chore: update host validation error to 403

internal/server/config.go

@@ -16,7 +16,6 @@ package server
 import (
 	"context"
 	"fmt"
-	"regexp"
 	"strings"
 
 	yaml "github.com/goccy/go-yaml"
@@ -140,10 +139,6 @@ func (c *SourceConfigs) UnmarshalYAML(ctx context.Context, unmarshal func(interf
 	}
 
 	for name, u := range raw {
-		err := NameValidation(name)
-		if err != nil {
-			return err
-		}
 		// Unmarshal to a general type that ensure it capture all fields
 		var v map[string]any
 		if err := u.Unmarshal(&v); err != nil {
@@ -188,10 +183,6 @@ func (c *AuthServiceConfigs) UnmarshalYAML(ctx context.Context, unmarshal func(i
 	}
 
 	for name, u := range raw {
-		err := NameValidation(name)
-		if err != nil {
-			return err
-		}
 		var v map[string]any
 		if err := u.Unmarshal(&v); err != nil {
 			return fmt.Errorf("unable to unmarshal %q: %w", name, err)
@@ -235,10 +226,6 @@ func (c *EmbeddingModelConfigs) UnmarshalYAML(ctx context.Context, unmarshal fun
 	}
 
 	for name, u := range raw {
-		err := NameValidation(name)
-		if err != nil {
-			return err
-		}
 		// Unmarshal to a general type that ensure it capture all fields
 		var v map[string]any
 		if err := u.Unmarshal(&v); err != nil {
@@ -283,10 +270,6 @@ func (c *ToolConfigs) UnmarshalYAML(ctx context.Context, unmarshal func(interfac
 	}
 
 	for name, u := range raw {
-		err := NameValidation(name)
-		if err != nil {
-			return err
-		}
 		var v map[string]any
 		if err := u.Unmarshal(&v); err != nil {
 			return fmt.Errorf("unable to unmarshal %q: %w", name, err)
@@ -340,10 +323,6 @@ func (c *ToolsetConfigs) UnmarshalYAML(ctx context.Context, unmarshal func(inter
 	}
 
 	for name, toolList := range raw {
-		err := NameValidation(name)
-		if err != nil {
-			return err
-		}
 		(*c)[name] = tools.ToolsetConfig{Name: name, ToolNames: toolList}
 	}
 	return nil
@@ -363,10 +342,6 @@ func (c *PromptConfigs) UnmarshalYAML(ctx context.Context, unmarshal func(interf
 	}
 
 	for name, u := range raw {
-		err := NameValidation(name)
-		if err != nil {
-			return err
-		}
 		var v map[string]any
 		if err := u.Unmarshal(&v); err != nil {
 			return fmt.Errorf("unable to unmarshal prompt %q: %w", name, err)
@@ -414,31 +389,7 @@ func (c *PromptsetConfigs) UnmarshalYAML(ctx context.Context, unmarshal func(int
 	}
 
 	for name, promptList := range raw {
-		err := NameValidation(name)
-		if err != nil {
-			return err
-		}
 		(*c)[name] = prompts.PromptsetConfig{Name: name, PromptNames: promptList}
 	}
 	return nil
 }
-
-// Tools naming validation is added in the MCP v2025-11-25, but we'll be
-// implementing it across Toolbox
-// Tool names SHOULD be between 1 and 128 characters in length (inclusive).
-// Tool names SHOULD be considered case-sensitive.
-// The following SHOULD be the only allowed characters: uppercase and lowercase ASCII letters (A-Z, a-z), digits (0-9), underscore (_), hyphen (-), and dot (.)
-// Tool names SHOULD NOT contain spaces, commas, or other special characters.
-// Tool names SHOULD be unique within a server.
-func NameValidation(name string) error {
-	strLen := len(name)
-	if strLen < 1 || strLen > 128 {
-		return fmt.Errorf("resource name SHOULD be between 1 and 128 characters in length (inclusive)")
-	}
-	validChars := regexp.MustCompile("^[a-zA-Z0-9_.-]+$")
-	isValid := validChars.MatchString(name)
-	if !isValid {
-		return fmt.Errorf("invalid character for resource name; only uppercase and lowercase ASCII letters (A-Z, a-z), digits (0-9), underscore (_), hyphen (-), and dot (.) is allowed")
-	}
-	return nil
-}

