chore: update host validation error to 403

2026-01-14 09:57:58 -05:00 · 2026-01-13 16:16:45 -08:00
2 changed files with 12 additions and 92 deletions
--- a/internal/server/server.go
+++ b/internal/server/server.go
@@ -304,10 +304,14 @@ func hostCheck(allowedHosts map[string]struct{}) func(http.Handler) http.Handler
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			_, hasWildcard := allowedHosts["*"]
-			_, hostIsAllowed := allowedHosts[r.Host]
+			hostname := r.Host
+			if host, _, err := net.SplitHostPort(r.Host); err == nil {
+				hostname = host
+			}
+			_, hostIsAllowed := allowedHosts[hostname]
 			if !hasWildcard && !hostIsAllowed {
-				// Return 400 Bad Request or 403 Forbidden to block the attack
-				http.Error(w, "Invalid Host header", http.StatusBadRequest)
+				// Return 403 Forbidden to block the attack
+				http.Error(w, "Invalid Host header", http.StatusForbidden)
 				return
 			}
 			next.ServeHTTP(w, r)
@@ -406,7 +410,11 @@ func NewServer(ctx context.Context, cfg ServerConfig) (*Server, error) {
 	}
 	allowedHostsMap := make(map[string]struct{}, len(cfg.AllowedHosts))
 	for _, h := range cfg.AllowedHosts {
-		allowedHostsMap[h] = struct{}{}
+		hostname := h
+		if host, _, err := net.SplitHostPort(h); err == nil {
+			hostname = host
+		}
+		allowedHostsMap[hostname] = struct{}{}
 	}
 	r.Use(hostCheck(allowedHostsMap))

--- a/server.json
+++ b/server.json
@@ -31,18 +31,6 @@
                    "default": "tools.yaml",
                    "isRequired": false
                },
-                {
-                    "type": "named",
-                    "name": "--tools-files",
-                    "description": "Multiple file paths specifying tool configurations. Files will be merged. Cannot be used with –-tools-file or –-tools-folder.",
-                    "isRequired": false
-                },
-                {
-                    "type": "named",
-                    "name": "--tools-folder",
-                    "description": "Directory path containing YAML tool configuration files. All .yaml and .yml files in the directory will be loaded and merged. Cannot be used with –-tools-file or –-tools-files.",
-                    "isRequired": false
-                },
                {
                    "type": "named",
                    "name": "--address",
@@ -82,82 +70,6 @@
                        "warn",
                        "error"
                    ]
-                },
-                {
-                    "type": "named",
-                    "name": "--logging-format",
-                    "description": "Specify logging format to use.",
-                    "default": "standard",
-                    "choices": [
-                        "standard",
-                        "json"
-                    ]
-                },
-                {
-                    "type": "named",
-                    "name": "--disable-reload",
-                    "description": "Disables dynamic reloading of tools file.",
-                    "format": "boolean",
-                    "isRequired": false
-                },
-                {
-                    "type": "named",
-                    "name": "--prebuilt",
-                    "description": "Use a prebuilt tool configuration by source type.",
-                    "isRequired": false
-                },
-                {
-                    "type": "named",
-                    "name": "--stdio",
-                    "description": "Listens via MCP STDIO instead of acting as a remote HTTP server.",
-                    "format": "boolean",
-                    "isRequired": false
-                },
-                {
-                    "type": "named",
-                    "name": "--telemetry-gcp",
-                    "description": "Enable exporting directly to Google Cloud Monitoring.",
-                    "format": "boolean",
-                    "isRequired": false
-                },
-                {
-                    "type": "named",
-                    "name": "--telemetry-otlp",
-                    "description": "Enable exporting using OpenTelemetry Protocol (OTLP) to the specified endpoint (e.g. 'http://127.0.0.1:4318').",
-                    "isRequired": false
-                },
-                {
-                    "type": "named",
-                    "name": "--telemetry-service-name",
-                    "description": "Sets the value of the service.name resource attribute for telemetry data.",
-                    "default": "toolbox",
-                    "isRequired": false
-                },
-                {
-                    "type": "named",
-                    "name": "--ui",
-                    "description": "Launches the Toolbox UI web server.",
-                    "format": "boolean",
-                    "isRequired": false
-                },
-                {
-                    "type": "named",
-                    "name": "--allowed-origins",
-                    "description": "Specifies a list of origins permitted to access this server.",
-                    "default": "*",
-                    "isRequired": false
-                },
-                {
-                    "type": "named",
-                    "name": "--help",
-                    "description": "Show help for toolbox",
-                    "isRequired": false
-                },
-                {
-                    "type": "named",
-                    "name": "--version",
-                    "description": "Show version for toolbox",
-                    "isRequired": false
                }
            ]
        }