1- # Claude Debug
1+ # Claude Debug
22"""Test for HackerOne vulnerability report #3156202 - malformed input DOS."""
33
44import anyio
@@ -23,12 +23,8 @@ async def test_malformed_initialize_request_does_not_crash_server():
2323 instead of crashing the server (HackerOne #3156202).
2424 """
2525 # Create in-memory streams for testing
26- read_send_stream , read_receive_stream = anyio .create_memory_object_stream [
27- SessionMessage | Exception
28- ](10 )
29- write_send_stream , write_receive_stream = anyio .create_memory_object_stream [
30- SessionMessage
31- ](10 )
26+ read_send_stream , read_receive_stream = anyio .create_memory_object_stream [SessionMessage | Exception ](10 )
27+ write_send_stream , write_receive_stream = anyio .create_memory_object_stream [SessionMessage ](10 )
3228
3329 try :
3430 # Create a malformed initialize request (missing required params field)
@@ -38,7 +34,7 @@ async def test_malformed_initialize_request_does_not_crash_server():
3834 method = "initialize" ,
3935 # params=None # Missing required params field
4036 )
41-
37+
4238 # Wrap in session message
4339 request_message = SessionMessage (message = JSONRPCMessage (malformed_request ))
4440
@@ -54,22 +50,22 @@ async def test_malformed_initialize_request_does_not_crash_server():
5450 ):
5551 # Send the malformed request
5652 await read_send_stream .send (request_message )
57-
53+
5854 # Give the session time to process the request
5955 await anyio .sleep (0.1 )
60-
56+
6157 # Check that we received an error response instead of a crash
6258 try :
6359 response_message = write_receive_stream .receive_nowait ()
6460 response = response_message .message .root
65-
61+
6662 # Verify it's a proper JSON-RPC error response
6763 assert isinstance (response , JSONRPCError )
6864 assert response .jsonrpc == "2.0"
6965 assert response .id == "f20fe86132ed4cd197f89a7134de5685"
7066 assert response .error .code == INVALID_PARAMS
7167 assert "Invalid request parameters" in response .error .message
72-
68+
7369 # Verify the session is still alive and can handle more requests
7470 # Send another malformed request to confirm server stability
7571 another_malformed_request = JSONRPCRequest (
@@ -78,21 +74,19 @@ async def test_malformed_initialize_request_does_not_crash_server():
7874 method = "tools/call" ,
7975 # params=None # Missing required params
8076 )
81- another_request_message = SessionMessage (
82- message = JSONRPCMessage (another_malformed_request )
83- )
84-
77+ another_request_message = SessionMessage (message = JSONRPCMessage (another_malformed_request ))
78+
8579 await read_send_stream .send (another_request_message )
8680 await anyio .sleep (0.1 )
87-
81+
8882 # Should get another error response, not a crash
8983 second_response_message = write_receive_stream .receive_nowait ()
9084 second_response = second_response_message .message .root
91-
85+
9286 assert isinstance (second_response , JSONRPCError )
9387 assert second_response .id == "test_id_2"
9488 assert second_response .error .code == INVALID_PARAMS
95-
89+
9690 except anyio .WouldBlock :
9791 pytest .fail ("No response received - server likely crashed" )
9892 finally :
@@ -109,12 +103,8 @@ async def test_multiple_concurrent_malformed_requests():
109103 Test that multiple concurrent malformed requests don't crash the server.
110104 """
111105 # Create in-memory streams for testing
112- read_send_stream , read_receive_stream = anyio .create_memory_object_stream [
113- SessionMessage | Exception
114- ](100 )
115- write_send_stream , write_receive_stream = anyio .create_memory_object_stream [
116- SessionMessage
117- ](100 )
106+ read_send_stream , read_receive_stream = anyio .create_memory_object_stream [SessionMessage | Exception ](100 )
107+ write_send_stream , write_receive_stream = anyio .create_memory_object_stream [SessionMessage ](100 )
118108
119109 try :
120110 # Start a server session
@@ -136,18 +126,16 @@ async def test_multiple_concurrent_malformed_requests():
136126 method = "initialize" ,
137127 # params=None # Missing required params
138128 )
139- request_message = SessionMessage (
140- message = JSONRPCMessage (malformed_request )
141- )
129+ request_message = SessionMessage (message = JSONRPCMessage (malformed_request ))
142130 malformed_requests .append (request_message )
143-
131+
144132 # Send all requests
145133 for request in malformed_requests :
146134 await read_send_stream .send (request )
147-
135+
148136 # Give time to process
149137 await anyio .sleep (0.2 )
150-
138+
151139 # Verify we get error responses for all requests
152140 error_responses = []
153141 try :
@@ -156,10 +144,10 @@ async def test_multiple_concurrent_malformed_requests():
156144 error_responses .append (response_message .message .root )
157145 except anyio .WouldBlock :
158146 pass # No more messages
159-
147+
160148 # Should have received 10 error responses
161149 assert len (error_responses ) == 10
162-
150+
163151 for i , response in enumerate (error_responses ):
164152 assert isinstance (response , JSONRPCError )
165153 assert response .id == f"malformed_{ i } "
@@ -169,4 +157,4 @@ async def test_multiple_concurrent_malformed_requests():
169157 await read_send_stream .aclose ()
170158 await write_send_stream .aclose ()
171159 await read_receive_stream .aclose ()
172- await write_receive_stream .aclose ()
160+ await write_receive_stream .aclose ()