Skip to content

Comments

oauthex: validate URL schemes in auth server metadata and DCR#712

Merged
findleyr merged 1 commit intomodelcontextprotocol:mainfrom
findleyr:oauth526
Dec 11, 2025
Merged

oauthex: validate URL schemes in auth server metadata and DCR#712
findleyr merged 1 commit intomodelcontextprotocol:mainfrom
findleyr:oauth526

Conversation

@findleyr
Copy link
Contributor

@findleyr findleyr commented Dec 10, 2025

Use URL scheme validation for remaining URL fields in auth datastructures (AuthServerMeta and ClientRegistrationMetadata), to prevent XSS attacks.

By comparison, the typescript SDK doesn't validate introspection_endpoint, and I don't know why. Otherwise the implementations align.

Fixes #526

markus-kusano
markus-kusano previously approved these changes Dec 11, 2025
View reviewed changes
@findleyr
oauthex: validate URL schemes in auth server metadata and DCR
bf0b981 
Use URL scheme validation for remaining URL fields in auth
datastructures (AuthServerMeta and ClientRegistrationMetadata), to
prevent XSS attacks.

By comparison, the typescript SDK doesn't validate
introspection_endpoint, and I don't know why. Otherwise the
implementations align.

Fixes modelcontextprotocol#526
@findleyr findleyr merged commit 307e32c into modelcontextprotocol:main Dec 11, 2025
5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jba jba Awaiting requested review from jba

1 more reviewer

@markus-kusano markus-kusano markus-kusano approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

protect against attacks from MCP server URLs

2 participants

@findleyr @markus-kusano