Skip to content

fix(api): reject requests with NUL bytes in URL #869

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
majiayu000 wants to merge 1 commit into
base: main
Choose a base branch
from
Open

fix(api): reject requests with NUL bytes in URL #869

majiayu000 wants to merge 1 commit into from
+95 −2

Conversation

@majiayu000
Copy link

@majiayu000 majiayu000 commented Dec 28, 2025

Summary

  • Added NulByteValidationMiddleware to validate incoming requests
  • Returns 400 Bad Request when NUL bytes (%00) detected in URL path or query
  • Prevents PostgreSQL encoding errors from being exposed as 500 errors

Before

GET /v0.1/servers?cursor=%00
→ 500 Internal Server Error
→ "invalid byte sequence for encoding UTF8: 0x00"

After

GET /v0.1/servers?cursor=%00
→ 400 Bad Request
→ "Invalid request: query parameters contain null bytes"

Fixes #862

@majiayu000
fix(api): reject requests with NUL bytes in URL
c03013c 
Added NulByteValidationMiddleware to validate incoming requests and
return 400 Bad Request when NUL bytes are detected in the URL path
or query parameters. This prevents PostgreSQL encoding errors and
properly rejects malformed input.

Fixes modelcontextprotocol#862

Signed-off-by: majiayu000 <1835304752@qq.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Unhandled NUL Bytes in API Requests

1 participant

@majiayu000