Reject external $ref via the tool schema generator

Move external-$ref rejection into StrictJsonSchema (now in its own
_schema_generator.py) so it happens during schema generation, driven by the
schema_generator parameter of model_json_schema, rather than walking the
schema afterwards. The output-schema path re-raises ExternalSchemaRefError
instead of swallowing it as an unserializable-type ValueError. Drop the
standalone mcp.shared.json_schema_ref helper and the client-side check (the
client receives schemas, it never generates them, and already never fetches
network refs).

Author: Kludex

src/mcp/client/session.py

@@ -17,7 +17,6 @@
 from mcp.shared._compat import resync_tracer
 from mcp.shared.dispatcher import CallOptions, DispatchContext, Dispatcher, ProgressFnT
 from mcp.shared.exceptions import MCPError
-from mcp.shared.json_schema_ref import reject_external_refs
 from mcp.shared.jsonrpc_dispatcher import JSONRPCDispatcher
 from mcp.shared.message import ClientMessageMetadata, SessionMessage
 from mcp.shared.session import RequestResponder
@@ -450,14 +449,7 @@ async def call_tool(
         *,
         meta: RequestParamsMeta | None = None,
     ) -> types.CallToolResult:
-        """Send a tools/call request with optional progress callback support.
-
-        Raises:
-            RuntimeError: If the tool declares an output schema but the result's structured
-                content is missing or fails validation against it.
-            ExternalSchemaRefError: If the tool's output schema contains a `$ref` that is not
-                a same-document reference; such refs are never dereferenced (SEP-2106).
-        """
+        """Send a tools/call request with optional progress callback support."""
 
         result = await self.send_request(
             types.CallToolRequest(
@@ -490,7 +482,6 @@ async def _validate_tool_result(self, name: str, result: types.CallToolResult) -
 
             if result.structured_content is None:
                 raise RuntimeError(f"Tool {name} has an output schema but did not return structured content")
-            reject_external_refs(output_schema, context=f"Output schema for tool {name!r}")
             try:
                 validate(result.structured_content, output_schema)
             except ValidationError as e:

src/mcp/server/mcpserver/tools/base.py

@@ -7,11 +7,11 @@
 from pydantic import BaseModel, Field
 
 from mcp.server.mcpserver.exceptions import ToolError
+from mcp.server.mcpserver.utilities._schema_generator import StrictJsonSchema
 from mcp.server.mcpserver.utilities.context_injection import find_context_parameter
 from mcp.server.mcpserver.utilities.func_metadata import FuncMetadata, func_metadata
 from mcp.shared._callable_inspection import is_async_callable
 from mcp.shared.exceptions import UrlElicitationRequiredError
-from mcp.shared.json_schema_ref import reject_external_refs
 from mcp.shared.tool_name_validation import validate_and_warn_tool_name
 from mcp.types import Icon, ToolAnnotations
 
@@ -78,11 +78,7 @@ def from_function(
             skip_names=[context_kwarg] if context_kwarg is not None else [],
             structured_output=structured_output,
         )
-        parameters = func_arg_metadata.arg_model.model_json_schema(by_alias=True)
-
-        reject_external_refs(parameters, context=f"Input schema for tool {func_name!r}")
-        if func_arg_metadata.output_schema is not None:
-            reject_external_refs(func_arg_metadata.output_schema, context=f"Output schema for tool {func_name!r}")
+        parameters = func_arg_metadata.arg_model.model_json_schema(by_alias=True, schema_generator=StrictJsonSchema)
 
