fix(mcp): guard nil SSE session lookup and return 400 for missing session

[bandrade]

Description

Fixes a panic in SSE-backed MCP requests where POST /mcp?sessionId=... could dereference a nil session pointer in sseManager.get and return HTTP 500. The impact is failed MCP message handling after successful /mcp/sse bootstrap. The solution makes session lookup nil-safe, removes corrupt nil entries defensively, and returns HTTP 400 when a provided sessionId is unavailable.

PR Checklist

• Make sure you reviewed CONTRIBUTING.md
• Make sure to open an issue as a bug/issue before writing your code! That way we can discuss the change, evaluate designs, and agree on the general idea
• Ensure the tests and linter pass
• Code coverage does not decrease (if any source code was changed)
• Appropriate docs were updated (if necessary)
• Make sure to add ! if this involve a breaking change

🛠️ Fixes #2680

[google-cla]

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request addresses a critical bug where SSE-backed MCP requests could cause a server panic due to dereferencing a nil session pointer. The changes enhance the robustness of the SSE session management by safely handling unavailable sessions, including those that might be nil in the session map, and by providing a more appropriate HTTP 400 error response to clients when a session is not found.

Highlights

• Nil Session Handling: The sseManager.get method was updated to prevent dereferencing nil session pointers, which previously led to panics. It now explicitly checks for nil session values in the map.
• Error Response Improvement: The httpHandler now returns an HTTP 400 Bad Request status when a requested SSE session is not found or is unavailable, providing a clearer error to the client instead of a server-side panic.
• Defensive Map Cleanup: The sseManager.get method now defensively removes any nil session entries from the sseSessions map if they are encountered, preventing future issues with corrupt entries.
• Test Coverage: A new test case was added to mcp_test.go to specifically verify the correct behavior of sseManager.get when a session ID maps to a nil value.

Changelog

• internal/server/mcp.go
  • Modified sseManager.get to check for nil session values and remove them from the map, returning nil and false if found.
  • Updated httpHandler to return an http.StatusBadRequest (400) with an error message if s.sseManager.get indicates the session is not available.
• internal/server/mcp_test.go
  • Added TestSseManagerGetNilSessionValue to test the new nil session handling logic in sseManager.get.

Activity

• Addressed issue Bug: nil panic in SSE session lookup for /mcp requests #2680, which reported a panic in SSE-backed MCP requests.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request enhances the robustness and error handling of the SSE session management. The sseManager.get method now defensively handles cases where a session ID exists but its value is nil in the map, treating it as unavailable, removing the nil entry, and returning nil, false. Concurrently, the httpHandler is updated to properly respond with an HTTP 400 Bad Request error and terminate processing when an SSE session is not available. A new unit test, TestSseManagerGetNilSessionValue, has been added to validate this improved behavior.

[Yuan325]

Hi @bandrade, Thank you for identifying and fixing this! :)

[Yuan325]

Hi @bandrade do you mind signing the CLA for this? Thank you!

[Yuan325]

/gcbrun

[bandrade]

@Yuan325 Glad to contribute and they PR is useful. I just signed the CLA.

[Yuan325]

/gcbrun

[Yuan325]

/gcbrun