feat: forward _meta in upstream MCP requests for resources/read and prompts/get (#4141)

* feat: forward metadata in MCP requests for prompt and resource retrieval

Signed-off-by: Lang-Akshay <akshay.shinde26@ibm.com>

* feat: implement metadata validation and logging limits for MCP requests

Signed-off-by: Lang-Akshay <akshay.shinde26@ibm.com>

* feat: streamline resource and prompt retrieval with optional metadata injection

Signed-off-by: Lang-Akshay <akshay.shinde26@ibm.com>

* feat(tests): add security regression tests for meta_data validation in prompt and resource services

Signed-off-by: Lang-Akshay <akshay.shinde26@ibm.com>

* feat(tests): update tests to forward meta_data in resource service requests

Signed-off-by: Lang-Akshay <akshay.shinde26@ibm.com>

* fixup: ruff

Signed-off-by: Lang-Akshay <akshay.shinde26@ibm.com>

* feat: implement metadata validation limits to prevent excessive load on MCP servers

Signed-off-by: Lang-Akshay <akshay.shinde26@ibm.com>

* feat: enhance meta_data validation with depth and size checks across services and tests

Signed-off-by: Lang-Akshay <akshay.shinde26@ibm.com>

* feat: add configurable limits for user-supplied meta_data to prevent excessive load on MCP servers

Signed-off-by: Lang-Akshay <akshay.shinde26@ibm.com>

* fix: enhance logging security by ensuring only meta_data key names are logged, protecting sensitive information

Signed-off-by: Lang-Akshay <akshay.shinde26@ibm.com>

---------

Signed-off-by: Lang-Akshay <akshay.shinde26@ibm.com>

Author: Lang-Akshay

.env.example

@@ -872,6 +872,15 @@ OTEL_EXPORTER_OTLP_ENDPOINT=http://localhost:4317
 # Default: 10000 characters
 # MAX_PARAM_LENGTH=10000
 
+# CWE-400: Limits for user-supplied meta_data forwarded to upstream MCP servers.
+# Keeps arbitrarily large dicts from amplifying into downstream network/DB load.
+# Maximum number of top-level keys in meta_data (default: 16)
+# META_MAX_KEYS=16
+# Maximum nesting depth in meta_data (default: 2)
+# META_MAX_DEPTH=2
+# Maximum JSON-encoded byte size of meta_data (default: 4096)
+# META_MAX_BYTES=4096
+
 # Regex patterns for dangerous input (JSON array)
 # Used to detect and block malicious input patterns
 # Default patterns:

.secrets.baseline

@@ -3,7 +3,7 @@
     "files": "^.secrets.baseline|package-lock.json|Cargo.lock|scripts/sign_image.sh|scripts/zap|sonar-project.properties|uv.lock|^.secrets.baseline$",
     "lines": null
   },
-  "generated_at": "2026-04-13T09:59:07Z",
+  "generated_at": "2026-04-14T12:29:01Z",
   "plugins_used": [
     {
       "name": "AWSKeyDetector"
@@ -108,71 +108,71 @@
         "hashed_secret": "fa9beb99e4029ad5a6615399e7bbae21356086b3",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 977,
+        "line_number": 986,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "7b4455a56fbf1d198e45e04c437488514645a82c",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 1003,
+        "line_number": 1012,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "ac371b6dcce28a86c90d12bc57d946a800eebf17",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 1083,
+        "line_number": 1092,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "0b6ec68df700dec4dcd64babd0eda1edccddace1",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 1088,
+        "line_number": 1097,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "4ad6f0082ee224001beb3ca5c3e81c8ceea5ed86",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 1093,
+        "line_number": 1102,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "cb32747fcfb55eaa194c8cd8e4ba7d49ada08a94",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 1099,
+        "line_number": 1108,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "6c178d51b13520496dbc767ed3d9d7aa5803ac72",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 1111,
+        "line_number": 1120,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "ca45060a53fd8a255d1a83ee8d2f025283ccc66e",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 1129,
+        "line_number": 1138,
         "type": "Secret Keyword",
         "verified_result": null
       },
       {
         "hashed_secret": "910fbf00f58e9bcb095ea26a75cc1d9a3355e671",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 1190,
+        "line_number": 1199,
         "type": "Secret Keyword",
         "verified_result": null
       }
@@ -5788,15 +5788,15 @@
         "hashed_secret": "c377074d6473f35a91001981355da793dc808ffd",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 700,
+        "line_number": 699,
         "type": "Hex High Entropy String",
         "verified_result": null
       },
       {
         "hashed_secret": "9d4e1e23bd5b727046a9e3b4b7db57bd8d6ee684",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 1102,
+        "line_number": 1101,
         "type": "Basic Auth Credentials",
         "verified_result": null
       }
@@ -5814,7 +5814,7 @@
         "hashed_secret": "ff37a98a9963d347e9749a5c1b3936a4a245a6ff",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 2225,
+        "line_number": 2228,
         "type": "Secret Keyword",
         "verified_result": null
       }
@@ -6128,15 +6128,15 @@
         "hashed_secret": "a10b98d7340036e9c8c301704f623eddd733cc1a",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 297,
+        "line_number": 346,
         "type": "Hex High Entropy String",
         "verified_result": null
       },
       {
         "hashed_secret": "718cbcc5a4207c0d5f38e3a309bdba17cb0074b7",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 3374,
+        "line_number": 3422,
         "type": "Hex High Entropy String",
         "verified_result": null
       }
@@ -10660,15 +10660,15 @@
         "hashed_secret": "b4c9248600a42f8c38c01b632f392dbcb4c7b19a",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 11085,
+        "line_number": 11086,
         "type": "Hex High Entropy String",
         "verified_result": null
       },
       {
         "hashed_secret": "90bd1b48e958257948487b90bee080ba5ed00caa",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 12222,
+        "line_number": 12223,
         "type": "Hex High Entropy String",
         "verified_result": null
       }

mcpgateway/common/validators.py

@@ -50,12 +50,13 @@
 # Standard
 from html.parser import HTMLParser
 import ipaddress
+import json
 import logging
 from pathlib import Path
 import re
 import shlex
 import socket
-from typing import Any, Iterable, List, Optional, Pattern
+from typing import Any, Dict, Iterable, List, Optional, Pattern
 from urllib.parse import urlparse
 import uuid
 
@@ -76,9 +77,7 @@
 _HTML_SPECIAL_CHARS_RE: Pattern[str] = re.compile(r'[<>"\']')  # / removed per SEP-986
 _DANGEROUS_TEMPLATE_TAGS_RE: Pattern[str] = re.compile(r"<(script|iframe|object|embed|link|meta|base|form)\b", re.IGNORECASE)
 _EVENT_HANDLER_RE: Pattern[str] = re.compile(r"on\w+\s*=", re.IGNORECASE)
-_MIME_TYPE_RE: Pattern[str] = re.compile(
-    r'^[a-zA-Z0-9][a-zA-Z0-9!#$&\-\^_+\.]*\/[a-zA-Z0-9][a-zA-Z0-9!#$&\-\^_+\.]*(?:\s*;\s*[a-zA-Z0-9!#$&\-\^_+\.]+=(?:[a-zA-Z0-9!#$&\-\^_+\.]+|"[^"\r\n]*"))*$'
-)
+_MIME_TYPE_RE: Pattern[str] = re.compile(r'^[a-zA-Z0-9][a-zA-Z0-9!#$&\-\^_+\.]*\/[a-zA-Z0-9][a-zA-Z0-9!#$&\-\^_+\.]*(?:\s*;\s*[a-zA-Z0-9!#$&\-\^_+\.]+=(?:[a-zA-Z0-9!#$&\-\^_+\.]+|"[^"\r\n]*"))*$')
 _URI_SCHEME_RE: Pattern[str] = re.compile(r"^[a-zA-Z][a-zA-Z0-9+\-.]*://")
 _SHELL_DANGEROUS_CHARS_RE: Pattern[str] = re.compile(r"[;&|`$(){}\[\]<>]")
 _ANSI_ESCAPE_RE: Pattern[str] = re.compile(r"\x1B\[[0-9;]*[A-Za-z]")
@@ -1815,3 +1814,60 @@ def validate_core_url(value: str, field_name: str = "URL") -> str:
         The validated URL string.
     """
     return SecurityValidator.validate_url(value, field_name)
+
+
+# CWE-400: Limits for user-supplied meta_data forwarded to upstream MCP servers.
+# Keeps arbitrarily large dicts from amplifying into downstream network/DB load.
+# These are now read from config (settings.meta_max_keys, etc.) but kept as
+# module-level aliases for backward-compatible imports.
+META_MAX_KEYS: int = settings.meta_max_keys
+META_MAX_DEPTH: int = settings.meta_max_depth
+META_MAX_BYTES: int = settings.meta_max_bytes
+
+
+def validate_meta_data(meta_data: Optional[Dict[str, Any]]) -> None:
+    """Enforce size, key-count, and depth limits on user-supplied meta_data (CWE-400).
+
+    Args:
+        meta_data: The metadata dictionary to validate. ``None`` is always accepted.
+
+    Raises:
+        ValueError: if any limit is exceeded.
+    """
+    max_keys = settings.meta_max_keys
+    max_depth = settings.meta_max_depth
+    max_bytes = settings.meta_max_bytes
+
+    if not meta_data:
+        return
+    if len(meta_data) > max_keys:
+        raise ValueError(f"meta_data exceeds maximum key count ({max_keys}): got {len(meta_data)}")
+
+    def _check_depth(obj: Any, depth: int) -> None:
+        """Recursively enforce nesting depth, traversing both dicts and lists (CWE-400).
+
+        Lists are traversed without incrementing the depth counter so that a
+        list-of-dicts does not hide an extra level of dict nesting — e.g.
+        ``{"k": [{"l2": {"l3": "x"}}]}`` is correctly caught as depth 3.
+        """
+        if depth > max_depth:
+            raise ValueError(f"meta_data exceeds maximum nesting depth ({max_depth})")
+        if isinstance(obj, dict):
+            for v in obj.values():
+                _check_depth(v, depth + 1)
+        elif isinstance(obj, list):
+            for item in obj:
+                _check_depth(item, depth)
+
+    for v in meta_data.values():
+        _check_depth(v, 1)
+
+    try:
+        # CWE-20: Use strict json.dumps (no default=str) so non-serializable objects
+        # raise TypeError rather than being silently coerced — keeps the byte limit
+        # meaningful and matches the strict rejection behaviour used in prompt_service.
+        size = len(json.dumps(meta_data))
+        if size > max_bytes:
+            raise ValueError(f"meta_data exceeds maximum size ({max_bytes} bytes): got {size}")
+    except (TypeError, ValueError) as exc:
+        raise ValueError(f"meta_data is not serializable: {exc}") from exc

mcpgateway/config.py

@@ -360,6 +360,9 @@ class Settings(BaseSettings):
     allowed_roots: List[str] = Field(default_factory=list, description="Allowed root paths for resource access")
     max_path_depth: int = Field(default=10, description="Maximum allowed path depth")
     max_param_length: int = Field(default=10000, description="Maximum parameter length")
+    meta_max_keys: int = Field(default=16, description="Maximum number of keys in user-supplied meta_data forwarded to upstream MCP servers (CWE-400)")
+    meta_max_depth: int = Field(default=2, description="Maximum nesting depth for user-supplied meta_data forwarded to upstream MCP servers (CWE-400)")
+    meta_max_bytes: int = Field(default=4096, description="Maximum JSON-encoded byte size for user-supplied meta_data forwarded to upstream MCP servers (CWE-400)")
     dangerous_patterns: List[str] = Field(
         default_factory=lambda: [
             r"[;&|`$(){}\[\]<>]",  # Shell metacharacters