Fix server conformance tests for v0.1.11

- Update test_elicitation_sep1330_enums tool to test all 5 enum variants
- Add DNS rebinding protection middleware to ConformanceServer

Co-authored-by: stephentoub <2642209+stephentoub@users.noreply.github.com>

Author: Copilot

tests/ModelContextProtocol.ConformanceServer/Program.cs

@@ -3,12 +3,22 @@
 using ConformanceServer.Tools;
 using ModelContextProtocol.Protocol;
 using System.Collections.Concurrent;
+using System.Net;
 using System.Text.Json;
 
 namespace ModelContextProtocol.ConformanceServer;
 
 public class Program
 {
+    // Valid localhost values for DNS rebinding protection
+    private static readonly HashSet<string> ValidLocalhostHosts = new(StringComparer.OrdinalIgnoreCase)
+    {
+        "localhost",
+        "127.0.0.1",
+        "[::1]",
+        "::1"
+    };
+
     public static async Task MainAsync(string[] args, ILoggerProvider? loggerProvider = null, CancellationToken cancellationToken = default)
     {
         var builder = WebApplication.CreateBuilder(args);
@@ -92,13 +102,88 @@ public static async Task MainAsync(string[] args, ILoggerProvider? loggerProvide
 
         var app = builder.Build();
 
+        // DNS rebinding protection middleware
+        // Rejects requests with non-localhost Host/Origin headers for localhost servers
+        // See: https://github.com/modelcontextprotocol/typescript-sdk/security/advisories/GHSA-w48q-cv73-mx4w
+        app.Use(async (context, next) =>
+        {
+            // Check if this is a localhost server
+            var localEndpoint = context.Connection.LocalIpAddress;
+            bool isLocalhostServer = localEndpoint == null ||
+                                     IPAddress.IsLoopback(localEndpoint) ||
+                                     localEndpoint.Equals(IPAddress.IPv6Loopback);
+
+            if (isLocalhostServer)
+            {
+                // Validate Host header
+                var host = context.Request.Host.Host;
+                if (!IsValidLocalhostHost(host))
+                {
+                    context.Response.StatusCode = StatusCodes.Status403Forbidden;
+                    await context.Response.WriteAsync("Forbidden: Invalid Host header for localhost server");
+                    return;
+                }
+
+                // Validate Origin header if present
+                if (context.Request.Headers.TryGetValue("Origin", out var originValues))
+                {
+                    var origin = originValues.FirstOrDefault();
+                    if (!string.IsNullOrEmpty(origin) && Uri.TryCreate(origin, UriKind.Absolute, out var originUri))
+                    {
+                        if (!IsValidLocalhostHost(originUri.Host))
+                        {
+                            context.Response.StatusCode = StatusCodes.Status403Forbidden;
+                            await context.Response.WriteAsync("Forbidden: Invalid Origin header for localhost server");
+                            return;
+                        }
+                    }
+                }
+            }
+
+            await next();
+        });
+
         app.MapMcp();
 
         app.MapGet("/health", () => TypedResults.Ok("Healthy"));
 
         await app.RunAsync(cancellationToken);
     }
 
+    /// <summary>
+    /// Checks if the host is a valid localhost value.
+    /// Valid values: localhost, 127.0.0.1, [::1], ::1 (with optional port)
+    /// </summary>
+    private static bool IsValidLocalhostHost(string host)
+    {
+        if (string.IsNullOrEmpty(host))
+        {
+            return false;
+        }
+
+        // Remove port if present (e.g., "localhost:3001" -> "localhost")
+        var hostWithoutPort = host;
+        if (host.StartsWith('['))
+        {
+            // IPv6 address with brackets, e.g., "[::1]:3001"
+            var bracketEnd = host.IndexOf(']');
+            if (bracketEnd > 0)
+            {
+                hostWithoutPort = host[..(bracketEnd + 1)];
+            }
+        }
+        else
+        {
+            var colonIndex = host.LastIndexOf(':');
+            if (colonIndex > 0)
+            {
+                hostWithoutPort = host[..colonIndex];
+            }
+        }
+
+        return ValidLocalhostHosts.Contains(hostWithoutPort);
+    }
+
     public static async Task Main(string[] args)
     {
         await MainAsync(args);

