fix: reject null bytes in ResourceSecurity.validate by default

maxisbey · maxisbey · commit 8fb3d6f296c5 · 2026-03-27T15:39:53.000Z
A %00 in a URI decodes to \x00, which defeats the traversal check's
string comparison ("..\x00" != "..") and can cause truncation in
handlers that pass values to C extensions or subprocess.

safe_join already rejects null bytes; this closes the defense-in-depth
gap so ResourceSecurity catches them before the handler runs. The
check runs first so it also covers the traversal-bypass case.
diff --git a/src/mcp/server/mcpserver/resources/templates.py b/src/mcp/server/mcpserver/resources/templates.py
@@ -46,6 +46,11 @@ def git_diff(range: str) -> str: ...
     reject_absolute_paths: bool = True
     """Reject values that look like absolute filesystem paths."""
 
+    reject_null_bytes: bool = True
+    """Reject values containing NUL (``\\x00``). Null bytes defeat string
+    comparisons (``"..\\x00" != ".."``) and can cause truncation in C
+    extensions or subprocess calls."""
+
     exempt_params: Set[str] = field(default_factory=frozenset[str])
     """Parameter names to skip all checks for."""
 
@@ -64,6 +69,8 @@ def validate(self, params: Mapping[str, str | list[str]]) -> bool:
                 continue
             values = value if isinstance(value, list) else [value]
             for v in values:
+                if self.reject_null_bytes and "\0" in v:
+                    return False
                 if self.reject_path_traversal and contains_path_traversal(v):
                     return False
                 if self.reject_absolute_paths and is_absolute_path(v):
diff --git a/tests/server/mcpserver/resources/test_resource_template.py b/tests/server/mcpserver/resources/test_resource_template.py
@@ -67,6 +67,21 @@ def test_matches_disabled_policy_allows_traversal():
     assert t.matches("file://docs/..") == {"name": ".."}
 
 
+def test_matches_rejects_null_byte_by_default():
+    # %00 decodes to \x00 which defeats string comparisons
+    # ("..\x00" != "..") and can truncate in C extensions.
+    t = _make("file://docs/{name}")
+    assert t.matches("file://docs/key%00.txt") is None
+    # Null byte also defeats the traversal check's component comparison
+    assert t.matches("file://docs/..%00%2Fsecret") is None
+
+
+def test_matches_null_byte_check_can_be_disabled():
+    policy = ResourceSecurity(reject_null_bytes=False)
+    t = _make("file://docs/{name}", security=policy)
+    assert t.matches("file://docs/key%00.txt") == {"name": "key\x00.txt"}
+
+
 def test_matches_explode_checks_each_segment():
     t = _make("api{/parts*}")
     assert t.matches("api/a/b/c") == {"parts": ["a", "b", "c"]}
