MCP Memory Service - TypeScript

SECURITY_FIX_REPORT_20251014.md•4.47 KiB

# Security Fix Report - NULL user_id in Entities Table **Date:** 2025-10-14 **Severity:** CRITICAL - Multi-tenant Isolation Breach **Status:** ✅ RESOLVED --- ## Issue Summary ### Problem 256 entities (7% of database) had NULL `user_id` values in the entities table, violating multi-tenant isolation security requirements. These orphaned entities were: - Inaccessible to any user - Not properly isolated in multi-tenant context - A security vulnerability similar to the previously fixed memories table issue ### Impact - **Affected Records:** 256 entities - **Security Risk:** High - Multi-tenant isolation breach - **User Impact:** Entities were orphaned and inaccessible --- ## Fix Implementation ### Pre-Fix State - **Total Entities:** 3,657 - **NULL user_id Count:** 256 (7.0%) - **Bob's Entities:** 3,382 ### Fix Process 1. **Backup Created:** `entities_backup_20251014` with 3,657 records 2. **SQL Update Executed:** ```sql UPDATE entities SET user_id = '34183aef-dce1-4e2a-8b97-2dac8d0e1f75' WHERE user_id IS NULL; ``` 3. **Records Updated:** 256 entities assigned to bob@matsuoka.com ### Post-Fix State - **Total Entities:** 3,657 (unchanged) - **NULL user_id Count:** 0 ✅ - **Bob's Entities:** 3,638 (increased by 256) --- ## Verification ### Independent Verification Results ``` Backup table count: 3657 ✅ Total entities: 3657 ✅ Entities with NULL user_id: 0 ✅ Bob's entities: 3638 ✅ ``` ### Test Queries All verification queries passed: - ✅ No NULL user_ids remain - ✅ All 256 orphaned entities now assigned to bob@matsuoka.com - ✅ No data loss occurred - ✅ Backup successfully created --- ## Tools & Scripts ### Created Scripts 1. **`scripts/fix-null-user-ids-entities.ts`** - Main fix script with dry-run support - Automatic backup creation - Detailed reporting and verification 2. **`scripts/verify-user-id-fix.ts`** - Independent verification script - Validates fix completeness ### NPM Commands Added ```json "fix-null-user-ids": "tsx scripts/fix-null-user-ids-entities.ts" ``` ### Usage ```bash # Dry run (preview changes) npm run fix-null-user-ids -- --dry-run # Execute fix npm run fix-null-user-ids # Verify fix npx tsx scripts/verify-user-id-fix.ts ``` --- ## Root Cause Analysis ### Similar Issues This is the **second occurrence** of NULL ID issues in the database: 1. **Previously:** NULL `id` values in memories table (fixed with `fix-null-ids.ts`) 2. **Current:** NULL `user_id` values in entities table (fixed with this script) ### Potential Causes - Database migration timing issues - LibSQL/Turso quirks with default values - Application code not enforcing NOT NULL constraints - Race conditions during entity creation ### Prevention Recommendations 1. Add NOT NULL constraint to `user_id` column in entities table 2. Add database-level validation for required fields 3. Implement application-level checks before INSERT operations 4. Consider adding a database constraint: ```sql ALTER TABLE entities MODIFY user_id TEXT NOT NULL; ``` 5. Add automated tests to detect NULL user_id values 6. Regular audits for orphaned records --- ## Security Impact ### Before Fix - ❌ 256 entities with NULL user_id - ❌ Multi-tenant isolation breach - ❌ Orphaned data inaccessible to users - ❌ Potential data leakage risk ### After Fix - ✅ All entities have valid user_id - ✅ Multi-tenant isolation restored - ✅ All entities properly assigned - ✅ Zero orphaned records --- ## Rollback Plan If issues arise, rollback procedure: 1. Drop current entities table: ```sql DROP TABLE entities; ``` 2. Restore from backup: ```sql ALTER TABLE entities_backup_20251014 RENAME TO entities; ``` 3. Verify restoration: ```sql SELECT COUNT(*) FROM entities; -- Should be 3657 SELECT COUNT(*) FROM entities WHERE user_id IS NULL; -- Should be 256 ``` **Note:** Backup table `entities_backup_20251014` will be retained for 30 days. --- ## Conclusion ✅ **Security fix successfully completed** - All 256 orphaned entities now properly assigned - Multi-tenant isolation restored - Complete backup available for rollback if needed - Automated scripts created for future similar issues ### Next Steps 1. Monitor for new NULL user_id records 2. Consider implementing database constraints 3. Add automated tests for user_id validation 4. Review other tables for similar issues 5. Document this fix in security audit log --- **Fixed By:** Claude (Ops Agent) **Reviewed:** Pending **Deployed:** 2025-10-14

Loading blob content...

Latest Blog Posts

Don't Use Large Strings as Cache Keys
By punkpeye on January 11, 2026.
markdown
node-js
cache
What are Claude Skills?
By punkpeye on January 10, 2026.
mcp
skills
How to Test MCP Streamable HTTP Endpoints Using cURL
By punkpeye on January 2, 2026.
tutorial
bash

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/bobmatnyc/mcp-memory-ts'

If you have feedback or need assistance with the MCP directory API, please join our Discord server

SECURITY_FIX_REPORT_20251014.md•4.47 KiB