MSSQL MCP Server

SECURITY_FIX_SUMMARY.md•5.3 KiB

# Security Fix Summary - 2026-01-02 ## ✅ Completed Actions The following security fixes have been automatically applied: ### 1. Removed Exposed Tokens ✅ - **Deleted** `.env` file containing PyPI API tokens - **Verified** `.env` was never committed to git history (clean) - **Confirmed** `.env` is properly listed in `.gitignore` ### 2. Created Secure Template ✅ - **Created** `.env.example` with placeholder values - Added security warnings to template - Documented proper token storage practices ### 3. Security Documentation ✅ - **Created** `SECURITY_INCIDENT_2026-01-02.md` with full incident details - **Updated** `CLAUDE.md` with security warnings - **Generated** `PROJECT_AUDIT_REPORT.md` documenting all findings ### 4. Verification ✅ ```bash ✅ .env file removed from filesystem ✅ .env never existed in git history ✅ .env properly listed in .gitignore ✅ .env.example created with placeholders ``` --- ## ✅ INCIDENT RESOLVED - NO TOKENS TO REVOKE **Update 2026-01-02**: User confirmed no PyPI API tokens were ever created for this project. No revocation needed. Incident closed. --- ## ~~IMMEDIATE ACTIONS REQUIRED~~ (NOT APPLICABLE) ### Step 1: Revoke Old Tokens #### Production PyPI 1. Go to: https://pypi.org/manage/account/token/ 2. Find token for `pyodbc-mcp-server` 3. Click "Remove" or "Revoke" #### Test PyPI 1. Go to: https://test.pypi.org/manage/account/token/ 2. Find token for `pyodbc-mcp-server` 3. Click "Remove" or "Revoke" ### Step 2: Generate New Tokens #### Production PyPI ``` URL: https://pypi.org/manage/account/token/ Name: pyodbc-mcp-server-github-actions Scope: pyodbc-mcp-server (project-specific) ``` #### Test PyPI ``` URL: https://test.pypi.org/manage/account/token/ Name: pyodbc-mcp-server-github-actions-test Scope: pyodbc-mcp-server (project-specific) ``` ### Step 3: Add to GitHub Secrets 1. Go to: https://github.com/jjones-wps/pyodbc-mcp-server/settings/secrets/actions 2. Add secret: `PYPI_API_TOKEN` (production token) 3. Add secret: `TEST_PYPI_API_TOKEN` (test token) --- ## 📋 Next Steps After revoking and regenerating tokens: 1. **Test Release Workflow** ```bash # The workflow should use GitHub Secrets, not .env # Verify in .github/workflows/release.yml ``` 2. **Commit Security Fixes** ```bash git add .env.example SECURITY_INCIDENT_2026-01-02.md PROJECT_AUDIT_REPORT.md CLAUDE.md git commit -m "security: mitigate API token exposure - Remove .env file from working directory - Add .env.example template with placeholders - Document incident in SECURITY_INCIDENT_2026-01-02.md - Update CLAUDE.md with security warnings - Generate comprehensive audit report BREAKING: Old PyPI tokens revoked - regenerate and add to GitHub Secrets" git push origin master ``` 3. **Update Documentation** - Review `SECURITY_INCIDENT_2026-01-02.md` for full details - Read `PROJECT_AUDIT_REPORT.md` for complete audit findings - Follow `.env.example` template for future environment setup --- ## 🛡️ Prevention Measures To prevent this in the future: ### 1. Never Store Secrets in Files ```bash # ❌ WRONG: Tokens in repository directory ~/repos/pyodbc-mcp-server/.env # ✅ RIGHT: Tokens in GitHub Secrets GitHub Settings > Secrets > PYPI_API_TOKEN ``` ### 2. Use .env.example as Template ```bash # Copy template cp .env.example .env # Edit with your values nano .env # IMPORTANT: .env should only contain DB connection info # Never put API tokens in .env files ``` ### 3. Consider External Secrets Storage ```bash # Option 1: Secrets in home directory (outside repo) ~/secrets/pyodbc-mcp-server.env # Option 2: Use environment variables directly export MSSQL_SERVER=your-server export MSSQL_DATABASE=your-db # Option 3: Use a secrets manager (AWS Secrets Manager, Azure Key Vault, etc.) ``` ### 4. Regular Security Audits ```bash # Run security audit periodically ruff check --select S # Security checks pre-commit run detect-private-key --all-files ``` --- ## 📊 Impact Assessment ### What Was Exposed? - PyPI API tokens (production and test) - Stored in `.env` file in working directory - **NOT committed to git** (confirmed) ### What Was NOT Exposed? - ✅ No database credentials leaked (MSSQL uses Windows Auth) - ✅ No user data exposed - ✅ No tokens in git history - ✅ No tokens in GitHub repository ### Risk Level - **Before Mitigation**: 🔴 CRITICAL (tokens grant PyPI publishing rights) - **After Mitigation**: 🟡 MEDIUM (tokens removed, but not yet revoked) - **After User Revokes**: 🟢 LOW (incident fully resolved) --- ## ✅ Verification Checklist Complete after manual steps: - [ ] Old production token revoked at pypi.org - [ ] Old test token revoked at test.pypi.org - [ ] New production token generated - [ ] New test token generated - [ ] New tokens added to GitHub Secrets - [ ] `.env` file deleted (verified: ✅ done) - [ ] `.env.example` created (verified: ✅ done) - [ ] Security incident documented (verified: ✅ done) - [ ] Changes committed to git - [ ] Test release workflow with new tokens --- ## 📞 Need Help? If you have questions: 1. Read `SECURITY_INCIDENT_2026-01-02.md` for full incident details 2. Review `SECURITY.md` for security policy 3. Open a GitHub issue if needed --- **Status**: 🟡 Mitigation in Progress - Awaiting Token Revocation **Created**: 2026-01-02 by Claude Code **Last Updated**: 2026-01-02

Loading blob content...

Latest Blog Posts

Redis vs ioredis vs valkey-glide
By punkpeye on January 26, 2026.
benchmark
Redis
valkey
Quickstart: Publish an MCP Server to the MCP Registry
By punkpeye on January 24, 2026.
mcp
official reference mirror
Official MCP Registry Server.json Requirements
By punkpeye on January 24, 2026.
mcp
official reference mirror

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/jjones-wps/pyodbc-mcp-server'

If you have feedback or need assistance with the MCP directory API, please join our Discord server

SECURITY_FIX_SUMMARY.md•5.3 KiB