mcp: add support for max size buffer body (#41962)

wdauchy · web-flow · commit 6d9a080eff87 · 2025-11-17T21:38:51.000-05:00
Commit Message: add support for max size buffer body in mcp fixes #41960 Additional Description: the recent mcp filter is relying on body buffering in order to parse the relevant data we receive. A simple option could allow to limit the body size buffering when such filter is used in an edge environment where clients are not trusted. Risk Level: Testing: success case: ``` $ curl -v -w "Status: %{http_code}\n" -H -X POST https://mcphost/mcp -H 'Content-Type: application/json' -H 'Accept: application/json, text/event-stream' -d "{\"jsonrpc\":\"2.0\",\"method\":\"tools/call\",\"params\":{\"data\":\"$(python3 -c 'print("x"*8092)')\"}, \"id\":1}" [...] > Content-Length: 8160 Status: 200 ``` error case: ``` $ curl -v -w "Status: %{http_code}\n" -H -X POST https://mcphost/mcp -H 'Content-Type: application/json' -H 'Accept: application/json, text/event-stream' -d "{\"jsonrpc\":\"2.0\",\"method\":\"tools/call\",\"params\":{\"data\":\"$(python3 -c 'print("x"*8192)')\"}, \"id\":1}" [...] > Content-Length: 8260 Status: 413 ``` Docs Changes: Release Notes: Platform Specific Features: [Optional Runtime guard:] [Optional Fixes #Issue] [Optional Fixes commit #PR or SHA] [Optional Deprecated:] [Optional [API Considerations](https://github.com/envoyproxy/envoy/blob/main/api/review_checklist.md):] --------- Signed-off-by: William Dauchy <william.dauchy@datadoghq.com>
diff --git a/api/envoy/extensions/filters/http/mcp/v3/mcp.proto b/api/envoy/extensions/filters/http/mcp/v3/mcp.proto
@@ -2,6 +2,8 @@ syntax = "proto3";
 
 package envoy.extensions.filters.http.mcp.v3;
 
+import "google/protobuf/wrappers.proto";
+
 import "xds/annotations/v3/status.proto";
 
 import "udpa/annotations/status.proto";
@@ -40,6 +42,15 @@ message Mcp {
   // This allows the route to be re-selected based on the MCP metadata (e.g., method, params).
   // Defaults to false.
   bool clear_route_cache = 2;
+
+  // Maximum size of the request body to buffer for JSON-RPC validation.
+  // If the request body exceeds this size, the request is rejected with ``413 Payload Too Large``.
+  // This limit applies to both ``REJECT_NO_MCP`` and ``PASS_THROUGH`` modes to prevent unbounded buffering.
+  //
+  // It defaults to 8KB (8192 bytes) and the maximum allowed value is 10MB (10485760 bytes).
+  //
+  // Setting it to 0 would disable the limit. It is not recommended to do so in production.
+  google.protobuf.UInt32Value max_request_body_size = 3 [(validate.rules).uint32 = {lte: 10485760}];
 }
 
 // McpOverride for MCP filter
diff --git a/source/extensions/filters/http/mcp/mcp_filter.cc b/source/extensions/filters/http/mcp/mcp_filter.cc
@@ -97,6 +97,14 @@ Http::FilterHeadersStatus McpFilter::decodeHeaders(Http::RequestHeaderMap& heade
     } else {
       // Need to buffer the body to check for JSON-RPC 2.0
       is_mcp_request_ = true;
+
+      // Set the buffer limit - Envoy will automatically send 413 if exceeded
+      const uint32_t max_size = config_->maxRequestBodySize();
+      if (max_size > 0) {
+        decoder_callbacks_->setDecoderBufferLimit(max_size);
+        ENVOY_LOG(debug, "set decoder buffer limit to {} bytes", max_size);
+      }
+
       return Http::FilterHeadersStatus::StopIteration;
     }
   }
@@ -118,7 +126,24 @@ Http::FilterDataStatus McpFilter::decodeData(Buffer::Instance& data, bool end_st
   }
 
