fix: guard CompletionsHandler against nil params/ref #2502

Merged: SamMorrowDrums merged 3 commits into main from sammorrowdrums/fix-completions-nil-deref on May 19, 2026

@SamMorrowDrums
Collaborator

A malformed completion/complete request with missing or empty parameters caused a nil pointer dereference in CompletionsHandler, panicking the process. This adds a nil-guard that rejects such requests with a clear error before dispatching on Ref.Type.

Reported by @manthanghasadiya in GHSA-w4q6-qw23-4rg7.

Impact

  • Local stdio server: a malformed request would crash the process. Trust boundary is the spawning client, so impact is self-DoS.
  • Remote server: not reachable unauthenticated (PAT/token required), so at worst an authenticated caller self-crashes their own session.

Still worth fixing as routine hardening.

Changes

  • pkg/github/server.go: nil-guard on req, req.Params, and req.Params.Ref.
  • pkg/github/server_test.go: TestCompletionsHandler_RejectsMissingRef covering all three nil cases.

Validation

  • script/lint → 0 issues
  • script/test → all packages pass

A malformed completion/complete request with missing or empty
parameters caused a nil pointer dereference in CompletionsHandler,
panicking the process. Reject such requests with a clear error
before dispatching on Ref.Type.

Reported by @manthanghasadiya (GHSA-w4q6-qw23-4rg7).

Co-authored-by: manthanghasadiya <68530736+manthanghasadiya@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@SamMorrowDrums SamMorrowDrums requested a review from a team as a code owner May 19, 2026 08:26
Copilot AI review requested due to automatic review settings May 19, 2026 08:26
Contributor

Copilot AI left a comment

Pull request overview

Hardens the MCP completion/complete handler to avoid a nil pointer dereference when clients send malformed completion requests, preventing a process panic (self-DoS) by rejecting requests missing params.ref before dispatching on ref.type.

Changes:

  • Added a nil-guard in CompletionsHandler for req, req.Params, and req.Params.Ref with a clear error return.
  • Added a table-driven unit test covering nil req, nil params, and nil ref cases.

| File | Description |
| --- | --- |
| pkg/github/server.go | Adds early validation to prevent nil deref when handling completion requests. |
| pkg/github/server_test.go | Adds regression test ensuring malformed completion requests are rejected without panicking. |

Copilot's findings

  • Files reviewed: 2/2 changed files
  • Comments generated: 1

Comment thread pkg/github/server.go Outdated
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@SamMorrowDrums SamMorrowDrums merged commit c88d2ec into main May 19, 2026
18 checks passed
@SamMorrowDrums SamMorrowDrums deleted the sammorrowdrums/fix-completions-nil-deref branch May 19, 2026 09:55
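
The guard this PR describes, as an added Go example that is not the project's code. The request types are hypothetical stand-ins that model only the req -> Params -> Ref pointer chain, the dispatch results are placeholders, and the three malformed requests are constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical stand-ins for the request types: only the pointer chain is modelled.
type CompleteReference struct{ Type string }
type CompleteParams struct{ Ref *CompleteReference }
type CompleteRequest struct{ Params *CompleteParams }
var errMissingRef = errors.New("completion/complete: params.ref is required")

// dispatch stands in for the handler body that switches on Ref.Type.
func dispatch(refType string) (string, error) {
	switch refType {
	case "ref/prompt":
		return "prompt completions", nil
	case "ref/resource":
		return "resource completions", nil
	}
	return "", fmt.Errorf("unsupported ref type %q", refType)
}

// unguarded reads Ref.Type directly: a nil link anywhere in the chain panics.
func unguarded(req *CompleteRequest) (string, error) { return dispatch(req.Params.Ref.Type) }

// guarded checks all three pointers and returns an error before dispatching.
func guarded(req *CompleteRequest) (string, error) {
	if req == nil || req.Params == nil || req.Params.Ref == nil {
		return "", errMissingRef
	}
	return dispatch(req.Params.Ref.Type)
}

// panics reports whether handler h panics on req (what would crash the server).
func panics(h func(*CompleteRequest) (string, error), req *CompleteRequest) (p bool) {
	defer func() { p = recover() != nil }()
	_, _ = h(req)
	return false
}

func main() {
	// Constructed malformed requests: nil req, nil Params, nil Ref.
	bad := []*CompleteRequest{nil, {}, {Params: &CompleteParams{}}}
	for i, req := range bad {
		_, err := guarded(req)
		fmt.Printf("case %d: unguarded panics=%v, guarded err=%v\n", i, panics(unguarded, req), err)
	}
}
```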