22952704691

Committed 11 Mar 2026 12:31PM UTC coverage: 63.963% (-0.04%) from 64.006%

Build # 22952704691

Build Type

push

github

Committed by

web-flow

Commit Message

Fix Content-Length mismatch in authz response filter with remote proxies (#4092)

When httputil.ReverseProxy forwards a response from a remote MCP server,
it copies the backend's Content-Length header to the ResponseWriter via
Header(). ResponseFilteringWriter does not override Header(), so the
original Content-Length leaks to the real writer. After Cedar policy
filtering changes the response body size, Go's HTTP server detects the
mismatch and tears down the connection.

Delete the stale Content-Length header before writing filtered responses
for both JSON and SSE content types. Go's HTTP library will handle
correct framing automatically.

Fixes: #4044

Co-authored-by: ChandraMohan0316 <chandrashanmugam007@gmail.com>

Run Details

8 of 8 new or added lines in 1 file covered. (100.0%)

41 existing lines in 6 files now uncovered.

47719 of 74604 relevant lines covered (63.96%)

70.66 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

80.31

/pkg/transport/proxy/httpsse/http_proxy.go

stacklok / toolhive / 22952704691

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source Not Available

Source File
Press 'n' to go to next uncovered line, 'b' for previous