
MCP-SAN: MCP Server Input Sanitization #49

@josealekhine

Description

The MCP server handlers (internal/mcp/server/handle_*.go) accept
client-supplied input over JSON-RPC and use it with minimal validation.
The validation package has SanitizeFilename and ValidateBoundary
but nothing for content or argument sanitization. entry.Validate only
checks field presence, not content safety.

  • Sanitize session IDs before using them in file paths #added:2026-03-21-103412

  • MCP-SAN.1: Add input length limits to all string arguments #priority:high #added:2026-03-15

    • Define max lengths in internal/config/mcp/cfg/ (e.g., MaxContentLen,
      MaxNameLen, MaxQueryLen, MaxCallerLen)
    • Apply length checks early in handleToolsCall, handlePromptsGet,
      handleResourcesRead, handleResourcesSubscribe
    • Cap toolRecall limit to a reasonable upper bound (e.g., 100)
    • Return ErrCodeInvalidArg with a clear message when exceeded
  • MCP-SAN.2: Validate entryType against allowlist before use #priority:high #added:2026-03-15

    • In toolAdd and toolWatchUpdate, check entryType exists in
      entryCfg.ToCtxFile map before proceeding — return error if not
    • This prevents writing entries with undefined type mappings
  • MCP-SAN.3: Sanitize content written to .context/ files #priority:high #added:2026-03-15

    • Content fields (content, context, rationale, consequences,
      lesson, application) are written directly to Markdown files
    • Strip or escape Markdown structure characters that could corrupt
      parsing: entry headers (## [YYYY-), task checkboxes (- [ ],
      - [x]), constitution rule format (- [ ] **Never)
    • Add a SanitizeEntryContent function in internal/validation
    • Apply in toolAdd, toolWatchUpdate, and buildEntryPrompt
  • MCP-SAN.4: Sanitize reflected input in error/success messages #added:2026-03-15

    • params.Name reflected in unknown-prompt/unknown-tool errors
      (handle_prompt.go:66, handle_tool.go:120)
    • params.URI reflected in unknown-resource error
      (handle_resource.go:104)
    • caller reflected in session-started message
      (handle_tool.go:804)
    • Truncate or strip control characters before including in responses
  • MCP-SAN.5: Add tests for all sanitization paths #added:2026-03-15

    • Test that oversized inputs are rejected
    • Test that invalid entryType values are rejected
    • Test that Markdown injection in content fields is neutralized
    • Test that reflected strings are truncated/safe
    • Test that toolRecall limit is capped
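The following is an added example of what the MCP-SAN.1 to MCP-SAN.4 checks (plus the session-ID item) could look like as one validation layer; it is not code from this repository. The limit values, the `ErrInvalidArg` sentinel, the `toCtxFile` map standing in for `entryCfg.ToCtxFile`, the `AddParams` struct and the session-ID pattern are all assumptions chosen for illustration. `SanitizeEntryContent` neutralizes the structure the issue names (`## [YYYY-` headers and `- [ ]` / `- [x]` checkboxes, which also covers the `- [ ] **Never` constitution format) by backslash-escaping the line-leading marker rather than deleting text, so a reviewer can still read what was submitted.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
	"unicode"
	"unicode/utf8"
)

// Limits are assumed values; the issue names the constants but not their sizes.
const (
	MaxContentLen  = 4096
	MaxNameLen     = 128
	MaxCallerLen   = 64
	MaxRecallLimit = 100
	maxReflectLen  = 80
)

// ErrInvalidArg is a hypothetical sentinel; a real handler would map it to the
// JSON-RPC ErrCodeInvalidArg response named in the issue.
var ErrInvalidArg = errors.New("invalid argument")

// toCtxFile stands in for entryCfg.ToCtxFile (constructed sample contents).
var toCtxFile = map[string]string{
	"decision": ".context/decisions.md",
	"lesson":   ".context/lessons.md",
	"task":     ".context/tasks.md",
}

var (
	// Assumed allowlist for session IDs that end up in file paths.
	sessionIDRe = regexp.MustCompile(`^[A-Za-z0-9_-]{1,64}$`)
	// Line-leading structure the .context parser treats specially (per the issue):
	// entry headers "## [YYYY-" and task/constitution checkboxes "- [ ]" / "- [x]".
	entryHeaderRe = regexp.MustCompile(`(?m)^(#{1,6})[ \t]*\[(\d{4})-`)
	checkboxRe    = regexp.MustCompile(`(?m)^([ \t]*)- \[([ xX])\]`)
)

// checkLen rejects over-long arguments before any further processing (MCP-SAN.1).
func checkLen(field, v string, max int) error {
	if n := utf8.RuneCountInString(v); n > max {
		return fmt.Errorf("%w: %s is %d characters, limit %d", ErrInvalidArg, field, n, max)
	}
	return nil
}

// capRecallLimit bounds the toolRecall limit to [1, MaxRecallLimit] (MCP-SAN.1).
func capRecallLimit(limit int) int {
	switch {
	case limit < 1:
		return 1
	case limit > MaxRecallLimit:
		return MaxRecallLimit
	}
	return limit
}

// validateSessionID allowlists the characters that may reach a file path.
func validateSessionID(id string) error {
	if !sessionIDRe.MatchString(id) {
		return fmt.Errorf("%w: malformed session id", ErrInvalidArg)
	}
	return nil
}

// validateEntryType checks the allowlist before any file is chosen (MCP-SAN.2).
func validateEntryType(t string) error {
	if _, ok := toCtxFile[t]; !ok {
		return fmt.Errorf("%w: unknown entryType %q", ErrInvalidArg, sanitizeReflected(t))
	}
	return nil
}

// SanitizeEntryContent drops control characters (keeping newline and tab) and
// backslash-escapes line-leading Markdown structure so the text survives but no
// longer parses as an entry header or checkbox (MCP-SAN.3).
func SanitizeEntryContent(s string) string {
	s = strings.Map(func(r rune) rune {
		if r == '\n' || r == '\t' || !unicode.IsControl(r) {
			return r
		}
		return -1
	}, s)
	s = entryHeaderRe.ReplaceAllString(s, `\$1 [$2-`)
	s = checkboxRe.ReplaceAllString(s, `$1\- [$2]`)
	return s
}

// sanitizeReflected strips non-printable runes and truncates before a
// client-supplied string is echoed in an error or status message (MCP-SAN.4).
func sanitizeReflected(s string) string {
	s = strings.Map(func(r rune) rune {
		if unicode.IsPrint(r) {
			return r
		}
		return -1
	}, s)
	if rs := []rune(s); len(rs) > maxReflectLen {
		return string(rs[:maxReflectLen]) + "..."
	}
	return s
}

// AddParams is a hypothetical subset of the toolAdd arguments.
type AddParams struct {
	EntryType, Name, Content, Caller string
}

// ValidateAddParams applies the checks in the order the issue asks for:
// lengths first, then the allowlist, then content sanitization.
func ValidateAddParams(p AddParams) (AddParams, error) {
	if err := checkLen("name", p.Name, MaxNameLen); err != nil {
		return p, err
	}
	if err := checkLen("caller", p.Caller, MaxCallerLen); err != nil {
		return p, err
	}
	if err := checkLen("content", p.Content, MaxContentLen); err != nil {
		return p, err
	}
	if err := validateEntryType(p.EntryType); err != nil {
		return p, err
	}
	p.Content = SanitizeEntryContent(p.Content)
	return p, nil
}

func main() {
	// Constructed input: a note that carries a fake entry header and a checkbox line.
	p := AddParams{EntryType: "lesson", Name: "rotate-keys", Caller: "cli",
		Content: "Rotate keys quarterly.\n## [2026-01-01] fake entry\n- [ ] **Never** ship"}
	out, err := ValidateAddParams(p)
	fmt.Printf("%q %v\n", out.Content, err)
	_, err = ValidateAddParams(AddParams{EntryType: "../etc", Name: "x", Caller: "cli\x1b[31m"})
	fmt.Println(err)
}
```

Length checks run on rune count rather than bytes so multi-byte input cannot slip past a byte-oriented limit by a factor of four, and the unknown-entryType error passes the reflected value through `sanitizeReflected` so the MCP-SAN.4 rule holds even on the error path. The MCP-SAN.5 tests would assert exactly the behaviours shown here: oversized fields rejected, `../etc` rejected, header and checkbox lines escaped, control characters gone from echoed strings.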
