# Security Policy
## Supported Versions
| Version | Supported |
| ------- | ------------------ |
| 1.x.x | :white_check_mark: |
## Security Features
This project includes several built-in security features:
- **Prepared Statements**: All queries use parameterized statements to prevent SQL injection
- **Operation Blocking**: Destructive operations (DROP, TRUNCATE, ALTER) are always blocked
- **Permission System**: Configurable permissions for INSERT, UPDATE, DELETE operations
- **Input Validation**: Table names and other inputs are validated before use
- **Read-Only Default**: Server starts in read-only mode by default
## Reporting a Vulnerability
We take security seriously. If you discover a security vulnerability, please follow these steps:
### 1. Do NOT Open a Public Issue
Please do not open a public GitHub issue for security vulnerabilities, as this could put users at risk.
### 2. Report Privately
Email the maintainers directly at:
- **Email**: [security@yourdomain.com] (replace with actual email)
- **Subject**: `[SECURITY] MCP MySQL Server - Brief Description`
### 3. Include Details
Please include:
- **Description**: Clear description of the vulnerability
- **Impact**: What could an attacker do?
- **Reproduction Steps**: Step-by-step guide to reproduce
- **Affected Versions**: Which versions are affected?
- **Suggested Fix**: If you have ideas on how to fix it
- **Your Details**: Name and contact info (optional, for credit)
### Example Report
```
Subject: [SECURITY] SQL Injection in table name validation
Description:
The table name validation regex in mysql_describe_table can be bypassed...
Impact:
An attacker could potentially execute arbitrary SQL...
Steps to Reproduce:
1. Call mysql_describe_table with payload: "users; DROP TABLE..."
2. Observe that...
Affected Versions: 1.0.0
Suggested Fix:
Use a whitelist approach instead of regex...
```
## Response Timeline
- **Acknowledgment**: Within 48 hours
- **Initial Assessment**: Within 1 week
- **Fix Development**: Depends on severity
- **Patch Release**: As soon as possible after fix is ready
- **Public Disclosure**: After patch is released and users have had time to update
## Security Best Practices for Users
### 1. Use Read-Only Mode by Default
```env
ALLOW_INSERT_OPERATION=false
ALLOW_UPDATE_OPERATION=false
ALLOW_DELETE_OPERATION=false
```
### 2. Never Commit Credentials
- Keep `.env` files out of version control
- Use environment variables for sensitive data
- Rotate credentials regularly
### 3. Use Least Privilege
Create a MySQL user with minimal required permissions:
```sql
-- Create read-only user
CREATE USER 'mcp_readonly'@'localhost' IDENTIFIED BY 'strong_password';
GRANT SELECT ON your_database.* TO 'mcp_readonly'@'localhost';
-- Create limited write user (if needed)
CREATE USER 'mcp_writer'@'localhost' IDENTIFIED BY 'strong_password';
GRANT SELECT, INSERT, UPDATE ON your_database.* TO 'mcp_writer'@'localhost';
```
### 4. Network Security
- Use `localhost` when possible
- Use SSL/TLS for remote connections
- Firewall MySQL port (3306) from public access
- Use VPN for remote database access
### 5. Monitor and Audit
- Review MCP server logs regularly
- Enable MySQL query logging
- Monitor for unusual query patterns
- Set up alerts for failed authentication
### 6. Keep Updated
- Watch for security updates
- Subscribe to security advisories
- Update dependencies regularly
- Test updates in development first
## Common Security Mistakes
### ❌ Don't Do This
```javascript
// NEVER concatenate user input into queries
const query = `SELECT * FROM ${userInput}`;
// NEVER commit .env files (shell command, shown here as a comment):
//   git add .env   <- DON'T!
// NEVER expose passwords in logs
console.log(`Password: ${process.env.MYSQL_PASS}`);
```
### ✅ Do This Instead
```javascript
// ALWAYS use prepared statements
const query = "SELECT * FROM users WHERE id = ?";
const params = [userId];
// ALWAYS list .env in .gitignore (file contents, not JavaScript):
//   .env
// Log only non-sensitive data
console.log(`Connected to database: ${process.env.MYSQL_DB}`);
```
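The "Security Features" list and the table-name concatenation mistake above both depend on checks that a `?` placeholder cannot provide. The sketch below is an added illustration, not this project's code: it shows one way to gate statements on the `ALLOW_*_OPERATION` flags and to validate a table name. The function names `leadingKeyword`, `checkStatement` and `safeTableName`, and the read-only verb list, are assumptions.

```javascript
// Added illustration, not the project's code; all function names are hypothetical.
const ALWAYS_BLOCKED = new Set(["DROP", "TRUNCATE", "ALTER"]);
const READ_ONLY = new Set(["SELECT", "SHOW", "DESCRIBE", "EXPLAIN"]); // assumed list
const WRITE_FLAGS = {
  INSERT: "ALLOW_INSERT_OPERATION",
  UPDATE: "ALLOW_UPDATE_OPERATION",
  DELETE: "ALLOW_DELETE_OPERATION",
};

// Skip leading whitespace and comments so "/* x */ DROP ..." is judged by its verb.
function leadingKeyword(sql) {
  const body = sql.replace(/^(?:\s|\/\*[\s\S]*?\*\/|--[^\n]*|#[^\n]*)+/, "");
  const match = /^[A-Za-z]+/.exec(body);
  return match ? match[0].toUpperCase() : "";
}

function checkStatement(sql, env = process.env) {
  // Conservative: one statement per call. This also rejects a ';' inside a
  // string literal, which a parameterized query has no reason to contain.
  if (sql.trim().replace(/;$/, "").includes(";")) {
    return { allowed: false, reason: "multiple statements" };
  }
  const verb = leadingKeyword(sql);
  if (ALWAYS_BLOCKED.has(verb)) {
    return { allowed: false, reason: `${verb} is always blocked` };
  }
  if (READ_ONLY.has(verb)) return { allowed: true, reason: "read-only" };
  const flag = WRITE_FLAGS[verb];
  // Only the exact string "true" enables a write; an unset flag means read-only.
  if (flag && env[flag] === "true") return { allowed: true, reason: flag };
  return { allowed: false, reason: flag ? `${flag} is not enabled` : "unknown verb" };
}

// Identifiers cannot be bound as "?" parameters, so a table name is checked
// against the tables that actually exist before it is placed in the SQL text.
function safeTableName(name, knownTables) {
  if (typeof name !== "string" || !/^[A-Za-z0-9_]{1,64}$/.test(name)) {
    throw new Error("invalid table name");
  }
  if (!knownTables.includes(name)) throw new Error("unknown table");
  return "`" + name + "`";
}

// Constructed sample calls.
console.log(checkStatement("SELECT * FROM users WHERE id = ?", {}));
console.log(checkStatement("/* note */ drop table users", { ALLOW_DELETE_OPERATION: "true" }));
console.log(safeTableName("users", ["users", "orders"]));
```

Verbs outside the three sets are denied by default, so the gate fails closed. The MySQL grants in "Use Least Privilege" remain the enforcing control if this application-level check is bypassed.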
## Security Checklist
When using MCP MySQL Server:
- [ ] `.env` file is not committed to version control
- [ ] Using prepared statements for all user input
- [ ] MySQL user has minimal required permissions
- [ ] Server starts in read-only mode
- [ ] Network access is restricted
- [ ] Credentials are strong and rotated regularly
- [ ] Server logs are monitored
- [ ] Project is kept up to date
## Known Security Considerations
### Connection Pooling
The server uses connection pooling. Ensure proper cleanup:
- Connections are closed after use
- Pool limits are configured appropriately
- No connection leaks
### Environment Variables
Sensitive data in environment variables:
- Not logged to stdout/stderr
- Not included in error messages
- Not exposed through tools/responses
### MCP Protocol
The MCP protocol runs over stdio:
- No network exposure by default
- Client authentication is the MCP client's responsibility
- Use trusted MCP clients only
## Credits
We appreciate security researchers who help keep this project safe. Contributors will be credited (with their permission) in:
- Security advisories
- Release notes
- This file
## Questions?
For non-security questions about the project:
- Open a GitHub issue
- Check the documentation
- See [CONTRIBUTING.md](../CONTRIBUTING.md)
For security questions:
- Email the security team
- Wait for a private response
- Do not discuss publicly until patched
---
**Thank you for helping keep MCP MySQL Server secure!**