@berthojoris/mcp-mysql-server 1.18.0 → 1.19.0

package/CHANGELOG.md

@@ -7,10 +7,38 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Security
+- Fixed critical SQL execution bypass in transactions by adding comprehensive security validation
+- Enhanced stored procedure creation with body content validation and injection prevention
+- Improved DDL operations with proper default value sanitization to prevent SQL injection
+- Added transaction timeout mechanism (30 minutes) with automatic cleanup to prevent resource exhaustion
+- Integrated security layer across all transaction operations for complete coverage
+
+### Changed
+- Updated TransactionTools to require SecurityLayer for proper validation
+- Enhanced DdlTools with comprehensive input sanitization
+- Improved database connection management with timeout and cleanup features
+
+### Fixed
+- Resolved TypeScript compilation error in SecurityLayer access patterns
+- Eliminated all security bypass paths through the system
+
 ### Removed
 - Preset-based access control configuration: CLI `--preset` flag and `MCP_PRESET` / `MCP_PERMISSION_PRESET` environment variables. Use `MCP_PERMISSIONS` and optionally `MCP_CATEGORIES`.
 - Global masking configuration via `MCP_MASKING_PROFILE`. If you need enforced masking for exports, use the `safe_export_table` macro's `masking_profile` argument.
 
+
+## [1.18.2] - 2025-12-13
+
+### Removed
+- Removed outdated comparison docs under `docs/comparison` (and the related README section). The canonical documentation is `DOCUMENTATIONS.md`.
+
+
+## [1.18.1] - 2025-12-13
+
+### Changed
+- Updated documentation files with current datetime stamps
+
 ## [1.17.0] - 2025-12-12
 
 ### Added

package/DOCUMENTATIONS.md

@@ -1,5 +1,7 @@
 # MySQL MCP Server - Detailed Documentation
 
+**Last Updated:** 2025-12-13T03:05:29.673Z
+
 This file contains detailed documentation for all features of the MySQL MCP Server. For quick start and basic information, see [README.md](README.md).
 
 ---

package/README.md

@@ -4,6 +4,8 @@
 
 **A production-ready Model Context Protocol (MCP) server for MySQL database integration with AI agents**
 
+**Last Updated:** 2025-12-13T03:05:56.256Z
+
 [![npm version](https://img.shields.io/npm/v/@berthojoris/mcp-mysql-server)](https://www.npmjs.com/package/@berthojoris/mysql-mcp)
 [![npm downloads](https://img.shields.io/npm/dm/@berthojoris/mysql-mcp)](https://www.npmjs.com/package/@berthojoris/mysql-mcp)
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
@@ -333,17 +335,7 @@ For comprehensive documentation, see **[DOCUMENTATIONS.md](DOCUMENTATIONS.md)**:
 
 This MySQL MCP is a **powerful intermediary layer** between AI assistants and MySQL databases.
 
-| Comparison Topic | Documentation |
-|------------------|---------------|
-| Data Access & Querying | [docs/comparison/data-access-querying.md](docs/comparison/data-access-querying.md) |
-| Data Analysis | [docs/comparison/data-analysis.md](docs/comparison/data-analysis.md) |
-| Data Validation | [docs/comparison/data-validation.md](docs/comparison/data-validation.md) |
-| Schema Inspection | [docs/comparison/schema-inspection.md](docs/comparison/schema-inspection.md) |
-| Debugging & Diagnostics | [docs/comparison/debugging-diagnostics.md](docs/comparison/debugging-diagnostics.md) |
-| Advanced Operations | [docs/comparison/advanced-operations.md](docs/comparison/advanced-operations.md) |
-| Key Benefits | [docs/comparison/key-benefits.md](docs/comparison/key-benefits.md) |
-| Example Workflows | [docs/comparison/example-workflows.md](docs/comparison/example-workflows.md) |
-| When to Use | [docs/comparison/when-to-use.md](docs/comparison/when-to-use.md) |
+For full feature coverage and usage examples, see **[DOCUMENTATIONS.md](DOCUMENTATIONS.md)**.
 
 ---
 

package/dist/db/connection.d.ts

@@ -4,6 +4,7 @@ declare class DatabaseConnection {
     private pool;
     private activeTransactions;
     private queryCache;
+    private readonly TRANSACTION_TIMEOUT_MS;
     private constructor();
     static getInstance(): DatabaseConnection;
     getConnection(): Promise<mysql.PoolConnection>;
@@ -19,11 +20,32 @@ declare class DatabaseConnection {
         errorCode?: string;
     }>;
     closePool(): Promise<void>;
+    /**
+     * Clean up expired transactions to prevent resource exhaustion
+     */
+    private cleanupExpiredTransactions;
+    /**
+     * Force rollback a transaction (used for cleanup)
+     */
+    private forceRollbackTransaction;
+    /**
+     * Reset transaction timeout (call this when there's activity)
+     */
+    private resetTransactionTimeout;
     beginTransaction(transactionId: string): Promise<void>;
     commitTransaction(transactionId: string): Promise<void>;
     rollbackTransaction(transactionId: string): Promise<void>;
     getActiveTransactionIds(): string[];
     hasActiveTransaction(transactionId: string): boolean;
+    /**
+     * Get transaction information for debugging/monitoring
+     */
+    getTransactionInfo(transactionId: string): {
+        exists: boolean;
+        createdAt?: Date;
+        lastActivity?: Date;
+        ageMs?: number;
+    };
     getQueryLogs(): import("./queryLogger").QueryLog[];
     getLastQueryLog(): import("./queryLogger").QueryLog | undefined;
     getFormattedQueryLogs(count?: number): string;

package/dist/db/connection.js

@@ -9,6 +9,7 @@ const queryLogger_1 = require("./queryLogger");
 const queryCache_1 = require("../cache/queryCache");
 class DatabaseConnection {
     constructor() {
+        this.TRANSACTION_TIMEOUT_MS = 30 * 60 * 1000; // 30 minutes default timeout
         this.pool = promise_1.default.createPool({
             host: config_1.dbConfig.host,
             port: config_1.dbConfig.port,
@@ -21,6 +22,10 @@ class DatabaseConnection {
         });
         this.activeTransactions = new Map();
         this.queryCache = queryCache_1.QueryCache.getInstance();
+        // Set up periodic cleanup of expired transactions
+        setInterval(() => {
+            this.cleanupExpiredTransactions();
+        }, 5 * 60 * 1000); // Check every 5 minutes
     }
     static getInstance() {
         if (!DatabaseConnection.instance) {
@@ -110,32 +115,108 @@ class DatabaseConnection {
             throw new Error(`Failed to close connection pool: ${error}`);
         }
     }
+    /**
+     * Clean up expired transactions to prevent resource exhaustion
+     */
+    cleanupExpiredTransactions() {
+        const now = new Date();
+        const expiredTransactions = [];
+        for (const [transactionId, transaction,] of this.activeTransactions.entries()) {
+            const timeSinceLastActivity = now.getTime() - transaction.lastActivity.getTime();
+            if (timeSinceLastActivity > this.TRANSACTION_TIMEOUT_MS) {
+                expiredTransactions.push(transactionId);
+            }
+        }
+        for (const transactionId of expiredTransactions) {
+            this.forceRollbackTransaction(transactionId, "Transaction timed out");
+        }
+    }
+    /**
+     * Force rollback a transaction (used for cleanup)
+     */
+    forceRollbackTransaction(transactionId, reason) {
+        const transaction = this.activeTransactions.get(transactionId);
+        if (!transaction)
+            return;
+        try {
+            // Clear timeout if exists
+            if (transaction.timeout) {
+                clearTimeout(transaction.timeout);
+            }
+            // Attempt to rollback
+            transaction.connection.rollback();
+            transaction.connection.release();
+        }
+        catch (error) {
+            console.error(`Failed to rollback expired transaction ${transactionId}:`, error);
+            try {
+                // Force release connection even if rollback fails
+                transaction.connection.release();
+            }
+            catch (releaseError) {
+                console.error(`Failed to release connection for expired transaction ${transactionId}:`, releaseError);
+            }
+        }
+        this.activeTransactions.delete(transactionId);
+        console.warn(`Transaction ${transactionId} force rolled back: ${reason}`);
+    }
+    /**
+     * Reset transaction timeout (call this when there's activity)
+     */
+    resetTransactionTimeout(transactionId) {
+        const transaction = this.activeTransactions.get(transactionId);
+        if (!transaction)
+            return;
+        // Clear existing timeout
+        if (transaction.timeout) {
+            clearTimeout(transaction.timeout);
+        }
+        // Update last activity
+        transaction.lastActivity = new Date();
+        // Set new timeout
+        transaction.timeout = setTimeout(() => {
+            this.forceRollbackTransaction(transactionId, "Transaction timeout");
+        }, this.TRANSACTION_TIMEOUT_MS);
+    }
     // Transaction Management Methods
     async beginTransaction(transactionId) {
         try {
             const connection = await this.getConnection();
             await connection.beginTransaction();
-            this.activeTransactions.set(transactionId, connection);
+            const now = new Date();
+            const timeout = setTimeout(() => {
+                this.forceRollbackTransaction(transactionId, "Transaction timeout");
+            }, this.TRANSACTION_TIMEOUT_MS);
+            this.activeTransactions.set(transactionId, {
+                connection,
+                createdAt: now,
+                lastActivity: now,
+                timeout,
+            });
         }
         catch (error) {
             throw new Error(`Failed to begin transaction: ${error}`);
         }
     }
     async commitTransaction(transactionId) {
-        const connection = this.activeTransactions.get(transactionId);
-        if (!connection) {
+        const transaction = this.activeTransactions.get(transactionId);
+        if (!transaction) {
             throw new Error(`No active transaction found with ID: ${transactionId}`);
         }
         try {
-            await connection.commit();
-            connection.release();
+            // Clear timeout
+            if (transaction.timeout) {
+                clearTimeout(transaction.timeout);
+            }
+            await transaction.connection.commit();
+            transaction.connection.release();
             this.activeTransactions.delete(transactionId);
         }
         catch (error) {
             // If commit fails, rollback and release connection
             try {
-                await connection.rollback();
-                connection.release();
+                await transaction.connection.rollback();
+                transaction.connection.release();
             }
             catch (rollbackError) {
                 console.error("Failed to rollback after commit error:", rollbackError);
@@ -145,17 +226,21 @@ class DatabaseConnection {
         }
     }
     async rollbackTransaction(transactionId) {
-        const connection = this.activeTransactions.get(transactionId);
-        if (!connection) {
+        const transaction = this.activeTransactions.get(transactionId);
+        if (!transaction) {
             throw new Error(`No active transaction found with ID: ${transactionId}`);
         }
         try {
-            await connection.rollback();
-            connection.release();
+            // Clear timeout
+            if (transaction.timeout) {
+                clearTimeout(transaction.timeout);
+            }
+            await transaction.connection.rollback();
+            transaction.connection.release();
             this.activeTransactions.delete(transactionId);
         }
         catch (error) {
-            connection.release();
+            transaction.connection.release();
             this.activeTransactions.delete(transactionId);
             throw new Error(`Failed to rollback transaction: ${error}`);
         }
@@ -166,6 +251,22 @@ class DatabaseConnection {
     hasActiveTransaction(transactionId) {
         return this.activeTransactions.has(transactionId);
     }
+    /**
+     * Get transaction information for debugging/monitoring
+     */
+    getTransactionInfo(transactionId) {
+        const transaction = this.activeTransactions.get(transactionId);
+        if (!transaction) {
+            return { exists: false };
+        }
+        const now = new Date();
+        return {
+            exists: true,
+            createdAt: transaction.createdAt,
+            lastActivity: transaction.lastActivity,
+            ageMs: now.getTime() - transaction.createdAt.getTime(),
+        };
+    }
     getQueryLogs() {
         return queryLogger_1.QueryLogger.getLogs();
     }
@@ -206,15 +307,17 @@ class DatabaseConnection {
         this.queryCache.resetStats();
     }
     async executeInTransaction(transactionId, sql, params) {
-        const connection = this.activeTransactions.get(transactionId);
-        if (!connection) {
+        const transaction = this.activeTransactions.get(transactionId);
+        if (!transaction) {
             throw new Error(`No active transaction found with ID: ${transactionId}`);
         }
         const startTime = Date.now();
         try {
-            const [results] = await connection.query(sql, params);
+            const [results] = await transaction.connection.query(sql, params);
             const duration = Date.now() - startTime;
             queryLogger_1.QueryLogger.log(sql, params, duration, "success");
+            // Reset timeout on successful activity
+            this.resetTransactionTimeout(transactionId);
             return results;
         }
         catch (error) {

package/dist/index.d.ts

@@ -1309,9 +1309,7 @@ export declare class MySQLMCP {
                 column_name: string;
                 pattern_type: string;
                 description: string;
-                metrics? /**
-                 * Get current schema version
-                 */: Record<string, any>;
+                metrics?: Record<string, any>;
                 recommendations?: string[];
             }>;
             summary: {

package/dist/index.js

@@ -51,8 +51,8 @@ class MySQLMCP {
         this.crudTools = new crudTools_1.CrudTools(this.security);
         this.queryTools = new queryTools_1.QueryTools(this.security);
         this.utilityTools = new utilityTools_1.UtilityTools();
-        this.ddlTools = new ddlTools_1.DdlTools();
-        this.transactionTools = new transactionTools_1.TransactionTools();
+        this.ddlTools = new ddlTools_1.DdlTools(this.security);
+        this.transactionTools = new transactionTools_1.TransactionTools(this.security);
         this.storedProcedureTools = new storedProcedureTools_1.StoredProcedureTools(this.security);
         this.dataExportTools = new dataExportTools_1.DataExportTools(this.security);
         this.viewTools = new viewTools_1.ViewTools(this.security);

package/dist/security/securityLayer.d.ts

@@ -8,6 +8,10 @@ export declare class SecurityLayer {
     private featureConfig;
     masking: MaskingLayer;
     constructor(featureConfig?: FeatureConfig);
+    /**
+     * Check if a specific tool is enabled in the feature configuration
+     */
+    isToolEnabled(toolName: string): boolean;
     /**
      * Check if a query is a read-only information query (SHOW, DESCRIBE, EXPLAIN, etc.)
      */

package/dist/security/securityLayer.js

@@ -37,6 +37,12 @@ class SecurityLayer {
         // Define DDL operations that require special permission
         this.ddlOperations = ["CREATE", "ALTER", "DROP", "TRUNCATE", "RENAME"];
     }
+    /**
+     * Check if a specific tool is enabled in the feature configuration
+     */
+    isToolEnabled(toolName) {
+        return this.featureConfig.isToolEnabled(toolName);
+    }
     /**
      * Check if a query is a read-only information query (SHOW, DESCRIBE, EXPLAIN, etc.)
      */

package/dist/tools/ddlTools.d.ts

@@ -1,6 +1,12 @@
+import { SecurityLayer } from "../security/securityLayer";
 export declare class DdlTools {
     private db;
-    constructor();
+    private security;
+    constructor(security: SecurityLayer);
+    /**
+     * Sanitize default value for SQL safety
+     */
+    private sanitizeDefaultValue;
     /**
      * Create a new table
      */

package/dist/tools/ddlTools.js

@@ -6,8 +6,51 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.DdlTools = void 0;
 const connection_1 = __importDefault(require("../db/connection"));
 class DdlTools {
-    constructor() {
+    constructor(security) {
         this.db = connection_1.default.getInstance();
+        this.security = security;
+    }
+    /**
+     * Sanitize default value for SQL safety
+     */
+    sanitizeDefaultValue(defaultValue) {
+        if (defaultValue === null || defaultValue === undefined) {
+            return "NULL";
+        }
+        if (typeof defaultValue === "number") {
+            return String(defaultValue);
+        }
+        if (typeof defaultValue === "boolean") {
+            return defaultValue ? "1" : "0";
+        }
+        if (typeof defaultValue === "string") {
+            // Check for dangerous SQL patterns in default values
+            const dangerousPatterns = [
+                /;/g, // Statement separators
+                /--/g, // SQL comments
+                /\/\*/g, // Block comment start
+                /\*\//g, // Block comment end
+                /\bUNION\b/gi, // UNION operations
+                /\bSELECT\b/gi, // SELECT statements
+                /\bINSERT\b/gi, // INSERT statements
+                /\bUPDATE\b/gi, // UPDATE statements
+                /\bDELETE\b/gi, // DELETE statements
+                /\bDROP\b/gi, // DROP statements
+                /\bCREATE\b/gi, // CREATE statements
+                /\bALTER\b/gi, // ALTER statements
+            ];
+            let sanitized = defaultValue;
+            for (const pattern of dangerousPatterns) {
+                if (pattern.test(sanitized)) {
+                    throw new Error(`Dangerous SQL pattern detected in default value: ${pattern.source}`);
+                }
+            }
+            // Escape single quotes and backslashes
+            sanitized = sanitized.replace(/\\/g, "\\\\").replace(/'/g, "''");
+            return `'${sanitized}'`;
+        }
+        // For other types, convert to string and escape
+        return `'${String(defaultValue).replace(/\\/g, "\\\\").replace(/'/g, "''")}'`;
     }
     /**
      * Create a new table
@@ -26,7 +69,9 @@ class DdlTools {
                     def += " AUTO_INCREMENT";
                 }
                 if (col.default !== undefined) {
-                    def += ` DEFAULT ${col.default}`;
+                    // SECURITY: Properly sanitize default values to prevent SQL injection
+                    const sanitizedDefault = this.sanitizeDefaultValue(col.default);
+                    def += ` DEFAULT ${sanitizedDefault}`;
                 }
                 if (col.primary_key) {
                     def += " PRIMARY KEY";
@@ -83,8 +128,11 @@ class DdlTools {
                         query += ` ADD COLUMN \`${op.column_name}\` ${op.column_type}`;
                         if (op.nullable === false)
                             query += " NOT NULL";
-                        if (op.default !== undefined)
-                            query += ` DEFAULT ${op.default}`;
+                        if (op.default !== undefined) {
+                            // SECURITY: Properly sanitize default values to prevent SQL injection
+                            const sanitizedDefault = this.sanitizeDefaultValue(op.default);
+                            query += ` DEFAULT ${sanitizedDefault}`;
+                        }
                         break;
                     case "drop_column":
                         if (!op.column_name) {
@@ -105,8 +153,11 @@ class DdlTools {
                         query += ` MODIFY COLUMN \`${op.column_name}\` ${op.column_type}`;
                         if (op.nullable === false)
                             query += " NOT NULL";
-                        if (op.default !== undefined)
-                            query += ` DEFAULT ${op.default}`;
+                        if (op.default !== undefined) {
+                            // SECURITY: Properly sanitize default values to prevent SQL injection
+                            const sanitizedDefault = this.sanitizeDefaultValue(op.default);
+                            query += ` DEFAULT ${sanitizedDefault}`;
+                        }
                         break;
                     case "rename_column":
                         if (!op.column_name || !op.new_column_name || !op.column_type) {

package/dist/tools/storedProcedureTools.d.ts

@@ -40,6 +40,10 @@ export declare class StoredProcedureTools {
         data?: any;
         error?: string;
     }>;
+    /**
+     * Validate stored procedure body content for security
+     */
+    private validateProcedureBody;
     /**
      * Create a new stored procedure
      */

package/dist/tools/storedProcedureTools.js

@@ -294,6 +294,51 @@ class StoredProcedureTools {
             };
         }
     }
+    /**
+     * Validate stored procedure body content for security
+     */
+    validateProcedureBody(body) {
+        if (!body || typeof body !== "string") {
+            return {
+                valid: false,
+                error: "Procedure body must be a non-empty string",
+            };
+        }
+        const trimmedBody = body.trim();
+        // Check for dangerous SQL patterns in procedure body
+        const dangerousPatterns = [
+            /\bGRANT\b/i,
+            /\bREVOKE\b/i,
+            /\bDROP\s+USER\b/i,
+            /\bCREATE\s+USER\b/i,
+            /\bALTER\s+USER\b/i,
+            /\bSET\s+PASSWORD\b/i,
+            /\bINTO\s+OUTFILE\b/i,
+            /\bINTO\s+DUMPFILE\b/i,
+            /\bLOAD\s+DATA\b/i,
+            /\bLOAD_FILE\s*\(/i,
+            /\bSYSTEM\s*\(/i,
+            /\bEXEC\s*\(/i,
+            /\bEVAL\s*\(/i,
+        ];
+        for (const pattern of dangerousPatterns) {
+            if (pattern.test(trimmedBody)) {
+                return {
+                    valid: false,
+                    error: `Dangerous SQL pattern detected: ${pattern.source}`,
+                };
+            }
+        }
+        // Check for multiple statement separators that might indicate injection attempts
+        const semicolonCount = (trimmedBody.match(/;/g) || []).length;
+        if (semicolonCount > 50) {
+            return {
+                valid: false,
+                error: "Too many statements in procedure body",
+            };
+        }
+        return { valid: true };
+    }
     /**
      * Create a new stored procedure
      */
@@ -325,6 +370,18 @@ class StoredProcedureTools {
                     error: identifierValidation.error || "Invalid procedure name",
                 };
             }
+            // SECURITY VALIDATION: Validate procedure body content
+            const bodyValidation = this.validateProcedureBody(body);
+            if (!bodyValidation.valid) {
+                return {
+                    status: "error",
+                    error: bodyValidation.error || "Invalid procedure body",
+                };
+            }
+            // Sanitize comment to prevent SQL injection
+            const sanitizedComment = comment
+                ? comment.replace(/'/g, "''").replace(/\\/g, "\\\\")
+                : "";
             // Build parameter list
             const parameterList = parameters
                 .map((param) => {
@@ -336,9 +393,8 @@ class StoredProcedureTools {
                 .join(", ");
             // Build CREATE PROCEDURE statement
             let createQuery = `CREATE PROCEDURE \`${database}\`.\`${procedure_name}\`(${parameterList})\n`;
-            if (comment) {
-                createQuery += `COMMENT '${comment.replace(/'/g, "''")}'
-`;
+            if (sanitizedComment) {
+                createQuery += `COMMENT '${sanitizedComment}'\n`;
             }
             // Check if body already contains BEGIN/END, if not add them
             const trimmedBody = body.trim();

package/dist/tools/transactionTools.d.ts

@@ -1,3 +1,4 @@
+import { SecurityLayer } from "../security/securityLayer";
 export interface TransactionResult {
     status: "success" | "error";
     transactionId?: string;
@@ -7,7 +8,8 @@ export interface TransactionResult {
 }
 export declare class TransactionTools {
     private db;
-    constructor();
+    private security;
+    constructor(security: SecurityLayer);
     /**
      * Begin a new transaction
      */

package/dist/tools/transactionTools.js

@@ -6,8 +6,9 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.TransactionTools = void 0;
 const connection_1 = __importDefault(require("../db/connection"));
 class TransactionTools {
-    constructor() {
+    constructor(security) {
         this.db = connection_1.default.getInstance();
+        this.security = security;
     }
     /**
      * Begin a new transaction
@@ -114,7 +115,25 @@ class TransactionTools {
                     error: "Query is required",
                 };
             }
-            const result = await this.db.executeInTransaction(params.transactionId, params.query, params.params);
+            // SECURITY VALIDATION: Check if user has execute permission
+            const hasExecutePermission = this.security.isToolEnabled("executeSql");
+            // SECURITY VALIDATION: Validate the query before execution
+            const queryValidation = this.security.validateQuery(params.query, hasExecutePermission);
+            if (!queryValidation.valid) {
+                return {
+                    status: "error",
+                    error: `Query validation failed: ${queryValidation.error}`,
+                };
+            }
+            // SECURITY VALIDATION: Validate and sanitize parameters
+            const paramValidation = this.security.validateParameters(params.params || []);
+            if (!paramValidation.valid) {
+                return {
+                    status: "error",
+                    error: `Parameter validation failed: ${paramValidation.error}`,
+                };
+            }
+            const result = await this.db.executeInTransaction(params.transactionId, params.query, paramValidation.sanitizedParams);
             return {
                 status: "success",
                 data: result,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@berthojoris/mcp-mysql-server",
-  "version": "1.18.0",
+  "version": "1.19.0",
   "description": "Model Context Protocol server for MySQL database integration with dynamic per-project permissions, backup/restore, data import/export, and data migration capabilities",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",