Improved Origin Validation Security

tendant · tendant · commit c7740fd67fbe · 2025-05-11T22:23:09.000-07:00
diff --git a/server/streamable_http.go b/server/streamable_http.go
@@ -232,6 +232,14 @@ func WithOriginAllowlist(allowlist []string) StreamableHTTPOption {
 	})
 }
 
+// WithAllowAllOrigins configures the server to accept requests from any origin
+func WithAllowAllOrigins() StreamableHTTPOption {
+	return streamableHTTPOption(func(s *StreamableHTTPServer) {
+		// Use a special marker to indicate "allow all"
+		s.originAllowlist = []string{"*"}
+	})
+}
+
 // StreamableHTTPServer is the concrete implementation of a server that supports
 // the MCP Streamable HTTP transport specification.
 type StreamableHTTPServer struct {
@@ -1009,21 +1017,20 @@ func (s *StreamableHTTPServer) isValidOrigin(origin string) bool {
 		return false // Invalid URLs should always be rejected
 	}
 
-	// If no allowlist is configured, allow all valid origins
-	if len(s.originAllowlist) == 0 {
-		// Always allow localhost and 127.0.0.1
-		if originURL.Hostname() == "localhost" || originURL.Hostname() == "127.0.0.1" {
-			return true
-		}
+	// Always allow localhost and 127.0.0.1 for development
+	if originURL.Hostname() == "localhost" || originURL.Hostname() == "127.0.0.1" {
 		return true
 	}
 
-	// Always allow localhost and 127.0.0.1
-	if originURL.Hostname() == "localhost" || originURL.Hostname() == "127.0.0.1" {
-		return true
+	// If no allowlist is configured, only allow localhost/127.0.0.1 (already checked above)
+	if len(s.originAllowlist) == 0 {
+		return false
 	}
 
 	// Check against the allowlist
+	if len(s.originAllowlist) == 1 && s.originAllowlist[0] == "*" {
+		return true // Explicitly configured to allow all origins
+	}
 	for _, allowed := range s.originAllowlist {
 		// Check for wildcard subdomain pattern
 		if strings.HasPrefix(allowed, "*.") {
diff --git a/server/streamable_http_origin_validation_test.go b/server/streamable_http_origin_validation_test.go
@@ -20,7 +20,7 @@ func TestOriginValidation(t *testing.T) {
 		{"Localhost allowed", "http://localhost:3000", []string{}, true},
 		{"127.0.0.1 allowed", "http://127.0.0.1:8080", []string{}, true},
 		{"Multiple allowlist entries", "https://api.example.com", []string{"https://app.example.com", "https://api.example.com"}, true},
-		{"Empty allowlist", "https://example.com", []string{}, true}, // Should allow all when no allowlist is configured
+		{"Empty allowlist", "https://example.com", []string{}, false}, // Should only allow localhost/127.0.0.1 when no allowlist is configured
 		{"Invalid URL", "://invalid-url", []string{}, false},
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -20,7 +20,7 @@ func TestOriginValidation(t *testing.T) {`
`20`	`20`	`{"Localhost allowed", "http://localhost:3000", []string{}, true},`
`21`	`21`	`{"127.0.0.1 allowed", "http://127.0.0.1:8080", []string{}, true},`
`22`	`22`	`{"Multiple allowlist entries", "https://api.example.com", []string{"https://app.example.com", "https://api.example.com"}, true},`
`23`		`- {"Empty allowlist", "https://example.com", []string{}, true}, // Should allow all when no allowlist is configured`
	`23`	`+ {"Empty allowlist", "https://example.com", []string{}, false}, // Should only allow localhost/127.0.0.1 when no allowlist is configured`
`24`	`24`	`{"Invalid URL", "://invalid-url", []string{}, false},`
`25`	`25`	`}`
`26`	`26`