enhance: Add safety features to HTTP validation tools response (#345)

* enhance: Add safety features to HTTP validation tools response - Add TypeScript interface (MCPToolResponse) for type safety - Implement 1MB response size validation and truncation - Add warning logs for large validation responses - Prevent memory issues with size limits (matches STDIO behavior) This enhances PR #343's fix with defensive measures: - Size validation prevents DoS/memory exhaustion - Truncation ensures HTTP transport stability - Type safety improves code maintainability All changes are backward compatible and non-breaking. Conceived by Romuald Członkowski - https://www.aiadvisors.pl/en * chore: Version bump to 2.20.4 with documentation - Bump version 2.20.3 → 2.20.4 - Add comprehensive CHANGELOG.md entry for v2.20.4 - Document CI test infrastructure issues in docs/CI_TEST_INFRASTRUCTURE.md - Explain MSW/external PR integration test failures - Reference PR #343 and enhancement safety features Code review: 9/10 (code-reviewer agent approved) Conceived by Romuald Członkowski - https://www.aiadvisors.pl/en
2026-02-10 07:13:07 +00:00 · 2025-10-21 20:25:48 +02:00
parent ef1cf747a3
commit 32264da107
4 changed files with 280 additions and 8 deletions
--- a/src/http-server.ts
+++ b/src/http-server.ts
@@ -23,6 +23,17 @@ import {

 dotenv.config();

+/**
+ * MCP tool response format with optional structured content
+ */
+interface MCPToolResponse {
+  content: Array<{
+    type: 'text';
+    text: string;
+  }>;
+  structuredContent?: unknown;
+}
+
 let expressServer: any;
 let authToken: string | null = null;

@@ -401,25 +412,43 @@ export async function startFixedHTTPServer() {
              // Delegate to the MCP server
              const toolName = jsonRpcRequest.params?.name;
              const toolArgs = jsonRpcRequest.params?.arguments || {};
-              
+
              try {
                const result = await mcpServer.executeTool(toolName, toolArgs);
-                
+
+                // Convert result to JSON text for content field
+                let responseText = JSON.stringify(result, null, 2);
+
                // Build MCP-compliant response with structuredContent for validation tools
-                const mcpResult: any = {
+                const mcpResult: MCPToolResponse = {
                  content: [
                    {
                      type: 'text',
-                      text: JSON.stringify(result, null, 2)
+                      text: responseText
                    }
                  ]
                };
-                
+
                // Add structuredContent for validation tools (they have outputSchema)
+                // Apply 1MB safety limit to prevent memory issues (matches STDIO server behavior)
                if (toolName.startsWith('validate_')) {
-                  mcpResult.structuredContent = result;
+                  const resultSize = responseText.length;
+
+                  if (resultSize > 1000000) {
+                    // Response is too large - truncate and warn
+                    logger.warn(
+                      `Validation tool ${toolName} response is very large (${resultSize} chars). ` +
+                      `Truncating for HTTP transport safety.`
+                    );
+                    mcpResult.content[0].text = responseText.substring(0, 999000) +
+                      '\n\n[Response truncated due to size limits]';
+                    // Don't include structuredContent for truncated responses
+                  } else {
+                    // Normal case - include structured content for MCP protocol compliance
+                    mcpResult.structuredContent = result;
+                  }
                }
-                
+
                response = {
                  jsonrpc: '2.0',
                  result: mcpResult,