fix: guard CompletionsHandler against nil params/ref

SamMorrowDrums · manthanghasadiya · Copilot · SamMorrowDrums · commit 3c916d27f27e · 2026-05-19T10:26:38.000+02:00
A malformed completion/complete request with missing or empty parameters caused a nil pointer dereference in CompletionsHandler, panicking the process. Reject such requests with a clear error before dispatching on Ref.Type. Reported by @manthanghasadiya (GHSA-w4q6-qw23-4rg7). Co-authored-by: manthanghasadiya <68530736+manthanghasadiya@users.noreply.github.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
diff --git a/pkg/github/server.go b/pkg/github/server.go
@@ -204,6 +204,9 @@ func NewServer(version, name, title string, opts *mcp.ServerOptions) *mcp.Server
 
 func CompletionsHandler(getClient GetClientFn) func(ctx context.Context, req *mcp.CompleteRequest) (*mcp.CompleteResult, error) {
 	return func(ctx context.Context, req *mcp.CompleteRequest) (*mcp.CompleteResult, error) {
+		if req == nil || req.Params == nil || req.Params.Ref == nil {
+			return nil, fmt.Errorf("invalid request: missing ref parameter")
+		}
 		switch req.Params.Ref.Type {
 		case "ref/resource":
 			if strings.HasPrefix(req.Params.Ref.URI, "repo://") {
diff --git a/pkg/github/server_test.go b/pkg/github/server_test.go
@@ -349,3 +349,27 @@ func TestResolveEnabledToolsets(t *testing.T) {
 		})
 	}
 }
+
+func TestCompletionsHandler_RejectsMissingRef(t *testing.T) {
+	getClient := func(_ context.Context) (*gogithub.Client, error) {
+		return &gogithub.Client{}, nil
+	}
+	handler := CompletionsHandler(getClient)
+
+	tests := []struct {
+		name string
+		req  *mcp.CompleteRequest
+	}{
+		{name: "nil request", req: nil},
+		{name: "nil params", req: &mcp.CompleteRequest{}},
+		{name: "nil ref", req: &mcp.CompleteRequest{Params: &mcp.CompleteParams{}}},
+	}
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			result, err := handler(context.Background(), tc.req)
+			require.Error(t, err)
+			assert.Nil(t, result)
+			assert.Contains(t, err.Error(), "missing ref parameter")
+		})
+	}
+}
