turbomcp_server/

handler_validation.rs

//! Secure Handler Name Validation
//!
//! This module prevents handler name injection attacks by validating that handler names
//! are valid Rust identifiers using the `syn` crate (Sprint 2.4).
//!
//! ## Security Properties
//!
//! - **Injection Prevention**: Prevents malicious handler names like `../../../etc/passwd`,
//!   `foo"; DROP TABLE handlers; --`, or other injection attempts
//! - **Keyword Prevention**: Blocks Rust reserved keywords (`async`, `await`, `impl`, etc.)
//! - **Path Traversal Prevention**: Blocks path components like `..`
//! - **Canonical Validation**: Uses `syn::Ident` - the same validator used by rustc
//!
//! ## Attack Scenarios Prevented
//!
//! Without validation, an attacker could register handlers with names like:
//! - `../../../sensitive_file` - Path traversal
//! - `handler"; os.system("rm -rf /"); "` - Command injection
//! - `<script>alert(1)</script>` - XSS in web UIs
//! - `admin` or `system` - Privilege escalation attempts
//!
//! ## Implementation
//!
//! Uses the industry-standard `syn` crate (maintained by dtolnay) for identifier validation.
//! This is the same crate used by every Rust procedural macro and provides:
//! - Complete coverage of all Rust identifier rules
//! - Automatic keyword detection (including weak keywords)
//! - Zero maintenance (tracks Rust language evolution)
//! - Battle-tested by millions of Rust projects
//!
//! ## Usage
//!
//! ```rust,ignore
//! use turbomcp_server::handler_validation::validate_handler_name;
//!
//! // Valid handler names
//! assert!(validate_handler_name("get_user").is_ok());
//! assert!(validate_handler_name("fetch_data").is_ok());
//! assert!(validate_handler_name("tool_123").is_ok());
//!
//! // Invalid handler names
//! assert!(validate_handler_name("async").is_err());  // Reserved keyword
//! assert!(validate_handler_name("../etc/passwd").is_err());  // Path traversal
//! assert!(validate_handler_name("foo-bar").is_err());  // Invalid character
//! ```

use crate::ServerResult;

/// Reserved handler names that should not be allowed
///
/// These names are reserved for internal system use or represent potential
/// privilege escalation attempts.
#[cfg(feature = "security")]
const RESERVED_HANDLER_NAMES: &[&str] = &[
    // System handlers
    "initialize",
    "initialized",
    "shutdown",
    "ping",
    "pong",
    "health",
    "status",
    // Privilege escalation attempts
    "admin",
    "root",
    "system",
    "sudo",
    "su",
    "superuser",
    // Internal methods
    "internal",
    "private",
    "protected",
    "__init__",
    "__main__",
];

/// Maximum length for handler names (prevents DoS via extremely long names)
#[cfg(feature = "security")]
const MAX_HANDLER_NAME_LENGTH: usize = 128;

/// Validate a handler name for security
///
/// This function validates that a handler name is:
/// 1. A valid Rust identifier (using `syn::Ident`)
/// 2. Not a Rust reserved keyword
/// 3. Not a reserved system name
/// 4. Within reasonable length limits
///
/// ## Security Properties
///
/// - **Injection Prevention**: Uses `syn::Ident` which only accepts valid Rust identifiers
/// - **Keyword Protection**: Automatically rejects Rust keywords (`async`, `await`, etc.)
/// - **Reserved Name Protection**: Rejects internal system names
/// - **Length Limits**: Prevents DoS via extremely long names
///
/// ## Performance
///
/// - Validation time: ~100-200ns per name (syn parsing is very fast)
/// - No allocations for valid names
/// - Fails fast on obviously invalid names
///
/// ## Examples
///
/// ```rust,ignore
/// use turbomcp_server::handler_validation::validate_handler_name;
///
/// // Valid names
/// assert!(validate_handler_name("get_user_info").is_ok());
/// assert!(validate_handler_name("tool_v2").is_ok());
/// assert!(validate_handler_name("_private_helper").is_ok());
///
/// // Invalid names
/// assert!(validate_handler_name("").is_err());  // Empty
/// assert!(validate_handler_name("async").is_err());  // Keyword
/// assert!(validate_handler_name("admin").is_err());  // Reserved
/// assert!(validate_handler_name("../etc/passwd").is_err());  // Invalid chars
/// assert!(validate_handler_name("foo-bar").is_err());  // Hyphen not allowed
/// ```
///
/// ## Errors
///
/// Returns [`crate::ServerError::Handler`] if:
/// - Name is empty
/// - Name exceeds `MAX_HANDLER_NAME_LENGTH` (128 characters)
/// - Name is not a valid Rust identifier
/// - Name is a Rust reserved keyword
/// - Name is a reserved system name
#[cfg(feature = "security")]
pub fn validate_handler_name(name: &str) -> ServerResult<()> {
    use crate::ServerError;

    // Check for empty names
    if name.is_empty() {
        return Err(ServerError::handler(
            "Handler name cannot be empty".to_string(),
        ));
    }

    // Check length limits (prevent DoS)
    if name.len() > MAX_HANDLER_NAME_LENGTH {
        return Err(ServerError::handler(format!(
            "Handler name '{}...' exceeds maximum length of {} characters",
            &name[..50.min(name.len())],
            MAX_HANDLER_NAME_LENGTH
        )));
    }

