Add maximum query length validation to prevent resource exhaustion #23
Description
Problem
The ExecuteQuery method in internal/app/client.go doesn't validate the maximum size of incoming queries, allowing clients to send extremely large query strings that could cause memory issues.
Location: internal/app/client.go:392
Security Risks
Without query size limits:
- Memory exhaustion: A malicious client could send a 1GB query string causing OOM
- Network bandwidth abuse: Large queries waste bandwidth and processing time
- Logging overhead: Failed queries are logged, potentially filling disk space
- DoS vector: Repeated large queries can degrade service availability
Example Attack
// Client sends 100MB query
hugeQuery := "SELECT * FROM users WHERE id IN (" + strings.Repeat("1,", 50_000_000) + "1)"Proposed Solution
Add configurable maximum query length validation:
const (
// MaxQueryLength defines the maximum allowed query size in bytes
// Default: 1MB should be sufficient for legitimate queries
MaxQueryLength = 1 * 1024 * 1024 // 1MB
)
func (c *PostgreSQLClientImpl) ExecuteQuery(query string) ([]map[string]any, error) {
// Validate query length
if len(query) > MaxQueryLength {
return nil, fmt.Errorf("query exceeds maximum length of %d bytes (got %d bytes)",
MaxQueryLength, len(query))
}
if err := c.validateQuery(query); err != nil {
return nil, err
}
// ... rest of implementation
}Configuration Options
Consider making this configurable:
- Environment variable:
POSTGRES_MCP_MAX_QUERY_LENGTH - Connection parameter: Allow override per connection
- Reasonable default: 1MB should handle legitimate queries
Impact
- Severity: LOW-MEDIUM
- Type: Security Enhancement
- Location:
internal/app/client.go:392 - Affects: All query execution methods
Checklist
- Add MaxQueryLength constant or configuration
- Implement length validation in ExecuteQuery
- Add length validation to ExplainQuery
- Add test cases for oversized queries
- Document query size limits in README
- Consider making limit configurable via environment variable