@tejasanik/postgres-mcp-server 1.0.0 → 1.1.0

package/dist/utils/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/utils/index.ts"],"names":[],"mappings":"AAAA,cAAc,iBAAiB,CAAC"}

package/dist/utils/validation.d.ts

@@ -0,0 +1,27 @@
+/**
+ * Validates and sanitizes PostgreSQL identifiers (table names, column names, etc.)
+ * Prevents SQL injection by only allowing valid identifier characters.
+ */
+export declare function validateIdentifier(identifier: string, fieldName: string): string;
+/**
+ * Escapes a PostgreSQL identifier by doubling any internal double quotes
+ * and wrapping in double quotes.
+ */
+export declare function escapeIdentifier(identifier: string): string;
+/**
+ * Validates SQL for read-only operations more thoroughly.
+ * Returns true if the SQL appears to be read-only, false otherwise.
+ */
+export declare function isReadOnlySql(sql: string): {
+    isReadOnly: boolean;
+    reason?: string;
+};
+/**
+ * Validates that a number is within acceptable bounds.
+ */
+export declare function validatePositiveInteger(value: any, fieldName: string, min?: number, max?: number): number;
+/**
+ * Validates index type is one of the allowed PostgreSQL index types.
+ */
+export declare function validateIndexType(indexType: string): string;
+//# sourceMappingURL=validation.d.ts.map

package/dist/utils/validation.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"validation.d.ts","sourceRoot":"","sources":["../../src/utils/validation.ts"],"names":[],"mappings":"AAAA;;;GAGG;AACH,wBAAgB,kBAAkB,CAAC,UAAU,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,MAAM,CAqBhF;AAED;;;GAGG;AACH,wBAAgB,gBAAgB,CAAC,UAAU,EAAE,MAAM,GAAG,MAAM,CAQ3D;AAED;;;GAGG;AACH,wBAAgB,aAAa,CAAC,GAAG,EAAE,MAAM,GAAG;IAAE,UAAU,EAAE,OAAO,CAAC;IAAC,MAAM,CAAC,EAAE,MAAM,CAAA;CAAE,CA4EnF;AAED;;GAEG;AACH,wBAAgB,uBAAuB,CAAC,KAAK,EAAE,GAAG,EAAE,SAAS,EAAE,MAAM,EAAE,GAAG,GAAE,MAAU,EAAE,GAAG,GAAE,MAAc,GAAG,MAAM,CAWnH;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM,CAS3D"}

