From 3c916d27f27ebd2089d6213a8f5cd74fc32b0e91 Mon Sep 17 00:00:00 2001
From: Sam Morrow
Date: Tue, 19 May 2026 10:26:38 +0200
Subject: [PATCH 1/2] fix: guard CompletionsHandler against nil params/ref

A malformed completion/complete request with missing or empty parameters caused a nil pointer dereference in CompletionsHandler, panicking the process. Reject such requests with a clear error before dispatching on Ref.Type.

Reported by @manthanghasadiya (GHSA-w4q6-qw23-4rg7).

Co-authored-by: manthanghasadiya <68530736+manthanghasadiya@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 pkg/github/server.go | 3 +++
 pkg/github/server_test.go | 24 ++++++++++++++++++++++++
 2 files changed, 27 insertions(+)

diff --git a/pkg/github/server.go b/pkg/github/server.go
index ee41e90e9..840a17de3 100644
--- a/pkg/github/server.go
+++ b/pkg/github/server.go
@@ -204,6 +204,9 @@ func NewServer(version, name, title string, opts *mcp.ServerOptions) *mcp.Server
 func CompletionsHandler(getClient GetClientFn) func(ctx context.Context, req *mcp.CompleteRequest) (*mcp.CompleteResult, error) {
 return func(ctx context.Context, req *mcp.CompleteRequest) (*mcp.CompleteResult, error) {
+ if req == nil || req.Params == nil || req.Params.Ref == nil {
+ return nil, fmt.Errorf("invalid request: missing ref parameter")
+ }
 switch req.Params.Ref.Type {
 case "ref/resource":
 if strings.HasPrefix(req.Params.Ref.URI, "repo://") {
diff --git a/pkg/github/server_test.go b/pkg/github/server_test.go
index 7af388f73..1a1b0ff8f 100644
--- a/pkg/github/server_test.go
+++ b/pkg/github/server_test.go
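Review bot: The new guard in CompletionsHandler (pkg/github/server.go) is the only validation between a client-supplied completion/complete request and the dispatch on `req.Params.Ref.Type`, and nothing in the code says so; a comment above it such as `// req is client-controlled; validate before dispatch, since a nil dereference here panics the whole server` would keep a later refactor from moving or dropping it. The guard covers only the pointer chain down to `Ref`, and the per-type branches continue outside the hunk, so it is worth confirming that they do not read any other optional pointer field of the request without a nil check of their own. Since the message has no format verbs, `errors.New` would be the more idiomatic call if the `errors` package is already imported in this file, which the hunk does not show.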
@@ -349,3 +349,27 @@ func TestResolveEnabledToolsets(t *testing.T) {
 })
 }
 }
+
+func TestCompletionsHandler_RejectsMissingRef(t *testing.T) {
+ getClient := func(_ context.Context) (*gogithub.Client, error) {
+ return &gogithub.Client{}, nil
+ }
+ handler := CompletionsHandler(getClient)
+
+ tests := []struct {
+ name string
+ req *mcp.CompleteRequest
+ }{
+ {name: "nil request", req: nil},
+ {name: "nil params", req: &mcp.CompleteRequest{}},
+ {name: "nil ref", req: &mcp.CompleteRequest{Params: &mcp.CompleteParams{}}},
+ }
+ for _, tc := range tests {
+ t.Run(tc.name, func(t *testing.T) {
+ result, err := handler(context.Background(), tc.req)
+ require.Error(t, err)
+ assert.Nil(t, result)
+ assert.Contains(t, err.Error(), "missing ref parameter")
+ })
+ }
+}
From 8efe6ec0edf78693058c806b79ab127c5ed6a662 Mon Sep 17 00:00:00 2001
From: Sam Morrow
Date: Tue, 19 May 2026 10:30:29 +0200
Subject: [PATCH 2/2] Align error wording with repo convention

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 pkg/github/server.go | 2 +-
 pkg/github/server_test.go | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/pkg/github/server.go b/pkg/github/server.go
index 840a17de3..a9a75642f 100644
--- a/pkg/github/server.go
+++ b/pkg/github/server.go
@@ -205,7 +205,7 @@ func NewServer(version, name, title string, opts *mcp.ServerOptions) *mcp.Server
 func CompletionsHandler(getClient GetClientFn) func(ctx context.Context, req *mcp.CompleteRequest) (*mcp.CompleteResult, error) {
 return func(ctx context.Context, req *mcp.CompleteRequest) (*mcp.CompleteResult, error) {
 if req == nil || req.Params == nil || req.Params.Ref == nil {
- return nil, fmt.Errorf("invalid request: missing ref parameter")
+ return nil, fmt.Errorf("missing required parameter: ref")
 }
 switch req.Params.Ref.Type {
 case "ref/resource":
diff --git a/pkg/github/server_test.go b/pkg/github/server_test.go
index 1a1b0ff8f..be078d360 100644
--- a/pkg/github/server_test.go
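Review bot: The table in TestCompletionsHandler_RejectsMissingRef covers the three nil shapes but not a request whose `Ref` is present with an empty `Type` and `URI`, which is the other malformed shape that now reaches the switch in CompletionsHandler. A separate sub-test that passes such a request and asserts only that the handler returns without panicking would pin the regression this advisory fix is about; what the handler should return in that case is not visible here. The assertion on `err.Error()` also ties the test to the message text, so the wording change in the second patch had to edit the test as well; comparing against a package-level sentinel error with `require.ErrorIs` would avoid that.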
+++ b/pkg/github/server_test.go
@@ -369,7 +369,7 @@ func TestCompletionsHandler_RejectsMissingRef(t *testing.T) {
 result, err := handler(context.Background(), tc.req)
 require.Error(t, err)
 assert.Nil(t, result)
- assert.Contains(t, err.Error(), "missing ref parameter")
+ assert.Contains(t, err.Error(), "missing required parameter: ref")
 })
 }
 }