUL bytes (%00) detected in URL path or query
  • Prevents PostgreSQL encoding errors from being exposed as 500 errors

Before

GET /v0.1/servers?cursor=%00
→ 500 Internal Server Error
→ "invalid byte sequence for encoding UTF8: 0x00"

After

GET /v0.1/servers?cursor=%00
→ 400 Bad Request
→ "Invalid request: query parameters contain null bytes"

Fixes #862
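
The check described in the summary above, as an added example that is not the PR's own code: a `net/http` middleware that returns 400 for a NUL byte in the path or query before the request reaches a database-backed handler. The names `rejectNUL` and `statusFor` and the path error message are assumptions; the query error message is the one quoted in the description.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// rejectNUL is a hypothetical stand-in for the PR's NulByteValidationMiddleware.
func rejectNUL(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// net/http has already percent-decoded the path, so %00 arrives as a raw 0x00.
		if strings.ContainsRune(r.URL.Path, 0) {
			// Assumed wording; the page only quotes the query-parameter message.
			http.Error(w, "Invalid request: URL path contains null bytes", http.StatusBadRequest)
			return
		}
		// RawQuery is still encoded. In a well-formed query every '%' starts an
		// escape, so "%00" is always an encoded NUL ("%2500" is a literal "%00").
		if strings.Contains(r.URL.RawQuery, "%00") {
			http.Error(w, "Invalid request: query parameters contain null bytes", http.StatusBadRequest)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// statusFor sends a constructed GET through the middleware and returns the status code.
func statusFor(target string) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusOK) // stands in for the database-backed handler
	})
	rec := httptest.NewRecorder()
	rejectNUL(ok).ServeHTTP(rec, httptest.NewRequest(http.MethodGet, target, nil))
	return rec.Code
}

func main() {
	// Constructed sample requests: two with NUL bytes, two without.
	for _, target := range []string{"/v0.1/servers?cursor=%00", "/v0.1/servers/%00",
		"/v0.1/servers?cursor=abc", "/v0.1/servers?cursor=%2500"} {
		fmt.Println(statusFor(target), target)
	}
}
```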

majiayu000 and others added 2 commits December 28, 2025 22:29
Added NulByteValidationMiddleware to validate incoming requests and
return 400 Bad Request when NUL bytes are detected in the URL path
or query parameters. This prevents PostgreSQL encoding errors and
properly rejects malformed input.

Fixes modelcontextprotocol#862

Signed-off-by: majiayu000 <1835304752@qq.com>
@rdimitrov
Member

hey, thanks for your PR @majiayu000 👋

Note there was another PR - #866 which was opened by @Avish34 and we had a chat together and agreed the approach in this one is preferable out of the 2.

Cheers! 🍻

@rdimitrov rdimitrov merged commit ab6a5a6 into modelcontextprotocol:main Jan 3, 2026
3 checks passed
rdimitrov added a commit that referenced this pull request Jan 13, 2026
<!-- Provide a brief summary of your changes -->

## Motivation and Context
<!-- Why is this change needed? What problem does it solve? -->
Follow up on #869 

## How Has This Been Tested?
<!-- Have you tested this in a real application? Which scenarios were
tested? -->

## Breaking Changes
<!-- Will users need to update their code or configurations? -->

## Types of changes
<!-- What types of changes does your code introduce? Put an `x` in all
the boxes that apply: -->
- [ ] Bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [ ] Breaking change (fix or feature that would cause existing
functionality to change)
- [ ] Documentation update

## Checklist
<!-- Go over all the following points, and put an `x` in all the boxes
that apply. -->
- [ ] I have read the [MCP
Documentation](https://modelcontextprotocol.io)
- [ ] My code follows the repository's style guidelines
- [ ] New and existing tests pass locally
- [ ] I have added appropriate error handling
- [ ] I have added or updated documentation as needed

## Additional context
<!-- Add any other context, implementation notes, or design decisions
-->

Signed-off-by: Radoslav Dimitrov <radoslav@stacklok.com>
Development

Successfully merging this pull request may close these issues.

Unhandled NUL Bytes in API Requests