Add input validation and path traversal protection to MCP API

shanerbaner82 · shanerbaner82 · commit 0649d0861e95 · 2026-01-31T17:17:27.000+05:30
- Add McpSearchRequest form request for search endpoint validation
- Add sanitization methods for platform, version, and path segments
- Protect against path traversal attacks in docs service
- Add security tests for validation and traversal protection
diff --git a/app/Http/Controllers/McpController.php b/app/Http/Controllers/McpController.php
@@ -2,6 +2,7 @@
 
 namespace App\Http\Controllers;
 
+use App\Http\Requests\McpSearchRequest;
 use App\Services\DocsSearchService;
 use Illuminate\Http\JsonResponse;
 use Illuminate\Http\Request;
@@ -113,18 +114,16 @@ public function health(): JsonResponse
 
     // REST API endpoints for simpler integrations
 
-    public function searchApi(Request $request): JsonResponse
+    public function searchApi(McpSearchRequest $request): JsonResponse
     {
-        $query = $request->input('q', '');
-        $platform = $request->input('platform');
-        $version = $request->input('version');
-        $limit = (int) $request->input('limit', 10);
-
-        if (empty($query)) {
-            return response()->json(['error' => 'Missing query parameter: q'], 400);
-        }
-
-        $results = $this->docsSearch->search($query, $platform, $version, $limit);
+        $validated = $request->validated();
+
+        $results = $this->docsSearch->search(
+            $validated['q'],
+            $validated['platform'] ?? null,
+            $validated['version'] ?? null,
+            $validated['limit'] ?? 10
+        );
 
         return response()->json(['results' => $results]);
     }
diff --git a/app/Http/Requests/McpSearchRequest.php b/app/Http/Requests/McpSearchRequest.php
@@ -0,0 +1,32 @@
+<?php
+
+namespace App\Http\Requests;
+
+use Illuminate\Foundation\Http\FormRequest;
+
+class McpSearchRequest extends FormRequest
+{
+    public function authorize(): bool
+    {
+        return true;
+    }
+
+    public function rules(): array
+    {
+        return [
+            'q' => ['required', 'string', 'max:500'],
+            'platform' => ['nullable', 'string', 'in:desktop,mobile'],
+            'version' => ['nullable', 'string', 'regex:/^[0-9]+$/'],
+            'limit' => ['nullable', 'integer', 'min:1', 'max:100'],
+        ];
+    }
+
+    public function messages(): array
+    {
+        return [
+            'platform.in' => 'Platform must be either desktop or mobile.',
+            'version.regex' => 'Version must be a numeric value.',
+            'limit.max' => 'Limit cannot exceed 100.',
+        ];
+    }
+}
diff --git a/app/Services/DocsSearchService.php b/app/Services/DocsSearchService.php
@@ -18,6 +18,15 @@ public function __construct()
 
     public function search(string $query, ?string $platform = null, ?string $version = null, int $limit = 10): array
     {
+        if ($platform !== null && ! $this->sanitizePlatform($platform)) {
+            return [];
+        }
+        if ($version !== null && ! $this->sanitizeVersion($version)) {
+            return [];
+        }
+
+        $limit = min(max(1, $limit), 100);
+
         $pages = $this->getAllPages($platform, $version);
         $queryTerms = $this->tokenize($query);
 
@@ -38,6 +47,15 @@ public function search(string $query, ?string $platform = null, ?string $version
 
     public function getPage(string $platform, string $version, string $section, string $slug): ?array
     {
+        $platform = $this->sanitizePlatform($platform);
+        $version = $this->sanitizeVersion($version);
+        $section = $this->sanitizePathSegment($section);
+        $slug = $this->sanitizePathSegment($slug);
+
+        if (! $platform || ! $version || ! $section || ! $slug) {
+            return null;
+        }
+
         $filePath = "{$this->docsPath}/{$platform}/{$version}/{$section}/{$slug}.md";
 
         if (! file_exists($filePath)) {
@@ -60,6 +78,10 @@ public function getPageByPath(string $path): ?array
 
     public function listApis(string $platform, string $version): array
     {
+        if (! $this->sanitizePlatform($platform) || ! $this->sanitizeVersion($version)) {
+            return [];
+        }
+
         return collect($this->getAllPages($platform, $version))
             ->filter(fn ($page) => $page['section'] === 'apis')
             ->sortBy('order')
@@ -69,6 +91,10 @@ public function listApis(string $platform, string $version): array
 
     public function getNavigation(string $platform, string $version): array
     {
+        if (! $this->sanitizePlatform($platform) || ! $this->sanitizeVersion($version)) {
+            return [];
+        }
+
         $pages = $this->getAllPages($platform, $version);
 
