Send same message for non-existent and non-authorized container

labkey-adam · labkey-adam · commit 8fbc903f7831 · 2026-03-26T09:03:58.000-07:00
diff --git a/core/src/org/labkey/core/CoreMcp.java b/core/src/org/labkey/core/CoreMcp.java
@@ -99,24 +99,22 @@ String setContainer(ToolContext context, @ToolParam(description = "Container pat
     {
         final String message;
 
-        if (containerPath == null)
+        if (StringUtils.isBlank(containerPath))
         {
-            message = "Container path was null. Please provide a valid containerPath parameter. Try using the listContainers tool to see them.";
+            message = "Container path was missing. Please provide a valid containerPath parameter. Try using the listContainers tool to see them.";
         }
         else
         {
             Container container = ContainerManager.getForPath(containerPath);
 
-            if (container == null)
+            // Must exist and user must have read permission to set a container. Note: Send the same message in both
+            // cases to prevent information exposure.
+            if (container == null || !container.hasPermission(getUser(context), ReadPermission.class))
             {
                 message = "That's not a valid container path. Try using listContainers to see them.";
             }
             else
             {
-                // Must have read permission to set a container
-                if (!container.hasPermission(getUser(context), ReadPermission.class))
-                    throw new UnauthorizedException();
-
                 McpService.get().saveSessionContainer(context, container);
                 message = "Container has been set to " + container.getPath();
             }

Original file line number	Diff line number	Diff line change
`@@ -99,24 +99,22 @@ String setContainer(ToolContext context, @ToolParam(description = "Container pat`
`99`	`99`	`{`
`100`	`100`	`final String message;`
`101`	`101`
`102`		`- if (containerPath == null)`
	`102`	`+ if (StringUtils.isBlank(containerPath))`
`103`	`103`	`{`
`104`		`- message = "Container path was null. Please provide a valid containerPath parameter. Try using the listContainers tool to see them.";`
	`104`	`+ message = "Container path was missing. Please provide a valid containerPath parameter. Try using the listContainers tool to see them.";`
`105`	`105`	`}`
`106`	`106`	`else`
`107`	`107`	`{`
`108`	`108`	`Container container = ContainerManager.getForPath(containerPath);`
`109`	`109`
`110`		`- if (container == null)`
	`110`	`+ // Must exist and user must have read permission to set a container. Note: Send the same message in both`
	`111`	`+ // cases to prevent information exposure.`
	`112`	`+ if (container == null \|\| !container.hasPermission(getUser(context), ReadPermission.class))`
`111`	`113`	`{`
`112`	`114`	`message = "That's not a valid container path. Try using listContainers to see them.";`
`113`	`115`	`}`
`114`	`116`	`else`
`115`	`117`	`{`
`116`		`- // Must have read permission to set a container`
`117`		`- if (!container.hasPermission(getUser(context), ReadPermission.class))`
`118`		`- throw new UnauthorizedException();`
`119`		`-`
`120`	`118`	`McpService.get().saveSessionContainer(context, container);`
`121`	`119`	`message = "Container has been set to " + container.getPath();`
`122`	`120`	`}`