   if (end_stream) {
-    decoder_callbacks_->addDecodedData(data, true);
+    // Check if the complete request body exceeds the limit
+    const uint32_t max_size = config_->maxRequestBodySize();
+    if (max_size > 0) {
+      decoder_callbacks_->addDecodedData(data, false);
+      const uint64_t total_size = decoder_callbacks_->decodingBuffer()->length();
+
+      if (total_size > max_size) {
+        ENVOY_LOG(debug, "request body size {} exceeds maximum {}", total_size, max_size);
+        decoder_callbacks_->sendLocalReply(
+            Http::Code::PayloadTooLarge,
+            absl::StrCat("Request body size exceeds maximum allowed size of ", max_size, " bytes"),
+            nullptr, absl::nullopt, "mcp_filter_body_too_large");
+        return Http::FilterDataStatus::StopIterationNoBuffer;
+      }
+    } else {
+      decoder_callbacks_->addDecodedData(data, false);
+    }
+
     std::string json = decoder_callbacks_->decodingBuffer()->toString();
     if (metadata_ == nullptr) {
       metadata_ = std::make_unique<Protobuf::Struct>();
diff --git a/source/extensions/filters/http/mcp/mcp_filter.h b/source/extensions/filters/http/mcp/mcp_filter.h
@@ -33,7 +33,10 @@ class McpFilterConfig {
 public:
   explicit McpFilterConfig(const envoy::extensions::filters::http::mcp::v3::Mcp& proto_config)
       : traffic_mode_(proto_config.traffic_mode()),
-        clear_route_cache_(proto_config.clear_route_cache()) {}
+        clear_route_cache_(proto_config.clear_route_cache()),
+        max_request_body_size_(proto_config.has_max_request_body_size()
+                                   ? proto_config.max_request_body_size().value()
+                                   : 8192) {} // Default: 8KB
 
   envoy::extensions::filters::http::mcp::v3::Mcp::TrafficMode trafficMode() const {
     return traffic_mode_;
@@ -45,9 +48,12 @@ class McpFilterConfig {
 
   bool clearRouteCache() const { return clear_route_cache_; }
 
+  uint32_t maxRequestBodySize() const { return max_request_body_size_; }
+
 private:
   const envoy::extensions::filters::http::mcp::v3::Mcp::TrafficMode traffic_mode_;
   const bool clear_route_cache_;
+  const uint32_t max_request_body_size_;
 };
 
 /**
diff --git a/test/extensions/filters/http/mcp/mcp_filter_test.cc b/test/extensions/filters/http/mcp/mcp_filter_test.cc
@@ -150,7 +150,7 @@ TEST_F(McpFilterTest, RejectModeRejectsNonJsonRpc) {
   Buffer::OwnedImpl buffer(body);
   Buffer::OwnedImpl decoding_buffer;
 
-  EXPECT_CALL(decoder_callbacks_, addDecodedData(_, true))
+  EXPECT_CALL(decoder_callbacks_, addDecodedData(_, false))
       .WillOnce([&decoding_buffer](Buffer::Instance& data, bool) { decoding_buffer.move(data); });
   EXPECT_CALL(decoder_callbacks_, decodingBuffer()).WillRepeatedly(Return(&decoding_buffer));
 
@@ -192,7 +192,7 @@ TEST_F(McpFilterTest, DynamicMetadataSet) {
   Buffer::OwnedImpl buffer(json);
   Buffer::OwnedImpl decoding_buffer;
 
-  EXPECT_CALL(decoder_callbacks_, addDecodedData(_, true))
+  EXPECT_CALL(decoder_callbacks_, addDecodedData(_, false))
       .WillOnce([&decoding_buffer](Buffer::Instance& data, bool) { decoding_buffer.move(data); });
   EXPECT_CALL(decoder_callbacks_, decodingBuffer()).WillRepeatedly(Return(&decoding_buffer));
 
@@ -241,7 +241,7 @@ TEST_F(McpFilterTest, WrongJsonRpcVersion) {
   Buffer::OwnedImpl buffer(wrong_version);
   Buffer::OwnedImpl decoding_buffer;
 
