mcp-database-inspector 2.0.1

package/src/validators/input-validator.ts

@@ -0,0 +1,318 @@
+import { z } from 'zod';
+import { ValidationResult } from '../database/types.js';
+
+export class InputValidator {
+  // Schema for database connection URLs
+  static readonly connectionUrlSchema = z.string()
+    .url()
+    .refine(url => url.startsWith('mysql://') || url.startsWith('postgresql://') || url.startsWith('postgres://'), {
+      message: 'URL must start with mysql://, postgresql://, or postgres://'
+    })
+    .refine(url => {
+      try {
+        const parsed = new URL(url);
+        return parsed.hostname && parsed.username && parsed.password;
+      } catch {
+        return false;
+      }
+    }, {
+      message: 'URL must contain hostname, username, and password'
+    });
+
+  // Schema for database names
+  static readonly databaseNameSchema = z.string()
+    .min(1, 'Database name cannot be empty')
+    .max(64, 'Database name cannot exceed 64 characters')
+    .regex(/^[a-zA-Z_][a-zA-Z0-9_$-]*$/, 'Invalid database name format');
+
+  // Schema for table names
+  static readonly tableNameSchema = z.string()
+    .min(1, 'Table name cannot be empty')
+    .max(64, 'Table name cannot exceed 64 characters')
+    .regex(/^[a-zA-Z_][a-zA-Z0-9_$-]*$|^`[^`]+`$/, 'Invalid table name format');
+
+  // Schema for column names
+  static readonly columnNameSchema = z.string()
+    .min(1, 'Column name cannot be empty')
+    .max(64, 'Column name cannot exceed 64 characters')
+    .regex(/^[a-zA-Z_][a-zA-Z0-9_$-]*$|^`[^`]+`$/, 'Invalid column name format');
+
+  // Schema for general text input
+  static readonly textInputSchema = z.string()
+    .max(10000, 'Input too long')
+    .refine(text => !text.includes('\0'), {
+      message: 'Input cannot contain null bytes'
+    });
+
+  /**
+   * Validate a connection URL
+   */
+  static validateConnectionUrl(url: string): ValidationResult {
+    try {
+      this.connectionUrlSchema.parse(url);
+      return { isValid: true };
+    } catch (error) {
+      if (error instanceof z.ZodError) {
+        return {
+          isValid: false,
+          error: error.issues.map(e => e.message).join(', ')
+        };
+      }
+      return {
+        isValid: false,
+        error: 'Invalid connection URL format'
+      };
+    }
+  }
+
+  /**
+   * Validate a database name
+   */
+  static validateDatabaseName(name: string): ValidationResult {
+    try {
+      this.databaseNameSchema.parse(name);
+      return { isValid: true };
+    } catch (error) {
+      if (error instanceof z.ZodError) {
+        return {
+          isValid: false,
+          error: error.issues.map(e => e.message).join(', ')
+        };
+      }
+      return {
+        isValid: false,
+        error: 'Invalid database name'
+      };
+    }
+  }
+
+  /**
+   * Validate a table name
+   */
+  static validateTableName(name: string): ValidationResult {
+    try {
+      this.tableNameSchema.parse(name);
+      return { isValid: true };
+    } catch (error) {
+      if (error instanceof z.ZodError) {
+        return {
+          isValid: false,
+          error: error.issues.map(e => e.message).join(', ')
+        };
+      }
+      return {
+        isValid: false,
+        error: 'Invalid table name'
+      };
+    }
+  }
+
+  /**
+   * Validate a column name
+   */
+  static validateColumnName(name: string): ValidationResult {
+    try {
+      this.columnNameSchema.parse(name);
+      return { isValid: true };
+    } catch (error) {
+      if (error instanceof z.ZodError) {
+        return {
+          isValid: false,
+          error: error.issues.map(e => e.message).join(', ')
+        };
+      }
+      return {
+        isValid: false,
+        error: 'Invalid column name'
+      };
+    }
+  }
+
+  /**
+   * Validate text input
+   */
+  static validateTextInput(text: string): ValidationResult {
+    try {
+      this.textInputSchema.parse(text);
+      return { isValid: true };
+    } catch (error) {
+      if (error instanceof z.ZodError) {
+        return {
+          isValid: false,
+          error: error.issues.map(e => e.message).join(', ')
+        };
+      }
+      return {
+        isValid: false,
+        error: 'Invalid text input'
+      };
+    }
+  }
+
+  /**
+   * Sanitize string input by removing dangerous characters
+   */
+  static sanitizeString(input: string): string {
+    if (!input) return '';
+
+    return input
+      // Remove null bytes
+      .replace(/\0/g, '')
+      // Remove control characters except tab, newline, carriage return
+      .replace(/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/g, '')
+      // Trim whitespace
+      .trim();
+  }
+
+  /**
+   * Escape MySQL identifiers (table names, column names)
+   */
+  static escapeIdentifier(identifier: string): string {
+    if (!identifier) return '';
+
