fix: sanitize inputs, add length limits, and annotate destructive tools

Address security findings from #106: mitigate prompt injection via
observations by sanitizing all inputs and enforcing length constraints
at both schema and DB layers. Add MCP destructiveHint annotations to
delete_entity and delete_relation so hosts can gate these calls.
Also fix tsconfig for TypeScript 6 compatibility.

Author: spences10

.changeset/grumpy-mirrors-bathe.md

@@ -0,0 +1,6 @@
+---
+'mcp-memory-libsql': patch
+---
+
+Security: sanitize inputs, add length limits, annotate destructive
+tools, fix tsconfig for TS6

src/db/client.ts

@@ -1,12 +1,35 @@
 import { createClient } from '@libsql/client';
 import { Entity, Relation } from '../types/index.js';
 
+// Input limits
+const MAX_ENTITY_NAME_LENGTH = 256;
+const MAX_ENTITY_TYPE_LENGTH = 256;
+const MAX_OBSERVATION_LENGTH = 4096;
+const MAX_OBSERVATIONS_PER_ENTITY = 100;
+const MAX_RELATION_TYPE_LENGTH = 256;
+
 // Types for configuration
 interface DatabaseConfig {
 	url: string;
 	authToken?: string;
 }
 
+/**
+ * Sanitize a string to mitigate prompt injection.
+ * Strips control characters and common injection markers
+ * while preserving normal content.
+ */
+function sanitize_input(input: string): string {
+	return (
+		input
+			// Strip non-printable control chars (except newline, tab)
+			.replace(/[^\P{C}\n\t]/gu, '')
+			// Collapse excessive whitespace/newlines
+			.replace(/\n{3,}/g, '\n\n')
+			.trim()
+	);
+}
+
 export class DatabaseManager {
 	private static instance: DatabaseManager;
 	private client;
@@ -41,23 +64,39 @@ export class DatabaseManager {
 	): Promise<void> {
 		try {
 			for (const entity of entities) {
-				// Validate entity name
+				// Validate and sanitize entity name
 				if (
 					!entity.name ||
 					typeof entity.name !== 'string' ||
 					entity.name.trim() === ''
 				) {
 					throw new Error('Entity name must be a non-empty string');
 				}
+				const safe_name = sanitize_input(entity.name).slice(
+					0,
+					MAX_ENTITY_NAME_LENGTH,
+				);
+				if (safe_name === '') {
+					throw new Error('Entity name is empty after sanitization');
+				}
 
-				// Validate entity type
+				// Validate and sanitize entity type
 				if (
 					!entity.entityType ||
 					typeof entity.entityType !== 'string' ||
 					entity.entityType.trim() === ''
 				) {
 					throw new Error(
-						`Invalid entity type for entity "${entity.name}"`,
+						`Invalid entity type for entity "${safe_name}"`,
+					);
+				}
+				const safe_type = sanitize_input(entity.entityType).slice(
+					0,
+					MAX_ENTITY_TYPE_LENGTH,
+				);
+				if (safe_type === '') {
+					throw new Error(
+						`Entity type is empty after sanitization for entity "${safe_name}"`,
 					);
 				}
 
@@ -67,49 +106,66 @@ export class DatabaseManager {
 					entity.observations.length === 0
 				) {
 					throw new Error(
-						`Entity "${entity.name}" must have at least one observation`,
+						`Entity "${safe_name}" must have at least one observation`,
 					);
 				}
 
 				if (
-					!entity.observations.every(
-						(obs) => typeof obs === 'string' && obs.trim() !== '',
-					)
+					entity.observations.length > MAX_OBSERVATIONS_PER_ENTITY
 				) {
 					throw new Error(
-						`Entity "${entity.name}" has invalid observations. All observations must be non-empty strings`,
+						`Entity "${safe_name}" exceeds maximum of ${MAX_OBSERVATIONS_PER_ENTITY} observations`,
 					);
 				}
 
