feat: add URI length guard to UriTemplate.match()

Adds a max_uri_length keyword argument (default 64 KiB) that returns
None for oversized inputs before regex evaluation. Guards against
resource exhaustion from pathologically long URIs, particularly on
stdio transport where there is no inherent message size limit.

Consistent with the existing max_length/max_expressions limits on
parse(); the default is exported as DEFAULT_MAX_URI_LENGTH.

Author: maxisbey

src/mcp/shared/uri_template.py

@@ -30,6 +30,7 @@
 
 DEFAULT_MAX_TEMPLATE_LENGTH = 1_000_000
 DEFAULT_MAX_EXPRESSIONS = 10_000
+DEFAULT_MAX_URI_LENGTH = 65_536
 
 # RFC 3986 reserved characters, kept unencoded by {+var} and {#var}.
 _RESERVED = ":/?#[]@!$&'()*+,;="
@@ -333,7 +334,7 @@ def expand(self, variables: Mapping[str, str | Sequence[str]]) -> str:
                 out.append(_expand_expression(part, variables))
         return "".join(out)
 
-    def match(self, uri: str) -> dict[str, str | list[str]] | None:
+    def match(self, uri: str, *, max_uri_length: int = DEFAULT_MAX_URI_LENGTH) -> dict[str, str | list[str]] | None:
         """Match a concrete URI against this template and extract variables.
 
         This is the inverse of :meth:`expand`. The URI is matched against
@@ -368,13 +369,19 @@ def match(self, uri: str) -> dict[str, str | list[str]] | None:
 
         Args:
             uri: A concrete URI string.
+            max_uri_length: Maximum permitted length of the input URI.
+                Oversized inputs return ``None`` without regex evaluation,
+                guarding against resource exhaustion.
 
         Returns:
             A mapping from variable names to decoded values (``str`` for
             scalar variables, ``list[str]`` for explode variables), or
-            ``None`` if the URI does not match the template or a decoded
-            value violates structural integrity.
+            ``None`` if the URI does not match the template, a decoded
+            value violates structural integrity, or the URI exceeds
+            ``max_uri_length``.
         """
+        if len(uri) > max_uri_length:
+            return None
         m = self._pattern.fullmatch(uri)
         if m is None:
             return None

tests/shared/test_uri_template.py

@@ -427,6 +427,26 @@ def test_match_bare_encoded_delimiter_rejected():
     assert t.match("file://docs/%2F") is None
 
 
+def test_match_rejects_oversized_uri():
+    t = UriTemplate.parse("{var}")
+    assert t.match("x" * 100, max_uri_length=50) is None
+
+
+def test_match_accepts_uri_within_custom_limit():
+    t = UriTemplate.parse("{var}")
+    assert t.match("x" * 100, max_uri_length=200) == {"var": "x" * 100}
+
+
+def test_match_default_uri_length_limit():
+    from mcp.shared.uri_template import DEFAULT_MAX_URI_LENGTH
+
+    t = UriTemplate.parse("{+var}")
+    # Just at the limit: should match
+    assert t.match("x" * DEFAULT_MAX_URI_LENGTH) is not None
+    # One over: should reject
+    assert t.match("x" * (DEFAULT_MAX_URI_LENGTH + 1)) is None
+
+
 def test_match_structural_integrity_per_explode_segment():
     t = UriTemplate.parse("/files{/path*}")
     # Each segment checked independently