internal/server/server.go

@@ -304,10 +304,14 @@ func hostCheck(allowedHosts map[string]struct{}) func(http.Handler) http.Handler
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			_, hasWildcard := allowedHosts["*"]
-			_, hostIsAllowed := allowedHosts[r.Host]
+			hostname := r.Host
+			if host, _, err := net.SplitHostPort(r.Host); err == nil {
+				hostname = host
+			}
+			_, hostIsAllowed := allowedHosts[hostname]
 			if !hasWildcard && !hostIsAllowed {
-				// Return 400 Bad Request or 403 Forbidden to block the attack
-				http.Error(w, "Invalid Host header", http.StatusBadRequest)
+				// Return 403 Forbidden to block the attack
+				http.Error(w, "Invalid Host header", http.StatusForbidden)
 				return
 			}
 			next.ServeHTTP(w, r)
@@ -406,7 +410,11 @@ func NewServer(ctx context.Context, cfg ServerConfig) (*Server, error) {
 	}
 	allowedHostsMap := make(map[string]struct{}, len(cfg.AllowedHosts))
 	for _, h := range cfg.AllowedHosts {
-		allowedHostsMap[h] = struct{}{}
+		hostname := h
+		if host, _, err := net.SplitHostPort(h); err == nil {
+			hostname = host
+		}
+		allowedHostsMap[hostname] = struct{}{}
 	}
 	r.Use(hostCheck(allowedHostsMap))
 

internal/server/server_test.go

@@ -200,62 +200,3 @@ func TestUpdateServer(t *testing.T) {
 		t.Errorf("error updating server, promptset (-want +got):\n%s", diff)
 	}
 }
-
-func TestNameValidation(t *testing.T) {
-	testCases := []struct {
-		desc         string
-		resourceName string
-		errStr       string
-	}{
-		{
-			desc:         "names with 0 length",
-			resourceName: "",
-			errStr:       "resource name SHOULD be between 1 and 128 characters in length (inclusive)",
-		},
-		{
-			desc:         "names with allowed length",
-			resourceName: "foo",
-		},
-		{
-			desc:         "names with 128 length",
-			resourceName: strings.Repeat("a", 128),
-		},
-		{
-			desc:         "names with more than 128 length",
-			resourceName: strings.Repeat("a", 129),
-			errStr:       "resource name SHOULD be between 1 and 128 characters in length (inclusive)",
-		},
-		{
-			desc:         "names with space",
-			resourceName: "foo bar",
-			errStr:       "invalid character for resource name; only uppercase and lowercase ASCII letters (A-Z, a-z), digits (0-9), underscore (_), hyphen (-), and dot (.) is allowed",
-		},
-		{
-			desc:         "names with commas",
-			resourceName: "foo,bar",
-			errStr:       "invalid character for resource name; only uppercase and lowercase ASCII letters (A-Z, a-z), digits (0-9), underscore (_), hyphen (-), and dot (.) is allowed",
-		},
-		{
-			desc:         "names with other special character",
-			resourceName: "foo!",
-			errStr:       "invalid character for resource name; only uppercase and lowercase ASCII letters (A-Z, a-z), digits (0-9), underscore (_), hyphen (-), and dot (.) is allowed",
-		},
-		{
-			desc:         "names with allowed special character",
-			resourceName: "foo_.-bar6",
-		},
-	}
-	for _, tc := range testCases {
-		t.Run(tc.desc, func(t *testing.T) {
-			err := server.NameValidation(tc.resourceName)
-			if err != nil {
-				if tc.errStr != err.Error() {
-					t.Fatalf("unexpected error: %s", err)
-				}
-			}
-			if err == nil && tc.errStr != "" {
-				t.Fatalf("expect error: %s", tc.errStr)
-			}
-		})
-	}
-}