hardening: tighten limits, immutability, and drive-letter detection

Bundled low-severity hardening:

- Lower DEFAULT_MAX_TEMPLATE_LENGTH from 1MB to 8KB. Real templates
  are under 200 bytes; the old limit allowed 0.75s parse times.
- Replace max_expressions with max_variables (default 256). A single
  {v0,v1,...,vN} expression packed arbitrarily many variables under
  one expression count, bypassing the limit.
- Store UriTemplate internals as tuples. The dataclass is frozen but
  list fields were mutable via t._parts.append(), violating the
  immutability contract.
- Coerce ResourceSecurity.exempt_params to frozenset in __post_init__
  so hash() works even when callers pass a regular set.
- Check drive letters against ASCII only. str.isalpha() is
  Unicode-aware, so is_absolute_path("Ω:foo") falsely returned True.

Author: maxisbey

src/mcp/server/mcpserver/resources/templates.py

@@ -54,6 +54,11 @@ def git_diff(range: str) -> str: ...
     exempt_params: Set[str] = field(default_factory=frozenset[str])
     """Parameter names to skip all checks for."""
 
+    def __post_init__(self) -> None:
+        # Coerce to frozenset so the dataclass stays hashable even if
+        # callers pass a regular set.
+        object.__setattr__(self, "exempt_params", frozenset(self.exempt_params))
+
     def validate(self, params: Mapping[str, str | list[str]]) -> str | None:
         """Check all parameter values against the configured policy.
 

src/mcp/shared/path_security.py

@@ -15,6 +15,7 @@ def read_doc(path: str) -> str:
         return safe_join("/data/docs", path).read_text()
 """
 
+import string
 from pathlib import Path
 
 __all__ = ["PathEscapeError", "contains_path_traversal", "is_absolute_path", "safe_join"]
@@ -99,8 +100,9 @@ def is_absolute_path(value: str) -> bool:
         return False
     if value[0] in ("/", "\\"):
         return True
-    # Windows drive letter: C:, C:\, C:/
-    if len(value) >= 2 and value[1] == ":" and value[0].isalpha():
+    # Windows drive letter: C:, C:\, C:/. ASCII-only so that values
+    # like "Ω:namespace" are not falsely rejected.
+    if len(value) >= 2 and value[1] == ":" and value[0] in string.ascii_letters:
         return True
     return False
 

src/mcp/shared/uri_template.py

@@ -45,8 +45,8 @@
 from urllib.parse import quote, unquote
 
 __all__ = [
-    "DEFAULT_MAX_EXPRESSIONS",
     "DEFAULT_MAX_TEMPLATE_LENGTH",
+    "DEFAULT_MAX_VARIABLES",
     "DEFAULT_MAX_URI_LENGTH",
     "InvalidUriTemplate",
     "Operator",
@@ -63,8 +63,8 @@
 # (Percent-encoded varchars are technically allowed but unseen in practice.)
 _VARNAME_RE = re.compile(r"^[A-Za-z0-9_]+(?:\.[A-Za-z0-9_]+)*$")
 
-DEFAULT_MAX_TEMPLATE_LENGTH = 1_000_000
-DEFAULT_MAX_EXPRESSIONS = 10_000
+DEFAULT_MAX_TEMPLATE_LENGTH = 8_192
+DEFAULT_MAX_VARIABLES = 256
 DEFAULT_MAX_URI_LENGTH = 65_536
 
 # RFC 3986 reserved characters, kept unencoded by {+var} and {#var}.
@@ -284,12 +284,12 @@ class UriTemplate:
     """
 
     template: str
-    _parts: list[_Part] = field(repr=False, compare=False)
-    _variables: list[Variable] = field(repr=False, compare=False)
-    _prefix: list[_Atom] = field(repr=False, compare=False)
+    _parts: tuple[_Part, ...] = field(repr=False, compare=False)
+    _variables: tuple[Variable, ...] = field(repr=False, compare=False)
+    _prefix: tuple[_Atom, ...] = field(repr=False, compare=False)
     _greedy: Variable | None = field(repr=False, compare=False)
-    _suffix: list[_Atom] = field(repr=False, compare=False)
-    _query_variables: list[Variable] = field(repr=False, compare=False)
+    _suffix: tuple[_Atom, ...] = field(repr=False, compare=False)
+    _query_variables: tuple[Variable, ...] = field(repr=False, compare=False)
 
