fix(server/mcp): guard nil dereference in sseManager.get

[marlonbarreto-git]

Description

sseManager.get() unconditionally accesses session.lastActive after a map lookup, even when the session ID doesn't exist. Since the zero value for a *sseSession pointer is nil, this causes a nil pointer dereference panic at runtime.

This can happen when a client sends a request with a stale or invalid sessionId query parameter — for example, after a network reconnection or if a session was cleaned up by cleanupRoutine.

Changes

Add an ok guard before accessing session.lastActive:

session, ok := m.sseSessions[id]
if ok {
    session.lastActive = time.Now()
}

Test

Added TestSseManagerGetNonExistentSession that calls get() with a non-existent ID and verifies it returns nil, false without panicking.

Fixes #2548

[gemini-code-assist]

Summary of Changes

Hello @marlonbarreto-git, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request addresses a critical bug where the SSE manager could panic due to a nil pointer dereference when attempting to retrieve a non-existent or stale session. The fix ensures robust handling of invalid session IDs, improving the stability of the server's SSE functionality. A new test case has been introduced to validate this behavior.

Highlights

• Nil Dereference Fix: Implemented a guard in sseManager.get() to prevent a nil pointer dereference panic when a non-existent or stale session ID is provided, ensuring session.lastActive is only accessed if the session exists.
• New Test Case: Added TestSseManagerGetNonExistentSession to specifically verify that the get() method correctly handles requests for non-existent sessions by returning nil, false without panicking.

Changelog

• internal/server/mcp.go
  • Added a conditional check (if ok) before accessing session.lastActive to prevent panics when sseSessions[id] returns a nil session.
• internal/server/mcp_test.go
  • Introduced TestSseManagerGetNonExistentSession to confirm that sseManager.get returns nil, false and does not panic for IDs not present in the map.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[google-cla]

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

[gemini-code-assist]

Code Review

This pull request effectively addresses a critical nil pointer dereference issue in the sseManager.get() method by adding a necessary ok guard before accessing session.lastActive. The accompanying test case, TestSseManagerGetNonExistentSession, thoroughly validates the fix, ensuring that the function handles non-existent session IDs gracefully without panicking and returns the expected nil, false.

[marlonbarreto-git]

@anubhav756 this PR is ready for review — single commit, CLA signed, conventional commit format.

Could you please trigger the CI by applying the tests: run label or commenting /gcbrun? As an external contributor I can't trigger the Cloud Build checks myself.

All tests pass locally:

$ go test ./internal/server/... -v -run TestSseManager
=== RUN   TestSseManagerGetNonExistentSession
--- PASS: TestSseManagerGetNonExistentSession (0.00s)
PASS

[marlonbarreto-git]

Friendly ping @anubhav756 — both this PR and #2558 are ready for review (single commit each, CLA signed, conventional commits). The only blocker is the integration test which needs a maintainer to trigger (/gcbrun or tests: run label). Happy to address any feedback!

[marlonbarreto-git]

Hey @duwenxin99, I see you've been on a roll this week with the repo — any chance you could spare a few minutes to glance at this one and #2558? They're both pretty small and self-contained (nil deref guard and a defer fix). Main thing blocking CI is a /gcbrun trigger since I can't kick that off as an external contributor. Thanks!

[averikitsch]

/gcbrun

[duwenxin99]

/gcbrun