fix(resources): validate URI template params and strengthen schema tests

Add identifier validation to extractURIParams — rejects non-identifier
strings like code injection or path traversal. Strengthen schema negative
tests to assert error messages reference the specific failing field.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: MacAttak

internal/codegen/mcp_typescript.go

@@ -15,14 +15,22 @@ import (
 // uriParamRe matches {param} placeholders in a URI template.
 var uriParamRe = regexp.MustCompile(`\{([^}]+)\}`)
 
+// validIdentifier matches safe JavaScript/TypeScript identifier names.
+var validIdentifier = regexp.MustCompile(`^[a-zA-Z_][a-zA-Z0-9_]*$`)
+
 // extractURIParams returns the list of parameter names found in a URI template.
-func extractURIParams(uri string) []string {
+// Returns an error if any parameter name is not a valid identifier.
+func extractURIParams(uri string) ([]string, error) {
 	matches := uriParamRe.FindAllStringSubmatch(uri, -1)
 	params := make([]string, 0, len(matches))
 	for _, m := range matches {
-		params = append(params, m[1])
+		name := m[1]
+		if !validIdentifier.MatchString(name) {
+			return nil, fmt.Errorf("URI template parameter %q is not a valid identifier", name)
+		}
+		params = append(params, name)
 	}
-	return params
+	return params, nil
 }
 
 // TSMCPGenerator generates TypeScript MCP server projects.
@@ -90,13 +98,17 @@ func (g *TSMCPGenerator) Generate(ctx context.Context, data TemplateData, _ stri
 		if mimeType == "" {
 			mimeType = "text/plain"
 		}
+		uriParams, uriErr := extractURIParams(res.URI)
+		if uriErr != nil {
+			return nil, fmt.Errorf("resource %q: %w", res.Name, uriErr)
+		}
 		resData := tsResourceData{
 			Name:        res.Name,
 			Description: res.Description,
 			URI:         res.URI,
 			MimeType:    mimeType,
 			Entrypoint:  res.Entrypoint,
-			URIParams:   extractURIParams(res.URI),
+			URIParams:   uriParams,
 		}
 		var resFile []byte
 		resFile, err = renderTSTemplate("resource.ts", tsResourceTmpl, resData)

internal/codegen/mcp_typescript_resource_test.go

@@ -1,6 +1,7 @@
 package codegen
 
 import (
+	"context"
 	"strings"
 	"testing"
 
@@ -796,6 +797,65 @@ func TestTSMCP_Resource_IndexRegistersViaImportedFunction(t *testing.T) {
 		hasImport, hasRegistration)
 }
 
+// ---------------------------------------------------------------------------
+// URI template parameter validation
+// ---------------------------------------------------------------------------
+
+func TestTSMCP_Resource_InvalidURIParam_RejectsInjection(t *testing.T) {
+	// A URI with a parameter containing code injection must be rejected.
+	m := mcpManifestSingleResource()
+	m.Resources[0].URI = `file://{"; process.exit(1);//}`
+	gen := NewTSMCPGenerator()
+	data := TemplateData{Manifest: m, Timestamp: "2026-03-09T00:00:00Z", Version: "0.1.0"}
+	_, err := gen.Generate(context.Background(), data, "")
+	require.Error(t, err)
+	assert.Contains(t, err.Error(), "not a valid identifier",
+		"must reject URI param that is not a safe identifier")
+}
+
+func TestTSMCP_Resource_InvalidURIParam_RejectsSpaces(t *testing.T) {
+	m := mcpManifestSingleResource()
+	m.Resources[0].URI = `file:///{bad param}`
+	gen := NewTSMCPGenerator()
+	data := TemplateData{Manifest: m, Timestamp: "2026-03-09T00:00:00Z", Version: "0.1.0"}
+	_, err := gen.Generate(context.Background(), data, "")
+	require.Error(t, err)
+	assert.Contains(t, err.Error(), "not a valid identifier")
+}
+
+func TestTSMCP_Resource_InvalidURIParam_RejectsDotPath(t *testing.T) {
+	m := mcpManifestSingleResource()
+	m.Resources[0].URI = `file:///{../etc/passwd}`
+	gen := NewTSMCPGenerator()
+	data := TemplateData{Manifest: m, Timestamp: "2026-03-09T00:00:00Z", Version: "0.1.0"}
+	_, err := gen.Generate(context.Background(), data, "")
+	require.Error(t, err)
+	assert.Contains(t, err.Error(), "not a valid identifier")
+}
+
+func TestTSMCP_Resource_ValidURIParam_AcceptsUnderscore(t *testing.T) {
+	m := mcpManifestSingleResource()
+	m.Resources[0].URI = `file:///{_path}`
+	gen := NewTSMCPGenerator()
+	data := TemplateData{Manifest: m, Timestamp: "2026-03-09T00:00:00Z", Version: "0.1.0"}
+	files, err := gen.Generate(context.Background(), data, "")
+	require.NoError(t, err)
+	content := fileContent(t, files, "src/resources/file_reader.ts")
+	assert.Contains(t, content, "_path")
+}
+
+func TestTSMCP_Resource_ValidURIParam_AcceptsAlphanumeric(t *testing.T) {
+	m := mcpManifestSingleResource()
+	m.Resources[0].URI = `github://{owner123}/{repo456}`
+	gen := NewTSMCPGenerator()
+	data := TemplateData{Manifest: m, Timestamp: "2026-03-09T00:00:00Z", Version: "0.1.0"}
+	files, err := gen.Generate(context.Background(), data, "")
+	require.NoError(t, err)
+	content := fileContent(t, files, "src/resources/file_reader.ts")
+	assert.Contains(t, content, "owner123")
+	assert.Contains(t, content, "repo456")
+}
+
 // ---------------------------------------------------------------------------
 // Resource handler is not placed in the tools directory
 // ---------------------------------------------------------------------------