-  EXPECT_CALL(decoder_callbacks_, addDecodedData(_, true))
+  EXPECT_CALL(decoder_callbacks_, addDecodedData(_, false))
       .WillOnce([&decoding_buffer](Buffer::Instance& data, bool) { decoding_buffer.move(data); });
   EXPECT_CALL(decoder_callbacks_, decodingBuffer()).WillRepeatedly(Return(&decoding_buffer));
 
@@ -282,6 +282,233 @@ TEST_F(McpFilterTest, PostWithWrongContentType) {
   EXPECT_EQ(Http::FilterHeadersStatus::Continue, filter_->decodeHeaders(headers, false));
 }
 
+// Test default max body size configuration
+TEST_F(McpFilterTest, DefaultMaxBodySizeIsEightKB) {
+  envoy::extensions::filters::http::mcp::v3::Mcp proto_config;
+  // Don't set max_request_body_size, should default to 8KB
+  auto config = std::make_shared<McpFilterConfig>(proto_config);
+  EXPECT_EQ(8192u, config->maxRequestBodySize());
+}
+
+// Test custom max body size configuration
+TEST_F(McpFilterTest, CustomMaxBodySizeConfiguration) {
+  envoy::extensions::filters::http::mcp::v3::Mcp proto_config;
+  proto_config.mutable_max_request_body_size()->set_value(16384);
+  auto config = std::make_shared<McpFilterConfig>(proto_config);
+  EXPECT_EQ(16384u, config->maxRequestBodySize());
+}
+
+// Test disabled max body size (0 = no limit)
+TEST_F(McpFilterTest, DisabledMaxBodySizeConfiguration) {
+  envoy::extensions::filters::http::mcp::v3::Mcp proto_config;
+  proto_config.mutable_max_request_body_size()->set_value(0);
+  auto config = std::make_shared<McpFilterConfig>(proto_config);
+  EXPECT_EQ(0u, config->maxRequestBodySize());
+}
+
+// Test request body under the limit succeeds
+TEST_F(McpFilterTest, RequestBodyUnderLimitSucceeds) {
+  envoy::extensions::filters::http::mcp::v3::Mcp proto_config;
+  proto_config.mutable_max_request_body_size()->set_value(1024); // 1KB limit
+  config_ = std::make_shared<McpFilterConfig>(proto_config);
+  filter_ = std::make_unique<McpFilter>(config_);
+  filter_->setDecoderFilterCallbacks(decoder_callbacks_);
+
+  Http::TestRequestHeaderMapImpl headers{{":method", "POST"},
+                                         {"content-type", "application/json"},
+                                         {"accept", "application/json"},
+                                         {"accept", "text/event-stream"}};
+
+  EXPECT_CALL(decoder_callbacks_, setDecoderBufferLimit(1024));
+  filter_->decodeHeaders(headers, false);
+
+  // Create a JSON-RPC body that's under 1KB
+  std::string json = R"({"jsonrpc": "2.0", "method": "test", "params": {"key": "value"}, "id": 1})";
+  Buffer::OwnedImpl buffer(json);
+  Buffer::OwnedImpl decoding_buffer;
+
+  EXPECT_CALL(decoder_callbacks_, addDecodedData(_, false))
+      .WillOnce([&decoding_buffer](Buffer::Instance& data, bool) { decoding_buffer.move(data); });
+  EXPECT_CALL(decoder_callbacks_, decodingBuffer()).WillRepeatedly(Return(&decoding_buffer));
+  EXPECT_CALL(decoder_callbacks_.stream_info_, setDynamicMetadata("mcp_proxy", _));
+
+  EXPECT_EQ(Http::FilterDataStatus::Continue, filter_->decodeData(buffer, true));
+}
+
+// Test request body exceeding the limit gets 413
+TEST_F(McpFilterTest, RequestBodyExceedingLimitRejected) {
+  envoy::extensions::filters::http::mcp::v3::Mcp proto_config;
+  proto_config.mutable_max_request_body_size()->set_value(100); // Very small limit
+  config_ = std::make_shared<McpFilterConfig>(proto_config);
+  filter_ = std::make_unique<McpFilter>(config_);
+  filter_->setDecoderFilterCallbacks(decoder_callbacks_);
+
+  Http::TestRequestHeaderMapImpl headers{{":method", "POST"},
+                                         {"content-type", "application/json"},
+                                         {"accept", "application/json"},
+                                         {"accept", "text/event-stream"}};
+
+  EXPECT_CALL(decoder_callbacks_, setDecoderBufferLimit(100));
+  filter_->decodeHeaders(headers, false);
+
+  // Create a JSON body that exceeds 100 bytes
+  std::string json =
+      R"({"jsonrpc": "2.0", "method": "test", "params": {"key": "value", "longkey": "this is a very long string to exceed the limit"}, "id": 1})";
