@aborruso/ckan-mcp-server 0.4.85 → 0.4.87
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LOG.md +5 -0
- package/dist/index.js +5 -3
- package/dist/worker.js +77 -75
- package/package.json +1 -1
package/LOG.md
CHANGED
|
@@ -1,7 +1,12 @@
|
|
|
1
1
|
# LOG
|
|
2
2
|
|
|
3
|
+
## 2026-03-17
|
|
4
|
+
|
|
5
|
+
- fix(`tools/sparql.ts`): add `; charset=utf-8` to POST Content-Type — fixes accented chars corruption in SPARQL queries (issue #22)
|
|
6
|
+
|
|
3
7
|
## 2026-03-16
|
|
4
8
|
|
|
9
|
+
- docs(`tools/datastore.ts`): add security note to `ckan_datastore_search_sql` — clarifies SQL forwarding boundary; bump v0.4.86
|
|
5
10
|
- security(`tools/sparql.ts`): apply `validateServerUrl()` to `sparql_query` — blocks SSRF via private IPs (gap from GHSA-3xm7-qw7j-qc8v); 1 new test
|
|
6
11
|
|
|
7
12
|
## 2026-03-15
|
package/dist/index.js
CHANGED
|
@@ -2539,7 +2539,9 @@ Examples:
|
|
|
2539
2539
|
- { server_url: "...", sql: "SELECT * FROM "abc-123" LIMIT 10" }
|
|
2540
2540
|
- { server_url: "...", sql: "SELECT COUNT(*) AS total FROM "abc-123"" }
|
|
2541
2541
|
|
|
2542
|
-
Typical workflow: ckan_package_show (get resource_id) \u2192 ckan_datastore_search_sql (run SQL on it)
|
|
2542
|
+
Typical workflow: ckan_package_show (get resource_id) \u2192 ckan_datastore_search_sql (run SQL on it)
|
|
2543
|
+
|
|
2544
|
+
Security note: SQL queries are forwarded directly to the CKAN DataStore API. The CKAN server enforces its own access controls and read-only permissions. No local database is exposed. Queries are limited to public DataStore resources on the target portal.`,
|
|
2543
2545
|
inputSchema: z4.object({
|
|
2544
2546
|
server_url: z4.string().url().describe("Base URL of the CKAN server (e.g., https://dati.gov.it/opendata)"),
|
|
2545
2547
|
sql: z4.string().min(1).describe('SQL SELECT query; resource_id is the table name, must be double-quoted (e.g., SELECT * FROM "abc-123" LIMIT 10)'),
|
|
@@ -4244,7 +4246,7 @@ async function querySparqlEndpoint(endpointUrl, query) {
|
|
|
4244
4246
|
response = await fetch(endpointUrl, {
|
|
4245
4247
|
method: "POST",
|
|
4246
4248
|
signal: controller.signal,
|
|
4247
|
-
headers: { ...commonHeaders, "Content-Type": "application/sparql-query" },
|
|
4249
|
+
headers: { ...commonHeaders, "Content-Type": "application/sparql-query; charset=utf-8" },
|
|
4248
4250
|
body: query
|
|
4249
4251
|
});
|
|
4250
4252
|
if (response.status === 403 || response.status === 405) {
|
|
@@ -5122,7 +5124,7 @@ var registerAllPrompts = (server2) => {
|
|
|
5122
5124
|
function createServer() {
|
|
5123
5125
|
return new McpServer({
|
|
5124
5126
|
name: "ckan-mcp-server",
|
|
5125
|
-
version: "0.4.
|
|
5127
|
+
version: "0.4.87"
|
|
5126
5128
|
});
|
|
5127
5129
|
}
|
|
5128
5130
|
function registerAll(server2) {
|