Skip to content

Fix: normalize literal \\r\\n escape sequences in HTTP content from MCP clients #58

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
dhawanmayank wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Fix: normalize literal \\r\\n escape sequences in HTTP content from MCP clients #58

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
29 changes: 25 additions & 4 deletions src/main/kotlin/net/portswigger/mcp/tools/Tools.kt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -42,6 +42,25 @@ private fun truncateIfNeeded(serialized: String): String {
}
}

/**
* Normalizes HTTP content line endings from MCP clients.
*
* MCP clients (e.g. Claude Code) pass \r\n as literal escape sequences in JSON
* tool parameters, which arrive as the 4-character text sequences backslash-r
* and backslash-n rather than actual CR (0x0D) and LF (0x0A) bytes.
* This produces malformed HTTP that strict servers (e.g. Apache-Coyote) reject
* with 400 Bad Request.
*
* This function converts both literal escape sequences and actual line endings
* into proper HTTP CRLF line termination.
*/
private fun normalizeHttpContent(content: String): String = content
.replace("\\r\\n", "\n") // Literal \r\n escape sequences → LF
.replace("\\n", "\n") // Remaining literal \n → LF
.replace("\\r", "") // Remaining literal \r → remove
.replace("\r", "") // Actual CR → remove
.replace("\n", "\r\n") // All LF → proper CRLF

fun Server.registerTools(api: MontoyaApi, config: McpConfig) {

mcpTool<SendHttp1Request>("Issues an HTTP/1.1 request and returns the response.") {
Expand All @@ -55,7 +74,7 @@ fun Server.registerTools(api: MontoyaApi, config: McpConfig) {

api.logging().logToOutput("MCP HTTP/1.1 request: $targetHostname:$targetPort")

val fixedContent = content.replace("\r", "").replace("\n", "\r\n")
val fixedContent = normalizeHttpContent(content)

val request = HttpRequest.httpRequest(toMontoyaService(), fixedContent)
val response = api.http().sendRequest(request)
Expand Down Expand Up @@ -115,12 +134,14 @@ fun Server.registerTools(api: MontoyaApi, config: McpConfig) {
}

mcpTool<CreateRepeaterTab>("Creates a new Repeater tab with the specified HTTP request and optional tab name. Make sure to use carriage returns appropriately.") {
val request = HttpRequest.httpRequest(toMontoyaService(), content)
val fixedContent = normalizeHttpContent(content)
val request = HttpRequest.httpRequest(toMontoyaService(), fixedContent)
api.repeater().sendToRepeater(request, tabName)
}

mcpTool<SendToIntruder>("Sends an HTTP request to Intruder with the specified HTTP request and optional tab name. Make sure to use carriage returns appropriately.") {
val request = HttpRequest.httpRequest(toMontoyaService(), content)
val fixedContent = normalizeHttpContent(content)
val request = HttpRequest.httpRequest(toMontoyaService(), fixedContent)
api.intruder().sendToIntruder(request, tabName)
}

Expand Down Expand Up @@ -426,4 +447,4 @@ data class GenerateCollaboratorPayload(
@Serializable
data class GetCollaboratorInteractions(
val payloadId: String? = null
)
)