     @staticmethod
     def is_template(value: str) -> bool:
@@ -319,17 +319,19 @@ def parse(
         template: str,
         *,
         max_length: int = DEFAULT_MAX_TEMPLATE_LENGTH,
-        max_expressions: int = DEFAULT_MAX_EXPRESSIONS,
+        max_variables: int = DEFAULT_MAX_VARIABLES,
     ) -> UriTemplate:
         """Parse a URI template string.
 
         Args:
             template: An RFC 6570 URI template.
             max_length: Maximum permitted length of the template string.
                 Guards against resource exhaustion.
-            max_expressions: Maximum number of ``{...}`` expressions
-                permitted. Guards against pathological inputs that could
-                produce expensive regexes.
+            max_variables: Maximum number of variables permitted across
+                all expressions. Counting variables rather than
+                ``{...}`` expressions closes the gap where a single
+                ``{v0,v1,...,vN}`` expression packs arbitrarily many
+                variables under one expression count.
 
         Raises:
             InvalidUriTemplate: If the template is malformed, exceeds the
@@ -341,7 +343,7 @@ def parse(
                 template=template,
             )
 
-        parts, variables = _parse(template, max_expressions=max_expressions)
+        parts, variables = _parse(template, max_variables=max_variables)
 
         # Trailing {?...}/{&...} expressions are matched leniently via
         # parse_qs rather than the scan: order-agnostic, partial, ignores
@@ -352,12 +354,12 @@ def parse(
 
         return cls(
             template=template,
-            _parts=parts,
-            _variables=variables,
-            _prefix=prefix,
+            _parts=tuple(parts),
+            _variables=tuple(variables),
+            _prefix=tuple(prefix),
             _greedy=greedy,
-            _suffix=suffix,
-            _query_variables=query_vars,
+            _suffix=tuple(suffix),
+            _query_variables=tuple(query_vars),
         )
 
     @property
@@ -680,7 +682,7 @@ def _split_query_tail(parts: list[_Part]) -> tuple[list[_Part], list[Variable]]:
     return parts[:split], query_vars
 
 
-def _parse(template: str, *, max_expressions: int) -> tuple[list[_Part], list[Variable]]:
+def _parse(template: str, *, max_variables: int) -> tuple[list[_Part], list[Variable]]:
     """Split a template into an ordered sequence of literals and expressions.
 
     Walks the string, alternating between collecting literal runs and
@@ -694,7 +696,6 @@ def _parse(template: str, *, max_expressions: int) -> tuple[list[_Part], list[Va
     """
     parts: list[_Part] = []
     variables: list[Variable] = []
-    expression_count = 0
     i = 0
     n = len(template)
 
@@ -719,18 +720,17 @@ def _parse(template: str, *, max_expressions: int) -> tuple[list[_Part], list[Va
                 position=brace,
             )
 
-        expression_count += 1
-        if expression_count > max_expressions:
-            raise InvalidUriTemplate(
-                f"Template exceeds maximum of {max_expressions} expressions",
-                template=template,
-            )
-
         # Delegate body (between braces, exclusive) to the expression parser.
         expr = _parse_expression(template, template[brace + 1 : end], brace)
         parts.append(expr)
         variables.extend(expr.variables)
 
+        if len(variables) > max_variables:
+            raise InvalidUriTemplate(
+                f"Template exceeds maximum of {max_variables} variables",
+                template=template,
+            )
+
         # Advance past the closing brace.
         i = end + 1
 
