Four security issues found and fixed to make MemPalace truly local, telemetry-free, and safe.#841
Four security issues found and fixed to make MemPalace truly local, telemetry-free, and safe.#841groxaxo wants to merge 5 commits into
Conversation
…on, validate LLM URL Agent-Logs-Url: https://github.com/groxaxo/mempalace/sessions/3117774f-bff3-4f1b-b759-fee1086b4efe Co-authored-by: groxaxo <76023196+groxaxo@users.noreply.github.com>
…nfo in LLM URL Agent-Logs-Url: https://github.com/groxaxo/mempalace/sessions/3117774f-bff3-4f1b-b759-fee1086b4efe Co-authored-by: groxaxo <76023196+groxaxo@users.noreply.github.com>
security: disable telemetry, fix shell injection, block Wikipedia leaks, validate LLM URL
|
Hey @groxaxo — really nice catches here, especially the One small friendly note for next time: issues 3 (
Totally not a dig at you though — I checked and this repo doesn't have Private Vulnerability Reporting enabled yet and there's no Friendly suggestion for maintainers @bensig @igorls @jphein: could you enable Private Vulnerability Reporting and add a short Either way — thanks for the solid work @groxaxo, and thanks maintainers for being responsive to contributions in general 🙌 |
Summary
Four security issues found and fixed to make MemPalace truly local, telemetry-free, and safe.
1. ChromaDB telemetry — actually disabled (not just silenced)
Before: The code only silenced the PostHog log warning. ChromaDB's underlying telemetry client was still active and attempted to send usage data to PostHog servers on every operation.
After:
mempalace/__init__.py— setsANONYMIZED_TELEMETRY=Falseenvironment variable (the kill-switch ChromaDB reads)mempalace/backends/chroma.py— passesSettings(anonymized_telemetry=False)directly toPersistentClient(belt-and-suspenders)2. Wikipedia entity lookups — opt-in only (was always-on)
Before:
EntityRegistry.research()automatically sent entity names (people, projects) to the Wikipedia REST API. Any entity lookup silently made an external HTTP request revealing names from private conversations.After: External lookups are disabled by default. Enable explicitly with:
Default behaviour is purely local.
3. Shell injection via
eval— replaced with safe temp-file sourcingBefore:
hooks/mempal_save_hook.shusedeval $(... python3 ...)to parse JSON and assign shell variables. Despite sanitisation,evalis fundamentally dangerous.After: Python writes sanitised values to a
mktemp-created temp file (path passed as a positional argument, never via env var), which the shell then sources. Noevalanywhere in the parse path.4. LLM endpoint URL validation — rejects SSRF vectors
Before: Any string (including
file:///etc/passwd,ftp://,http://user@evil.com) was accepted as an LLM endpoint.After:
LLMConfig._validate_endpoint()enforces:http://orhttps://@) to prevent credential-hiding attacksInstallation
The package is already installable via terminal:
Tests
All new behaviour is covered by tests. No regressions introduced — all pre-existing failures are unrelated (ChromaDB network calls blocked in the CI sandbox).