schema_resource_test.go

@@ -412,8 +412,10 @@ func TestSchemaResource_MissingURI_Fails(t *testing.T) {
 		"entrypoint": "./resources/test.sh"
 	}]`)
 	err := validateJSON(t, manifest)
-	assert.Error(t, err,
+	require.Error(t, err,
 		"resource missing 'uri' must fail schema validation")
+	assert.Contains(t, err.Error(), "uri",
+		"error must reference the missing 'uri' field")
 }
 
 func TestSchemaResource_MissingName_Fails(t *testing.T) {
@@ -424,8 +426,10 @@ func TestSchemaResource_MissingName_Fails(t *testing.T) {
 		"entrypoint": "./resources/test.sh"
 	}]`)
 	err := validateJSON(t, manifest)
-	assert.Error(t, err,
+	require.Error(t, err,
 		"resource missing 'name' must fail schema validation")
+	assert.Contains(t, err.Error(), "name",
+		"error must reference the missing 'name' field")
 }
 
 func TestSchemaResource_MissingEntrypoint_Fails(t *testing.T) {
@@ -436,8 +440,10 @@ func TestSchemaResource_MissingEntrypoint_Fails(t *testing.T) {
 		"description": "Missing entrypoint"
 	}]`)
 	err := validateJSON(t, manifest)
-	assert.Error(t, err,
+	require.Error(t, err,
 		"resource missing 'entrypoint' must fail schema validation")
+	assert.Contains(t, err.Error(), "entrypoint",
+		"error must reference the missing 'entrypoint' field")
 }
 
 func TestSchemaResource_MissingAllRequired_Fails(t *testing.T) {
@@ -523,8 +529,10 @@ func TestSchemaResource_URIWrongType_Fails(t *testing.T) {
 				"entrypoint": "./resources/test.sh"
 			}]`)
 			err := validateJSON(t, manifest)
-			assert.Error(t, err,
+			require.Error(t, err,
 				"resource with uri as %s must fail schema validation", tc.name)
+			assert.Contains(t, err.Error(), "uri",
+				"error must reference the 'uri' field")
 		})
 	}
 }
@@ -548,8 +556,10 @@ func TestSchemaResource_NameWrongType_Fails(t *testing.T) {
 				"entrypoint": "./resources/test.sh"
 			}]`)
 			err := validateJSON(t, manifest)
-			assert.Error(t, err,
+			require.Error(t, err,
 				"resource with name as %s must fail schema validation", tc.name)
+			assert.Contains(t, err.Error(), "name",
+				"error must reference the 'name' field")
 		})
 	}
 }
@@ -573,8 +583,10 @@ func TestSchemaResource_EntrypointWrongType_Fails(t *testing.T) {
 				"entrypoint": ` + tc.value + `
 			}]`)
 			err := validateJSON(t, manifest)
-			assert.Error(t, err,
+			require.Error(t, err,
 				"resource with entrypoint as %s must fail schema validation", tc.name)
+			assert.Contains(t, err.Error(), "entrypoint",
+				"error must reference the 'entrypoint' field")
 		})
 	}
 }
@@ -680,37 +692,43 @@ func TestSchemaResource_EachRequiredFieldMissing_Individually(t *testing.T) {
 	// Table-driven: remove one required field at a time. Each must fail independently.
 	// This catches schemas that only enforce some required fields.
 	tests := []struct {
-		name     string
-		resource string
+		name      string
+		resource  string
+		wantField string
 	}{
 		{
 			name: "missing uri only",
 			resource: `{
 				"name": "no-uri",
 				"entrypoint": "./resources/test.sh"
 			}`,
+			wantField: "uri",
 		},
 		{
 			name: "missing name only",
 			resource: `{
 				"uri": "file:///data/item",
 				"entrypoint": "./resources/test.sh"
 			}`,
+			wantField: "name",
 		},
 		{
 			name: "missing entrypoint only",
 			resource: `{
 				"uri": "file:///data/item",
 				"name": "no-ep"
 			}`,
+			wantField: "entrypoint",
 		},
 	}
 	for _, tc := range tests {
 		t.Run(tc.name, func(t *testing.T) {
 			manifest := minimalManifestWithResources(`[` + tc.resource + `]`)
 			err := validateJSON(t, manifest)
-			assert.Error(t, err,
+			require.Error(t, err,
 				"resource with %s must fail schema validation", tc.name)
+			assert.Contains(t, err.Error(), tc.wantField,
+				"error must reference the missing %q field", tc.wantField)
 		})
 	}
 }