@cmd233/mcp-database-server 1.2.0 → 1.4.0

package/{readme.md → README.md}

@@ -105,6 +105,8 @@ node dist/src/index.js --mysql --host <host-name> --database <database-name> --p
 必需参数:
 - `--host`: MySQL 主机名或 IP 地址
 - `--database`: 数据库名称
+
+可选参数:
 - `--port`: 端口号(默认: 3306)
 
 可选参数:
@@ -285,15 +287,18 @@ MCP 数据库服务器提供以下可供 Claude 使用的工具:
 | 工具 | 描述 | 必需参数 |
 |------|-------------|---------------------|
 | `read_query` | 执行 SELECT 查询以读取数据 | `query`: SQL SELECT 语句 |
-| `write_query` | 执行 INSERT、UPDATE 或 DELETE 查询 | `query`: SQL 修改语句 |
-| `create_table` | 在数据库中创建新表 | `query`: CREATE TABLE 语句 |
-| `alter_table` | 修改现有表架构 | `query`: ALTER TABLE 语句 |
+| `write_query` | 执行 INSERT、UPDATE、DELETE 或 TRUNCATE 查询 | `query`: SQL 修改语句<br>`confirm`: 安全标志(必须为 true) |
+| `create_table` | 在数据库中创建新表 | `query`: CREATE TABLE 语句<br>`confirm`: 安全标志(必须为 true) |
+| `alter_table` | 修改现有表架构 | `query`: ALTER TABLE 语句<br>`confirm`: 安全标志(必须为 true) |
 | `drop_table` | 从数据库中删除表 | `table_name`: 表名<br>`confirm`: 安全标志(必须为 true) |
 | `list_tables` | 获取所有表的列表 | 无 |
 | `describe_table` | 查看表的架构信息 | `table_name`: 表名 |
 | `export_query` | 将查询结果导出为 CSV/JSON | `query`: SQL SELECT 语句<br>`format`: "csv" 或 "json" |
-| `append_insight` | 添加业务洞察到备忘录 | `insight`: 洞察文本 |
-| `list_insights` | 列出所有业务洞察 | 无 |
+| `append_insight` | 添加业务洞察到备忘录 (**仅 SQLite**) | `insight`: 洞察文本<br>`confirm`: 安全标志(必须为 true) |
+| `list_insights` | 列出所有业务洞察 (**仅 SQLite**) | 无 |
+| `list_views` | 列出所有视图 (**仅 SQL Server**) | 无 |
+| `describe_view` | 获取视图结构 (**仅 SQL Server**) | `view_name`: 视图名 |
+| `get_view_definition` | 获取视图定义 SQL (**仅 SQL Server**) | `view_name`: 视图名 |
 
 有关如何在 Claude 中使用这些工具的实际示例,请参阅[使用示例](docs/usage-examples.md)。
 

package/dist/src/db/index.js

@@ -95,7 +95,9 @@ export function getDescribeTableQuery(tableName) {
 }
 /**
  * 获取列出视图的数据库特定查询
- * 仅 SQL Server 支持，其他数据库返回空结果
+ * 仅 SQL Server 支持
+ * @returns SQL 查询字符串
+ * @throws 如果数据库不支持视图功能
  */
 export function getListViewsQuery() {
     if (!dbAdapter) {
@@ -104,8 +106,8 @@ export function getListViewsQuery() {
     if (dbAdapter.getListViewsQuery) {
         return dbAdapter.getListViewsQuery();
     }
-    // 不支持视图的数据库返回空结果查询
-    return "SELECT 1 as name WHERE 1=0";
+    // 统一错误处理策略：不支持视图时抛出明确错误
+    throw new Error("当前数据库不支持视图功能");
 }
 /**
  * 获取视图定义的数据库特定查询
@@ -130,3 +132,56 @@ export function supportsViews() {
     }
     return dbAdapter.supportsViews ? dbAdapter.supportsViews() : false;
 }
+/**
+ * 检查存储过程功能是否可用
+ * @returns 可用的数据库适配器
+ * @throws 如果数据库未初始化或不支持存储过程功能
+ */
+function requireProcedureSupport() {
+    if (!dbAdapter) {
+        throw new Error('数据库未初始化');
+    }
+    if (!dbAdapter.getListProceduresQuery) {
+        throw new Error('当前数据库不支持存储过程功能');
+    }
+    return dbAdapter;
+}
+/**
+ * 获取列出存储过程的查询
+ * 仅 SQL Server 支持
+ * @returns SQL 查询字符串
+ * @throws 如果数据库不支持存储过程功能
+ */
+export function getListProceduresQuery() {
+    return requireProcedureSupport().getListProceduresQuery();
+}
+/**
+ * 获取存储过程参数信息的查询
+ * 仅 SQL Server 支持
+ * @param procedureName 存储过程名
+ * @returns SQL 查询字符串
+ * @throws 如果数据库不支持存储过程功能
+ */
+export function getDescribeProcedureQuery(procedureName) {
+    return requireProcedureSupport().getDescribeProcedureQuery(procedureName);
+}
+/**
+ * 获取存储过程定义的查询
+ * 仅 SQL Server 支持
+ * @param procedureName 存储过程名
+ * @returns SQL 查询字符串
+ * @throws 如果数据库不支持存储过程功能
+ */
+export function getProcedureDefinitionQuery(procedureName) {
+    return requireProcedureSupport().getProcedureDefinitionQuery(procedureName);
+}
+/**
+ * 检查数据库是否支持存储过程功能
+ * @returns 如果支持返回 true，否则返回 false
+ */
+export function supportsProcedures() {
+    if (!dbAdapter) {
+        return false;
+    }
+    return dbAdapter.supportsProcedures ? dbAdapter.supportsProcedures() : false;
+}