+  Buffer::OwnedImpl buffer(json);
+  Buffer::OwnedImpl decoding_buffer;
+
+  EXPECT_CALL(decoder_callbacks_, addDecodedData(_, false))
+      .WillOnce([&decoding_buffer](Buffer::Instance& data, bool) { decoding_buffer.move(data); });
+  EXPECT_CALL(decoder_callbacks_, decodingBuffer()).WillRepeatedly(Return(&decoding_buffer));
+
+  EXPECT_CALL(decoder_callbacks_,
+              sendLocalReply(Http::Code::PayloadTooLarge,
+                             testing::HasSubstr("Request body size exceeds maximum allowed size"),
+                             _, _, "mcp_filter_body_too_large"));
+
+  EXPECT_EQ(Http::FilterDataStatus::StopIterationNoBuffer, filter_->decodeData(buffer, true));
+}
+
+// Test request body with limit disabled (0 = no limit) allows large bodies
+TEST_F(McpFilterTest, RequestBodyWithDisabledLimitAllowsLargeBodies) {
+  envoy::extensions::filters::http::mcp::v3::Mcp proto_config;
+  proto_config.mutable_max_request_body_size()->set_value(0); // Disable limit
+  config_ = std::make_shared<McpFilterConfig>(proto_config);
+  filter_ = std::make_unique<McpFilter>(config_);
+  filter_->setDecoderFilterCallbacks(decoder_callbacks_);
+
+  Http::TestRequestHeaderMapImpl headers{{":method", "POST"},
+                                         {"content-type", "application/json"},
+                                         {"accept", "application/json"},
+                                         {"accept", "text/event-stream"}};
+
+  // Should NOT call setDecoderBufferLimit when limit is 0
+  EXPECT_CALL(decoder_callbacks_, setDecoderBufferLimit(_)).Times(0);
+  filter_->decodeHeaders(headers, false);
+
+  // Create a large JSON-RPC body
+  std::string large_data(50000, 'x'); // 50KB of data
+  std::string json = R"({"jsonrpc": "2.0", "method": "test", "params": {"data": ")" + large_data +
+                     R"("}, "id": 1})";
+  Buffer::OwnedImpl buffer(json);
+  Buffer::OwnedImpl decoding_buffer;
+
+  EXPECT_CALL(decoder_callbacks_, addDecodedData(_, false))
+      .WillOnce([&decoding_buffer](Buffer::Instance& data, bool) { decoding_buffer.move(data); });
+  EXPECT_CALL(decoder_callbacks_, decodingBuffer()).WillRepeatedly(Return(&decoding_buffer));
+  EXPECT_CALL(decoder_callbacks_.stream_info_, setDynamicMetadata("mcp_proxy", _));
+
+  // Should succeed even with large body
+  EXPECT_EQ(Http::FilterDataStatus::Continue, filter_->decodeData(buffer, true));
+}
+
+// Test request body exactly at the limit succeeds
+TEST_F(McpFilterTest, RequestBodyExactlyAtLimitSucceeds) {
+  envoy::extensions::filters::http::mcp::v3::Mcp proto_config;
+  proto_config.mutable_max_request_body_size()->set_value(100); // 100 byte limit
+  config_ = std::make_shared<McpFilterConfig>(proto_config);
+  filter_ = std::make_unique<McpFilter>(config_);
+  filter_->setDecoderFilterCallbacks(decoder_callbacks_);
+
+  Http::TestRequestHeaderMapImpl headers{{":method", "POST"},
+                                         {"content-type", "application/json"},
+                                         {"accept", "application/json"},
+                                         {"accept", "text/event-stream"}};
+
+  EXPECT_CALL(decoder_callbacks_, setDecoderBufferLimit(100));
+  filter_->decodeHeaders(headers, false);
+
+  // Create a JSON body that's exactly 100 bytes
+  std::string json =
+      R"({"jsonrpc": "2.0", "method": "testMethod", "params": {"key": "val"}, "id": 1})"; // 81
+                                                                                          // bytes
+  // Pad to exactly 100 bytes
+  while (json.size() < 100) {
+    json.insert(json.size() - 1, " ");
+  }
+  json = json.substr(0, 100);
+
+  Buffer::OwnedImpl buffer(json);
+  Buffer::OwnedImpl decoding_buffer;
+
+  EXPECT_CALL(decoder_callbacks_, addDecodedData(_, false))
+      .WillOnce([&decoding_buffer](Buffer::Instance& data, bool) { decoding_buffer.move(data); });
+  EXPECT_CALL(decoder_callbacks_, decodingBuffer()).WillRepeatedly(Return(&decoding_buffer));
+
+  // Should NOT be rejected
