Conversation

@neverinfamous (Owner)
Summary

Upgrades postgres-mcp's logger sanitization to match db-mcp's comprehensive security implementation.

Security Enhancements

New Features

  1. `sanitizeStack()` function — Replaces newlines with safe arrow delimiters (`→`) in stack traces to prevent log injection
  2. `writeToStderr()` taint-breaking method — Creates new strings character-by-character to break CodeQL taint tracking paths
  3. Expanded sensitive keys — Added 8 additional OAuth 2.1 fields:
    • `authorizationserverurl`, `authorization_server_url`
    • `bearerformat`, `bearer_format`
    • `oauthconfig`, `oauth_config`, `oauth`
    • `scopes_supported`, `scopessupported`
  4. Stricter control character removal — Now removes all ASCII control characters (0x00-0x1F + 0x7F) including tabs and newlines

Comparison with db-mcp

| Feature | Before | After |
|---|---|---|
| Message Sanitization | ✅ Partial | ✅ Full |
| Context Sanitization | ✅ Yes | ✅ Yes |
| Stack Trace Sanitization | ❌ No | ✅ Yes |
| Taint-Breaking Output | ❌ No | ✅ Yes |
| OAuth Fields Redaction | 20 keys | 28 keys |

Testing

  • npm run typecheck - passed
  • npm run lint - passed
  • npm run test -- src/utils/tests/logger.test.ts - 38 tests passing

Additional Changes

  • Applied Prettier formatting to workflow files and other touched files

…t-breaking output

- Add sanitizeStack() function to replace newlines with safe arrow delimiters
- Add writeToStderr() taint-breaking method for CodeQL compliance
- Expand sensitive keys with 8 additional OAuth 2.1 fields
- Stricter control character removal (0x00-0x1F + 0x7F)
- Add comprehensive tests for stack trace and OAuth field handling
- Apply prettier formatting to workflow files
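The four changes listed in the PR description and the commit message above (control-character stripping, single-line stack traces joined with `→`, redaction of OAuth-related context keys, and a character-by-character copy before writing to stderr) can be seen together in the small logger sanitizer below. This is an added example written for this page, not code from postgres-mcp or db-mcp; every function name, the sample key list and the sample inputs are constructed here and are assumptions, not the project's own identifiers.

```typescript
// Added example (not postgres-mcp's or db-mcp's code): a minimal logger
// sanitizer showing the techniques described in the PR. All names are
// illustrative assumptions.

// Every ASCII control character, 0x00-0x1F plus DEL (0x7F). Tabs and
// newlines are included, so a forged "second log line" cannot survive.
const CONTROL_CHARS = /[\x00-\x1F\x7F]/g;

// Constructed key list for the example; the project's real 28-key set is
// not reproduced here. Keys are compared lower-cased.
const SENSITIVE_KEYS = new Set([
  "password", "token", "secret", "apikey", "api_key",
  "authorizationserverurl", "authorization_server_url",
  "bearerformat", "bearer_format",
  "oauthconfig", "oauth_config", "oauth",
  "scopes_supported", "scopessupported",
]);

/** Strip all ASCII control characters from a log message fragment. */
export function sanitizeMessage(input: string): string {
  return input.replace(CONTROL_CHARS, "");
}

/** Collapse a multi-line stack trace onto one line, joining frames with " → ". */
export function sanitizeStack(stack: string | undefined): string {
  if (!stack) return "";
  return stack
    .split(/\r?\n/)
    .map((line) => sanitizeMessage(line).trim())
    .filter((line) => line.length > 0)
    .join(" → ");
}

/** Redact values under sensitive keys and strip control chars from strings, recursively. */
export function sanitizeContext(value: unknown, depth = 0): unknown {
  if (depth > 8) return "[depth-limit]"; // guard against cyclic or absurdly deep objects
  if (Array.isArray(value)) return value.map((v) => sanitizeContext(v, depth + 1));
  if (value !== null && typeof value === "object") {
    const out: Record<string, unknown> = {};
    for (const [rawKey, v] of Object.entries(value as Record<string, unknown>)) {
      const key = sanitizeMessage(rawKey);
      out[key] = SENSITIVE_KEYS.has(key.toLowerCase())
        ? "[REDACTED]"
        : sanitizeContext(v, depth + 1);
    }
    return out;
  }
  if (typeof value === "string") return sanitizeMessage(value);
  return value;
}

/** Rebuild the string code point by code point so static taint tracking sees a fresh value. */
export function breakTaint(s: string): string {
  let out = "";
  for (const ch of s) {
    out += String.fromCodePoint(ch.codePointAt(0)!);
  }
  return out;
}

/** Assemble one sanitized, single-line log record. */
export function formatLogLine(
  level: string,
  message: string,
  context?: unknown,
  err?: Error,
): string {
  const parts = [`[${sanitizeMessage(level)}]`, sanitizeMessage(message)];
  if (context !== undefined) parts.push(JSON.stringify(sanitizeContext(context)));
  if (err?.stack) parts.push(`stack=${sanitizeStack(err.stack)}`);
  return breakTaint(parts.join(" "));
}

/** Write the already-sanitized record to stderr via a fresh, untainted copy. */
export function writeToStderr(line: string): void {
  console.error(breakTaint(line));
}

// Constructed sample: a message carrying a log-injection attempt plus a
// context object with two sensitive keys.
writeToStderr(
  formatLogLine("warn", "login failed for bob\n[info] login ok for admin", {
    user: "bob",
    token: "abc",
    oauth_config: { clientId: "x" },
  }),
);
```

The arrow join in `sanitizeStack` keeps a stack readable on one line while guaranteeing that a single log record never spans more than one line, which is what makes line-oriented log parsers and alerting rules trustworthy again. Note that `breakTaint` changes nothing semantically; its only job is to give CodeQL's taint tracking a value it cannot trace back to the original input, so it must only ever be applied after the real sanitization has run.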
@neverinfamous (Owner, Author)

Closing to batch with other changes before release. Will reopen combined PR.