         $sections = [];
@@ -125,7 +151,14 @@ public function getLatestVersions(): array
 
     protected function getAllPages(?string $platform = null, ?string $version = null): array
     {
-        $cacheKey = "mcp_docs_pages_{$platform}_{$version}";
+        if ($platform !== null && ! $this->sanitizePlatform($platform)) {
+            return [];
+        }
+        if ($version !== null && ! $this->sanitizeVersion($version)) {
+            return [];
+        }
+
+        $cacheKey = 'mcp_docs_pages_'.($platform ?? 'all').'_'.($version ?? 'all');
 
         if (config('app.env') !== 'local') {
             $cached = Cache::get($cacheKey);
@@ -283,4 +316,37 @@ protected function extractSnippet(string $content, array $queryTerms, int $lengt
 
         return Str::limit(preg_replace('/\s+/', ' ', $content), $length);
     }
+
+    protected function sanitizePlatform(?string $platform): ?string
+    {
+        if ($platform === null) {
+            return null;
+        }
+
+        $allowed = ['desktop', 'mobile'];
+
+        return in_array($platform, $allowed, true) ? $platform : null;
+    }
+
+    protected function sanitizeVersion(?string $version): ?string
+    {
+        if ($version === null) {
+            return null;
+        }
+
+        return preg_match('/^[0-9]+$/', $version) ? $version : null;
+    }
+
+    protected function sanitizePathSegment(?string $segment): ?string
+    {
+        if ($segment === null || $segment === '') {
+            return null;
+        }
+
+        if (str_contains($segment, '..') || str_contains($segment, '/') || str_contains($segment, '\\')) {
+            return null;
+        }
+
+        return preg_match('/^[a-zA-Z0-9_-]+$/', $segment) ? $segment : null;
+    }
 }
diff --git a/tests/Feature/McpSecurityTest.php b/tests/Feature/McpSecurityTest.php
@@ -0,0 +1,71 @@
+<?php
+
+namespace Tests\Feature;
+
+use Tests\TestCase;
+
+class McpSecurityTest extends TestCase
+{
+    public function test_search_rejects_path_traversal_in_platform(): void
+    {
+        $response = $this->getJson('/api/mcp/search?q=test&platform=..');
+
+        $response->assertStatus(422);
+        $response->assertJsonValidationErrors(['platform']);
+    }
+
+    public function test_search_rejects_path_traversal_in_version(): void
+    {
+        $response = $this->getJson('/api/mcp/search?q=test&version=..');
+
+        $response->assertStatus(422);
+        $response->assertJsonValidationErrors(['version']);
+    }
+
+    public function test_search_rejects_excessive_limit(): void
+    {
+        $response = $this->getJson('/api/mcp/search?q=test&limit=1200');
+
+        $response->assertStatus(422);
+        $response->assertJsonValidationErrors(['limit']);
+    }
+
+    public function test_search_accepts_valid_parameters(): void
+    {
+        $response = $this->getJson('/api/mcp/search?q=camera&platform=mobile&version=2&limit=10');
+
+        $response->assertStatus(200);
+        $response->assertJsonStructure(['results']);
+    }
+
+    public function test_search_allows_null_platform_and_version(): void
+    {
+        $response = $this->getJson('/api/mcp/search?q=camera');
+
+        $response->assertStatus(200);
+        $response->assertJsonStructure(['results']);
+    }
+
+    public function test_page_api_rejects_path_traversal(): void
+    {
+        $response = $this->getJson('/api/mcp/page/../../../etc/passwd');
+
+        $response->assertStatus(404);
+    }
+
+    public function test_apis_endpoint_rejects_invalid_platform(): void
+    {
+        $response = $this->getJson('/api/mcp/apis/../1');
+
+        $response->assertStatus(200);
+        $response->assertJson(['apis' => []]);
+    }
+
+    public function test_navigation_endpoint_rejects_invalid_version(): void
+    {
+        $response = $this->getJson('/api/mcp/navigation/mobile/..');
+
+        $response->assertStatus(200);
+        $response->assertJson(['navigation' => []]);
+    }
+}
