This document describes the security properties of the MongrelDB Clojure client and how to report vulnerabilities.
The MongrelDB Clojure client is a pure-Clojure library (no native extensions)
that talks to mongreldb-server over HTTP using the standard library
java.net.http.HttpClient. The client itself holds no encryption keys and
stores no data at rest; it is a thin request/response layer over the daemon.
- The client communicates with
mongreldb-serverover plain HTTP. The daemon binds to127.0.0.1by default - traffic stays on the loopback interface. For remote or multi-tenant deployments, terminate TLS in a reverse proxy (nginx, Caddy) in front of the daemon. - The client supports Bearer token and HTTP Basic auth, matching the
daemon's
--auth-tokenand--auth-usersmodes; the bearer token takes precedence. Credentials are sent only in theAuthorizationheader and are never logged by the client. Credentials containing CR or LF are rejected up front to prevent HTTP header injection. - The native Condition API and query builder accept typed parameters (column IDs, typed values) - no string interpolation, no SQL injection surface. User-supplied values are serialized as typed JSON, not concatenated into queries.
- WARNING - raw SQL: The
sqlfunction sends a raw SQL string to the server. It does NOT parameterize or sanitize input, and the client never interprets SQL locally. Never interpolate untrusted user input into SQL statements - use parameterized queries where the server supports them, or validate/escape input yourself. (The native condition API and query builder remain type-safe and are not affected.) - Idempotency keys are caller-supplied opaque strings; the client does not derive or store them.
The client is a consumer of mongreldb-server. The daemon's security
posture:
- Binds to
127.0.0.1only - not accessible from other machines. - No authentication by default - any local process can query, write, or
delete data. Enable
--auth-tokenor--auth-usersfor any shared host. - No TLS - traffic is plaintext on the loopback interface.
- No rate limiting or request size caps.
For remote access or multi-tenant environments, place a reverse proxy (nginx, Caddy) in front with TLS termination and authentication. Do not expose the daemon directly to a network.
- The query builder produces typed JSON requests. Invalid column IDs, value encodings, and numeric ranges are rejected before any request is sent.
- Server and network errors are mapped to the typed exception hierarchy
(
AuthException,NotFoundException,ConflictException,QueryException) carrying the HTTP status and decoded server envelope, not leaked as generic exceptions. - Path segments are URL-encoded so table names containing
/,?,#, or spaces cannot inject extra path segments. - The client caps response bodies at 256 MB to bound memory use.
The MongrelDB Clojure client has no runtime dependencies beyond Clojure itself and the JDK standard library. Report dependency vulnerabilities through GitHub's Dependabot alerts or the private vulnerability reporting flow below.
Do not file a public GitHub issue, discussion, or pull request for security problems. Report privately through GitHub's private vulnerability reporting:
- Go to the repository's Security tab.
- Click Report a vulnerability.
- Fill in the advisory form with the details below.
This keeps the report confidential between you and the maintainers until a fix is ready. Please include as much as you can:
- a description of the issue and its impact,
- step-by-step reproduction steps,
- the MongrelDB Clojure client version, Clojure version, JDK version, and OS,
- the
mongreldb-serverversion if relevant, - the relevant configuration, error output, or a proof-of-concept,
- a suggested fix or mitigation, if you have one.
- Acknowledgement of your report within a few days.
- An initial assessment and, where confirmed, a remediation plan.
- Progress updates through the private advisory thread until the issue is resolved.
- Credit for your responsible disclosure in the advisory, unless you prefer to remain anonymous.
We ask that you give us a reasonable opportunity to ship a fix before any public disclosure.