package/dist/utils/validation.js

@@ -0,0 +1,133 @@
+/**
+ * Validates and sanitizes PostgreSQL identifiers (table names, column names, etc.)
+ * Prevents SQL injection by only allowing valid identifier characters.
+ */
+export function validateIdentifier(identifier, fieldName) {
+    if (!identifier || typeof identifier !== 'string') {
+        throw new Error(`${fieldName} is required and must be a string`);
+    }
+    // PostgreSQL identifier rules:
+    // - Must start with a letter (a-z) or underscore
+    // - Can contain letters, digits, underscores, and dollar signs
+    // - Maximum 63 characters
+    // We're being more restrictive for security
+    const validIdentifierRegex = /^[a-zA-Z_][a-zA-Z0-9_$]*$/;
+    if (identifier.length > 63) {
+        throw new Error(`${fieldName} must be 63 characters or less`);
+    }
+    if (!validIdentifierRegex.test(identifier)) {
+        throw new Error(`${fieldName} contains invalid characters. Only letters, numbers, underscores, and dollar signs are allowed, and it must start with a letter or underscore.`);
+    }
+    return identifier;
+}
+/**
+ * Escapes a PostgreSQL identifier by doubling any internal double quotes
+ * and wrapping in double quotes.
+ */
+export function escapeIdentifier(identifier) {
+    // Validate first
+    if (!identifier || typeof identifier !== 'string') {
+        throw new Error('Identifier is required and must be a string');
+    }
+    // Double any internal double quotes and wrap in quotes
+    return `"${identifier.replace(/"/g, '""')}"`;
+}
+/**
+ * Validates SQL for read-only operations more thoroughly.
+ * Returns true if the SQL appears to be read-only, false otherwise.
+ */
+export function isReadOnlySql(sql) {
+    if (!sql || typeof sql !== 'string') {
+        return { isReadOnly: false, reason: 'SQL is required' };
+    }
+    // Normalize: remove comments, extra whitespace
+    let normalizedSql = sql
+        // Remove single-line comments
+        .replace(/--[^\n]*/g, '')
+        // Remove multi-line comments
+        .replace(/\/\*[\s\S]*?\*\//g, '')
+        // Normalize whitespace
+        .replace(/\s+/g, ' ')
+        .trim()
+        .toUpperCase();
+    // Check for write operations at any position (not just start)
+    const writeOperations = [
+        'INSERT',
+        'UPDATE',
+        'DELETE',
+        'DROP',
+        'CREATE',
+        'ALTER',
+        'TRUNCATE',
+        'GRANT',
+        'REVOKE',
+        'COPY',
+        'VACUUM',
+        'REINDEX',
+        'CLUSTER',
+        'REFRESH MATERIALIZED VIEW',
+        'LOCK',
+        'DISCARD',
+        'RESET',
+        'SET ', // Note: space to avoid matching in column names
+        'DO ', // Anonymous code blocks
+        'CALL', // Stored procedures
+    ];
+    // Check if any write operation appears as a keyword (word boundary check)
+    for (const op of writeOperations) {
+        // Check at start or after common statement separators
+        const patterns = [
+            new RegExp(`^${op}\\b`), // At start
+            new RegExp(`\\(\\s*${op}\\b`), // After opening paren (subquery)
+            new RegExp(`;\\s*${op}\\b`), // After semicolon
+            new RegExp(`\\bWITH\\b.*\\bAS\\s*\\(\\s*${op}\\b`, 's'), // In CTE
+        ];
+        for (const pattern of patterns) {
+            if (pattern.test(normalizedSql)) {
+                return { isReadOnly: false, reason: `Write operation '${op.trim()}' detected` };
+            }
+        }
+    }
+    // Check for function calls that could have side effects
+    const dangerousFunctions = [
+        'LO_IMPORT',
+        'LO_EXPORT',
+        'LO_UNLINK',
+        'PG_READ_FILE',
+        'PG_READ_BINARY_FILE',
+        'PG_WRITE_FILE',
+        'DBLINK_EXEC',
+        'DBLINK',
+    ];
+    for (const func of dangerousFunctions) {
+        if (new RegExp(`\\b${func}\\s*\\(`).test(normalizedSql)) {
+            return { isReadOnly: false, reason: `Dangerous function '${func}' detected` };
+        }
+    }
+    return { isReadOnly: true };
+}
+/**
+ * Validates that a number is within acceptable bounds.
+ */
+export function validatePositiveInteger(value, fieldName, min = 1, max = 10000) {
+    if (value === undefined || value === null) {
+        return min;
+    }
+    const num = parseInt(value, 10);
+    if (isNaN(num) || num < min || num > max) {
+        throw new Error(`${fieldName} must be an integer between ${min} and ${max}`);
+    }
+    return num;
+}
+/**
+ * Validates index type is one of the allowed PostgreSQL index types.
+ */
+export function validateIndexType(indexType) {
+    const validTypes = ['btree', 'hash', 'gist', 'spgist', 'gin', 'brin'];
+    const normalized = (indexType || 'btree').toLowerCase();
+    if (!validTypes.includes(normalized)) {
+        throw new Error(`Invalid index type '${indexType}'. Must be one of: ${validTypes.join(', ')}`);
+    }
+    return normalized;
+}
+//# sourceMappingURL=validation.js.map

