github doobidoo/mcp-memory-service v10.17.3
v10.17.3 - CodeQL Code Scanning Fixes (21 Alerts Resolved)


What's Changed

Fixed

  • Log injection prevention in tag sanitization (CWE-117, ERROR): memory_service.py tag sanitization now strips CRLF characters (\r, \n) before including user-supplied tag strings in log output. Forged log lines via crafted tag values are no longer possible. Resolves CodeQL alerts #258 and #259 (py/log-injection).
  • HTTPClientStorage.retrieve() missing tags parameter (WARNING): The retrieve() method signature in storage/http_client.py did not include the tags keyword argument required by the BaseStorage interface, causing a CodeQL signature-mismatch alert. Parameter added and wired through to the HTTP query. Resolves CodeQL alert #261.
  • Import-time print() replaced with warnings.warn() (NOTE): Three modules (server/utils/response_limiter.py, server/handlers/utility.py, and server/client_detection.py) executed print() at module import time. Replaced with warnings.warn() using stacklevel=2 so callers see the correct source location. Resolves CodeQL alerts #254, #255, #257 (py/print-during-import).
  • Unnecessary pass statements removed (WARNING): Two pass statements that appeared after return or raise statements (unreachable code) were removed from consolidation/consolidator.py and consolidation/compression.py. Resolves CodeQL alerts #252 and #253 (py/unnecessary-pass).
  • Unused global cache variables wired up in models/ontology.py (NOTE): _TYPE_HIERARCHY_CACHE and _VALIDATED_TYPES_CACHE were declared as module-level globals but never read. Both caches are now populated on first access and returned on subsequent calls, eliminating the redundant per-call computation they were intended to prevent. Resolves CodeQL alerts #263, #264, #265.
  • Unused imports removed from consolidation modules (NOTE): Removed five dead import statements across consolidation/clustering.py, consolidation/compression.py, consolidation/consolidator.py, consolidation/forgetting.py, and server_impl.py. No behaviour change. Resolves CodeQL alerts #266, #267, #268, #269, #270 (py/unused-import).
  • Ellipsis (...) replaced with pass in StorageProtocol (NOTE): Four abstract-style method stubs in services/memory_service.py used Ellipsis literals as bodies, which CodeQL flags as ineffectual statements. Replaced with pass for idiomatic Python. Resolves CodeQL alerts #248, #249, #250, #251 (py/ineffectual-statement).
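The log-injection fix above comes down to one rule: user-supplied tag text must not be able to start a new log line. The following added example (not code from mcp-memory-service; the function names, the logger setup and the sample tag are constructed for this illustration) places the pre-fix behaviour beside the hardened sanitizer and runs both through a real logging.Logger so the forged second line is visible in the captured output:

```python
import io
import logging

# Constructed sample input: a tag carrying an embedded CRLF followed by text
# shaped like a separate log record. This is the input class CWE-117 covers.
FORGED_TAG = "project-x\r\nINFO auth: admin login succeeded"


def sanitize_tag_unsafe(tag: str) -> str:
    """'Before' behaviour: trims surrounding whitespace only, CR/LF survive."""
    return tag.strip()


def sanitize_tag(tag: str) -> str:
    """Hardened version: remove every CR and LF so a tag can never span lines."""
    return tag.replace("\r", "").replace("\n", "").strip()


def sanitize_tags(tags):
    """Sanitize a tag list; entries that are empty after cleaning are dropped
    (this covers the standalone CR/LF case the release's tests describe)."""
    cleaned = []
    for tag in tags:
        clean = sanitize_tag(tag)
        if clean:
            cleaned.append(clean)
    return cleaned


def log_tags(tags, sanitizer) -> str:
    """Emit one INFO record containing the tags and return the captured text."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    # One logger per sanitizer so handlers from earlier calls are not reused.
    logger = logging.getLogger(f"demo.{sanitizer.__name__}")
    logger.handlers = [handler]
    logger.propagate = False
    logger.setLevel(logging.INFO)
    logger.info("storing memory with tags: %s",
                ", ".join(sanitizer(t) for t in tags))
    handler.flush()
    return buf.getvalue()


def record_count(captured: str) -> int:
    """Number of physical lines in the captured log output."""
    return len(captured.splitlines())


if __name__ == "__main__":
    # The unsafe path yields two lines; the hardened path yields exactly one.
    print(repr(log_tags([FORGED_TAG], sanitize_tag_unsafe)))
    print(repr(log_tags([FORGED_TAG], sanitize_tag)))
```

Counting physical lines in the captured output is the same check the release's new tests express: a single tag must always produce a single log record, whatever bytes it contains.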

Added

  • tests/services/test_memory_service_log_injection.py: 5 new tests verifying that CRLF characters in tag values are sanitised before reaching log output (covers empty tags, single tag, multiple tags, embedded CRLF, and standalone CR/LF).
  • tests/storage/test_http_client_signature.py: 2 new tests confirming HTTPClientStorage.retrieve() accepts a tags keyword argument matching the BaseStorage interface.
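The second test file guards against the signature drift that produced alert #261. As an added example (not the project's tests; BaseStorage here is a constructed stand-in with assumed parameters, and the two backend classes are hypothetical), this shows how such a check can be written generically with inspect.signature, so every override of an interface method is compared against the base declaration rather than one method being checked by hand:

```python
import inspect
from typing import List, Optional


# Hypothetical stand-in for the BaseStorage interface; the parameter list is
# an assumption for this example and not the project's real signature.
class BaseStorage:
    def retrieve(self, query: str, n_results: int = 5,
                 tags: Optional[List[str]] = None):
        raise NotImplementedError


class DriftedStorage(BaseStorage):
    # Constructed 'before' shape: the `tags` keyword is missing, which is the
    # kind of mismatch CodeQL's py/signature-mismatch reports.
    def retrieve(self, query: str, n_results: int = 5):
        return []


class ConformingStorage(BaseStorage):
    # Constructed 'after' shape: every base parameter is accepted.
    def retrieve(self, query: str, n_results: int = 5,
                 tags: Optional[List[str]] = None):
        return []


def missing_parameters(base: type, impl: type, method: str) -> List[str]:
    """Names the base method declares that the implementation's override lacks."""
    base_params = inspect.signature(getattr(base, method)).parameters
    impl_params = inspect.signature(getattr(impl, method)).parameters
    return [name for name in base_params if name not in impl_params]


def check_backends(base: type, backends, method: str) -> dict:
    """Map each backend class name to its list of missing parameters."""
    return {cls.__name__: missing_parameters(base, cls, method)
            for cls in backends}


if __name__ == "__main__":
    report = check_backends(BaseStorage, [DriftedStorage, ConformingStorage],
                            "retrieve")
    for name, missing in report.items():
        print(name, "OK" if not missing else f"missing {missing}")
```

In a pytest suite the report would be asserted empty for every registered backend, which turns a one-off fix into a regression guard for all future storage implementations.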

CodeQL Alert Summary

| Severity | Count | Categories |
| --- | --- | --- |
| ERROR | 2 | py/log-injection (CWE-117) |
| WARNING | 3 | py/unnecessary-pass, py/signature-mismatch |
| NOTE | 16 | py/unused-import, py/unused-global-variable, py/empty-except, py/print-during-import, py/ineffectual-statement |
| Total | 21 | |

Full Changelog: https://github.com/doobidoo/mcp-memory-service/blob/main/CHANGELOG.md