package/dist/src/db/mysql-adapter.js

@@ -1,3 +1,4 @@
+import { validateForbiddenOperations } from "./sql-validator.js";
 import mysql from "mysql2/promise";
 import { Signer } from "@aws-sdk/rds-signer";
 /**
@@ -116,6 +117,8 @@ export class MysqlAdapter {
         if (!this.connection) {
             throw new Error("数据库未初始化");
         }
+        // 验证禁用的操作（防止恶意查询）
+        validateForbiddenOperations(query);
         try {
             const [rows] = await this.connection.execute(query, params);
             return Array.isArray(rows) ? rows : [];
@@ -131,6 +134,8 @@ export class MysqlAdapter {
         if (!this.connection) {
             throw new Error("数据库未初始化");
         }
+        // 验证禁用的操作
+        validateForbiddenOperations(query);
         try {
             const [result] = await this.connection.execute(query, params);
             const changes = result.affectedRows || 0;
@@ -148,6 +153,8 @@ export class MysqlAdapter {
         if (!this.connection) {
             throw new Error("数据库未初始化");
         }
+        // 验证禁用的操作
+        validateForbiddenOperations(query);
         try {
             await this.connection.query(query);
         }

package/dist/src/db/postgresql-adapter.js

@@ -1,3 +1,4 @@
+import { validateForbiddenOperations } from "./sql-validator.js";
 import pg from 'pg';
 /**
  * PostgreSQL 数据库适配器实现
@@ -52,6 +53,8 @@ export class PostgresqlAdapter {
         if (!this.client) {
             throw new Error("数据库未初始化");
         }
+        // 验证禁用的操作（防止恶意查询）
+        validateForbiddenOperations(query);
         try {
             // PostgreSQL 使用 $1, $2 等作为参数化查询的占位符
             let paramIndex = 0;
@@ -73,6 +76,8 @@ export class PostgresqlAdapter {
         if (!this.client) {
             throw new Error("数据库未初始化");
         }
+        // 验证禁用的操作
+        validateForbiddenOperations(query);
         try {
             // 将 ? 替换为编号参数
             let paramIndex = 0;
@@ -108,6 +113,8 @@ export class PostgresqlAdapter {
         if (!this.client) {
             throw new Error("数据库未初始化");
         }
+        // 验证禁用的操作
+        validateForbiddenOperations(query);
         try {
             await this.client.query(query);
         }

package/dist/src/db/sql-validator.js

@@ -0,0 +1,34 @@
+/**
+ * SQL 操作验证工具
+ * 集中管理禁用的 SQL 操作，确保数据库安全
+ */
+/**
+ * 禁用的 SQL 操作类型及其错误消息
+ * 使用更严格的模式，检测注释后的危险语句
+ */
+const FORBIDDEN_OPERATIONS = [
+    {
+        type: 'DROP',
+        // 匹配 DROP，忽略前导空白和单行注释
+        pattern: /^(\s*|--[^\n]*\n)*DROP\s/i,
+        message: 'DROP 操作已被禁用，此类操作应由 DBA 在数据库层面处理'
+    },
+    {
+        type: 'TRUNCATE',
+        // 匹配 TRUNCATE，忽略前导空白和单行注释
+        pattern: /^(\s*|--[^\n]*\n)*TRUNCATE\s/i,
+        message: 'TRUNCATE 操作已被禁用，因为它不可回滚且不触发触发器'
+    }
+];
+/**
+ * 验证 SQL 查询是否包含禁用的操作
+ * @param query 要验证的 SQL 查询
+ * @throws Error 如果查询包含禁用的操作
+ */
+export function validateForbiddenOperations(query) {
+    for (const { pattern, message } of FORBIDDEN_OPERATIONS) {
+        if (pattern.test(query)) {
+            throw new Error(message);
+        }
+    }
+}

package/dist/src/db/sqlite-adapter.js

@@ -1,4 +1,5 @@
 import sqlite3 from "sqlite3";
+import { validateForbiddenOperations } from "./sql-validator.js";
 /**
  * SQLite 数据库适配器实现
  */
@@ -36,6 +37,8 @@ export class SqliteAdapter {
         if (!this.db) {
             throw new Error("数据库未初始化");
         }
+        // 验证禁用的操作（防止恶意查询）
+        validateForbiddenOperations(query);
         return new Promise((resolve, reject) => {
             this.db.all(query, params, (err, rows) => {
                 if (err) {
@@ -57,6 +60,8 @@ export class SqliteAdapter {
         if (!this.db) {
             throw new Error("数据库未初始化");
         }
+        // 验证禁用的操作
+        validateForbiddenOperations(query);
         return new Promise((resolve, reject) => {
             this.db.run(query, params, function (err) {
                 if (err) {
@@ -77,6 +82,8 @@ export class SqliteAdapter {
         if (!this.db) {
             throw new Error("数据库未初始化");
         }
+        // 验证禁用的操作
+        validateForbiddenOperations(query);
         return new Promise((resolve, reject) => {
             this.db.exec(query, (err) => {
                 if (err) {

package/dist/src/db/sqlserver-adapter.js

@@ -1,4 +1,31 @@
+import { validateForbiddenOperations } from "./sql-validator.js";
 import sql from 'mssql';
+/**
+ * 验证并转义 SQL Server 标识符名称
+ * 防止 SQL 注入攻击
+ * @param name 标识符名称（表名、视图名、存储过程名等）
+ * @returns 转义后的安全标识符
+ * @throws 如果标识符包含非法字符
+ */
+function escapeIdentifier(name) {
+    // 检查名称是否为空
+    if (!name || typeof name !== 'string') {
+        throw new Error('标识符名称不能为空');
+    }
+    // 检查名称长度（SQL Server 限制为 128 字符）
+    if (name.length > 128) {
+        throw new Error('标识符名称长度超过限制（最大 128 字符）');
+    }
+    // 检查是否包含危险的 SQL 字符
+    // 只允许字母、数字、下划线和常见的安全字符
+    const validNamePattern = /^[a-zA-Z_][a-zA-Z0-9_@$#]*$/;
+    if (!validNamePattern.test(name)) {
+        throw new Error(`标识符名称包含非法字符: ${name.substring(0, 20)}...`);
+    }
+    // 使用方括号转义标识符
+    // 方括号内的右方括号需要转义为两个右方括号
+    return `[${name.replace(/]/g, ']]')}]`;
+}
 /**
  * SQL Server 数据库适配器实现
  */
@@ -176,6 +203,8 @@ export class SqlServerAdapter {
      * @returns 包含查询结果的 Promise
      */
     async all(query, params = []) {
+        // 验证禁用的操作（防止恶意查询）
+        validateForbiddenOperations(query);
         return this.executeWithRetry(async (pool) => {
             const request = pool.request();
             // 向请求添加参数
@@ -196,6 +225,8 @@ export class SqlServerAdapter {
      * @returns 包含结果信息的 Promise
      */
     async run(query, params = []) {
+        // 验证禁用的操作
+        validateForbiddenOperations(query);
         return this.executeWithRetry(async (pool) => {
             const request = pool.request();
             // 向请求添加参数
@@ -233,6 +264,8 @@ export class SqlServerAdapter {
      * @returns 执行完成后解析的 Promise
      */
     async exec(query) {
+        // 验证禁用的操作
+        validateForbiddenOperations(query);
         return this.executeWithRetry(async (pool) => {
             const request = pool.request();
             await request.batch(query);
@@ -258,8 +291,11 @@ export class SqlServerAdapter {
     /**
      * 获取描述表或视图的数据库特定查询
      * @param tableName 表名或视图名
+     * @returns SQL 查询字符串
      */
     getDescribeTableQuery(tableName) {
+        // 验证并转义表名，防止 SQL 注入
+        const escapedTableName = escapeIdentifier(tableName);
         return `
       SELECT
         c.COLUMN_NAME as name,
@@ -280,13 +316,13 @@ export class SqlServerAdapter {
             SELECT o.object_id
             FROM sys.objects o
             INNER JOIN sys.schemas s ON o.schema_id = s.schema_id
-            WHERE o.name = '${tableName}' AND s.name = c.TABLE_SCHEMA
+            WHERE o.name = ${escapedTableName} AND s.name = c.TABLE_SCHEMA
             AND o.type IN ('U', 'V')
           )
           AND ep.minor_id = c.ORDINAL_POSITION
           AND ep.name = 'MS_Description'
       WHERE
-        c.TABLE_NAME = '${tableName}'
+        c.TABLE_NAME = ${escapedTableName}
       ORDER BY
         c.ORDINAL_POSITION
     `;
@@ -300,10 +336,13 @@ export class SqlServerAdapter {
     /**
      * 获取视图定义的数据库特定查询
      * @param viewName 视图名
+     * @returns SQL 查询字符串
      * 注意: 使用 WITH ENCRYPTION 创建的视图无法获取定义
      */
     getViewDefinitionQuery(viewName) {
-        return `SELECT VIEW_DEFINITION as definition FROM INFORMATION_SCHEMA.VIEWS WHERE TABLE_NAME = '${viewName}'`;
+        // 验证并转义视图名，防止 SQL 注入
+        const escapedViewName = escapeIdentifier(viewName);
+        return `SELECT VIEW_DEFINITION as definition FROM INFORMATION_SCHEMA.VIEWS WHERE TABLE_NAME = ${escapedViewName}`;
     }
     /**
      * 检查数据库是否支持视图功能
@@ -311,4 +350,52 @@ export class SqlServerAdapter {
     supportsViews() {
         return true;
     }
+    /**
+     * 检查数据库是否支持存储过程功能
+     */
+    supportsProcedures() {
+        return true;
+    }
+    /**
+     * 获取列出存储过程的数据库特定查询
+     */
+    getListProceduresQuery() {
+        return "SELECT ROUTINE_NAME as name FROM INFORMATION_SCHEMA.ROUTINES WHERE ROUTINE_TYPE = 'PROCEDURE' ORDER BY ROUTINE_NAME";
+    }
+    /**
+     * 获取存储过程参数信息的查询
+     * @param procedureName 存储过程名
+     * @returns SQL 查询字符串
+     */
+    getDescribeProcedureQuery(procedureName) {
+        // 验证并转义存储过程名，防止 SQL 注入
+        const escapedProcedureName = escapeIdentifier(procedureName);
+        return `
+      SELECT
+        PARAMETER_NAME as name,
+        DATA_TYPE +
+            CASE
+                WHEN CHARACTER_MAXIMUM_LENGTH IS NOT NULL
+                THEN '(' + CAST(CHARACTER_MAXIMUM_LENGTH AS VARCHAR) + ')'
+                ELSE ''
+            END as type,
+        PARAMETER_MODE as direction,
+        CASE WHEN PARAMETER_MODE IN ('OUT', 'INOUT') THEN 1 ELSE 0 END as is_output,
+        NULL as default_value
+      FROM INFORMATION_SCHEMA.PARAMETERS
+      WHERE SPECIFIC_NAME = ${escapedProcedureName}
+      ORDER BY ORDINAL_POSITION
+    `;
+    }
+    /**
+     * 获取存储过程定义的查询
+     * @param procedureName 存储过程名
+     * @returns SQL 查询字符串
+     * 注意: 使用 WITH ENCRYPTION 创建的存储过程无法获取定义
+     */
+    getProcedureDefinitionQuery(procedureName) {
+        // 验证并转义存储过程名，防止 SQL 注入
+        const escapedProcedureName = escapeIdentifier(procedureName);
+        return `SELECT ROUTINE_DEFINITION as definition FROM INFORMATION_SCHEMA.ROUTINES WHERE ROUTINE_TYPE = 'PROCEDURE' AND ROUTINE_NAME = ${escapedProcedureName}`;
+    }
 }

package/dist/src/handlers/toolHandlers.js

@@ -1,7 +1,7 @@
 import { formatErrorResponse } from '../utils/formatUtils.js';
 // 导入所有工具实现
 import { readQuery, writeQuery, exportQuery } from '../tools/queryTools.js';
-import { createTable, alterTable, dropTable, listTables, describeTable, listViews, describeView, getViewDefinition } from '../tools/schemaTools.js';
+import { createTable, alterTable, dropTable, listTables, describeTable, listViews, describeView, getViewDefinition, listProcedures, describeProcedure, getProcedureDefinition } from '../tools/schemaTools.js';
 import { appendInsight, listInsights } from '../tools/insightTools.js';
 /**
  * 处理列出可用工具的请求
@@ -48,7 +48,7 @@ export function handleListTools() {
             {
                 name: "write_query",
                 title: "Write Query",
-                description: "Execute INSERT, UPDATE, DELETE, or TRUNCATE queries to modify database data. " +
+                description: "Execute INSERT, UPDATE, or DELETE queries to modify database data. " +
                     "Returns the number of affected rows. " +
                     "Cannot be used for SELECT queries - use read_query instead. " +
                     "Supports all database types: SQLite, SQL Server, PostgreSQL, MySQL. " +
@@ -58,7 +58,7 @@ export function handleListTools() {
                     properties: {
                         query: {
                             type: "string",
-                            description: "The SQL INSERT/UPDATE/DELETE/TRUNCATE query to execute"
+                            description: "The SQL INSERT/UPDATE/DELETE query to execute"
                         },
                         confirm: {
                             type: "boolean",
@@ -165,45 +165,6 @@ export function handleListTools() {
                     destructiveHint: true
                 }
             },
-            {
-                name: "drop_table",
-                title: "Drop Table",
-                description: "Permanently delete a table from the database. " +
-                    "This operation cannot be undone - all data and structure will be lost. " +
-                    "Requires confirm=true to execute as a safety measure. " +
-                    "Validates that the table exists before attempting deletion.",
-                inputSchema: {
-                    type: "object",
-                    properties: {
-                        table_name: {
-                            type: "string",
-                            description: "Name of the table to delete"
-                        },
-                        confirm: {
-                            type: "boolean",
-                            description: "Must be set to true to confirm table deletion"
-                        },
-                    },
-                    required: ["table_name", "confirm"],
-                },
-                outputSchema: {
-                    type: "object",
-                    properties: {
-                        success: {
-                            type: "boolean",
-                            description: "True if the table was dropped successfully"
-                        },
-                        message: {
-                            type: "string",
-                            description: "Success message with the dropped table name"
-                        }
-                    }
-                },
-                annotations: {
-                    readOnlyHint: false,
-                    destructiveHint: true
-                }
-            },
             {
                 name: "export_query",
                 title: "Export Query",
@@ -505,6 +466,105 @@ export function handleListTools() {
                     idempotentHint: true
                 }
             },
+            {
+                name: "list_procedures",
+                title: "List Procedures",
+                description: "Retrieve a list of all stored procedure names in the current database. " +
+                    "Only works with SQL Server databases. " +
+                    "Returns only procedure names without parameter details. " +
+                    "Use describe_procedure to get detailed parameter information for a specific procedure.",
+                inputSchema: {
+                    type: "object",
+                    properties: {},
+                },
+                outputSchema: {
+                    type: "object",
+                    properties: {
+                        procedures: {
+                            type: "array",
+                            items: { type: "string" },
+                            description: "Array of stored procedure names in the database"
+                        }
+                    }
+                },
+                annotations: {
+                    readOnlyHint: true,
+                    idempotentHint: true
+                }
+            },
+            {
+                name: "describe_procedure",
+                title: "Describe Procedure",
+                description: "Get detailed parameter information about a specific stored procedure. " +
+                    "Only works with SQL Server databases. " +
+                    "Returns parameter name, data type, direction (IN/OUT/INOUT), and default value. " +
+                    "The procedure must exist in the database.",
+                inputSchema: {
+                    type: "object",
+                    properties: {
+                        procedure_name: {
+                            type: "string",
+                            description: "Name of the stored procedure to describe"
+                        },
+                    },
+                    required: ["procedure_name"],
+                },
+                outputSchema: {
+                    type: "object",
+                    properties: {
+                        name: { type: "string", description: "Procedure name" },
+                        type: { type: "string", description: "Always 'procedure'" },
+                        parameters: {
+                            type: "array",
+                            description: "Array of parameter definitions",
+                            items: {
+                                type: "object",
+                                properties: {
+                                    name: { type: "string", description: "Parameter name" },
+                                    type: { type: "string", description: "Data type" },
+                                    direction: { type: "string", enum: ["IN", "OUT", "INOUT"], description: "Parameter direction" },
+                                    default_value: { type: "string", description: "Default value" },
+                                    is_output: { type: "boolean", description: "Whether this is an output parameter" }
+                                }
+                            }
+                        }
+                    }
+                },
+                annotations: {
+                    readOnlyHint: true,
+                    idempotentHint: true
+                }
+            },
+            {
+                name: "get_procedure_definition",
+                title: "Get Procedure Definition",
+                description: "Retrieve the SQL definition (CREATE PROCEDURE statement) of a specific stored procedure. " +
+                    "Only works with SQL Server databases. " +
+                    "Returns the complete CREATE PROCEDURE SQL statement. " +
+                    "Note: Procedures created WITH ENCRYPTION cannot have their definition retrieved.",
+                inputSchema: {
+                    type: "object",
+                    properties: {
+                        procedure_name: {
+                            type: "string",
+                            description: "Name of the stored procedure to get definition for"
+                        },
+                    },
+                    required: ["procedure_name"],
+                },
+                outputSchema: {
+                    type: "object",
+                    properties: {
+                        name: { type: "string", description: "Procedure name" },
+                        definition: { type: "string", description: "CREATE PROCEDURE SQL statement" },
+                        message: { type: "string", description: "Additional information if definition is unavailable" }
+                    }
+                },
+                annotations: {
+                    readOnlyHint: true,
+                    idempotentHint: true
+                }
+            },
         ],
     };
 }
@@ -539,6 +599,12 @@ export async function handleToolCall(name, args) {
                 return await describeView(args.view_name);
             case "get_view_definition":
                 return await getViewDefinition(args.view_name);
+            case "list_procedures":
+                return await listProcedures();
+            case "describe_procedure":
+                return await describeProcedure(args.procedure_name);
+            case "get_procedure_definition":
+                return await getProcedureDefinition(args.procedure_name);
             case "append_insight":
                 return await appendInsight(args.insight, args.confirm);
             case "list_insights":

package/dist/src/tools/queryTools.js

@@ -29,11 +29,12 @@ export async function writeQuery(query, confirm = false) {
         if (lowerQuery.startsWith("select")) {
             throw new Error("SELECT 操作请使用 read_query");
         }
-        // 支持 INSERT、UPDATE、DELETE 和 TRUNCATE 操作
-        const supportedOperations = ["insert", "update", "delete", "truncate"];
+        // 支持 INSERT、UPDATE、DELETE 操作
+        // 注意：TRUNCATE 操作已被禁用，因为它不可回滚且不触发触发器
+        const supportedOperations = ["insert", "update", "delete"];
         const operation = supportedOperations.find(op => lowerQuery.startsWith(op));
         if (!operation) {
-            throw new Error("write_query 只允许执行 INSERT、UPDATE、DELETE 或 TRUNCATE 操作");
+            throw new Error("write_query 只允许执行 INSERT、UPDATE 或 DELETE 操作");
         }
         // 确认检查：防止误操作
         if (!confirm) {

package/dist/src/tools/schemaTools.js

@@ -1,4 +1,4 @@
-import { dbAll, dbExec, getListTablesQuery, getDescribeTableQuery, getListViewsQuery, getViewDefinitionQuery, supportsViews } from '../db/index.js';
+import { dbAll, dbExec, getListTablesQuery, getDescribeTableQuery, getListViewsQuery, getViewDefinitionQuery, supportsViews, getListProceduresQuery, getDescribeProcedureQuery, getProcedureDefinitionQuery, supportsProcedures } from '../db/index.js';
 import { formatSuccessResponse } from '../utils/formatUtils.js';
 /**
  * 检查数据库对象是否存在
@@ -19,6 +19,19 @@ async function checkObjectExists(objectName, objectType) {
     }
     return false;
 }
+/**
+ * 检查存储过程是否存在
+ * @param procedureName 存储过程名
+ * @returns 如果存在返回 true，否则返回 false
+ */
+async function checkProcedureExists(procedureName) {
+    if (!supportsProcedures()) {
+        return false;
+    }
+    const query = getListProceduresQuery();
+    const procedures = await dbAll(query);
+    return procedures.some(proc => proc.name === procedureName);
+}
 /**
  * 格式化列结构信息
  * @param columns 原始列数据数组
@@ -127,32 +140,14 @@ export async function alterTable(query, confirm = false) {
  * @param tableName 要删除的表名
  * @param confirm 安全确认标志
  * @returns 操作结果
+ * @deprecated DROP 操作已被禁用，此类操作应由 DBA 在数据库层面处理
  */
 export async function dropTable(tableName, confirm) {
-    try {
-        if (!tableName) {
-            throw new Error("表名不能为空");
-        }
-        if (!confirm) {
-            return formatSuccessResponse({
-                success: false,
-                message: "需要安全确认。设置 confirm=true 以继续删除表。"
-            });
-        }
-        // 检查表是否存在
-        if (!(await checkObjectExists(tableName, 'table'))) {
-            throw new Error(`表 '${tableName}' 不存在`);
-        }
-        // 删除表
-        await dbExec(`DROP TABLE "${tableName}"`);
-        return formatSuccessResponse({
-            success: true,
-            message: `表 '${tableName}' 删除成功`
-        });
-    }
-    catch (error) {
-        throw new Error(`删除表失败: ${error.message}`);
-    }
+    // DROP 操作已被禁用
+    return formatSuccessResponse({
+        success: false,
+        message: "DROP 操作已被禁用，此类操作应由 DBA 在数据库层面处理。如需删除表，请联系数据库管理员。"
+    });
 }
 /**
  * 列出数据库中的所有表
@@ -197,7 +192,8 @@ export async function describeTable(tableName) {
             objectType = 'view';
         }
         else {
-            throw new Error(supportsViews() ? `表或视图 '${tableName}' 不存在` : `表 '${tableName}' 不存在`);
+            // 错误消息不直接包含用户输入，防止日志注入
+            throw new Error(supportsViews() ? "指定的表或视图不存在" : "指定的表不存在");
         }
         // 使用适配器特定的查询来描述表/视图结构
         const descQuery = getDescribeTableQuery(tableName);
@@ -246,7 +242,8 @@ export async function describeView(viewName) {
         }
         // 检查视图是否存在
         if (!(await checkObjectExists(viewName, 'view'))) {
-            throw new Error(`视图 '${viewName}' 不存在`);
+            // 错误消息不直接包含用户输入，防止日志注入
+            throw new Error("指定的视图不存在");
         }
         // 使用相同的 describe 查询获取视图列结构
         const descQuery = getDescribeTableQuery(viewName);
@@ -278,7 +275,8 @@ export async function getViewDefinition(viewName) {
         }
         // 检查视图是否存在
         if (!(await checkObjectExists(viewName, 'view'))) {
-            throw new Error(`视图 '${viewName}' 不存在`);
+            // 错误消息不直接包含用户输入，防止日志注入
+            throw new Error("指定的视图不存在");
         }
         // 获取视图定义
         const defQuery = getViewDefinitionQuery(viewName);
@@ -299,3 +297,116 @@ export async function getViewDefinition(viewName) {
         throw new Error(`获取视图定义失败: ${error.message}`);
     }
 }
+/**
+ * 列出数据库中的所有存储过程
+ * 仅支持 SQL Server
+ * @returns 存储过程名数组
+ */
+export async function listProcedures() {
+    try {
+        if (!supportsProcedures()) {
+            throw new Error("存储过程功能仅支持 SQL Server 数据库");
+        }
+        const query = getListProceduresQuery();
+        const procedures = await dbAll(query);
+        return formatSuccessResponse(procedures.map((p) => p.name));
+    }
+    catch (error) {
+        throw new Error(`列出存储过程失败: ${error.message}`);
+    }
+}
+/**
+ * 验证存储过程名称格式是否合法
+ * @param name 存储过程名称
+ * @throws 如果名称包含非法字符
+ */
+function validateProcedureNameFormat(name) {
+    // 检查名称是否为空
+    if (!name || typeof name !== 'string') {
+        throw new Error("存储过程名不能为空");
+    }
+    // 检查名称长度（SQL Server 限制为 128 字符）
+    if (name.length > 128) {
+        throw new Error("存储过程名称长度超过限制（最大 128 字符）");
+    }
+    // 检查是否包含危险的 SQL 字符
+    // 只允许字母、数字、下划线和常见的安全字符
+    const validNamePattern = /^[a-zA-Z_][a-zA-Z0-9_@$#]*$/;
+    if (!validNamePattern.test(name)) {
+        throw new Error("存储过程名称包含非法字符");
+    }
+}
+/**
+ * 验证存储过程操作的前置条件
+ * @param procedureName 存储过程名
+ */
+async function validateProcedureOperation(procedureName) {
+    // 首先验证名称格式，防止恶意输入
+    validateProcedureNameFormat(procedureName);
+    if (!supportsProcedures()) {
+        throw new Error("存储过程功能仅支持 SQL Server 数据库");
+    }
+    if (!(await checkProcedureExists(procedureName))) {
+        // 错误消息不直接包含用户输入，防止日志注入
+        throw new Error("指定的存储过程不存在");
+    }
+}
+/**
+ * 获取存储过程的参数信息
+ * 仅支持 SQL Server
+ * @param procedureName 存储过程名
+ * @returns 存储过程的参数定义
+ */
+export async function describeProcedure(procedureName) {
+    try {
+        await validateProcedureOperation(procedureName);
+        // 获取参数信息
+        const descQuery = getDescribeProcedureQuery(procedureName);
+        const params = await dbAll(descQuery);
+        // 格式化参数信息
+        const parameters = params.map((param) => ({
+            name: param.name,
+            type: param.type,
+            direction: param.direction,
+            default_value: param.default_value,
+            is_output: !!param.is_output
+        }));
+        return formatSuccessResponse({
+            name: procedureName,
+            type: 'procedure',
+            parameters: parameters
+        });
+    }
+    catch (error) {
+        throw new Error(`描述存储过程失败: ${error.message}`);
+    }
+}
+/**
+ * 获取存储过程的定义 SQL
+ * 仅支持 SQL Server
+ * 注意: 使用 WITH ENCRYPTION 创建的存储过程无法获取定义
+ * @param procedureName 存储过程名
+ * @returns 存储过程定义 SQL
+ */
+export async function getProcedureDefinition(procedureName) {
+    try {
+        await validateProcedureOperation(procedureName);
+        // 获取存储过程定义
+        const defQuery = getProcedureDefinitionQuery(procedureName);
+        const result = await dbAll(defQuery);
+        if (result.length === 0 || !result[0].definition) {
+            return formatSuccessResponse({
+                name: procedureName,
+                definition: null,
+                message: "存储过程定义不可用（可能使用 WITH ENCRYPTION 创建）"
+            });
+        }
+        return formatSuccessResponse({
+            name: procedureName,
+            definition: result[0].definition
+        });
+    }
+    catch (error) {
+        throw new Error(`获取存储过程定义失败: ${error.message}`);
+    }
+}

package/package.json

@@ -1,7 +1,7 @@
 {
     "name": "@cmd233/mcp-database-server",
-    "version": "1.2.0",
-    "description": "MCP server for interacting with SQLite, SQL Server, PostgreSQL and MySQL databases (Fixed nullable field detection)",
+    "version": "1.4.0",
+    "description": "MCP server for interacting with SQLite, SQL Server, PostgreSQL and MySQL databases (Added stored procedure support and enhanced SQL injection protection)",
     "license": "MIT",
     "author": "cmd233",
     "homepage": "https://github.com/cmd233/mcp-database-server",
@@ -20,7 +20,6 @@
         "watch": "tsc --watch",
         "start": "node dist/src/index.js",
         "dev": "tsc && node dist/src/index.js",
-        "example": "node examples/example.js",
         "clean": "rimraf dist"
     },
     "dependencies": {

package/dist/src/utils/cryptoUtils.js

@@ -1,119 +0,0 @@
-/**
- * 加密和确认码工具模块
- * 用于两步确认机制，防止 AI 模型自动执行危险操作
- */
-// 硬编码密钥，用于生成确认码
-const CONFIRM_SECRET_KEY = 'mcp-db-server-confirm-key-v1';
-/**
- * 获取当前分钟时间戳
- * @returns 当前分钟的时间戳字符串
- */
-function getMinuteTimestamp() {
-    const now = Date.now();
-    // 转换为分钟级时间戳（去掉秒和毫秒）
-    const minuteTimestamp = Math.floor(now / 60000);
-    return minuteTimestamp.toString();
-}
-/**
- * 生成简单哈希
- * 使用简单的字符串哈希算法生成固定长度的哈希值
- * @param content 要哈希的内容
- * @returns 8位十六进制哈希字符串
- */
-function generateSimpleHash(content) {
-    let hash = 0;
-    // 使用简单的字符串哈希算法
-    for (let i = 0; i < content.length; i++) {
-        const char = content.charCodeAt(i);
-        hash = ((hash << 5) - hash) + char;
-        hash = hash & hash; // 转换为 32 位整数
-    }
-    // 转换为无符号整数并转为十六进制，取前 8 位
-    const hashStr = Math.abs(hash).toString(16).padStart(8, '0');
-    return hashStr.substring(0, 8);
-}
-/**
- * 标准化操作内容
- * 移除多余的空格，统一大小写，确保相同操作生成相同的确认码
- * @param query 原始 SQL 查询或操作内容
- * @returns 标准化后的操作内容
- */
-export function normalizeOperationContent(query) {
-    // 移除前后空格，将多个连续空格替换为单个空格
-    return query.trim().replace(/\s+/g, ' ');
-}
-/**
- * 生成确认码
- * 基于操作内容和当前分钟时间戳生成 8 位十六进制确认码
- * @param operationContent 操作内容（SQL 查询或操作描述）
- * @returns 8 位十六进制确认码
- */
-export function generateConfirmCode(operationContent) {
-    const normalized = normalizeOperationContent(operationContent);
-    const minuteTimestamp = getMinuteTimestamp();
-    const hashInput = normalized + minuteTimestamp + CONFIRM_SECRET_KEY;
-    return generateSimpleHash(hashInput);
-}
-/**
- * 验证确认码
- * 验证确认码是否有效，支持当前分钟和上一分钟的确认码（2 分钟窗口）
- * @param operationContent 操作内容（SQL 查询或操作描述）
- * @param confirmCode 要验证的确认码
- * @returns 确认码是否有效
- */
-export function verifyConfirmCode(operationContent, confirmCode) {
-    if (!confirmCode || confirmCode.length !== 8) {
-        return false;
-    }
-    const normalized = normalizeOperationContent(operationContent);
-    const now = Date.now();
-    const currentMinute = Math.floor(now / 60000);
-    const previousMinute = currentMinute - 1;
-    // 验证当前分钟的确认码
-    const currentHashInput = normalized + currentMinute.toString() + CONFIRM_SECRET_KEY;
-    const currentCode = generateSimpleHash(currentHashInput);
-    if (currentCode === confirmCode) {
-        return true;
-    }
-    // 验证上一分钟的确认码
-    const previousHashInput = normalized + previousMinute.toString() + CONFIRM_SECRET_KEY;
-    const previousCode = generateSimpleHash(previousHashInput);
-    return previousCode === confirmCode;
-}
-/**
- * 格式化预览响应
- * 生成预览模式的响应格式，包含确认码和操作说明
- * @param toolName 工具名称
- * @param operationContent 操作内容
- * @param additionalInfo 额外信息（如警告消息）
- * @returns 预览响应对象
- */
-export function formatPreviewResponse(toolName, operationContent, additionalInfo) {
-    const confirmCode = generateConfirmCode(operationContent);
-    const response = {
-        preview: true,
-        tool_name: toolName,
-        confirm_code: confirmCode,
-        message: "⚠️ 预览模式：此操作需要确认",
-        operation_content: normalizeOperationContent(operationContent),
-        instructions: [
-            "请仔细检查上述操作内容",
-            "如确认执行，请重新调用此工具并提供确认码",
-            `参数示例: { "preview": false, "confirm_code": "${confirmCode}" }`
-        ]
-    };
-    // 添加额外信息
-    if (additionalInfo?.warning) {
-        response.warning = additionalInfo.warning;
-    }
-    if (additionalInfo?.operation) {
-        response.operation = additionalInfo.operation;
-    }
-    return {
-        content: [{
-                type: "text",
-                text: JSON.stringify(response, null, 2)
-            }],
-        isError: false
-    };
-}