This release is a patch release for v1.4.0.
It contains cherry-picks for several security improvements. Security advisories will follow.
Fixes
Update of the segmentio/encoding module version
The JSON parsing library that was adopted to avoid attacks taking advantage of the Go's standard parser being case insensitive turned out to contain an issue itself. We have submitted the fix upstream and this release updates the dependency to the patched version.
Cross-origin requests protection
We have added additional protection against cross origin requests. From now on, we verify that Content-Type for JSON-RPC POST requests is set to application/json and use the new http.CrossOriginProtection functionality to verify the origin of the request. Usage of this functionality required increasing the required Go version to 1.25, which is in line with our Go version policy of supporting two newest Go versions. The behavior can be customized by passing a configured http.CrossOriginProtection object to StreamableHTTPOptions.
Since this is a behavior change, we introduced a compatibility parameter disablecrossoriginprotection that will allow to temporarily disable it. It will be removed in v1.6.0 version of the SDK. See here for more details about behavior changes and a history of compatibility parameters across SDK versions.
Allowing customization of http.Client for client-side OAuth
We have introduced an optional http.Client parameter to AuthorizationCodeHandlerConfig. This allows customization of the transport, for example implementing environment specific protection against Server-Side Request Forgery.
Pull requests
- internal: fix Unicode zero character handling by @maciej-kisiel in #841
- auth: allow passing custom http.Client to AuthorizationCodeHandler by @maciej-kisiel in #840
- mcp: verify 'Origin' and 'Content-Type' headers by @maciej-kisiel in #842
Full Changelog: v1.4.0...v1.4.1