github doobidoo/mcp-memory-service v10.70.2
v10.70.2 — fix(security): CodeQL log-injection alerts in storage/graph.py

3 hours ago

fix(security): wrap log f-strings in storage/graph.py with _sanitize_log_value()

What Changed

  • Wrapped log f-strings in storage/graph.py with _sanitize_log_value() to prevent log-injection attacks — resolves CodeQL py/log-injection alerts #483, #484, #485, and #486 affecting source_hash, target_hash, and relationship_type log statements.
  • Alert #467 (py/unused-global-variable for MCP_AUTO_EXTRACT_DEFAULT) dismissed as a false positive — the constant is imported via lazy cross-module import in server/handlers/memory.py and is genuinely used.

Security Context

_sanitize_log_value() (from src/mcp_memory_service/compat.py) strips \n, \r, and \x1b characters from user-supplied values before they reach log statements, preventing log-forging and ANSI injection. This pattern is now enforced project-wide via pre_pr_check.sh check 6.5.
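As an added illustration of the pattern described above (this is not the project's own code; the sanitizer and the lint below are hypothetical re-implementations modelled on the stated behaviour of _sanitize_log_value() and the check 6.5 idea):

```python
import re

# Hypothetical re-implementation of the behaviour the release notes describe:
# strip \n, \r and \x1b so a user-supplied value can neither start a forged
# log line nor carry an ANSI escape sequence into the log stream.
_CONTROL_CHARS = re.compile(r"[\n\r\x1b]")


def sanitize_log_value(value: object) -> str:
    """Return value as a string with newline, CR and ESC characters removed."""
    return _CONTROL_CHARS.sub("", str(value))


# Hypothetical pre-commit style lint: find logger f-strings whose
# placeholders are not wrapped in _sanitize_log_value(...).
_LOG_FSTRING = re.compile(r"logger\.(debug|info|warning|error|critical)\(\s*f[\"']")
_PLACEHOLDER = re.compile(r"\{([^{}]+)\}")  # escaped {{ }} braces are not handled


def unsanitized_log_placeholders(source: str) -> list[tuple[int, str]]:
    """Return (line_number, expression) for each f-string placeholder inside a
    logger call that does not go through _sanitize_log_value()."""
    findings: list[tuple[int, str]] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if not _LOG_FSTRING.search(line):
            continue
        for expr in _PLACEHOLDER.findall(line):
            expr = expr.strip()
            if not expr.startswith("_sanitize_log_value("):
                findings.append((lineno, expr))
    return findings


# Constructed sample source: one unsanitized and one sanitized log statement.
SAMPLE_SOURCE = '''
logger.info(f"linking {source_hash} -> {target_hash} ({relationship_type})")
logger.debug(f"edge type {_sanitize_log_value(relationship_type)}")
'''

if __name__ == "__main__":
    # Constructed input containing every character the sanitizer removes.
    tainted = "abc\n\x1b[31mfake\rline"
    print(repr(sanitize_log_value(tainted)))        # 'abc[31mfakeline'
    print(unsanitized_log_placeholders(SAMPLE_SOURCE))
```

The lint only inspects single-line logger calls; multi-line f-strings would need a tokenizer-based pass.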

Files Changed

  • src/mcp_memory_service/storage/graph.py — log f-string sanitization (PR #1048)

Full Changelog

See CHANGELOG.md for complete details.