fix(mcp): add CRLF injection protection and remove duplicate code

Author: timof1308

src/google/adk/runners.py

@@ -618,12 +618,6 @@ async def _run_with_trace(
               # Directly return if the current agent in invocation context is
               # already final.
               return
-            if invocation_context.end_of_agents.get(
-                invocation_context.agent.name
-            ):
-              # Directly return if the current agent in invocation context is
-              # already final.
-              return
 
         async def execute(ctx: InvocationContext) -> AsyncGenerator[Event]:
           async with Aclosing(ctx.agent.run_async(ctx)) as agen:

src/google/adk/tools/mcp_tool/_internal.py

@@ -138,6 +138,26 @@ def validate_header_name(header_name: str) -> None:
     )
 
 
+def validate_header_format(header_format: str) -> None:
+  """Validates that a header format string doesn't contain CRLF injection.
+
+  This prevents header injection attacks where malicious format strings
+  could inject additional headers via CRLF sequences.
+
+  Args:
+      header_format: The format string to validate.
+
+  Raises:
+      ValueError: If header_format contains CRLF sequences.
+  """
+  if "\r" in header_format or "\n" in header_format:
+    raise ValueError(
+        "Header format string cannot contain CRLF (carriage return or line feed) "
+        "characters due to header injection risk. "
+        f"Invalid format: {repr(header_format)}"
+    )
+
+
 def _validate_header_value(value: Any, allow_binary: bool = False) -> None:
   """Validates header values with RFC 7230 compliance and proper binary handling.
 

src/google/adk/tools/mcp_tool/mcp_toolset.py

@@ -49,6 +49,7 @@
 from ..tool_configs import BaseToolConfig
 from ..tool_configs import ToolArgsConfig
 from ._internal import sanitize_header_value
+from ._internal import validate_header_format
 from ._internal import validate_header_name
 from ._internal import validate_header_value
 from .mcp_session_manager import MCPSessionManager
@@ -144,8 +145,9 @@ def create_session_state_header_provider(
           )
       )
   """
-  # Validate header name upfront
+  # Validate header name and format upfront to prevent injection attacks
   validate_header_name(header_name)
+  validate_header_format(header_format)
 
   def provider(ctx: ReadonlyContext) -> Dict[str, str]:
     value = ctx.state.get(state_key, default_value)

tests/unittests/tools/mcp_tool/test_jwt_token_propagation.py

@@ -656,3 +656,40 @@ def test_binary_data_handling(self):
     dangerous_binary = b"dangerous\x00data\x01with\x02control"
     with pytest.raises(ValueError, match="dangerous"):
       _validate_header_value(dangerous_binary, allow_binary=True)
+
+  def test_header_format_crlf_injection_protection(self):
+    """Test that header format strings with CRLF sequences are rejected."""
+    from google.adk.tools.mcp_tool.mcp_toolset import create_session_state_header_provider
+    from google.adk.tools.mcp_tool._internal import validate_header_format
+
+    # Valid format strings should be accepted
+    valid_formats = [
+        "Bearer {value}",
+        "Basic {value}",
+        "key:{value}",
+        "Token {value}",
+        "{value}",
+    ]
+    for fmt in valid_formats:
+      validate_header_format(fmt)  # Should not raise
+
+    # Format strings with CRLF should be rejected
+    invalid_formats = [
+        "Bearer {value}\r\nX-Injected: evil",
+        "Bearer {value}\nInjected-Header: bad",
+        "Bearer {value}\rAnother: header",
+        "Bearer {value}\r\n",
+        "Bearer {value}\n",
+        "Bearer {value}\r",
+    ]
+    for fmt in invalid_formats:
+      with pytest.raises(ValueError, match="CRLF"):
+        validate_header_format(fmt)
+
+    # Test that create_session_state_header_provider validates format
+    with pytest.raises(ValueError, match="CRLF"):
+      create_session_state_header_provider(
+          state_key="token",
+          header_name="Authorization",
+          header_format="Bearer {value}\r\nX-Injected: evil"
+      )