+				// Sanitize observations and validate
+				const safe_observations = entity.observations.map((obs) => {
+					if (typeof obs !== 'string' || obs.trim() === '') {
+						throw new Error(
+							`Entity "${safe_name}" has invalid observations. All observations must be non-empty strings`,
+						);
+					}
+					const sanitized = sanitize_input(obs).slice(
+						0,
+						MAX_OBSERVATION_LENGTH,
+					);
+					if (sanitized === '') {
+						throw new Error(
+							`Entity "${safe_name}" has an observation that is empty after sanitization`,
+						);
+					}
+					return sanitized;
+				});
+
 				// Start a transaction
 				const txn = await this.client.transaction('write');
 
 				try {
 					// First try to update
 					const result = await txn.execute({
 						sql: 'UPDATE entities SET entity_type = ? WHERE name = ?',
-						args: [entity.entityType, entity.name],
+						args: [safe_type, safe_name],
 					});
 
 					// If no rows affected, do insert
 					if (result.rowsAffected === 0) {
 						await txn.execute({
 							sql: 'INSERT INTO entities (name, entity_type) VALUES (?, ?)',
-							args: [entity.name, entity.entityType],
+							args: [safe_name, safe_type],
 						});
 					}
 
 					// Clear old observations
 					await txn.execute({
 						sql: 'DELETE FROM observations WHERE entity_name = ?',
-						args: [entity.name],
+						args: [safe_name],
 					});
 
 					// Add new observations
-					for (const observation of entity.observations) {
+					for (const observation of safe_observations) {
 						await txn.execute({
 							sql: 'INSERT INTO observations (entity_name, content) VALUES (?, ?)',
-							args: [entity.name, observation],
+							args: [safe_name, observation],
 						});
 					}
 
@@ -243,11 +299,32 @@ export class DatabaseManager {
 		try {
 			if (relations.length === 0) return;
 
-			// Prepare batch statements for all relations
-			const batch_statements = relations.map((relation) => ({
-				sql: 'INSERT INTO relations (source, target, relation_type) VALUES (?, ?, ?)',
-				args: [relation.from, relation.to, relation.relationType],
-			}));
+			// Sanitize and validate relation inputs
+			const batch_statements = relations.map((relation) => {
+				const safe_from = sanitize_input(relation.from).slice(
+					0,
+					MAX_ENTITY_NAME_LENGTH,
+				);
+				const safe_to = sanitize_input(relation.to).slice(
+					0,
+					MAX_ENTITY_NAME_LENGTH,
+				);
+				const safe_type = sanitize_input(relation.relationType).slice(
+					0,
+					MAX_RELATION_TYPE_LENGTH,
+				);
+
+				if (!safe_from || !safe_to || !safe_type) {
+					throw new Error(
+						'Relation source, target, and type must be non-empty strings',
+					);
+				}
+
+				return {
+					sql: 'INSERT INTO relations (source, target, relation_type) VALUES (?, ?, ?)',
+					args: [safe_from, safe_to, safe_type],
+				};
+			});
 
 			// Execute all inserts in a single batch transaction
 			await this.client.batch(batch_statements, 'write');
@@ -358,9 +435,8 @@ export class DatabaseManager {
 		relations: Relation[];
 	}> {
 		const recent_entities = await this.get_recent_entities();
-		const relations = await this.get_relations_for_entities(
-			recent_entities,
-		);
+		const relations =
+			await this.get_relations_for_entities(recent_entities);
 		return { entities: recent_entities, relations };
 	}
 
@@ -385,9 +461,8 @@ export class DatabaseManager {
 				return { entities: [], relations: [] };
 			}
 
-			const relations = await this.get_relations_for_entities(
-				entities,
-			);
+			const relations =
+				await this.get_relations_for_entities(entities);
 			return { entities, relations };
 		} catch (error) {
 			throw new Error(

src/index.ts

@@ -19,40 +19,49 @@ const package_json = JSON.parse(
 );
 const { name, version } = package_json;
 
-// Define schemas
+// Define schemas with length constraints
 const CreateEntitiesSchema = v.object({
-	entities: v.array(
-		v.object({
-			name: v.string(),
-			entityType: v.string(),
-			observations: v.array(v.string()),
-		}),
+	entities: v.pipe(
+		v.array(
+			v.object({
+				name: v.pipe(v.string(), v.maxLength(256)),
+				entityType: v.pipe(v.string(), v.maxLength(256)),
+				observations: v.pipe(
+					v.array(v.pipe(v.string(), v.maxLength(4096))),
+					v.maxLength(100),
+				),
+			}),
+		),
+		v.maxLength(50),
 	),
 });
 
 const SearchNodesSchema = v.object({
-	query: v.string(),
-	limit: v.optional(v.number()),
+	query: v.pipe(v.string(), v.maxLength(512)),
+	limit: v.optional(v.pipe(v.number(), v.maxValue(50))),
 });
 
 const CreateRelationsSchema = v.object({
-	relations: v.array(
-		v.object({
-			source: v.string(),
-			target: v.string(),
-			type: v.string(),
-		}),
+	relations: v.pipe(
+		v.array(
+			v.object({
+				source: v.pipe(v.string(), v.maxLength(256)),
+				target: v.pipe(v.string(), v.maxLength(256)),
+				type: v.pipe(v.string(), v.maxLength(256)),
+			}),
+		),
+		v.maxLength(100),
 	),
 });
 
 const DeleteEntitySchema = v.object({
-	name: v.string(),
+	name: v.pipe(v.string(), v.maxLength(256)),
 });
 
 const DeleteRelationSchema = v.object({
-	source: v.string(),
-	target: v.string(),
-	type: v.string(),
+	source: v.pipe(v.string(), v.maxLength(256)),
+	target: v.pipe(v.string(), v.maxLength(256)),
+	type: v.pipe(v.string(), v.maxLength(256)),
 });
 
 function setupTools(server: McpServer<any>, db: DatabaseManager) {
@@ -62,6 +71,10 @@ function setupTools(server: McpServer<any>, db: DatabaseManager) {
 			name: 'create_entities',
 			description: 'Create new entities with observations',
 			schema: CreateEntitiesSchema,
+			annotations: {
+				readOnlyHint: false,
+				idempotentHint: true,
+			},
 		},
 		async ({ entities }) => {
 			try {
@@ -105,6 +118,9 @@ function setupTools(server: McpServer<any>, db: DatabaseManager) {
 			description:
 				'Search for entities and their relations using text search with relevance ranking',
 			schema: SearchNodesSchema,
+			annotations: {
+				readOnlyHint: true,
+			},
 		},
 		async ({ query, limit }) => {
 			try {
@@ -146,6 +162,9 @@ function setupTools(server: McpServer<any>, db: DatabaseManager) {
 		{
 			name: 'read_graph',
 			description: 'Get recent entities and their relations',
+			annotations: {
+				readOnlyHint: true,
+			},
 		},
 		async () => {
 			try {
@@ -188,6 +207,10 @@ function setupTools(server: McpServer<any>, db: DatabaseManager) {
 			name: 'create_relations',
 			description: 'Create relations between entities',
 			schema: CreateRelationsSchema,
+			annotations: {
+				readOnlyHint: false,
+				idempotentHint: false,
+			},
 		},
 		async ({ relations }) => {
 			try {
@@ -235,8 +258,13 @@ function setupTools(server: McpServer<any>, db: DatabaseManager) {
 		{
 			name: 'delete_entity',
 			description:
-				'Delete an entity and all its associated data (observations and relations)',
+				'Delete an entity and all its associated data (observations and relations). This is a destructive operation that cannot be undone.',
 			schema: DeleteEntitySchema,
+			annotations: {
+				destructiveHint: true,
+				readOnlyHint: false,
+				idempotentHint: true,
+			},
 		},
 		async ({ name }) => {
 			try {
@@ -277,8 +305,14 @@ function setupTools(server: McpServer<any>, db: DatabaseManager) {
 	server.tool<typeof DeleteRelationSchema>(
 		{
 			name: 'delete_relation',
-			description: 'Delete a specific relation between entities',
+			description:
+				'Delete a specific relation between entities. This is a destructive operation that cannot be undone.',
 			schema: DeleteRelationSchema,
+			annotations: {
+				destructiveHint: true,
+				readOnlyHint: false,
+				idempotentHint: true,
+			},
 		},
 		async ({ source, target, type }) => {
 			try {

tsconfig.json

@@ -1,8 +1,9 @@
 {
 	"compilerOptions": {
 		"target": "ES2020",
-		"module": "ES2020",
-		"moduleResolution": "node",
+		"module": "Node16",
+		"moduleResolution": "Node16",
+		"types": ["node"],
 		"esModuleInterop": true,
 		"strict": true,
 		"outDir": "dist",