+  EXPECT_CALL(decoder_callbacks_, sendLocalReply(Http::Code::PayloadTooLarge, _, _, _, _)).Times(0);
+
+  // Note: This might fail JSON parsing due to padding, but should not trigger size limit
+  filter_->decodeData(buffer, true);
+}
+
+// Test that buffer limit is set for valid MCP POST requests
+TEST_F(McpFilterTest, BufferLimitSetForValidMcpPostRequest) {
+  envoy::extensions::filters::http::mcp::v3::Mcp proto_config;
+  proto_config.mutable_max_request_body_size()->set_value(8192);
+  config_ = std::make_shared<McpFilterConfig>(proto_config);
+  filter_ = std::make_unique<McpFilter>(config_);
+  filter_->setDecoderFilterCallbacks(decoder_callbacks_);
+
+  Http::TestRequestHeaderMapImpl headers{{":method", "POST"},
+                                         {"content-type", "application/json"},
+                                         {"accept", "application/json"},
+                                         {"accept", "text/event-stream"}};
+
+  EXPECT_CALL(decoder_callbacks_, setDecoderBufferLimit(8192));
+  EXPECT_EQ(Http::FilterHeadersStatus::StopIteration, filter_->decodeHeaders(headers, false));
+}
+
+// Test that buffer limit is NOT set when limit is disabled
+TEST_F(McpFilterTest, BufferLimitNotSetWhenDisabled) {
+  envoy::extensions::filters::http::mcp::v3::Mcp proto_config;
+  proto_config.mutable_max_request_body_size()->set_value(0); // Disabled
+  config_ = std::make_shared<McpFilterConfig>(proto_config);
+  filter_ = std::make_unique<McpFilter>(config_);
+  filter_->setDecoderFilterCallbacks(decoder_callbacks_);
+
+  Http::TestRequestHeaderMapImpl headers{{":method", "POST"},
+                                         {"content-type", "application/json"},
+                                         {"accept", "application/json"},
+                                         {"accept", "text/event-stream"}};
+
+  EXPECT_CALL(decoder_callbacks_, setDecoderBufferLimit(_)).Times(0);
+  EXPECT_EQ(Http::FilterHeadersStatus::StopIteration, filter_->decodeHeaders(headers, false));
+}
+
+// Test body size check in PASS_THROUGH mode
+TEST_F(McpFilterTest, BodySizeLimitInPassThroughMode) {
+  envoy::extensions::filters::http::mcp::v3::Mcp proto_config;
+  proto_config.set_traffic_mode(envoy::extensions::filters::http::mcp::v3::Mcp::PASS_THROUGH);
+  proto_config.mutable_max_request_body_size()->set_value(50); // Small limit
+  config_ = std::make_shared<McpFilterConfig>(proto_config);
+  filter_ = std::make_unique<McpFilter>(config_);
+  filter_->setDecoderFilterCallbacks(decoder_callbacks_);
+
+  Http::TestRequestHeaderMapImpl headers{{":method", "POST"},
+                                         {"content-type", "application/json"},
+                                         {"accept", "application/json"},
+                                         {"accept", "text/event-stream"}};
+
+  EXPECT_CALL(decoder_callbacks_, setDecoderBufferLimit(50));
+  filter_->decodeHeaders(headers, false);
+
+  // Large body should be rejected even in PASS_THROUGH mode
+  std::string json =
+      R"({"jsonrpc": "2.0", "method": "test", "params": {"key": "value with lots of data"}, "id": 1})";
+  Buffer::OwnedImpl buffer(json);
+  Buffer::OwnedImpl decoding_buffer;
+
+  EXPECT_CALL(decoder_callbacks_, addDecodedData(_, false))
+      .WillOnce([&decoding_buffer](Buffer::Instance& data, bool) { decoding_buffer.move(data); });
+  EXPECT_CALL(decoder_callbacks_, decodingBuffer()).WillRepeatedly(Return(&decoding_buffer));
+
+  EXPECT_CALL(decoder_callbacks_,
+              sendLocalReply(Http::Code::PayloadTooLarge, _, _, _, "mcp_filter_body_too_large"));
+
+  EXPECT_EQ(Http::FilterDataStatus::StopIterationNoBuffer, filter_->decodeData(buffer, true));
+}
+
 // Test route cache is NOT cleared by default when metadata is set
 TEST_F(McpFilterTest, RouteCacheNotClearedByDefault) {
   Http::TestRequestHeaderMapImpl headers{{":method", "POST"},
@@ -295,7 +522,7 @@ TEST_F(McpFilterTest, RouteCacheNotClearedByDefault) {
   Buffer::OwnedImpl buffer(json);
   Buffer::OwnedImpl decoding_buffer;
 
