Skip to content

Four security issues found and fixed to make MemPalace truly local, telemetry-free, and safe.#841

Closed
groxaxo wants to merge 5 commits into
MemPalace:developfrom
groxaxo:develop
Closed

Four security issues found and fixed to make MemPalace truly local, telemetry-free, and safe.#841
groxaxo wants to merge 5 commits into
MemPalace:developfrom
groxaxo:develop

Conversation

@groxaxo

@groxaxo groxaxo commented Apr 14, 2026

Copy link
Copy Markdown

Summary

Four security issues found and fixed to make MemPalace truly local, telemetry-free, and safe.


1. ChromaDB telemetry — actually disabled (not just silenced)

Before: The code only silenced the PostHog log warning. ChromaDB's underlying telemetry client was still active and attempted to send usage data to PostHog servers on every operation.

After:

  • mempalace/__init__.py — sets ANONYMIZED_TELEMETRY=False environment variable (the kill-switch ChromaDB reads)
  • mempalace/backends/chroma.py — passes Settings(anonymized_telemetry=False) directly to PersistentClient (belt-and-suspenders)

2. Wikipedia entity lookups — opt-in only (was always-on)

Before: EntityRegistry.research() automatically sent entity names (people, projects) to the Wikipedia REST API. Any entity lookup silently made an external HTTP request revealing names from private conversations.

After: External lookups are disabled by default. Enable explicitly with:

registry.research("name", wiki_lookup=True)
# or: MEMPALACE_WIKI_LOOKUP=1

Default behaviour is purely local.


3. Shell injection via eval — replaced with safe temp-file sourcing

Before: hooks/mempal_save_hook.sh used eval $(... python3 ...) to parse JSON and assign shell variables. Despite sanitisation, eval is fundamentally dangerous.

After: Python writes sanitised values to a mktemp-created temp file (path passed as a positional argument, never via env var), which the shell then sources. No eval anywhere in the parse path.


4. LLM endpoint URL validation — rejects SSRF vectors

Before: Any string (including file:///etc/passwd, ftp://, http://user@evil.com) was accepted as an LLM endpoint.

After: LLMConfig._validate_endpoint() enforces:

  • Scheme must be http:// or https://
  • URL must have a non-empty host
  • URL must not contain userinfo (@) to prevent credential-hiding attacks

Installation

The package is already installable via terminal:

pip install mempalace          # from PyPI
pip install -e .               # from source (dev mode)

Tests

All new behaviour is covered by tests. No regressions introduced — all pre-existing failures are unrelated (ChromaDB network calls blocked in the CI sandbox).

Copilot AI and others added 4 commits April 14, 2026 01:07
…on, validate LLM URL

Agent-Logs-Url: https://github.com/groxaxo/mempalace/sessions/3117774f-bff3-4f1b-b759-fee1086b4efe

Co-authored-by: groxaxo <76023196+groxaxo@users.noreply.github.com>
security: disable telemetry, fix shell injection, block Wikipedia leaks, validate LLM URL
@igorls igorls added area/hooks Claude Code hook scripts (Stop, PreCompact, SessionStart) area/kg Knowledge graph bug Something isn't working security Security related storage labels Apr 14, 2026
@arnoldwender

Copy link
Copy Markdown
Contributor

Hey @groxaxo — really nice catches here, especially the eval one in the hook script. Thanks for taking the time to write this up properly.

One small friendly note for next time: issues 3 (eval shell injection) and 4 (SSRF in LLM endpoint) are the kind of findings that ideally go through coordinated disclosure first, so users have time to update before the exploit details are public. The normal flow is:

  1. GitHub Security Advisory (private channel): repo → Security tab → Report a vulnerability
  2. Or a quiet email to a maintainer
  3. Agree on a timeline, maintainer ships the patch, then the advisory goes public with credit to you (and often a CVE)

Totally not a dig at you though — I checked and this repo doesn't have Private Vulnerability Reporting enabled yet and there's no SECURITY.md, so there's no obvious private channel documented. That's genuinely hard to work around, and a public PR is a reasonable fallback when there's nowhere else to go.

Friendly suggestion for maintainers @bensig @igorls @jphein: could you enable Private Vulnerability Reporting and add a short SECURITY.md? Two-minute config change that gives future reporters a clean path and protects users in the window between report and patch.

Either way — thanks for the solid work @groxaxo, and thanks maintainers for being responsive to contributions in general 🙌

@bensig

bensig commented Apr 14, 2026

Copy link
Copy Markdown
Contributor

closing — the telemetry fix overlaps with #782 and the other security fixes were addressed in #647/#812. the bundle also conflicts with develop. pls submit any remaining fixes as individual PRs. thanks @groxaxo!

@bensig bensig closed this Apr 14, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

area/hooks Claude Code hook scripts (Stop, PreCompact, SessionStart) area/kg Knowledge graph bug Something isn't working security Security related storage

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants