@berthojoris/mcp-mysql-server 1.18.0 → 1.20.0

package/CHANGELOG.md

@@ -5,12 +5,45 @@ All notable changes to the MySQL MCP Server will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.20.0] - 2025-12-17
+
+### Changed
+- Version increment for implemented features and improvements
+
 ## [Unreleased]
 
+### Security
+- Fixed critical SQL execution bypass in transactions by adding comprehensive security validation
+- Enhanced stored procedure creation with body content validation and injection prevention
+- Improved DDL operations with proper default value sanitization to prevent SQL injection
+- Added transaction timeout mechanism (30 minutes) with automatic cleanup to prevent resource exhaustion
+- Integrated security layer across all transaction operations for complete coverage
+
+### Changed
+- Updated TransactionTools to require SecurityLayer for proper validation
+- Enhanced DdlTools with comprehensive input sanitization
+- Improved database connection management with timeout and cleanup features
+
+### Fixed
+- Resolved TypeScript compilation error in SecurityLayer access patterns
+- Eliminated all security bypass paths through the system
+
 ### Removed
 - Preset-based access control configuration: CLI `--preset` flag and `MCP_PRESET` / `MCP_PERMISSION_PRESET` environment variables. Use `MCP_PERMISSIONS` and optionally `MCP_CATEGORIES`.
 - Global masking configuration via `MCP_MASKING_PROFILE`. If you need enforced masking for exports, use the `safe_export_table` macro's `masking_profile` argument.
 
+
+## [1.18.2] - 2025-12-13
+
+### Removed
+- Removed outdated comparison docs under `docs/comparison` (and the related README section). The canonical documentation is `DOCUMENTATIONS.md`.
+
+
+## [1.18.1] - 2025-12-13
+
+### Changed
+- Updated documentation files with current datetime stamps
+
 ## [1.17.0] - 2025-12-12
 
 ### Added

package/DOCUMENTATIONS.md

@@ -1,5 +1,7 @@
 # MySQL MCP Server - Detailed Documentation
 
+**Last Updated:** 2025-12-17 00:00:00
+
 This file contains detailed documentation for all features of the MySQL MCP Server. For quick start and basic information, see [README.md](README.md).
 
 ---

package/README.md

@@ -4,6 +4,8 @@
 
 **A production-ready Model Context Protocol (MCP) server for MySQL database integration with AI agents**
 
+**Last Updated:** 2025-12-17 00:00:00
+
 [![npm version](https://img.shields.io/npm/v/@berthojoris/mcp-mysql-server)](https://www.npmjs.com/package/@berthojoris/mysql-mcp)
 [![npm downloads](https://img.shields.io/npm/dm/@berthojoris/mysql-mcp)](https://www.npmjs.com/package/@berthojoris/mysql-mcp)
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
@@ -333,17 +335,7 @@ For comprehensive documentation, see **[DOCUMENTATIONS.md](DOCUMENTATIONS.md)**:
 
 This MySQL MCP is a **powerful intermediary layer** between AI assistants and MySQL databases.
 
-| Comparison Topic | Documentation |
-|------------------|---------------|
-| Data Access & Querying | [docs/comparison/data-access-querying.md](docs/comparison/data-access-querying.md) |
-| Data Analysis | [docs/comparison/data-analysis.md](docs/comparison/data-analysis.md) |
-| Data Validation | [docs/comparison/data-validation.md](docs/comparison/data-validation.md) |
-| Schema Inspection | [docs/comparison/schema-inspection.md](docs/comparison/schema-inspection.md) |
-| Debugging & Diagnostics | [docs/comparison/debugging-diagnostics.md](docs/comparison/debugging-diagnostics.md) |
-| Advanced Operations | [docs/comparison/advanced-operations.md](docs/comparison/advanced-operations.md) |
-| Key Benefits | [docs/comparison/key-benefits.md](docs/comparison/key-benefits.md) |
-| Example Workflows | [docs/comparison/example-workflows.md](docs/comparison/example-workflows.md) |
-| When to Use | [docs/comparison/when-to-use.md](docs/comparison/when-to-use.md) |
+For full feature coverage and usage examples, see **[DOCUMENTATIONS.md](DOCUMENTATIONS.md)**.
 
 ---
 

package/dist/db/connection.d.ts

@@ -4,6 +4,10 @@ declare class DatabaseConnection {
     private pool;
     private activeTransactions;
     private queryCache;
+    private readonly TRANSACTION_TIMEOUT_MS;
+    private readonly TRANSACTION_MONITOR_INTERVAL_MS;
+    private readonly MAX_TRANSACTION_DURATION_MS;
+    private transactionMonitorInterval?;
     private constructor();
     static getInstance(): DatabaseConnection;
     getConnection(): Promise<mysql.PoolConnection>;
@@ -19,11 +23,44 @@ declare class DatabaseConnection {
         errorCode?: string;
     }>;
     closePool(): Promise<void>;
+    /**
+     * Start transaction monitoring system
+     */
+    private startTransactionMonitor;
+    /**
+     * Monitor all active transactions for timeout and security violations
+     */
+    private monitorTransactions;
+    /**
+     * Detect suspicious transaction activity patterns
+     */
+    private detectSuspiciousActivity;
+    /**
+     * Enhanced cleanup of expired transactions with security checks
+     */
+    private cleanupExpiredTransactions;
+    /**
+     * Force rollback a transaction (used for timeout handling)
+     */
+    private forceRollbackTransaction;
+    /**
+     * Reset transaction timeout (call this when there's activity)
+     */
+    private resetTransactionTimeout;
     beginTransaction(transactionId: string): Promise<void>;
     commitTransaction(transactionId: string): Promise<void>;
     rollbackTransaction(transactionId: string): Promise<void>;
     getActiveTransactionIds(): string[];
     hasActiveTransaction(transactionId: string): boolean;
+    /**
+     * Get transaction information for debugging/monitoring
+     */
+    getTransactionInfo(transactionId: string): {
+        exists: boolean;
+        createdAt?: Date;
+        lastActivity?: Date;
+        ageMs?: number;
+    };
     getQueryLogs(): import("./queryLogger").QueryLog[];
     getLastQueryLog(): import("./queryLogger").QueryLog | undefined;
     getFormattedQueryLogs(count?: number): string;

package/dist/db/connection.js

@@ -9,6 +9,9 @@ const queryLogger_1 = require("./queryLogger");
 const queryCache_1 = require("../cache/queryCache");
 class DatabaseConnection {
     constructor() {
+        this.TRANSACTION_TIMEOUT_MS = 30 * 60 * 1000; // 30 minutes default timeout
+        this.TRANSACTION_MONITOR_INTERVAL_MS = 60 * 1000; // 1 minute monitoring interval
+        this.MAX_TRANSACTION_DURATION_MS = 60 * 60 * 1000; // 1 hour maximum duration
         this.pool = promise_1.default.createPool({
             host: config_1.dbConfig.host,
             port: config_1.dbConfig.port,
@@ -21,6 +24,12 @@ class DatabaseConnection {
         });
         this.activeTransactions = new Map();
         this.queryCache = queryCache_1.QueryCache.getInstance();
+        // Start transaction monitoring
+        this.startTransactionMonitor();
+        // Set up periodic cleanup of expired transactions
+        setInterval(() => {
+            this.cleanupExpiredTransactions();
+        }, 5 * 60 * 1000); // Check every 5 minutes
     }
     static getInstance() {
         if (!DatabaseConnection.instance) {
@@ -110,32 +119,179 @@ class DatabaseConnection {
             throw new Error(`Failed to close connection pool: ${error}`);
         }
     }
+    /**
+     * Start transaction monitoring system
+     */
+    startTransactionMonitor() {
+        this.transactionMonitorInterval = setInterval(() => {
+            this.monitorTransactions();
+        }, this.TRANSACTION_MONITOR_INTERVAL_MS);
+    }
+    /**
+     * Monitor all active transactions for timeout and security violations
+     */
+    monitorTransactions() {
+        const now = Date.now();
+        const transactionsToCleanup = [];
+        for (const [transactionId, transaction] of this.activeTransactions) {
+            const age = now - transaction.createdAt.getTime();
+            const inactivity = now - transaction.lastActivity.getTime();
+            // Check for maximum duration violation
+            if (age > this.MAX_TRANSACTION_DURATION_MS) {
+                console.warn(`Transaction ${transactionId} exceeded maximum duration, forcing rollback`);
+                transactionsToCleanup.push(transactionId);
+                continue;
+            }
+            // Check for inactivity timeout (server-side verification)
+            if (inactivity > this.TRANSACTION_TIMEOUT_MS) {
+                console.warn(`Transaction ${transactionId} timed out due to inactivity, forcing rollback`);
+                transactionsToCleanup.push(transactionId);
+                continue;
+            }
+            // Check for suspicious activity patterns
+            if (this.detectSuspiciousActivity(transaction)) {
+                console.warn(`Transaction ${transactionId} shows suspicious activity patterns, forcing rollback`);
+                transactionsToCleanup.push(transactionId);
+                continue;
+            }
+        }
+        // Clean up flagged transactions
+        for (const transactionId of transactionsToCleanup) {
+            this.forceRollbackTransaction(transactionId, "Security violation or timeout");
+        }
+    }
+    /**
+     * Detect suspicious transaction activity patterns
+     */
+    detectSuspiciousActivity(transaction) {
+        const now = Date.now();
+        const age = now - transaction.createdAt.getTime();
+        // Very new transactions with excessive activity could indicate automated attacks
+        if (age < 60000 && transaction.queryCount > 100) { // More than 100 queries in first minute
+            return true;
+        }
+        // Transactions with extremely high query count could indicate resource exhaustion attacks
+        if (transaction.queryCount > 10000) {
+            return true;
+        }
+        // Check for rapid-fire queries (potential DoS)
+        if (transaction.lastQueryTime && (now - transaction.lastQueryTime.getTime()) < 10) { // Less than 10ms between queries
+            transaction.rapidQueryCount = (transaction.rapidQueryCount || 0) + 1;
+            if (transaction.rapidQueryCount > 50) { // More than 50 rapid queries
+                return true;
+            }
+        }
+        return false;
+    }
+    /**
+     * Enhanced cleanup of expired transactions with security checks
+     */
+    cleanupExpiredTransactions() {
+        const now = Date.now();
+        const transactionsToCleanup = [];
+        for (const [transactionId, transaction] of this.activeTransactions) {
+            const age = now - transaction.createdAt.getTime();
+            const inactivity = now - transaction.lastActivity.getTime();
+            // Multiple cleanup criteria for security
+            if (inactivity > this.TRANSACTION_TIMEOUT_MS ||
+                age > this.MAX_TRANSACTION_DURATION_MS ||
+                this.detectSuspiciousActivity(transaction)) {
+                transactionsToCleanup.push(transactionId);
+            }
+        }
+        for (const transactionId of transactionsToCleanup) {
+            this.forceRollbackTransaction(transactionId, "Automatic cleanup");
+        }
+    }
+    /**
+     * Force rollback a transaction (used for timeout handling)
+     */
+    forceRollbackTransaction(transactionId, reason) {
+        const transaction = this.activeTransactions.get(transactionId);
+        if (!transaction)
+            return;
+        try {
+            // Clear timeout if exists
+            if (transaction.timeout) {
+                clearTimeout(transaction.timeout);
+            }
+            // Attempt to rollback
+            transaction.connection.rollback();
+            transaction.connection.release();
+        }
+        catch (error) {
+            console.error(`Failed to rollback expired transaction ${transactionId}:`, error);
+            try {
+                // Force release connection even if rollback fails
+                transaction.connection.release();
+            }
+            catch (releaseError) {
+                console.error(`Failed to release connection for expired transaction ${transactionId}:`, releaseError);
+            }
+        }
+        this.activeTransactions.delete(transactionId);
+        console.warn(`Transaction ${transactionId} force rolled back: ${reason}`);
+    }
+    /**
+     * Reset transaction timeout (call this when there's activity)
+     */
+    resetTransactionTimeout(transactionId) {
+        const transaction = this.activeTransactions.get(transactionId);
+        if (!transaction)
+            return;
+        // Clear existing timeout
+        if (transaction.timeout) {
+            clearTimeout(transaction.timeout);
+        }
+        // Update last activity
+        transaction.lastActivity = new Date();
+        // Set new timeout
+        transaction.timeout = setTimeout(() => {
+            this.forceRollbackTransaction(transactionId, "Transaction timeout");
+        }, this.TRANSACTION_TIMEOUT_MS);
+    }
     // Transaction Management Methods
     async beginTransaction(transactionId) {
         try {
             const connection = await this.getConnection();
             await connection.beginTransaction();
-            this.activeTransactions.set(transactionId, connection);
+            const now = new Date();
+            const timeout = setTimeout(() => {
+                this.forceRollbackTransaction(transactionId, "Transaction timeout");
+            }, this.TRANSACTION_TIMEOUT_MS);
+            this.activeTransactions.set(transactionId, {
+                connection,
+                createdAt: now,
+                lastActivity: now,
+                lastQueryTime: now,
+                timeout,
+                queryCount: 0,
+                rapidQueryCount: 0,
+            });
         }
         catch (error) {
             throw new Error(`Failed to begin transaction: ${error}`);
         }
     }
     async commitTransaction(transactionId) {
-        const connection = this.activeTransactions.get(transactionId);
-        if (!connection) {
+        const transaction = this.activeTransactions.get(transactionId);
+        if (!transaction) {
             throw new Error(`No active transaction found with ID: ${transactionId}`);
         }
         try {
-            await connection.commit();
-            connection.release();
+            // Clear timeout
+            if (transaction.timeout) {
+                clearTimeout(transaction.timeout);
+            }
+            await transaction.connection.commit();
+            transaction.connection.release();
             this.activeTransactions.delete(transactionId);
         }
         catch (error) {
             // If commit fails, rollback and release connection
             try {
-                await connection.rollback();
-                connection.release();
+                await transaction.connection.rollback();
+                transaction.connection.release();
             }
             catch (rollbackError) {
                 console.error("Failed to rollback after commit error:", rollbackError);
@@ -145,17 +301,21 @@ class DatabaseConnection {
         }
     }
     async rollbackTransaction(transactionId) {
-        const connection = this.activeTransactions.get(transactionId);
-        if (!connection) {
+        const transaction = this.activeTransactions.get(transactionId);
+        if (!transaction) {
             throw new Error(`No active transaction found with ID: ${transactionId}`);
         }
         try {
-            await connection.rollback();
-            connection.release();
+            // Clear timeout
+            if (transaction.timeout) {
+                clearTimeout(transaction.timeout);
+            }
+            await transaction.connection.rollback();
+            transaction.connection.release();
             this.activeTransactions.delete(transactionId);
         }
         catch (error) {
-            connection.release();
+            transaction.connection.release();
             this.activeTransactions.delete(transactionId);
             throw new Error(`Failed to rollback transaction: ${error}`);
         }
@@ -166,6 +326,22 @@ class DatabaseConnection {
     hasActiveTransaction(transactionId) {
         return this.activeTransactions.has(transactionId);
     }
+    /**
+     * Get transaction information for debugging/monitoring
+     */
+    getTransactionInfo(transactionId) {
+        const transaction = this.activeTransactions.get(transactionId);
+        if (!transaction) {
+            return { exists: false };
+        }
+        const now = new Date();
+        return {
+            exists: true,
+            createdAt: transaction.createdAt,
+            lastActivity: transaction.lastActivity,
+            ageMs: now.getTime() - transaction.createdAt.getTime(),
+        };
+    }
     getQueryLogs() {
         return queryLogger_1.QueryLogger.getLogs();
     }
@@ -206,15 +382,22 @@ class DatabaseConnection {
         this.queryCache.resetStats();
     }
     async executeInTransaction(transactionId, sql, params) {
-        const connection = this.activeTransactions.get(transactionId);
-        if (!connection) {
+        const transaction = this.activeTransactions.get(transactionId);
+        if (!transaction) {
             throw new Error(`No active transaction found with ID: ${transactionId}`);
         }
+        // Update query tracking before execution
+        const now = new Date();
+        transaction.lastQueryTime = now;
+        transaction.queryCount++;
         const startTime = Date.now();
         try {
-            const [results] = await connection.query(sql, params);
+            const [results] = await transaction.connection.query(sql, params);
             const duration = Date.now() - startTime;
             queryLogger_1.QueryLogger.log(sql, params, duration, "success");
+            // Reset timeout on successful activity and update last activity
+            this.resetTransactionTimeout(transactionId);
+            transaction.lastActivity = now;
             return results;
         }
         catch (error) {

package/dist/index.d.ts

@@ -1309,9 +1309,7 @@ export declare class MySQLMCP {
                 column_name: string;
                 pattern_type: string;
                 description: string;
-                metrics? /**
-                 * Get current schema version
-                 */: Record<string, any>;
+                metrics?: Record<string, any>;
                 recommendations?: string[];
             }>;
             summary: {

package/dist/index.js

@@ -51,8 +51,8 @@ class MySQLMCP {
         this.crudTools = new crudTools_1.CrudTools(this.security);
         this.queryTools = new queryTools_1.QueryTools(this.security);
         this.utilityTools = new utilityTools_1.UtilityTools();
-        this.ddlTools = new ddlTools_1.DdlTools();
-        this.transactionTools = new transactionTools_1.TransactionTools();
+        this.ddlTools = new ddlTools_1.DdlTools(this.security);
+        this.transactionTools = new transactionTools_1.TransactionTools(this.security);
         this.storedProcedureTools = new storedProcedureTools_1.StoredProcedureTools(this.security);
         this.dataExportTools = new dataExportTools_1.DataExportTools(this.security);
         this.viewTools = new viewTools_1.ViewTools(this.security);

package/dist/security/securityLayer.d.ts

@@ -8,6 +8,10 @@ export declare class SecurityLayer {
     private featureConfig;
     masking: MaskingLayer;
     constructor(featureConfig?: FeatureConfig);
+    /**
+     * Check if a specific tool is enabled in the feature configuration
+     */
+    isToolEnabled(toolName: string): boolean;
     /**
      * Check if a query is a read-only information query (SHOW, DESCRIBE, EXPLAIN, etc.)
      */
@@ -27,7 +31,7 @@ export declare class SecurityLayer {
         error?: string;
     };
     /**
-     * Validate SQL query for security issues
+     * Enhanced SQL query validation for security issues
      * @param query - The SQL query to validate
      * @param bypassDangerousCheck - If true, skips dangerous keyword check (for users with 'execute' permission)
      */
@@ -36,6 +40,26 @@ export declare class SecurityLayer {
         error?: string;
         queryType?: string;
     };
+    /**
+     * Enhanced comment detection to prevent bypass techniques
+     */
+    private detectComments;
+    /**
+     * Enhanced multiple statement detection
+     */
+    private detectMultipleStatements;
+    /**
+     * Enhanced query type detection
+     */
+    private detectQueryType;
+    /**
+     * Enhanced dangerous keyword detection
+     */
+    private detectDangerousKeywords;
+    /**
+     * Enhanced SELECT query validation
+     */
+    private validateSelectQuery;
     /**
      * Validate parameter values to prevent injection
      */