@berthojoris/mcp-mysql-server 1.0.0

package/dist/security/securityLayer.d.ts

@@ -0,0 +1,52 @@
+import { FeatureConfig } from '../config/featureConfig.js';
+export declare class SecurityLayer {
+    private ajv;
+    private readonly dangerousKeywords;
+    private readonly allowedOperations;
+    private readonly ddlOperations;
+    private featureConfig;
+    constructor(featureConfig?: FeatureConfig);
+    /**
+     * Validate input against a JSON schema
+     */
+    validateInput(schema: object, data: any): {
+        valid: boolean;
+        errors?: any;
+    };
+    /**
+     * Validate and sanitize table/column names to prevent SQL injection
+     */
+    validateIdentifier(identifier: string): {
+        valid: boolean;
+        error?: string;
+    };
+    /**
+     * Validate SQL query for security issues
+     */
+    validateQuery(query: string): {
+        valid: boolean;
+        error?: string;
+        queryType?: string;
+    };
+    /**
+     * Validate parameter values to prevent injection
+     */
+    validateParameters(params: any[]): {
+        valid: boolean;
+        error?: string;
+        sanitizedParams?: any[];
+    };
+    /**
+     * Check if a query is a read-only SELECT query
+     */
+    isReadOnlyQuery(query: string): boolean;
+    /**
+     * Check if a query contains dangerous operations
+     */
+    hasDangerousOperations(query: string): boolean;
+    /**
+     * Escape identifier for safe use in SQL queries
+     */
+    escapeIdentifier(identifier: string): string;
+}
+export default SecurityLayer;

package/dist/security/securityLayer.js

@@ -0,0 +1,213 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SecurityLayer = void 0;
+const ajv_1 = __importDefault(require("ajv"));
+const featureConfig_js_1 = require("../config/featureConfig.js");
+class SecurityLayer {
+    constructor(featureConfig) {
+        this.ajv = new ajv_1.default();
+        this.featureConfig = featureConfig || new featureConfig_js_1.FeatureConfig();
+        // Define dangerous SQL keywords that should always be blocked (security threats)
+        this.dangerousKeywords = [
+            'GRANT', 'REVOKE', 'LOAD_FILE', 'INTO OUTFILE', 'INTO DUMPFILE',
+            'LOAD DATA', 'INFORMATION_SCHEMA', 'MYSQL', 'PERFORMANCE_SCHEMA',
+            'SYS', 'SHOW', 'DESCRIBE', 'DESC', 'EXPLAIN', 'PROCEDURE',
+            'FUNCTION', 'TRIGGER', 'EVENT', 'VIEW', 'INDEX', 'DATABASE',
+            'SCHEMA', 'USER', 'PASSWORD', 'SLEEP', 'BENCHMARK'
+        ];
+        // Define basic allowed SQL operations
+        this.allowedOperations = ['SELECT', 'INSERT', 'UPDATE', 'DELETE'];
+        // Define DDL operations that require special permission
+        this.ddlOperations = ['CREATE', 'ALTER', 'DROP', 'TRUNCATE', 'RENAME'];
+    }
+    /**
+     * Validate input against a JSON schema
+     */
+    validateInput(schema, data) {
+        const validate = this.ajv.compile(schema);
+        const valid = validate(data);
+        if (!valid) {
+            return {
+                valid: false,
+                errors: validate.errors
+            };
+        }
+        return { valid: true };
+    }
+    /**
+     * Validate and sanitize table/column names to prevent SQL injection
+     */
+    validateIdentifier(identifier) {
+        if (!identifier || typeof identifier !== 'string') {
+            return { valid: false, error: 'Identifier must be a non-empty string' };
+        }
+        // Check length
+        if (identifier.length > 64) {
+            return { valid: false, error: 'Identifier too long (max 64 characters)' };
+        }
+        // MySQL identifier rules: alphanumeric, underscore, dollar sign
+        // Must start with letter, underscore, or dollar sign
+        const identifierRegex = /^[a-zA-Z_$][a-zA-Z0-9_$]*$/;
+        if (!identifierRegex.test(identifier)) {
+            return { valid: false, error: 'Invalid identifier format' };
+        }
+        // Check against MySQL reserved words (basic list)
+        const reservedWords = [
+            'SELECT', 'INSERT', 'UPDATE', 'DELETE', 'FROM', 'WHERE', 'JOIN',
+            'INNER', 'LEFT', 'RIGHT', 'OUTER', 'ON', 'AS', 'AND', 'OR', 'NOT',
+            'NULL', 'TRUE', 'FALSE', 'ORDER', 'BY', 'GROUP', 'HAVING', 'LIMIT',
+            'OFFSET', 'DISTINCT', 'ALL', 'EXISTS', 'IN', 'BETWEEN', 'LIKE',
+            'REGEXP', 'CASE', 'WHEN', 'THEN', 'ELSE', 'END', 'IF', 'IFNULL'
+        ];
+        if (reservedWords.includes(identifier.toUpperCase())) {
+            return { valid: false, error: 'Identifier cannot be a reserved word' };
+        }
+        return { valid: true };
+    }
+    /**
+     * Validate SQL query for security issues
+     */
+    validateQuery(query) {
+        if (!query || typeof query !== 'string') {
+            return { valid: false, error: 'Query must be a non-empty string' };
+        }
+        const trimmedQuery = query.trim().toUpperCase();
+        // Check for empty query
+        if (trimmedQuery.length === 0) {
+            return { valid: false, error: 'Query cannot be empty' };
+        }
+        // Check for multiple statements (basic check)
+        if (query.includes(';') && !query.trim().endsWith(';')) {
+            return { valid: false, error: 'Multiple statements not allowed' };
+        }
+        // Remove trailing semicolon for analysis
+        const cleanQuery = trimmedQuery.replace(/;$/, '');
+        // Determine query type - check basic operations first
+        let queryType = '';
+        for (const operation of this.allowedOperations) {
+            if (cleanQuery.startsWith(operation)) {
+                queryType = operation;
+                break;
+            }
+        }
+        // If not a basic operation, check if it's a DDL operation
+        if (!queryType) {
+            for (const ddlOp of this.ddlOperations) {
+                if (cleanQuery.startsWith(ddlOp)) {
+                    // Check if DDL permission is enabled
+                    if (this.featureConfig.isCategoryEnabled(featureConfig_js_1.ToolCategory.DDL)) {
+                        queryType = ddlOp;
+                        break;
+                    }
+                    else {
+                        return {
+                            valid: false,
+                            error: `DDL operation '${ddlOp}' requires 'ddl' permission. Add 'ddl' to your permissions configuration.`
+                        };
+                    }
+                }
+            }
+        }
+        if (!queryType) {
+            return { valid: false, error: 'Query type not allowed' };
+        }
+        // Check for dangerous keywords (always blocked regardless of permissions)
+        for (const keyword of this.dangerousKeywords) {
+            if (cleanQuery.includes(keyword)) {
+                return { valid: false, error: `Dangerous keyword detected: ${keyword}` };
+            }
+        }
+        // Additional checks for specific query types
+        if (queryType === 'SELECT') {
+            // Check for UNION attacks
+            if (cleanQuery.includes('UNION')) {
+                return { valid: false, error: 'UNION operations not allowed' };
+            }
+            // Check for subqueries in FROM clause (basic check)
+            if (cleanQuery.includes('FROM (')) {
+                return { valid: false, error: 'Subqueries in FROM clause not allowed' };
+            }
+        }
+        // Check for comment-based injection attempts
+        if (cleanQuery.includes('/*') || cleanQuery.includes('--') || cleanQuery.includes('#')) {
+            return { valid: false, error: 'Comments not allowed in queries' };
+        }
+        return { valid: true, queryType };
+    }
+    /**
+     * Validate parameter values to prevent injection
+     */
+    validateParameters(params) {
+        if (!params) {
+            return { valid: true, sanitizedParams: [] };
+        }
+        if (!Array.isArray(params)) {
+            return { valid: false, error: 'Parameters must be an array' };
+        }
+        const sanitizedParams = [];
+        for (let i = 0; i < params.length; i++) {
+            const param = params[i];
+            // Check for null/undefined
+            if (param === null || param === undefined) {
+                sanitizedParams.push(null);
+                continue;
+            }
+            // Validate based on type
+            if (typeof param === 'string') {
+                // Check string length
+                if (param.length > 65535) {
+                    return { valid: false, error: `Parameter ${i} too long (max 65535 characters)` };
+                }
+                // Don't modify strings - let MySQL handle escaping through prepared statements
+                sanitizedParams.push(param);
+            }
+            else if (typeof param === 'number') {
+                // Validate number
+                if (!Number.isFinite(param)) {
+                    return { valid: false, error: `Parameter ${i} must be a finite number` };
+                }
+                sanitizedParams.push(param);
+            }
+            else if (typeof param === 'boolean') {
+                sanitizedParams.push(param);
+            }
+            else if (param instanceof Date) {
+                sanitizedParams.push(param);
+            }
+            else {
+                return { valid: false, error: `Parameter ${i} has unsupported type: ${typeof param}` };
+            }
+        }
+        return { valid: true, sanitizedParams };
+    }
+    /**
+     * Check if a query is a read-only SELECT query
+     */
+    isReadOnlyQuery(query) {
+        const validation = this.validateQuery(query);
+        return validation.valid && validation.queryType === 'SELECT';
+    }
+    /**
+     * Check if a query contains dangerous operations
+     */
+    hasDangerousOperations(query) {
+        const validation = this.validateQuery(query);
+        return !validation.valid;
+    }
+    /**
+     * Escape identifier for safe use in SQL queries
+     */
+    escapeIdentifier(identifier) {
+        const validation = this.validateIdentifier(identifier);
+        if (!validation.valid) {
+            throw new Error(`Invalid identifier: ${validation.error}`);
+        }
+        // Use backticks to escape MySQL identifiers
+        return `\`${identifier}\``;
+    }
+}
+exports.SecurityLayer = SecurityLayer;
+exports.default = SecurityLayer;

package/dist/server.d.ts

@@ -0,0 +1,2 @@
+declare const app: import("express-serve-static-core").Express;
+export default app;

package/dist/server.js

@@ -0,0 +1,283 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const express_1 = __importDefault(require("express"));
+const cors_1 = __importDefault(require("cors"));
+const helmet_1 = __importDefault(require("helmet"));
+const morgan_1 = __importDefault(require("morgan"));
+const express_rate_limit_1 = __importDefault(require("express-rate-limit"));
+const index_1 = require("./index");
+const winston_1 = require("winston");
+// Initialize the MCP instance
+const mcp = new index_1.MySQLMCP();
+// Create Winston logger
+const logger = (0, winston_1.createLogger)({
+    level: 'info',
+    format: winston_1.format.combine(winston_1.format.timestamp(), winston_1.format.json()),
+    transports: [
+        new winston_1.transports.Console(),
+        new winston_1.transports.File({ filename: 'logs/error.log', level: 'error' }),
+        new winston_1.transports.File({ filename: 'logs/combined.log' })
+    ]
+});
+// Initialize Express app
+const app = (0, express_1.default)();
+const PORT = process.env.PORT || 3000;
+// Middleware
+app.use((0, helmet_1.default)()); // Security headers
+app.use((0, cors_1.default)()); // Enable CORS
+app.use(express_1.default.json()); // Parse JSON bodies
+app.use((0, morgan_1.default)('combined')); // HTTP request logging
+// Rate limiting
+const apiLimiter = (0, express_rate_limit_1.default)({
+    windowMs: 15 * 60 * 1000, // 15 minutes
+    max: 100, // Limit each IP to 100 requests per windowMs
+    standardHeaders: true,
+    legacyHeaders: false,
+});
+app.use(apiLimiter);
+// No authentication middleware needed for MCP server
+// Error handling middleware
+const errorHandler = (err, req, res, next) => {
+    logger.error(`${err.name}: ${err.message}`, {
+        path: req.path,
+        method: req.method,
+        body: req.body,
+        stack: err.stack
+    });
+    res.status(500).json({
+        error: {
+            code: 'SERVER_ERROR',
+            message: 'An unexpected error occurred',
+            details: process.env.NODE_ENV === 'production' ? 'See server logs for details' : err.message
+        }
+    });
+};
+// Health check endpoint (no auth required)
+app.get('/health', (req, res) => {
+    res.status(200).json({ status: 'ok', timestamp: new Date().toISOString() });
+});
+// Feature configuration status endpoint
+app.get('/features', (req, res) => {
+    try {
+        const featureStatus = mcp.getFeatureStatus();
+        res.status(200).json(featureStatus);
+    }
+    catch (error) {
+        logger.error('Error getting feature status', { error });
+        res.status(500).json({
+            status: 'error',
+            error: 'Failed to retrieve feature configuration status'
+        });
+    }
+});
+// API routes - no authentication required for MCP server
+const apiRouter = express_1.default.Router();
+app.use('/api', apiRouter);
+// Database Tools Routes
+apiRouter.get('/databases', async (req, res, next) => {
+    try {
+        const result = await mcp.listDatabases();
+        res.json(result);
+    }
+    catch (error) {
+        next(error);
+    }
+});
+apiRouter.get('/tables', async (req, res, next) => {
+    try {
+        const result = await mcp.listTables({ database: undefined });
+        res.json(result);
+    }
+    catch (error) {
+        next(error);
+    }
+});
+apiRouter.get('/tables/:tableName/schema', async (req, res, next) => {
+    try {
+        const { tableName } = req.params;
+        const result = await mcp.readTableSchema({ table_name: tableName });
+        res.json(result);
+    }
+    catch (error) {
+        next(error);
+    }
+});
+// CRUD Operations Routes
+apiRouter.post('/tables/:tableName/records', async (req, res, next) => {
+    try {
+        const { tableName } = req.params;
+        const { data } = req.body;
+        if (!data) {
+            return res.status(400).json({
+                error: {
+                    code: 'INVALID_INPUT',
+                    message: 'Missing data field in request body',
+                    details: 'The request body must contain a data object with the record fields'
+                }
+            });
+        }
+        const result = await mcp.createRecord({
+            table_name: tableName,
+            data
+        });
+        res.status(201).json(result);
+    }
+    catch (error) {
+        next(error);
+    }
+});
+apiRouter.get('/tables/:tableName/records', async (req, res, next) => {
+    try {
+        const { tableName } = req.params;
