test: add adversarial security test cases for layered defense

maxisbey · maxisbey · commit a463ed9f76dc · 2026-03-26T18:24:44.000Z
Adds coverage for encoding-based attack vectors across both security
layers:

Layer 1 (structural integrity in UriTemplate.match):
- Double-encoding %252F decoded once, accepted as literal %2F
- Multi-param template with one poisoned value rejects whole match
- Value decoding to only the forbidden delimiter rejected

Layer 2 (ResourceSecurity traversal check):
- %5C backslash passes structural, caught by traversal normalization
- %2E%2E encoded dots pass structural, caught by traversal check
- Mixed encoded+literal slash fails at regex before decoding
diff --git a/tests/server/mcpserver/resources/test_resource_template.py b/tests/server/mcpserver/resources/test_resource_template.py
@@ -73,6 +73,29 @@ def test_matches_explode_checks_each_segment():
     assert t.matches("api/a/../c") is None
 
 
+def test_matches_encoded_backslash_caught_by_traversal_layer():
+    # %5C decodes to '\\'. Backslash is not a URI delimiter, so it passes
+    # structural integrity (layer 1). The traversal check (layer 2)
+    # normalizes '\\' to '/' and catches the '..' components.
+    t = _make("file://docs/{name}")
+    assert t.matches("file://docs/..%5C..%5Csecret") is None
+
+
+def test_matches_encoded_dots_caught_by_traversal_layer():
+    # %2E%2E decodes to '..'. Contains no structural delimiter, so passes
+    # layer 1. Layer 2's traversal check catches the '..' component.
+    t = _make("file://docs/{name}")
+    assert t.matches("file://docs/%2E%2E") is None
+
+
+def test_matches_mixed_encoded_and_literal_slash():
+    # One encoded slash + one literal: literal '/' prevents the regex
+    # match at layer 0 (simple var stops at '/'), so this never reaches
+    # decoding. Different failure mode than pure-encoded traversal.
+    t = _make("file://docs/{name}")
+    assert t.matches("file://docs/..%2F../etc") is None
+
+
 def test_matches_escapes_template_literals():
     # Regression: old impl treated . as regex wildcard
     t = _make("data://v1.0/{id}")
diff --git a/tests/shared/test_uri_template.py b/tests/shared/test_uri_template.py
@@ -387,6 +387,28 @@ def test_match_structural_integrity_allows_slash_in_reserved():
     assert t.match("a/b") == {"path": "a/b"}
 
 
+def test_match_double_encoding_decoded_once():
+    # %252F is %2F encoded again. Single decode gives "%2F" (a literal
+    # percent sign, a '2', and an 'F'), which contains no '/' and should
+    # be accepted. Guards against over-decoding.
+    t = UriTemplate.parse("file://docs/{name}")
+    assert t.match("file://docs/..%252Fetc") == {"name": "..%2Fetc"}
+
+
+def test_match_multi_param_one_poisoned_rejects_whole():
+    # One bad param in a multi-param template rejects the entire match
+    t = UriTemplate.parse("file://{org}/{repo}")
+    assert t.match("file://acme/..%2Fsecret") is None
+    # But the same template with clean params matches fine
+    assert t.match("file://acme/project") == {"org": "acme", "repo": "project"}
+
+
+def test_match_bare_encoded_delimiter_rejected():
+    # A value that decodes to only the forbidden delimiter
+    t = UriTemplate.parse("file://docs/{name}")
+    assert t.match("file://docs/%2F") is None
+
+
 def test_match_structural_integrity_per_explode_segment():
     t = UriTemplate.parse("/files{/path*}")
     # Each segment checked independently
