This document describes the security properties of the MongrelDB Lua client and how to report vulnerabilities.
The MongrelDB Lua client is a LuaRock that talks to mongreldb-server over
HTTP. The client itself holds no encryption keys and stores no data at rest;
it is a thin request/response layer over the daemon.
- The client communicates with
mongreldb-serverover plain HTTP. The daemon binds to127.0.0.1by default, so traffic stays on the loopback interface. For remote or multi-tenant deployments, terminate TLS in a reverse proxy (nginx, Caddy) in front of the daemon. - The client supports Bearer token and HTTP Basic auth, matching the
daemon's
--auth-tokenand--auth-usersmodes. Credentials are sent only in theAuthorizationheader and are never logged by the client. - The native Condition API and query builder accept typed parameters (column IDs, typed values). There is no string interpolation and no SQL injection surface. User-supplied values are serialized as typed JSON, not concatenated into queries.
- WARNING — raw SQL: The
sql()method sends a raw SQL string to the server. It does NOT parameterize or sanitize input, and the client never interprets SQL locally. Never interpolate untrusted user input into SQL statements — use parameterized queries where the server supports them, or validate/escape input yourself. (The native condition API and query builder remain type-safe and are not affected.) - Idempotency keys are caller-supplied opaque strings; the client does not derive or store them.
The client is a consumer of mongreldb-server. The daemon's security
posture:
- Binds to
127.0.0.1only, not accessible from other machines. - No authentication by default, any local process can query, write, or
delete data. Enable
--auth-tokenor--auth-usersfor any shared host. - No TLS, traffic is plaintext on the loopback interface.
- No rate limiting or request size caps.
For remote access or multi-tenant environments, place a reverse proxy (nginx, Caddy) in front with TLS termination and authentication. Do not expose the daemon directly to a network.
- The query builder produces typed JSON requests. Invalid column IDs, value encodings, and numeric ranges are rejected before any request is sent.
- Server and network errors are mapped to typed error objects
(
auth,not_found,constraint,connection,query), not leaked as bare strings. - NaN and Infinity are rejected with a clear
queryerror rather than corrupting data.
The MongrelDB Lua client depends on LuaSocket at runtime. LuaSocket is MIT licensed and widely audited. The vendored JSON encoder has no further dependencies. Report dependency vulnerabilities through GitHub's Dependabot alerts or the private vulnerability reporting flow below.
Do not file a public GitHub issue, discussion, or pull request for security problems. Report privately through GitHub's private vulnerability reporting:
- Go to the repository's Security tab.
- Click Report a vulnerability.
- Fill in the advisory form with the details below.
This keeps the report confidential between you and the maintainers until a fix is ready. Please include as much as you can:
- a description of the issue and its impact,
- step-by-step reproduction steps,
- the MongrelDB Lua client version, Lua version, and OS,
- the
mongreldb-serverversion if relevant, - the relevant configuration, error output, or a proof-of-concept,
- a suggested fix or mitigation, if you have one.
- Acknowledgement of your report within a few days.
- An initial assessment and, where confirmed, a remediation plan.
- Progress updates through the private advisory thread until the issue is resolved.
- Credit for your responsible disclosure in the advisory, unless you prefer to remain anonymous.
We ask that you give us a reasonable opportunity to ship a fix before any public disclosure.