+        const { filters, limit, offset, sort_by, sort_direction } = req.query;
+        const result = await mcp.readRecords({
+            table_name: tableName,
+            filters: filters ? JSON.parse(filters) : undefined,
+            pagination: {
+                page: offset ? Math.floor(parseInt(offset) / (limit ? parseInt(limit) : 10)) + 1 : 1,
+                limit: limit ? parseInt(limit) : 10
+            },
+            sorting: sort_by ? {
+                field: sort_by,
+                direction: sort_direction?.toLowerCase() === 'desc' ? 'desc' : 'asc'
+            } : undefined
+        });
+        res.json(result);
+    }
+    catch (error) {
+        next(error);
+    }
+});
+apiRouter.put('/tables/:tableName/records/:id', async (req, res, next) => {
+    try {
+        const { tableName, id } = req.params;
+        const { data, id_field } = req.body;
+        if (!data) {
+            return res.status(400).json({
+                error: {
+                    code: 'INVALID_INPUT',
+                    message: 'Missing data field in request body',
+                    details: 'The request body must contain a data object with the fields to update'
+                }
+            });
+        }
+        const result = await mcp.updateRecord({
+            table_name: tableName,
+            data,
+            conditions: [{ field: id_field || 'id', operator: '=', value: id }]
+        });
+        res.json(result);
+    }
+    catch (error) {
+        next(error);
+    }
+});
+apiRouter.delete('/tables/:tableName/records/:id', async (req, res, next) => {
+    try {
+        const { tableName, id } = req.params;
+        const { id_field } = req.query;
+        const result = await mcp.deleteRecord({
+            table_name: tableName,
+            conditions: [{ field: id_field || 'id', operator: '=', value: id }]
+        });
+        res.json(result);
+    }
+    catch (error) {
+        next(error);
+    }
+});
+// Query Tools Routes
+apiRouter.post('/query', async (req, res, next) => {
+    try {
+        const { query, params } = req.body;
+        if (!query) {
+            return res.status(400).json({
+                error: {
+                    code: 'INVALID_INPUT',
+                    message: 'Missing query field in request body',
+                    details: 'The request body must contain a query string'
+                }
+            });
+        }
+        const result = await mcp.runQuery({
+            query,
+            params: params || []
+        });
+        res.json(result);
+    }
+    catch (error) {
+        next(error);
+    }
+});
+apiRouter.post('/execute', async (req, res, next) => {
+    try {
+        const { query, params } = req.body;
+        if (!query) {
+            return res.status(400).json({
+                error: {
+                    code: 'INVALID_INPUT',
+                    message: 'Missing query field in request body',
+                    details: 'The request body must contain a query string'
+                }
+            });
+        }
+        const result = await mcp.executeSql({
+            query,
+            params: params || []
+        });
+        res.json(result);
+    }
+    catch (error) {
+        next(error);
+    }
+});
+// Utility Tools Routes
+apiRouter.get('/connection', async (req, res, next) => {
+    try {
+        const result = await mcp.describeConnection();
+        res.json(result);
+    }
+    catch (error) {
+        next(error);
+    }
+});
+apiRouter.get('/connection/test', async (req, res, next) => {
+    try {
+        const result = await mcp.testConnection();
+        res.json(result);
+    }
+    catch (error) {
+        next(error);
+    }
+});
+apiRouter.get('/tables/:tableName/relationships', async (req, res, next) => {
+    try {
+        const { tableName } = req.params;
+        const result = await mcp.getTableRelationships({ table_name: tableName });
+        res.json(result);
+    }
+    catch (error) {
+        next(error);
+    }
+});
+// Apply error handler
+app.use(errorHandler);
+// Start the server
+const server = app.listen(PORT, () => {
+    logger.info(`MCP MySQL Server running on port ${PORT}`);
+    console.log(`MCP MySQL Server running on port ${PORT}`);
+});
+// Graceful shutdown
+process.on('SIGTERM', () => {
+    logger.info('SIGTERM signal received: closing HTTP server');
+    server.close(async () => {
+        logger.info('HTTP server closed');
+        await mcp.close();
+        logger.info('Database connections closed');
+        process.exit(0);
+    });
+});
+exports.default = app;

