validation

package
v0.0.0-...-9a8f605 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Feb 9, 2026 License: AGPL-3.0 Imports: 5 Imported by: 0

Documentation

Overview

Package validation provides MCP message validation logic.

Package validation provides MCP message validation logic. It validates JSON-RPC structure and MCP-specific requirements to reject malformed messages early in the proxy chain.

Index

Constants

View Source 
const (
	// MaxStringLength is the maximum length of any string value (1MB).
	// Strings longer than this are truncated to prevent memory exhaustion.
	MaxStringLength = 1048576

	// MaxToolNameLength is the maximum length of a tool name.
	MaxToolNameLength = 255
)

Size limits for sanitization.

View Source 
const (
	// ErrCodeParseError indicates invalid JSON was received.
	ErrCodeParseError = -32700

	// ErrCodeInvalidRequest indicates the JSON is not a valid Request object.
	ErrCodeInvalidRequest = -32600

	// ErrCodeMethodNotFound indicates the method does not exist or is not available.
	ErrCodeMethodNotFound = -32601

	// ErrCodeInvalidParams indicates invalid method parameters.
	ErrCodeInvalidParams = -32602

	// ErrCodeInternalError indicates an internal JSON-RPC error.
	ErrCodeInternalError = -32603
)

JSON-RPC 2.0 standard error codes. These are defined in the JSON-RPC 2.0 specification: https://www.jsonrpc.org/specification#error_object

Variables

View Source 
var ValidMCPMethods = map[string]bool{

	"initialize":                true,
	"initialized":               true,
	"notifications/initialized": true,
	"ping":                      true,

	"tools/list": true,
	"tools/call": true,

	"resources/list": true,
	"resources/read": true,

	"prompts/list": true,
	"prompts/get":  true,

	"completion/complete": true,

	"logging/setLevel": true,

	"notifications/cancelled":              true,
	"notifications/progress":               true,
	"notifications/message":                true,
	"notifications/resources/updated":      true,
	"notifications/resources/list_changed": true,
	"notifications/tools/list_changed":     true,
	"notifications/prompts/list_changed":   true,

	"sampling/createMessage": true,

	"roots/list":                       true,
	"notifications/roots/list_changed": true,
}

ValidMCPMethods contains all valid MCP 2025-11-25 method names. This is a whitelist of methods that are allowed through the proxy. Unknown methods are rejected with ErrCodeMethodNotFound.

Reference: https://modelcontextprotocol.io/specification/2025-11-25

Functions

func IsValidMCPMethod 

func IsValidMCPMethod(method string) bool

IsValidMCPMethod returns true if the method is a valid MCP method. MCP method names are case-sensitive.

Types

type MessageValidator 

type MessageValidator struct{}

MessageValidator validates MCP messages for JSON-RPC compliance and MCP-specific requirements.

func NewMessageValidator 

func NewMessageValidator() *MessageValidator

NewMessageValidator creates a new MessageValidator.

func (*MessageValidator) Validate 

func (v *MessageValidator) Validate(msg *mcp.Message) error

Validate checks if the message is a valid JSON-RPC/MCP message. Returns nil if valid, or a *ValidationError if invalid.

Validation rules: - Message must have a non-nil Decoded field (parse error if nil) - Requests must have non-nil ID and non-empty Method - Request Method must be a valid MCP method - Notifications (Request with nil ID) must have non-empty Method - Responses must have ID and either Result or Error (not both, not neither)

type Sanitizer 

type Sanitizer struct {
}

Sanitizer provides input sanitization for tool call arguments. It validates tool names and recursively sanitizes string values to prevent injection attacks and policy bypass attempts.

func NewSanitizer 

func NewSanitizer() *Sanitizer

NewSanitizer creates a new Sanitizer instance.

func (*Sanitizer) SanitizeToolCall 

func (s *Sanitizer) SanitizeToolCall(params map[string]interface{}) (map[string]interface{}, error)

SanitizeToolCall sanitizes tool call parameters. It validates the tool name and sanitizes all argument values.

Expected params structure: 

{
  "name": "tool_name",
  "arguments": { ... }
}

Returns sanitized params with validated name and sanitized arguments.

func (*Sanitizer) SanitizeValue 

func (s *Sanitizer) SanitizeValue(v interface{}) (interface{}, error)

SanitizeValue recursively sanitizes a value. For strings, it removes null bytes and truncates at MaxStringLength. For maps and slices, it recurses into each element. For other types (numbers, booleans, nil), it returns them unchanged.

func (*Sanitizer) ValidateToolName 

func (s *Sanitizer) ValidateToolName(name string) error

ValidateToolName validates a tool name against injection patterns. It returns a ValidationError if the name is invalid.

Valid tool names:

  • Start with a letter
  • Contain only alphanumeric characters, underscores, and hyphens
  • Are at most MaxToolNameLength characters
  • Do not contain path traversal sequences

type ValidationError 

type ValidationError struct {
	// Code is the JSON-RPC error code.
	Code int

	// Message is a safe, client-facing error message.
	// This MUST NOT contain internal details like file paths or stack traces.
	Message string
}

ValidationError represents a validation failure with a JSON-RPC error code. The Message field contains a safe message for the client (no internal details).

func NewValidationError 

func NewValidationError(code int, message string) *ValidationError

NewValidationError creates a new ValidationError with the given code and message.

func (*ValidationError) Error 

func (e *ValidationError) Error() string

Error implements the error interface.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.