-  EXPECT_CALL(decoder_callbacks_, addDecodedData(_, true))
+  EXPECT_CALL(decoder_callbacks_, addDecodedData(_, false))
       .WillOnce([&decoding_buffer](Buffer::Instance& data, bool) { decoding_buffer.move(data); });
   EXPECT_CALL(decoder_callbacks_, decodingBuffer()).WillRepeatedly(Return(&decoding_buffer));
 
@@ -323,7 +550,7 @@ TEST_F(McpFilterTest, RouteCacheNotClearedWhenDisabled) {
   Buffer::OwnedImpl buffer(json);
   Buffer::OwnedImpl decoding_buffer;
 
-  EXPECT_CALL(decoder_callbacks_, addDecodedData(_, true))
+  EXPECT_CALL(decoder_callbacks_, addDecodedData(_, false))
       .WillOnce([&decoding_buffer](Buffer::Instance& data, bool) { decoding_buffer.move(data); });
   EXPECT_CALL(decoder_callbacks_, decodingBuffer()).WillRepeatedly(Return(&decoding_buffer));
 
@@ -351,7 +578,7 @@ TEST_F(McpFilterTest, RouteCacheClearedWhenExplicitlyEnabled) {
   Buffer::OwnedImpl buffer(json);
   Buffer::OwnedImpl decoding_buffer;
 
-  EXPECT_CALL(decoder_callbacks_, addDecodedData(_, true))
+  EXPECT_CALL(decoder_callbacks_, addDecodedData(_, false))
       .WillOnce([&decoding_buffer](Buffer::Instance& data, bool) { decoding_buffer.move(data); });
   EXPECT_CALL(decoder_callbacks_, decodingBuffer()).WillRepeatedly(Return(&decoding_buffer));
 
