Skip to content

server: add max_body_bytes guard for HTTP request bodies #2012

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
TheodorNEngoy wants to merge 6 commits into
base: main
Choose a base branch
from
Open

server: add max_body_bytes guard for HTTP request bodies #2012

TheodorNEngoy wants to merge 6 commits into from
+626 −31

Conversation

@TheodorNEngoy
Copy link

@TheodorNEngoy TheodorNEngoy commented Feb 7, 2026
edited
Loading

Adds a configurable request-body size cap to avoid unbounded await request.body() buffering for MCP HTTP endpoints.

Changes:

  • Add max_body_bytes (default: 1_000_000, None disables) to:
    • StreamableHTTPServerTransport
    • StreamableHTTPSessionManager + Server.streamable_http_app() plumbing
    • MCPServer.streamable_http_app() / MCPServer.run(..., transport='streamable-http') passthrough
    • SseServerTransport
    • MCPServer.sse_app() / MCPServer.run(..., transport='sse') passthrough
    • OAuth dynamic client registration /register handler via ClientRegistrationOptions.max_body_bytes
  • Enforce the limit while reading the body (streaming) and return 413 Payload Too Large (with Connection: close) when exceeded.
  • Add tests covering StreamableHTTP, SSE, and /register.
  • Add README notes about the default limit + how to override.

Local checks:

  • uv run ruff check src tests
  • uv run pyright
  • uv run pytest -q tests/server/test_streamable_http_manager.py tests/server/test_sse_max_body_bytes.py tests/server/auth/test_error_handling.py

@TheodorNEngoy
Copy link
Author

TheodorNEngoy commented Feb 7, 2026

Pushed a follow-up to fix CI:

  • end-of-file fixer issue in http_body.py
  • added focused tests to cover max_body_bytes edge cases + transport validation
  • adjusted one test for pyright (typed Any)

Coverage now reports 100% locally (matches CI settings), so checks should go green on the next run.

@TheodorNEngoy
Copy link
Author

TheodorNEngoy commented Feb 8, 2026

Clarifying my previous comment (shell ate the backticks):

  • Removed a few incorrect '# pragma: no cover' markers so strict-no-cover passes.
  • Expanded SSE tests so the CI fail_under=100 coverage gate stays green.

@TheodorNEngoy
Copy link
Author

TheodorNEngoy commented Feb 8, 2026

Follow-up (CI): windows py3.12 locked was failing in TestChildProcessCleanup.test_nested_process_tree due to a timing-sensitive “file grew after 0.3s” assertion and then leaking subprocesses on failure.

I updated that test to poll briefly for file growth and to always terminate the process tree in finally, which should make that job reliable.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@TheodorNEngoy