feat: reject duplicate variable names in URI templates

RFC 6570 requires repeated variables to expand to the same value.
Enforcing this at match time would require backreferences with
potentially exponential cost. We reject at parse time instead,
following the recommendation in #697.

Previously a template like {x}/{x} would parse and silently return
only the last captured value on match.

Author: maxisbey

src/mcp/shared/uri_template.py

@@ -500,6 +500,7 @@ def _parse(template: str, *, max_expressions: int) -> tuple[tuple[_Part, ...], t
         i = end + 1
 
     _check_adjacent_explodes(template, parts)
+    _check_duplicate_variables(template, variables)
     return tuple(parts), tuple(variables)
 
 
@@ -570,6 +571,27 @@ def _parse_expression(template: str, body: str, pos: int) -> _Expression:
     return _Expression(operator=operator, variables=tuple(variables))
 
 
+def _check_duplicate_variables(template: str, variables: list[Variable]) -> None:
+    """Reject templates that use the same variable name more than once.
+
+    RFC 6570 requires repeated variables to expand to the same value,
+    which would require backreference matching with potentially
+    exponential cost. Rather than silently returning only the last
+    captured value, we reject at parse time.
+
+    Raises:
+        InvalidUriTemplate: If any variable name appears more than once.
+    """
+    seen: set[str] = set()
+    for var in variables:
+        if var.name in seen:
+            raise InvalidUriTemplate(
+                f"Variable {var.name!r} appears more than once; repeated variables are not supported",
+                template=template,
+            )
+        seen.add(var.name)
+
+
 def _check_adjacent_explodes(template: str, parts: list[_Part]) -> None:
     """Reject templates with adjacent same-operator explode variables.
 

tests/shared/test_uri_template.py

@@ -121,6 +121,15 @@ def test_parse_rejects_adjacent_explodes_same_operator():
         UriTemplate.parse("{/a*}{/b*}")
 
 
+@pytest.mark.parametrize(
+    "template",
+    ["{x}/{x}", "{x,x}", "{a}{b}{a}", "{+x}/foo/{x}"],
+)
+def test_parse_rejects_duplicate_variable_names(template: str):
+    with pytest.raises(InvalidUriTemplate, match="appears more than once"):
+        UriTemplate.parse(template)
+
+
 def test_invalid_uri_template_is_value_error():
     with pytest.raises(ValueError):
         UriTemplate.parse("{}")
@@ -195,7 +204,8 @@ def test_parse_rejects_too_many_expressions():
 
 
 def test_parse_custom_limits_allow_larger():
-    tmpl = UriTemplate.parse("{a}" * 20, max_expressions=20)
+    template = "".join(f"{{v{i}}}" for i in range(20))
+    tmpl = UriTemplate.parse(template, max_expressions=20)
     assert len(tmpl.variables) == 20