core/php-mcp
8
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1
php-mcp/changelog/2026/jan/security.md
Snider afb3dacd98 monorepo sepration
2026-01-26 20:57:41 +00:00

1.5 KiB
Raw Blame History

Core-MCP - January 2026 - Security Fixes

Critical

Database Connection Validation

Fixed fallback behavior that could bypass read-only connection configuration.

Issue: QueryDatabase tool would silently fall back to default database connection if configured MCP connection was invalid.

Fix: Now throws RuntimeException with clear error message when configured connection doesn't exist.

Files:

  • Tools/QueryDatabase.php - Added connection validation

Impact: Prevents accidental queries against production read-write connections.

High Priority

SQL Query Validator Strengthening

Restricted WHERE clause patterns to prevent SQL injection vectors.

Issue: Whitelist regex patterns used .+ which was too permissive for WHERE clause validation.

Fix: Replaced with strict character class restrictions:

  • Only allows: alphanumeric, spaces, backticks, operators, quotes, parentheses
  • Explicitly supports AND/OR logical operators
  • Blocks function calls and subqueries
  • Prevents nested SELECT statements

Files:

  • Services/SqlQueryValidator.php - Updated DEFAULT_WHITELIST patterns

Before:

'/^\s*SELECT\s+.*\s+FROM\s+`?\w+`?(\s+WHERE\s+.+)?/i'

After:

'/^\s*SELECT\s+.*\s+FROM\s+`?\w+`?(\s+WHERE\s+[\w\s`.,!=<>\'"%()]+(\s+(AND|OR)\s+[\w\s`.,!=<>\'"%()]+)*)?/i'

Defense in depth:

  • Read-only database user (infrastructure)
  • Blocked keywords (application)
  • Pattern validation (application)
  • Whitelist matching (application)
  • Table access controls (application)