
Commit 5476129

refactor: use _normalize_scope_path in MCPPathRewriteMiddleware
Replace inline root_path stripping with existing _normalize_scope_path() which provides full-segment boundary checks and root_path="/" safety. Closes #4215 Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>
1 parent 72a5fd8 commit 5476129

1 file changed

+3
-8
lines changed

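--- a/mcpgateway/main.py
+++ b/mcpgateway/main.py
@@ -1434,9 +1434,7 @@ def jsonpath_modifier(data: Any, jsonpath: str = "$[*]", mappings: Optional[Dict
 # Log jsonpath_modifier invocation with structured data (only if debug enabled)
 if logger.isEnabledFor(logging.DEBUG):
 data_length = len(data) if isinstance(data, list) else None
-logger.debug(
-f"jsonpath_modifier: path='{SecurityValidator.sanitize_log_message(jsonpath)}', has_mappings={mappings is not None}, " f"data_type={type(data).__name__}, data_length={data_length}"
-)
+logger.debug(f"jsonpath_modifier: path='{SecurityValidator.sanitize_log_message(jsonpath)}', has_mappings={mappings is not None}, data_type={type(data).__name__}, data_length={data_length}")
 
 try:
 main_expr: JSONPath = _parse_jsonpath(jsonpath)
@@ -3005,15 +3003,12 @@ async def _call_streamable_http(self, scope, receive, send):
 original_path = scope.get("path", "")
 scope["modified_path"] = original_path
 
-# Extract root_path prefix and strip it before pattern matching.
+# Strip root_path prefix before pattern matching.
 # In reverse proxy deployments, scope["path"] may contain the full path
 # including the proxy prefix (e.g., "/dev/mcp-gateway/service/gateway/servers/123/mcp").
 # We need to strip this prefix to correctly match the /servers/ pattern.
-# Pattern follows streamablehttp_transport.py:831 and token_scoping.py:354.
 root_path = (scope.get("root_path") or settings.app_root_path or "").rstrip("/")
-app_path = original_path
-if root_path and original_path.startswith(root_path + "/"):
-app_path = original_path[len(root_path) :]
+app_path = _normalize_scope_path(original_path, root_path)
 
 # Skip rewriting for well-known URIs (RFC 9728 OAuth metadata, etc.)
 # These paths may end with /mcp but should not be rewritten to the MCP transport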
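Review bot: The new `app_path = _normalize_scope_path(original_path, root_path)` call moves the prefix-stripping rule into a helper whose body is not shown in this hunk, and the commit adds no test pinning the edge cases the description relies on. Because `app_path` decides whether a request is rewritten to the MCP transport, I would add tests for a path equal to `root_path`, a path that shares only a string prefix with it (constructed example: root `/dev`, path `/devtools/servers/1/mcp`), and an empty `root_path`, each asserting the intended `app_path`. The caller still applies `.rstrip("/")`, so a `root_path` of `/` reaches the helper as `""`; a comment such as `# root_path is already rstrip("/")-ed here; "" means no proxy prefix` would make that contract explicit. The removed comment named streamablehttp_transport.py:831 and token_scoping.py:354 as following the same pattern; if those sites still strip inline, this middleware and the token-scoping check could normalise the same request differently, which is worth confirming. `_call_streamable_http` begins and ends outside the hunk.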