         return cls(
             fn=fn,

src/mcp/server/mcpserver/utilities/_schema_generator.py

@@ -0,0 +1,63 @@
+"""JSON Schema generator for tool schemas.
+
+Centralizes the `GenerateJsonSchema` subclass used when rendering tool input and
+output schemas. On top of turning pydantic's schema warnings into errors, it
+enforces SEP-2106: a `$ref` that is not a same-document reference (a JSON Pointer
+such as `#/$defs/Foo` or an `$anchor` such as `#Foo`) is an SSRF / fetch-DoS
+vector and MUST NOT appear in a tool schema.
+
+See: https://modelcontextprotocol.io/seps/2106-json-schema-2020-12#security-implications
+"""
+
+from __future__ import annotations
+
+from typing import Any, cast
+
+from pydantic.json_schema import GenerateJsonSchema, JsonSchemaValue, JsonSchemaWarningKind
+from pydantic_core import CoreSchema
+
+
+class ExternalSchemaRefError(ValueError):
+    """A tool schema contains a `$ref` that is not a same-document reference."""
+
+
+class StrictJsonSchema(GenerateJsonSchema):
+    """Render tool schemas, raising on pydantic warnings and external `$ref`s.
+
+    Warnings (e.g. a non-serializable type) become errors so they surface at tool
+    registration instead of silently producing a degenerate schema. External
+    `$ref`s -- which pydantic never emits itself, but a user can inject via
+    `Field(json_schema_extra=...)` -- are rejected for the same reason (SEP-2106).
+    """
+
+    def emit_warning(self, kind: JsonSchemaWarningKind, detail: str) -> None:
+        raise ValueError(f"JSON schema warning: {kind} - {detail}")
+
+    def generate(self, schema: CoreSchema, mode: Any = "validation") -> JsonSchemaValue:
+        json_schema = super().generate(schema, mode)
+        _reject_external_refs(json_schema)
+        return json_schema
+
+
+def _reject_external_refs(json_schema: JsonSchemaValue) -> None:
+    external = sorted(_find_external_refs(json_schema))
+    if external:
+        raise ExternalSchemaRefError(
+            f"Tool schema contains external $ref(s) that MUST NOT be dereferenced (SEP-2106): "
+            f"{', '.join(external)}. Only same-document references (e.g. '#/$defs/Foo') are allowed."
+        )
+
+
+def _find_external_refs(node: Any) -> set[str]:
+    external: set[str] = set()
+    if isinstance(node, dict):
+        mapping = cast("dict[str, Any]", node)
+        ref = mapping.get("$ref")
+        if isinstance(ref, str) and not ref.startswith("#"):
+            external.add(ref)
+        for value in mapping.values():
+            external |= _find_external_refs(value)
+    elif isinstance(node, list):
+        for item in cast("list[Any]", node):
+            external |= _find_external_refs(item)
+    return external

src/mcp/server/mcpserver/utilities/func_metadata.py

@@ -11,7 +11,6 @@
 import pydantic_core
 from pydantic import BaseModel, ConfigDict, Field, PydanticUserError, WithJsonSchema, create_model
 from pydantic.fields import FieldInfo
-from pydantic.json_schema import GenerateJsonSchema, JsonSchemaWarningKind
 from typing_extensions import is_typeddict
 from typing_inspection.introspection import (
     UNKNOWN,
@@ -22,24 +21,14 @@
 )
 
 from mcp.server.mcpserver.exceptions import InvalidSignature
+from mcp.server.mcpserver.utilities._schema_generator import ExternalSchemaRefError, StrictJsonSchema
 from mcp.server.mcpserver.utilities.logging import get_logger
 from mcp.server.mcpserver.utilities.types import Audio, Image
 from mcp.types import CallToolResult, ContentBlock, TextContent
 
 logger = get_logger(__name__)
 
 
-class StrictJsonSchema(GenerateJsonSchema):
-    """A JSON schema generator that raises exceptions instead of emitting warnings.
-
-    This is used to detect non-serializable types during schema generation.
-    """
-
-    def emit_warning(self, kind: JsonSchemaWarningKind, detail: str) -> None:
-        # Raise an exception instead of emitting a warning
-        raise ValueError(f"JSON schema warning: {kind} - {detail}")
-
-
 class ArgModelBase(BaseModel):
     """A model representing the arguments to a function."""
 
@@ -398,6 +387,9 @@ def _try_create_model_and_schema(
         # Use StrictJsonSchema to raise exceptions instead of warnings
         try:
             schema = model.model_json_schema(schema_generator=StrictJsonSchema)
+        except ExternalSchemaRefError:
+            # SEP-2106: an external $ref is a hard error, not an unserializable type.
+            raise
         except (
             PydanticUserError,
             TypeError,

src/mcp/shared/json_schema_ref.py

@@ -5,7 +5,6 @@
 
 from mcp import Client
 from mcp.server import Server, ServerRequestContext
-from mcp.shared.json_schema_ref import ExternalSchemaRefError
 from mcp.types import (
     CallToolRequestParams,
     CallToolResult,
@@ -164,41 +163,3 @@ async def on_call_tool(ctx: ServerRequestContext, params: CallToolRequestParams)
         assert result.is_error is False
 