package/dist/utils/validation.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"validation.js","sourceRoot":"","sources":["../../src/utils/validation.ts"],"names":[],"mappings":"AAAA;;;GAGG;AACH,MAAM,UAAU,kBAAkB,CAAC,UAAkB,EAAE,SAAiB;IACtE,IAAI,CAAC,UAAU,IAAI,OAAO,UAAU,KAAK,QAAQ,EAAE,CAAC;QAClD,MAAM,IAAI,KAAK,CAAC,GAAG,SAAS,mCAAmC,CAAC,CAAC;IACnE,CAAC;IAED,+BAA+B;IAC/B,iDAAiD;IACjD,+DAA+D;IAC/D,0BAA0B;IAC1B,4CAA4C;IAC5C,MAAM,oBAAoB,GAAG,2BAA2B,CAAC;IAEzD,IAAI,UAAU,CAAC,MAAM,GAAG,EAAE,EAAE,CAAC;QAC3B,MAAM,IAAI,KAAK,CAAC,GAAG,SAAS,gCAAgC,CAAC,CAAC;IAChE,CAAC;IAED,IAAI,CAAC,oBAAoB,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE,CAAC;QAC3C,MAAM,IAAI,KAAK,CAAC,GAAG,SAAS,gJAAgJ,CAAC,CAAC;IAChL,CAAC;IAED,OAAO,UAAU,CAAC;AACpB,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,gBAAgB,CAAC,UAAkB;IACjD,iBAAiB;IACjB,IAAI,CAAC,UAAU,IAAI,OAAO,UAAU,KAAK,QAAQ,EAAE,CAAC;QAClD,MAAM,IAAI,KAAK,CAAC,6CAA6C,CAAC,CAAC;IACjE,CAAC;IAED,uDAAuD;IACvD,OAAO,IAAI,UAAU,CAAC,OAAO,CAAC,IAAI,EAAE,IAAI,CAAC,GAAG,CAAC;AAC/C,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,aAAa,CAAC,GAAW;IACvC,IAAI,CAAC,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;QACpC,OAAO,EAAE,UAAU,EAAE,KAAK,EAAE,MAAM,EAAE,iBAAiB,EAAE,CAAC;IAC1D,CAAC;IAED,+CAA+C;IAC/C,IAAI,aAAa,GAAG,GAAG;QACrB,8BAA8B;SAC7B,OAAO,CAAC,WAAW,EAAE,EAAE,CAAC;QACzB,6BAA6B;SAC5B,OAAO,CAAC,mBAAmB,EAAE,EAAE,CAAC;QACjC,uBAAuB;SACtB,OAAO,CAAC,MAAM,EAAE,GAAG,CAAC;SACpB,IAAI,EAAE;SACN,WAAW,EAAE,CAAC;IAEjB,8DAA8D;IAC9D,MAAM,eAAe,GAAG;QACtB,QAAQ;QACR,QAAQ;QACR,QAAQ;QACR,MAAM;QACN,QAAQ;QACR,OAAO;QACP,UAAU;QACV,OAAO;QACP,QAAQ;QACR,MAAM;QACN,QAAQ;QACR,SAAS;QACT,SAAS;QACT,2BAA2B;QAC3B,MAAM;QACN,SAAS;QACT,OAAO;QACP,MAAM,EAAG,gDAAgD;QACzD,KAAK,EAAI,wBAAwB;QACjC,MAAM,EAAG,oBAAoB;KAC9B,CAAC;IAEF,0EAA0E;IAC1E,KAAK,MAAM,EAAE,IAAI,eAAe,EAAE,CAAC;QACjC,sDAAsD;QACtD,MAAM,QAAQ,GAAG;YACf,IAAI,MAAM,CAAC,IAAI,EAAE,KAAK,CAAC,EAAY,WAAW;YAC9C,IAAI,MAAM,CAAC,UAAU,EAAE,KAAK,CAAC,EAAM,iCAAiC;YACpE,IAAI,MAAM,CAAC,QAAQ,EAAE,KAAK,CAAC,EAAQ,kBAAkB;YACrD,IAAI,MAAM,CAAC,+BAA+B,EAAE,KAAK,EAAE,GAAG,CAAC,EAAE,SAAS;SACnE,CAAC;QAEF,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;YAC/B,IAAI,OAAO,CAAC,IAAI,CAAC,aAAa,CAAC,EAAE,CAAC;gBAChC,OAAO,EAAE,UAAU,EAAE,KAAK,EAAE,MAAM,EAAE,oBAAoB,EAAE,CAAC,IAAI,EAAE,YAAY,EAAE,CAAC;YAClF,CAAC;QACH,CAAC;IACH,CAAC;IAED,wDAAwD;IACxD,MAAM,kBAAkB,GAAG;QACzB,WAAW;QACX,WAAW;QACX,WAAW;QACX,cAAc;QACd,qBAAqB;QACrB,eAAe;QACf,aAAa;QACb,QAAQ;KACT,CAAC;IAEF,KAAK,MAAM,IAAI,IAAI,kBAAkB,EAAE,CAAC;QACtC,IAAI,IAAI,MAAM,CAAC,MAAM,IAAI,SAAS,CAAC,CAAC,IAAI,CAAC,aAAa,CAAC,EAAE,CAAC;YACxD,OAAO,EAAE,UAAU,EAAE,KAAK,EAAE,MAAM,EAAE,uBAAuB,IAAI,YAAY,EAAE,CAAC;QAChF,CAAC;IACH,CAAC;IAED,OAAO,EAAE,UAAU,EAAE,IAAI,EAAE,CAAC;AAC9B,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,uBAAuB,CAAC,KAAU,EAAE,SAAiB,EAAE,MAAc,CAAC,EAAE,MAAc,KAAK;IACzG,IAAI,KAAK,KAAK,SAAS,IAAI,KAAK,KAAK,IAAI,EAAE,CAAC;QAC1C,OAAO,GAAG,CAAC;IACb,CAAC;IAED,MAAM,GAAG,GAAG,QAAQ,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;IAChC,IAAI,KAAK,CAAC,GAAG,CAAC,IAAI,GAAG,GAAG,GAAG,IAAI,GAAG,GAAG,GAAG,EAAE,CAAC;QACzC,MAAM,IAAI,KAAK,CAAC,GAAG,SAAS,+BAA+B,GAAG,QAAQ,GAAG,EAAE,CAAC,CAAC;IAC/E,CAAC;IAED,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,iBAAiB,CAAC,SAAiB;IACjD,MAAM,UAAU,GAAG,CAAC,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;IACtE,MAAM,UAAU,GAAG,CAAC,SAAS,IAAI,OAAO,CAAC,CAAC,WAAW,EAAE,CAAC;IAExD,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;QACrC,MAAM,IAAI,KAAK,CAAC,uBAAuB,SAAS,sBAAsB,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACjG,CAAC;IAED,OAAO,UAAU,CAAC;AACpB,CAAC"}

package/package.json

@@ -1,7 +1,8 @@
 {
   "name": "@tejasanik/postgres-mcp-server",
-  "version": "1.0.0",
+  "version": "1.1.0",
   "description": "A Model Context Protocol (MCP) server for PostgreSQL database management and analysis",
+  "type": "module",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
   "bin": {
@@ -11,8 +12,10 @@
     "build": "tsc",
     "start": "node dist/index.js",
     "dev": "ts-node src/index.ts",
+    "test": "node --experimental-vm-modules node_modules/jest/bin/jest.js",
+    "test:watch": "node --experimental-vm-modules node_modules/jest/bin/jest.js --watch",
     "prepare": "npm run build",
-    "prepublishOnly": "npm run build"
+    "prepublishOnly": "npm run build && npm test"
   },
   "keywords": [
     "mcp",
@@ -31,9 +34,12 @@
     "uuid": "^11.0.3"
   },
   "devDependencies": {
+    "@types/jest": "^29.5.14",
     "@types/node": "^22.10.2",
     "@types/pg": "^8.11.10",
     "@types/uuid": "^10.0.0",
+    "jest": "^29.7.0",
+    "ts-jest": "^29.2.5",
     "typescript": "^5.7.2"
   },
   "engines": {