package/dist/tools/crudTools.d.ts

@@ -0,0 +1,59 @@
+import SecurityLayer from '../security/securityLayer';
+import { FilterCondition, Pagination, Sorting } from '../validation/schemas';
+export declare class CrudTools {
+    private db;
+    private security;
+    constructor(security: SecurityLayer);
+    /**
+     * Create a new record in the specified table
+     */
+    createRecord(params: {
+        table_name: string;
+        data: Record<string, any>;
+    }): Promise<{
+        status: string;
+        data?: any;
+        error?: string;
+    }>;
+    /**
+     * Read records from the specified table with optional filters, pagination, and sorting
+     */
+    readRecords(params: {
+        table_name: string;
+        filters?: FilterCondition[];
+        pagination?: Pagination;
+        sorting?: Sorting;
+    }): Promise<{
+        status: string;
+        data?: any[];
+        total?: number;
+        error?: string;
+    }>;
+    /**
+     * Update records in the specified table based on conditions
+     */
+    updateRecord(params: {
+        table_name: string;
+        data: Record<string, any>;
+        conditions: FilterCondition[];
+    }): Promise<{
+        status: string;
+        data?: {
+            affectedRows: number;
+        };
+        error?: string;
+    }>;
+    /**
+     * Delete records from the specified table based on conditions
+     */
+    deleteRecord(params: {
+        table_name: string;
+        conditions: FilterCondition[];
+    }): Promise<{
+        status: string;
+        data?: {
+            affectedRows: number;
+        };
+        error?: string;
+    }>;
+}