fix: improve allowed host validation to handle ports correctly

>>
>> - Added proper host and port parsing without using urlparse
>> - Normalized incoming host by removing protocol and path
>> - Updated allowed host matching logic with clear rules:
>>
>>   1. host (example.com)
>>      - allows requests from the host with or without ports
>>
>>   2. host:* (example.com:*)
>>      - explicitly allows any port for that host
>>
>>   3. host:port (example.com:443)
>>      - allows only the exact specified port
>>
>> - Prevented incorrect matches when specific ports are configured
>> - Improved transport security host validation consistency
>> - Keeps logic compatible with proxy environments (e.g. Heroku)
>>
>> This fixes cases where:
>> - hosts without ports were incorrectly rejected
>> - port-specific allowed hosts did not enforce strict matching

Author: parth-merkle

src/mcp/server/transport_security.py

@@ -47,20 +47,55 @@ def _validate_host(self, host: str | None) -> bool:  # pragma: no cover
             return False
 
         # Check exact match first
+        print(host)
         if host in self.settings.allowed_hosts:
             return True
-
-        # Check wildcard port patterns
+        
         for allowed in self.settings.allowed_hosts:
+
+            # normalize incoming host
+            host_without_https = (
+                host.replace("https://", "")
+                    .replace("http://", "")
+                    .split("/")[0]
+                    .strip()
+            )
+    
+            # split request host + port
+            if ":" in host_without_https:
+                request_host, request_port = host_without_https.split(":", 1)
+            else:
+                request_host = host_without_https
+                request_port = None
+    
+            # ---------- CASE 1: wildcard port (example.com:*) ----------
             if allowed.endswith(":*"):
-                # Extract base host from pattern
                 base_host = allowed[:-2]
-                # Check if the actual host starts with base host and has a port
-                if host.startswith(base_host + ":"):
+                print(base_host)
+    
+                if request_host == base_host:
                     return True
-
+    
+            # ---------- CASE 2: specific port (example.com:443) ----------
+            elif ":" in allowed:
+                allowed_host, allowed_port = allowed.split(":", 1)
+    
+                if (
+                    request_host == allowed_host
+                    and request_port == allowed_port
+                ):
+                    return True
+    
+            # ---------- CASE 3: host only (allow any port) ----------
+            else:
+                if request_host == allowed:
+                    return True
+    
+                logger.warning(f"Invalid Host header: {host}")
+                return False
+            
         logger.warning(f"Invalid Host header: {host}")
-        return False
+        return False    
 
     def _validate_origin(self, origin: str | None) -> bool:  # pragma: no cover
         """Validate the Origin header against allowed values."""