         assert "Tool mystery_tool not listed" in caplog.text
-
-
-@pytest.mark.anyio
-async def test_client_does_not_dereference_network_refs():
-    """SEP-2106: the client MUST NOT auto-dereference network `$ref`s in tool schemas.
-
-    A tool advertises an input and an output schema containing a network-URI `$ref`.
-    Listing the tool leaves the input schema untouched (the network ref is never
-    resolved), and validating its result rejects the external output-schema ref
-    outright instead of fetching it.
-    """
-    canary_ref = "https://canary.invalid/profile-schema.json"
-
-    input_schema = {"type": "object", "properties": {"profile": {"$ref": canary_ref}}}
-    output_schema = {
-        "type": "object",
-        "properties": {"result": {"$ref": canary_ref}, "ok": {"type": "boolean"}},
-        "required": ["ok"],
-    }
-
-    server = _make_server(
-        tools=[
-            Tool(
-                name="lookup",
-                description="Look something up",
-                input_schema=input_schema,
-                output_schema=output_schema,
-            )
-        ],
-        structured_content={"ok": True},
-    )
-
-    async with Client(server) as client:
-        tools = await client.list_tools()
-        assert tools.tools[0].input_schema == input_schema
-
-        with pytest.raises(ExternalSchemaRefError, match="canary.invalid"):
-            await client.call_tool("lookup", {})

tests/client/test_output_schema_validation.py

@@ -0,0 +1,39 @@
+from __future__ import annotations
+
+from typing import Annotated, Any
+
+import pytest
+from pydantic import BaseModel, Field
+
+from mcp.server.mcpserver.utilities._schema_generator import ExternalSchemaRefError, StrictJsonSchema
+
+
+def test_same_document_refs_pass():
+    class Inner(BaseModel):
+        x: int
+
+    class Model(BaseModel):
+        inner: Inner
+
+    schema = Model.model_json_schema(schema_generator=StrictJsonSchema)
+    assert "$defs" in schema
+    assert schema["properties"]["inner"]["$ref"] == "#/$defs/Inner"
+
+
+def test_external_ref_in_property_rejected():
+    class Model(BaseModel):
+        profile: Annotated[dict[str, Any], Field(json_schema_extra={"$ref": "https://evil.example/s.json"})]
+
+    with pytest.raises(ExternalSchemaRefError, match="https://evil.example/s.json"):
+        Model.model_json_schema(schema_generator=StrictJsonSchema)
+
+
+def test_external_ref_nested_in_list_rejected():
+    class Model(BaseModel):
+        items: Annotated[
+            list[str],
+            Field(json_schema_extra={"prefixItems": [{"$ref": "https://evil.example/a.json"}]}),
+        ]
+
+    with pytest.raises(ExternalSchemaRefError, match="https://evil.example/a.json"):
+        Model.model_json_schema(schema_generator=StrictJsonSchema)

tests/server/mcpserver/test_schema_generator.py

@@ -10,8 +10,8 @@
 from mcp.server.mcpserver import Context, MCPServer
 from mcp.server.mcpserver.exceptions import ToolError
 from mcp.server.mcpserver.tools import Tool, ToolManager
+from mcp.server.mcpserver.utilities._schema_generator import ExternalSchemaRefError
 from mcp.server.mcpserver.utilities.func_metadata import ArgModelBase, FuncMetadata
-from mcp.shared.json_schema_ref import ExternalSchemaRefError
 from mcp.types import CallToolResult, TextContent, ToolAnnotations
 
 
@@ -916,7 +916,7 @@ def lookup(
         ...
 
     manager = ToolManager()
-    with pytest.raises(ExternalSchemaRefError, match="Input schema for tool 'lookup'"):
+    with pytest.raises(ExternalSchemaRefError, match="https://evil.example/s.json"):
         manager.add_tool(lookup)
     assert manager.get_tool("lookup") is None
 
@@ -931,7 +931,7 @@ def lookup() -> Out:  # pragma: no cover
         ...
 
     manager = ToolManager()
-    with pytest.raises(ExternalSchemaRefError, match="Output schema for tool 'lookup'"):
+    with pytest.raises(ExternalSchemaRefError, match="https://evil.example/out.json"):
         manager.add_tool(lookup)
     assert manager.get_tool("lookup") is None