fix: prevent tool exceptions from leaking internal details to client#2198
Open
Varun6578 wants to merge 2 commits intomodelcontextprotocol:mainfrom
Open
fix: prevent tool exceptions from leaking internal details to client#2198Varun6578 wants to merge 2 commits intomodelcontextprotocol:mainfrom
Varun6578 wants to merge 2 commits intomodelcontextprotocol:mainfrom
Conversation
Tool.run() and _handle_call_tool() now return a generic error message for unexpected exceptions instead of str(e), which could expose sensitive internal details like connection strings, file paths, or stack traces to MCP clients. - ToolError is still passed through unchanged (intentional user-facing errors) - UrlElicitationRequiredError and MCPError are re-raised at the server level - All other exceptions log the full traceback server-side and return a generic 'An unexpected error occurred' message to the client Fixes modelcontextprotocol#698 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Add test for ToolError passthrough (covers tools/base.py except ToolError) - Mark unreachable defensive except in _handle_call_tool as no cover Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
maxisbey
requested changes
Mar 5, 2026
| except ToolError as e: | ||
| return CallToolResult(content=[TextContent(type="text", text=str(e))], is_error=True) | ||
| except Exception: # pragma: no cover | ||
| logger.exception(f"Error calling tool {params.name}") |
Contributor
There was a problem hiding this comment.
if we have logging here, then do we need logging in base.py? won't that cause duplicate logs?
| except ToolError as e: | ||
| return CallToolResult(content=[TextContent(type="text", text=str(e))], is_error=True) | ||
| except Exception: # pragma: no cover | ||
| logger.exception(f"Error calling tool {params.name}") |
Contributor
There was a problem hiding this comment.
please remove the pragma and add a unit test
maxisbey
added
bug
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes #698
Tool.run()and_handle_call_tool()previously exposed internal exception details (str(e)) to MCP clients. This could leak sensitive information like connection strings, file paths, or internal state.Changes
src/mcp/server/mcpserver/tools/base.py:except ToolError: raiseto pass through intentional user-facing errorsAn unexpected error occurred executing tool {name}instead ofstr(e)src/mcp/server/mcpserver/server.py:except ToolErrorhandler in_handle_call_tool()to pass through ToolError messagesf"Error calling tool {name}: {e}"Tests updated:
test_server.py: Verified exception details are NOT leaked in error responsestest_tool_manager.py: Updated regex match for new generic messagetest_url_elicitation_error_throw.py: Verified generic message and no detail leaktest_sampling_callback.py,test_list_roots_callback.py: Updated expected error messagesSecurity
This is a security hardening change. Before this fix, any Python exception raised inside a tool function would have its full
str()representation sent to the client, potentially exposing: