google-workspace-unlimited

Overview Schema Related Servers Score Discussions

CRITICAL_SECURITY_UPDATE.md•11 kB

# 🚨 CRITICAL SECURITY UPDATE - Multi-Tenant Session Isolation **Date**: 2024-01-12 **Severity**: CRITICAL **Impact**: All multi-user cloud deployments **Status**: PATCH AVAILABLE ## Executive Summary A critical security vulnerability was discovered in the session management system where new MCP client connections could automatically inherit credentials from previous sessions without authentication. This allowed unauthorized access to Google Workspace credentials in multi-tenant deployments. **This security update implements complete session isolation and mandatory authentication for credential access.** ## Vulnerability Details ### CVE-2024-XXXX: Automatic Session Credential Inheritance **CVSS Score**: 9.8 (Critical) **Attack Vector**: When a new MCP client connects to the server, the middleware automatically reuses the most recent active session, granting immediate access to all stored OAuth credentials without requiring authentication. **Impact**: - Unauthorized access to Google Drive, Gmail, Calendar, and other Google services - Potential data breach for all authenticated users - Complete compromise of multi-tenant security boundaries ### Vulnerable Code Location File: `auth/middleware.py`, lines 129-134 ```python # VULNERABLE CODE - DO NOT USE if not session_id: active_sessions = list_sessions() if active_sessions: # Use the most recently used session session_id = active_sessions[-1] # CRITICAL VULNERABILITY logger.info(f"♻️ Reusing most recent active session: {session_id}") ``` ## Security Patch Implementation ### 1. Core Security Components #### Session Security Manager (`auth/security_patch.py`) - **Session Isolation**: Each connection gets a unique session with no automatic reuse - **Authentication Tokens**: HMAC-signed tokens required for session validation - **Connection Fingerprinting**: Tracks connection characteristics to detect hijacking - **Access Control Lists**: Per-session credential authorization - **Audit Logging**: Complete audit trail of all credential access attempts #### Secure Middleware (`auth/secure_middleware.py`) - Replaces vulnerable `AuthMiddleware` with `SecureAuthMiddleware` - Enforces authentication before credential access - Validates session tokens on every request - Implements rate limiting and anomaly detection ### 2. Key Security Features #### No Automatic Session Reuse ```python # NEW SECURE CODE if not session_id: # Create new unauthenticated session session_id = self._create_new_session() set_session_context(session_id) logger.info(f"🆕 New unauthenticated session created: {session_id[:8]}...") ``` #### Session-Bound Credentials - Credentials are bound to specific authenticated sessions - Session must be explicitly authorized for each user email - Connection fingerprint validation prevents session hijacking #### Authentication Token Flow ``` 1. Client connects → New session created (unauthenticated) 2. User authenticates via OAuth → Session authorized, token generated 3. Client includes token in requests → Token validated on each request 4. Credentials accessed → Session authorization verified 5. Session expires → Re-authentication required ``` ## Deployment Guide ### Step 1: Emergency Patch (Immediate) Apply the emergency patch to disable session reuse immediately: ```python # In your server startup code from auth.secure_server_integration import emergency_disable_session_reuse # Apply emergency patch emergency_disable_session_reuse() ``` This will: - Disable all session reuse - Revoke all existing sessions - Force all users to re-authenticate ### Step 2: Full Security Update #### 2.1 Update Server Initialization Replace your current server initialization: ```python # OLD CODE - VULNERABLE from auth.middleware import AuthMiddleware auth_middleware = AuthMiddleware() mcp_server.add_middleware(auth_middleware) ``` With secure initialization: ```python # NEW CODE - SECURE from auth.secure_server_integration import initialize_secure_server # Initialize with security patches security_config = initialize_secure_server(mcp_server) # Verify initialization if security_config["status"] == "success": logger.info("✅ Security patches applied successfully") else: logger.error("❌ Failed to apply security patches") # DO NOT START SERVER WITHOUT SECURITY PATCHES sys.exit(1) ``` #### 2.2 Environment Configuration Add these security settings to your `.env` file: ```bash # Security Configuration SESSION_SECRET=<generate-64-character-random-string> ENCRYPTION_KEY=<generate-base64-encoded-32-byte-key> CREDENTIAL_STORAGE_MODE=FILE_ENCRYPTED # or MEMORY_WITH_BACKUP for cloud # Session Configuration SESSION_TIMEOUT_MINUTES=30 FORCE_REAUTHENTICATION_HOURS=4 MAX_SESSIONS_PER_USER=5 # Audit Configuration ENABLE_AUDIT_LOGGING=true AUDIT_LOG_PATH=./logs/security_audit.jsonl ``` #### 2.3 Generate Secure Keys ```bash # Generate SESSION_SECRET python -c "import secrets; print(secrets.token_hex(32))" # Generate ENCRYPTION_KEY python -c "import secrets, base64; print(base64.urlsafe_b64encode(secrets.token_bytes(32)).decode())" ``` ### Step 3: Client Integration #### 3.1 Session Token Handling Clients must store and send session tokens with requests: ```python # After authentication response = await authenticate_user(email, oauth_code) session_token = response["session_token"] # Include token in subsequent requests headers = { "X-Session-Token": session_token } ``` #### 3.2 Handle Re-authentication ```python try: result = await call_tool(tool_name, params, headers=headers) except PermissionError as e: if "authentication required" in str(e).lower(): # Re-authenticate session_token = await reauthenticate() # Retry request result = await call_tool(tool_name, params, headers={"X-Session-Token": session_token}) ``` ### Step 4: Monitoring and Audit #### 4.1 Enable Audit Logging Audit logs are automatically written to `logs/security_audit.jsonl`: ```json { "event": "unauthorized_credential_access", "session_id": "abc123...", "requested_email": "user@example.com", "timestamp": "2024-01-12T10:30:00Z" } ``` #### 4.2 Monitor Security Events Key events to monitor: - `unauthorized_credential_access`: Attempted access without authorization - `session_token_mismatch`: Invalid session token usage - `connection_fingerprint_mismatch`: Possible session hijacking - `rate_limit_exceeded`: Potential brute force attack #### 4.3 Set Up Alerts ```python # Example alert configuration SECURITY_ALERTS = { "unauthorized_credential_access": "CRITICAL", "rate_limit_exceeded": "WARNING", "connection_fingerprint_mismatch": "CRITICAL" } ``` ## Migration Checklist - [ ] Backup current credentials and sessions - [ ] Apply emergency patch to disable session reuse - [ ] Generate SESSION_SECRET and ENCRYPTION_KEY - [ ] Update server initialization code - [ ] Configure environment variables - [ ] Deploy updated server - [ ] Update client code to handle session tokens - [ ] Test authentication flow - [ ] Monitor audit logs - [ ] Notify users of required re-authentication ## Testing the Security Update ### Test 1: Session Isolation ```python # Connect with Client A client_a = connect_to_server() session_a = client_a.get_session() # Connect with Client B client_b = connect_to_server() session_b = client_b.get_session() # Verify different sessions assert session_a != session_b ``` ### Test 2: Credential Access Control ```python # Client A authenticates client_a.authenticate("user_a@example.com") # Client B tries to access Client A's credentials try: client_b.access_credentials("user_a@example.com") assert False, "Should have raised PermissionError" except PermissionError: pass # Expected behavior ``` ### Test 3: Session Expiry ```python # Authenticate and get token token = authenticate_user("user@example.com") # Wait for session to expire time.sleep(SESSION_TIMEOUT_MINUTES * 60 + 60) # Try to use expired token try: use_tool_with_token(token) assert False, "Should have raised authentication error" except PermissionError: pass # Expected - session expired ``` ## Rollback Plan If issues occur after deployment: 1. **Immediate Rollback**: ```python # Temporarily allow session reuse (EMERGENCY ONLY) security_manager.allow_session_reuse = True ``` 2. **Restore Previous Middleware**: ```python # Revert to old middleware (NOT RECOMMENDED) from auth.middleware import AuthMiddleware # ... use old middleware ``` 3. **Preserve Audit Logs**: Always preserve audit logs before rollback for investigation ## Security Best Practices ### For Deployment 1. **Never expose SESSION_SECRET**: Store in secure environment variables 2. **Use HTTPS only**: Ensure all connections use TLS 3. **Rotate secrets regularly**: Change SESSION_SECRET monthly 4. **Monitor audit logs**: Set up real-time alerting for security events 5. **Limit session lifetime**: Keep sessions short (30 minutes recommended) ### For Development 1. **Test with multiple clients**: Always test multi-user scenarios 2. **Verify session isolation**: Ensure no credential leakage between sessions 3. **Check audit logs**: Verify all access attempts are logged 4. **Test rate limiting**: Ensure brute force protection works ## Support and Reporting ### Security Issues Report security vulnerabilities to: security@yourcompany.com **Do not disclose security issues publicly until patched.** ### Technical Support - Documentation: `/documentation/security/` - Audit Log Analysis: `scripts/analyze_audit_logs.py` - Migration Support: `scripts/migrate_to_secure_sessions.py` ## Appendix: Configuration Reference ### Environment Variables | Variable | Required | Default | Description | |----------|----------|---------|-------------| | `SESSION_SECRET` | Yes | - | 64-character hex string for signing tokens | | `ENCRYPTION_KEY` | Yes | - | Base64-encoded 32-byte key for credential encryption | | `CREDENTIAL_STORAGE_MODE` | No | `FILE_ENCRYPTED` | Storage mode: `FILE_ENCRYPTED`, `MEMORY_ONLY`, `MEMORY_WITH_BACKUP` | | `SESSION_TIMEOUT_MINUTES` | No | 30 | Session expiry time | | `FORCE_REAUTHENTICATION_HOURS` | No | 4 | Maximum session lifetime | | `MAX_SESSIONS_PER_USER` | No | 5 | Concurrent session limit per user | | `ENABLE_AUDIT_LOGGING` | No | true | Enable security audit logging | ### API Changes | Endpoint | Change | Description | |----------|--------|-------------| | All tools | Requires `X-Session-Token` header | Session token required for authentication | | `/oauth2callback` | Returns session token | Token included in authentication response | | `session://validate` | New resource | Validate current session status | | `revoke_current_session()` | New tool | Revoke active session | --- **Document Version**: 1.0.0 **Last Updated**: 2024-01-12 **Classification**: CRITICAL SECURITY UPDATE - IMMEDIATE ACTION REQUIRED

Loading blob content...

Latest Blog Posts

Don't Use Large Strings as Cache Keys
By punkpeye on January 11, 2026.
markdown
node-js
cache
What are Claude Skills?
By punkpeye on January 10, 2026.
mcp
skills
How to Test MCP Streamable HTTP Endpoints Using cURL
By punkpeye on January 2, 2026.
tutorial
bash

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/dipseth/google-workspace-unlimited'

If you have feedback or need assistance with the MCP directory API, please join our Discord server

CRITICAL_SECURITY_UPDATE.md•11 kB