@@ -903,7 +903,7 @@ def _partition_greedy(atoms: list[_Atom], template: str) -> tuple[list[_Atom], V
     return atoms[:greedy_idx], greedy.var, atoms[greedy_idx + 1 :]
 
 
-def _scan_suffix(atoms: list[_Atom], uri: str, end: int) -> tuple[dict[str, str | list[str]], int] | None:
+def _scan_suffix(atoms: Sequence[_Atom], uri: str, end: int) -> tuple[dict[str, str | list[str]], int] | None:
     """Scan atoms right-to-left from ``end``, returning captures and start position.
 
     Each bounded variable takes the minimum span that lets its
@@ -973,7 +973,9 @@ def _scan_suffix(atoms: list[_Atom], uri: str, end: int) -> tuple[dict[str, str
     return result, pos
 
 
-def _scan_prefix(atoms: list[_Atom], uri: str, start: int, limit: int) -> tuple[dict[str, str | list[str]], int] | None:
+def _scan_prefix(
+    atoms: Sequence[_Atom], uri: str, start: int, limit: int
+) -> tuple[dict[str, str | list[str]], int] | None:
     """Scan atoms left-to-right from ``start``, not exceeding ``limit``.
 
     Each bounded variable takes the minimum span that lets its

tests/server/mcpserver/resources/test_resource_template.py

@@ -89,6 +89,14 @@ def test_matches_null_byte_check_can_be_disabled():
     assert t.matches("file://docs/key%00.txt") == {"name": "key\x00.txt"}
 
 
+def test_resource_security_hashable_with_regular_set():
+    # Frozen dataclass auto-generates __hash__ from all fields, so a
+    # mutable set would make the instance unhashable. __post_init__
+    # coerces to frozenset.
+    policy = ResourceSecurity(exempt_params={"a", "b"})
+    assert hash(policy) == hash(ResourceSecurity(exempt_params=frozenset({"a", "b"})))
+
+
 def test_security_rejection_does_not_fall_through_to_next_template():
     # A strict template's security rejection must halt iteration, not
     # fall through to a later permissive template. Previously matches()

tests/shared/test_path_security.py

@@ -73,6 +73,9 @@ def test_contains_path_traversal(value: str, expected: bool):
         ("1:foo", False),
         # Colon not in position 1
         ("ab:c", False),
+        # Non-ASCII letter is not a drive letter
+        ("Ω:namespace", False),
+        ("é:foo", False),
     ],
 )
 def test_is_absolute_path(value: str, expected: bool):

tests/shared/test_uri_template.py

@@ -281,14 +281,23 @@ def test_parse_rejects_oversized_template():
         UriTemplate.parse("x" * 101, max_length=100)
 
 
-def test_parse_rejects_too_many_expressions():
-    with pytest.raises(InvalidUriTemplate, match="maximum of"):
-        UriTemplate.parse("{a}" * 11, max_expressions=10)
+def test_parse_rejects_too_many_variables():
+    template = "".join(f"{{v{i}}}" for i in range(11))
+    with pytest.raises(InvalidUriTemplate, match="maximum of 10 variables"):
+        UriTemplate.parse(template, max_variables=10)
+
+
+def test_parse_counts_variables_not_expressions():
+    # A single {v0,v1,...} expression packs many variables under one
+    # brace pair. Counting expressions would miss this.
+    template = "{" + ",".join(f"v{i}" for i in range(11)) + "}"
+    with pytest.raises(InvalidUriTemplate, match="maximum of 10 variables"):
+        UriTemplate.parse(template, max_variables=10)
 
 
 def test_parse_custom_limits_allow_larger():
     template = "".join(f"{{v{i}}}" for i in range(20))
-    tmpl = UriTemplate.parse(template, max_expressions=20)
+    tmpl = UriTemplate.parse(template, max_variables=20)
     assert len(tmpl.variables) == 20