fix: harden security before production use#6

Open
wedneyyuri wants to merge 1 commit into JustTryAI:master from wedneyyuri:fix/security-hardening

Conversation

@wedneyyuri

Summary

  • SecretStr for token: DATABRICKS_TOKEN now uses Pydantic SecretStr, preventing accidental exposure in logs, repr, or stack traces
  • Fail-fast on missing credentials: Server refuses to start if DATABRICKS_TOKEN or DATABRICKS_HOST are missing/placeholder values
  • HTTPS enforced: DATABRICKS_HOST validator now rejects http:// — only https:// is accepted
  • HTTP request hardening: All requests now have timeout=30s and explicit verify=True for TLS certificate validation
  • Fix broken SQL tool: sql.execute_sql() corrected to sql.execute_statement() (was causing AttributeError at runtime)
  • MCP stdio safety: Removed print() calls from config.py that were corrupting the MCP protocol stream (redirected to stderr)
  • Error sanitization: API error messages no longer leak internal URLs or stack traces to MCP clients
  • Secure defaults: SERVER_HOST changed from 0.0.0.0 to 127.0.0.1

Test plan

  • Verify server refuses to start without .env or valid DATABRICKS_TOKEN
  • Verify server refuses http:// in DATABRICKS_HOST
  • Verify execute_sql tool works end-to-end after function name fix
  • Verify MCP stdio communication is not corrupted on startup
  • Verify token does not appear in databricks_mcp.log
  • Run existing test suite (pytest tests/)

🤖 Generated with Claude Code

- Use SecretStr for DATABRICKS_TOKEN to prevent accidental log leaks
- Fail-fast on missing or placeholder credentials at startup
- Reject http:// hosts, enforce HTTPS only
- Add 30s timeout and explicit verify=True to all HTTP requests
- Fix broken sql.execute_sql() call to sql.execute_statement()
- Replace stdout print() with stderr to avoid corrupting MCP stdio
- Sanitize error messages returned to clients
- Default SERVER_HOST to 127.0.0.1 instead of 0.0.0.0
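The startup checks this PR describes (a masked token type, fail-fast on missing or placeholder credentials, an https-only host validator, a loopback default bind address, stderr-only diagnostics and sanitized client-facing errors) in one runnable form, as an added example written for this page and not code taken from the PR or the JustTryAI project. It uses only the standard library: a small MaskedSecret class stands in for Pydantic's SecretStr, and the placeholder list, function names and the constructed environment values are assumptions.

```python
"""Startup hardening for a Databricks MCP server: masked secret, fail-fast
configuration validation, HTTPS-only host and client-facing error sanitisation.
Added example, standard library only; the real PR uses pydantic.SecretStr.
Placeholder values, names and sample inputs below are assumptions."""
import re
import sys
from dataclasses import dataclass

# Values that mean "the operator never filled in .env" (assumed list).
PLACEHOLDERS = {"", "changeme", "your-token-here", "<token>", "<host>"}


class MaskedSecret:
    """Stand-in for pydantic.SecretStr: the raw value is reachable only via
    get_secret_value(), so repr(), str(), f-strings and log formatting of the
    settings object never show it."""
    __slots__ = ("_value",)

    def __init__(self, value):
        self._value = value

    def get_secret_value(self):
        return self._value

    def __repr__(self):
        return "MaskedSecret('**********')"

    __str__ = __repr__


class ConfigError(ValueError):
    """Raised at startup so the server refuses to run with a bad configuration."""


@dataclass(frozen=True)
class Settings:
    databricks_host: str
    databricks_token: MaskedSecret
    server_host: str = "127.0.0.1"   # secure default: loopback, not 0.0.0.0
    request_timeout: float = 30.0    # value to pass as timeout= on every HTTP call
    verify_tls: bool = True          # value to pass as verify= on every HTTP call


def validate_host(raw):
    """Reject empty/placeholder hosts and anything that is not https://."""
    host = (raw or "").strip()
    if host.lower() in PLACEHOLDERS:
        raise ConfigError("DATABRICKS_HOST is missing or still a placeholder")
    if not host.lower().startswith("https://"):
        raise ConfigError("DATABRICKS_HOST must start with https:// (http:// is rejected)")
    return host.rstrip("/")


def validate_token(raw):
    """Reject empty/placeholder tokens; wrap accepted ones so they cannot leak."""
    token = (raw or "").strip()
    if token.lower() in PLACEHOLDERS:
        raise ConfigError("DATABRICKS_TOKEN is missing or still a placeholder")
    return MaskedSecret(token)


def load_settings(env):
    """Build Settings from an environment mapping; raises ConfigError on bad input."""
    return Settings(
        databricks_host=validate_host(env.get("DATABRICKS_HOST")),
        databricks_token=validate_token(env.get("DATABRICKS_TOKEN")),
        server_host=env.get("SERVER_HOST", "127.0.0.1"),
    )


def startup_check(env):
    """Fail-fast wrapper: returns (True, Settings) or (False, reason).
    Diagnostics go to stderr because stdout is the MCP stdio channel and any
    stray print() there corrupts the protocol stream."""
    try:
        return True, load_settings(env)
    except ConfigError as exc:
        print(f"startup aborted: {exc}", file=sys.stderr)
        return False, str(exc)


_URL_RE = re.compile(r"https?://[^\s'\"<>)]+")
_TOKEN_RE = re.compile(r"\bdapi[0-9a-f]{6,}\b")   # Databricks PAT prefix


def sanitize_error(exc):
    """Client-facing message: first line only (drops any appended traceback),
    internal URLs and token-looking strings redacted, length capped."""
    text = str(exc)
    first_line = text.splitlines()[0] if text else exc.__class__.__name__
    msg = _URL_RE.sub("<redacted-url>", first_line)
    msg = _TOKEN_RE.sub("<redacted-token>", msg)
    return msg[:200]


if __name__ == "__main__":
    # Constructed sample environments, not real credentials.
    ok, reason = startup_check({"DATABRICKS_HOST": "http://adb-123.example.net",
                                "DATABRICKS_TOKEN": "dapi0123456789abcdef"})
    print("accepted" if ok else f"rejected: {reason}")
    ok, settings = startup_check({"DATABRICKS_HOST": "https://adb-123.example.net/",
                                  "DATABRICKS_TOKEN": "dapi0123456789abcdef"})
    print(repr(settings))   # token appears only as MaskedSecret('**********')
    print(sanitize_error(RuntimeError(
        "GET https://adb-123.example.net/api/2.0/sql failed with 403\nTraceback (most recent call last):")))
```

The masking only holds as long as code passes the MaskedSecret object around and calls get_secret_value() at the single point where the Authorization header is built; interpolating the unwrapped value into an exception message reintroduces the leak, which is why sanitize_error also redacts token-shaped strings as a second line of defence.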