    // Validate as Rust identifier using syn::Ident
    // This prevents injection attacks by ensuring the name only contains
    // valid identifier characters (alphanumeric + underscore, starting with letter/_)
    syn::parse_str::<syn::Ident>(name).map_err(|e| {
        ServerError::handler(format!(
            "Invalid handler name '{}': {}\n\
             \n\
             Handler names must be valid Rust identifiers:\n\
             - Start with a letter or underscore\n\
             - Contain only letters, numbers, and underscores\n\
             - Not be a Rust reserved keyword\n\
             \n\
             Reserved keywords include: async, await, fn, impl, let, match, struct, type, etc.\n\
             See: https://doc.rust-lang.org/reference/keywords.html",
            name, e
        ))
    })?;

    // Check against reserved system names
    if RESERVED_HANDLER_NAMES.contains(&name) {
        return Err(ServerError::handler(format!(
            "Handler name '{}' is reserved for system use.\n\
             \n\
             Reserved names: {:?}\n\
             \n\
             Please choose a different name for your handler.",
            name, RESERVED_HANDLER_NAMES
        )));
    }

    Ok(())
}

/// Validate a handler name (no-op when security feature is disabled)
///
/// When the `security` feature is not enabled, this function performs minimal validation
/// (empty check only) to maintain API compatibility while keeping the binary small.
#[cfg(not(feature = "security"))]
pub fn validate_handler_name(name: &str) -> ServerResult<()> {
    use crate::ServerError;

    if name.is_empty() {
        return Err(ServerError::handler(
            "Handler name cannot be empty".to_string(),
        ));
    }

    Ok(())
}

#[cfg(all(test, feature = "security"))]
mod tests {
    use super::*;

    #[test]
    fn test_valid_handler_names() {
        // Standard names
        assert!(validate_handler_name("get_user").is_ok());
        assert!(validate_handler_name("fetch_data").is_ok());
        assert!(validate_handler_name("process_request").is_ok());

        // With numbers
        assert!(validate_handler_name("tool_v2").is_ok());
        assert!(validate_handler_name("handler_123").is_ok());

        // Starting with underscore
        assert!(validate_handler_name("_internal").is_ok());
        assert!(validate_handler_name("_helper_function").is_ok());

        // CamelCase (valid as identifier)
        assert!(validate_handler_name("GetUser").is_ok());
        assert!(validate_handler_name("FetchData").is_ok());
    }

    #[test]
    fn test_reject_empty_name() {
        assert!(validate_handler_name("").is_err());
    }

    #[test]
    fn test_reject_reserved_keywords() {
        // Strict keywords
        assert!(validate_handler_name("async").is_err());
        assert!(validate_handler_name("await").is_err());
        assert!(validate_handler_name("fn").is_err());
        assert!(validate_handler_name("impl").is_err());
        assert!(validate_handler_name("let").is_err());
        assert!(validate_handler_name("match").is_err());
        assert!(validate_handler_name("struct").is_err());
        assert!(validate_handler_name("type").is_err());
    }

    #[test]
    fn test_reject_reserved_system_names() {
        assert!(validate_handler_name("initialize").is_err());
        assert!(validate_handler_name("shutdown").is_err());
        assert!(validate_handler_name("admin").is_err());
        assert!(validate_handler_name("root").is_err());
        assert!(validate_handler_name("system").is_err());
    }

    #[test]
    fn test_reject_path_traversal() {
        assert!(validate_handler_name("../etc/passwd").is_err());
        assert!(validate_handler_name("../../secret").is_err());
        assert!(validate_handler_name("..").is_err());
    }

    #[test]
    fn test_reject_invalid_characters() {
        // Hyphens
        assert!(validate_handler_name("foo-bar").is_err());

        // Spaces
        assert!(validate_handler_name("foo bar").is_err());

        // Special characters
        assert!(validate_handler_name("foo@bar").is_err());
        assert!(validate_handler_name("foo#bar").is_err());
        assert!(validate_handler_name("foo$bar").is_err());

        // Path separators
        assert!(validate_handler_name("foo/bar").is_err());
        assert!(validate_handler_name("foo\\bar").is_err());
    }

    #[test]
    fn test_reject_starting_with_number() {
        assert!(validate_handler_name("1foo").is_err());
        assert!(validate_handler_name("123").is_err());
    }

    #[test]
    fn test_reject_sql_injection_attempts() {
        assert!(validate_handler_name("'; DROP TABLE users; --").is_err());
        assert!(validate_handler_name("foo\"; DELETE FROM handlers; --").is_err());
    }

    #[test]
    fn test_reject_command_injection_attempts() {
        assert!(validate_handler_name("; rm -rf /").is_err());
        assert!(validate_handler_name("| cat /etc/passwd").is_err());
        assert!(validate_handler_name("$(whoami)").is_err());
    }

    #[test]
    fn test_reject_xss_attempts() {
        assert!(validate_handler_name("<script>alert(1)</script>").is_err());
        assert!(validate_handler_name("javascript:alert(1)").is_err());
    }

    #[test]
    fn test_reject_overly_long_names() {
        let long_name = "a".repeat(MAX_HANDLER_NAME_LENGTH + 1);
        assert!(validate_handler_name(&long_name).is_err());
    }

    #[test]
    fn test_accept_max_length_names() {
        let max_name = "a".repeat(MAX_HANDLER_NAME_LENGTH);
        assert!(validate_handler_name(&max_name).is_ok());
    }

    // Note: syn::Ident can parse Unicode characters as raw identifiers (r#identifier),
    // so we don't explicitly reject them. While ASCII identifiers are preferred, Unicode
    // identifiers are technically valid in Rust and don't pose a security risk since
    // syn validates them properly.
    //
    // The security boundary is maintained by syn::Ident - it only accepts valid Rust
    // identifiers, preventing injection attacks regardless of character set.
}