tests/ModelContextProtocol.ConformanceServer/Tools/ConformanceTools.cs

@@ -328,23 +328,59 @@ public static async Task<string> ElicitationSep1330Enums(
     {
         try
         {
+#pragma warning disable MCP9001 // LegacyTitledEnumSchema is deprecated but required for conformance testing
             var schema = new ElicitRequestParams.RequestSchema
             {
                 Properties =
                 {
-                    ["color"] = new ElicitRequestParams.UntitledSingleSelectEnumSchema()
+                    // 1. Untitled single-select: { type: "string", enum: ["option1", "option2", "option3"] }
+                    ["untitledSingle"] = new ElicitRequestParams.UntitledSingleSelectEnumSchema()
                     {
-                        Description = "Choose a color",
-                        Enum = ["red", "green", "blue"]
+                        Description = "Untitled single-select enum",
+                        Enum = ["option1", "option2", "option3"]
                     },
-                    ["size"] = new ElicitRequestParams.UntitledSingleSelectEnumSchema()
+                    // 2. Titled single-select: { type: "string", oneOf: [{ const: "value1", title: "First Option" }, ...] }
+                    ["titledSingle"] = new ElicitRequestParams.TitledSingleSelectEnumSchema()
                     {
-                        Description = "Choose a size",
-                        Enum = ["small", "medium", "large"],
-                        Default = "medium"
+                        Description = "Titled single-select enum",
+                        OneOf = [
+                            new ElicitRequestParams.EnumSchemaOption { Const = "value1", Title = "First Option" },
+                            new ElicitRequestParams.EnumSchemaOption { Const = "value2", Title = "Second Option" },
+                            new ElicitRequestParams.EnumSchemaOption { Const = "value3", Title = "Third Option" }
+                        ]
+                    },
+                    // 3. Legacy titled (deprecated): { type: "string", enum: ["opt1", "opt2", "opt3"], enumNames: ["Option One", "Option Two", "Option Three"] }
+                    ["legacyEnum"] = new ElicitRequestParams.LegacyTitledEnumSchema()
+                    {
+                        Description = "Legacy titled enum (deprecated)",
+                        Enum = ["opt1", "opt2", "opt3"],
+                        EnumNames = ["Option One", "Option Two", "Option Three"]
+                    },
+                    // 4. Untitled multi-select: { type: "array", items: { type: "string", enum: ["option1", "option2", "option3"] } }
+                    ["untitledMulti"] = new ElicitRequestParams.UntitledMultiSelectEnumSchema()
+                    {
+                        Description = "Untitled multi-select enum",
+                        Items = new ElicitRequestParams.UntitledEnumItemsSchema
+                        {
+                            Enum = ["option1", "option2", "option3"]
+                        }
+                    },
+                    // 5. Titled multi-select: { type: "array", items: { anyOf: [{ const: "value1", title: "First Choice" }, ...] } }
+                    ["titledMulti"] = new ElicitRequestParams.TitledMultiSelectEnumSchema()
+                    {
+                        Description = "Titled multi-select enum",
+                        Items = new ElicitRequestParams.TitledEnumItemsSchema
+                        {
+                            AnyOf = [
+                                new ElicitRequestParams.EnumSchemaOption { Const = "value1", Title = "First Choice" },
+                                new ElicitRequestParams.EnumSchemaOption { Const = "value2", Title = "Second Choice" },
+                                new ElicitRequestParams.EnumSchemaOption { Const = "value3", Title = "Third Choice" }
+                            ]
+                        }
                     }
                 }
             };
+#pragma warning restore MCP9001
 
             var result = await server.ElicitAsync(new ElicitRequestParams
             {
@@ -354,8 +390,7 @@ public static async Task<string> ElicitationSep1330Enums(
 
             if (result.Action == "accept" && result.Content != null)
             {
-                return $"Accepted with values: color={result.Content["color"].GetString()}, " +
-                       $"size={result.Content["size"].GetString()}";
+                return $"Elicitation completed: action={result.Action}, content={result.Content}";
             }
             else
             {