Description
Summary
Safe mode in the MCP server uses a module-level global variable to track GUIDs of resources created during a session. This works correctly in stdio mode (each invocation is a new process), but in HTTP server mode, multiple requests share the same Python process and therefore share the same GUID tracking set.
Reported by: @aaronsteers (AJ Steers)
Current Implementation
# airbyte/mcp/_tool_utils.py
_GUIDS_CREATED_IN_SESSION: set[str] = set()
The Bug
- In stdio mode (CLI): Each invocation is a new process, so the set is fresh each time. Works correctly.
- In HTTP server mode: The server runs as a single long-lived process. Multiple HTTP requests (from different users/sessions) share the same _GUIDS_CREATED_IN_SESSION set.
Impact: User B could delete resources created by User A because the GUID was added to the shared set, defeating the purpose of safe mode protection.
Potential Solutions
Option 1: Session ID Header (Recommended)
Require clients to send a session ID header (e.g., X-Airbyte-Session-Id), then maintain {session_id: set[guid]} with TTL cleanup. This requires client cooperation but provides true session isolation.
We already have the MCPServerConfigArg infrastructure for HTTP headers, so this would be consistent with the existing pattern.
Option 2: Per-Request Context
Use FastMCP's Context object to store created GUIDs. However, this only works within a single request - multi-request sessions would still need client-side session tracking.
Option 3: Connection-Scoped State (SSE only)
For SSE transport, the connection is persistent, so we could track GUIDs per-connection. But this doesn't help HTTP transport which is stateless.
Option 4: Disable Safe Mode in HTTP Mode
Simple but loses the protection. Could document that safe mode only works in stdio mode.
Related
- chore(mcp): migrate to fastmcp-extensions library #949: Migration to fastmcp-extensions library
- Safe mode is controlled by AIRBYTE_CLOUD_MCP_SAFE_MODE environment variable (default: enabled)
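A sketch of the {session_id: set[guid]} map with TTL cleanup described in Option 1, added here as an illustration and not taken from the Airbyte code base. The class and method names are hypothetical, and the session ID is assumed to be an unguessable value read from the request header by the caller.

```python
import threading
import time


class SessionGuidRegistry:
    """Tracks created GUIDs per session ID (hypothetical helper, not Airbyte's API)."""

    def __init__(self, ttl_seconds=3600.0, clock=time.monotonic):
        self._ttl = ttl_seconds
        self._clock = clock  # injectable so expiry can be tested without sleeping
        self._lock = threading.Lock()  # HTTP requests may be served concurrently
        self._sessions = {}  # session_id -> (last_seen, set of GUIDs)

    def _purge_expired(self, now):
        # TTL cleanup: drop sessions that have been idle longer than the TTL.
        expired = [s for s, (seen, _) in self._sessions.items() if now - seen > self._ttl]
        for session_id in expired:
            del self._sessions[session_id]

    def register_created(self, session_id, guid):
        """Record that this session created the resource with this GUID."""
        if not session_id:
            raise ValueError("a session ID is required in HTTP mode")
        with self._lock:
            now = self._clock()
            self._purge_expired(now)
            _, guids = self._sessions.get(session_id, (now, set()))
            guids.add(guid)
            self._sessions[session_id] = (now, guids)

    def may_delete(self, session_id, guid):
        """True only if this same, unexpired session created the GUID."""
        if not session_id:
            return False  # fail closed: no session ID means no destructive action
        with self._lock:
            now = self._clock()
            self._purge_expired(now)
            entry = self._sessions.get(session_id)
            if entry is None or guid not in entry[1]:
                return False
            self._sessions[session_id] = (now, entry[1])  # refresh the idle timer
            return True
```

Because expiry removes a session's GUID set, a resource created before the TTL elapsed is no longer deletable under safe mode afterwards, which errs on the side of protection.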