+    // If already quoted, return as is
+    if (identifier.startsWith('`') && identifier.endsWith('`')) {
+      return identifier;
+    }
+
+    // Remove any existing backticks and escape them
+    const cleaned = identifier.replace(/`/g, '``');
+    return `\`${cleaned}\``;
+  }
+
+  /**
+   * Validate tool arguments based on schema
+   */
+  static validateToolArgs<T>(args: unknown, schema: z.ZodSchema<T>): ValidationResult & { data?: T } {
+    try {
+      const data = schema.parse(args);
+      return { isValid: true, data };
+    } catch (error) {
+      if (error instanceof z.ZodError) {
+        return {
+          isValid: false,
+          error: `Invalid arguments: ${error.issues.map(e => `${e.path.join('.')}: ${e.message}`).join(', ')}`
+        };
+      }
+      return {
+        isValid: false,
+        error: 'Invalid arguments format'
+      };
+    }
+  }
+
+  /**
+   * Validate that a string represents a valid number
+   */
+  static validateNumeric(value: string, options?: { min?: number; max?: number; integer?: boolean }): ValidationResult {
+    const num = Number(value);
+
+    if (isNaN(num)) {
+      return { isValid: false, error: 'Value must be a valid number' };
+    }
+
+    if (options?.integer && !Number.isInteger(num)) {
+      return { isValid: false, error: 'Value must be an integer' };
+    }
+
+    if (options?.min !== undefined && num < options.min) {
+      return { isValid: false, error: `Value must be at least ${options.min}` };
+    }
+
+    if (options?.max !== undefined && num > options.max) {
+      return { isValid: false, error: `Value must be at most ${options.max}` };
+    }
+
+    return { isValid: true };
+  }
+
+  /**
+   * Validate an array of values
+   */
+  static validateArray<T>(
+    values: unknown[],
+    itemValidator: (item: unknown) => ValidationResult & { data?: T }
+  ): ValidationResult & { data?: T[] } {
+    if (!Array.isArray(values)) {
+      return { isValid: false, error: 'Value must be an array' };
+    }
+
+    const validatedItems: T[] = [];
+    const errors: string[] = [];
+
+    for (let i = 0; i < values.length; i++) {
+      const result = itemValidator(values[i]);
+      if (result.isValid && result.data !== undefined) {
+        validatedItems.push(result.data);
+      } else {
+        errors.push(`Item ${i}: ${result.error || 'Validation failed'}`);
+      }
+    }
+
+    if (errors.length > 0) {
+      return { isValid: false, error: errors.join(', ') };
+    }
+
+    return { isValid: true, data: validatedItems };
+  }
+
+  /**
+   * Validate email format (for potential user management features)
+   */
+  static validateEmail(email: string): ValidationResult {
+    const emailSchema = z.string().email();
+    try {
+      emailSchema.parse(email);
+      return { isValid: true };
+    } catch (error) {
+      return { isValid: false, error: 'Invalid email format' };
+    }
+  }
+
+  /**
+   * Validate URL format
+   */
+  static validateUrl(url: string): ValidationResult {
+    const urlSchema = z.string().url();
+    try {
+      urlSchema.parse(url);
+      return { isValid: true };
+    } catch (error) {
+      return { isValid: false, error: 'Invalid URL format' };
+    }
+  }
+
+  /**
+   * Check if a string contains only safe characters for logging
+   */
+  static isSafeForLogging(text: string): boolean {
+    // Check for sensitive patterns that shouldn't be logged
+    const sensitivePatterns = [
+      /password\s*[=:]\s*[^\s&]+/gi,
+      /pwd\s*[=:]\s*[^\s&]+/gi,
+      /secret\s*[=:]\s*[^\s&]+/gi,
+      /token\s*[=:]\s*[^\s&]+/gi,
+      /key\s*[=:]\s*[^\s&]+/gi,
+      /(mysql|postgresql?):\/\/[^@]+:[^@]+@/gi, // Connection strings with credentials
+    ];
+
+    return !sensitivePatterns.some(pattern => pattern.test(text));
+  }
+
+  /**
+   * Sanitize text for safe logging by masking sensitive information
+   */
+  static sanitizeForLogging(text: string): string {
+    if (!text) return '';
+
+    return text
+      // Mask passwords in URLs
+      .replace(/((?:mysql|postgresql?):\/\/[^:]+:)[^@]+(@)/gi, '$1***$2')
+      // Mask password parameters
+      .replace(/(password\s*[=:]\s*)[^\s&]+/gi, '$1***')
+      .replace(/(pwd\s*[=:]\s*)[^\s&]+/gi, '$1***')
+      .replace(/(secret\s*[=:]\s*)[^\s&]+/gi, '$1***')
+      .replace(/(token\s*[=:]\s*)[^\s&]+/gi, '$1***')
+      .replace(/(key\s*[=:]\s*)[^\s&]+/gi, '$1***');
+  }
+}

package/src/validators/query-validator.ts

@@ -0,0 +1,267 @@
+import { DatabaseType, ValidationResult } from '../database/types.js';
+
+export class QueryValidator {
+  // Keywords that are forbidden in queries
+  private static readonly FORBIDDEN_KEYWORDS = [
+    'INSERT', 'UPDATE', 'DELETE', 'DROP', 'CREATE',
+    'ALTER', 'TRUNCATE', 'REPLACE', 'MERGE', 'CALL',
+    'EXEC', 'EXECUTE', 'LOAD', 'IMPORT', 'BULK',
+    'GRANT', 'REVOKE', 'SET', 'USE', 'START',
+    'BEGIN', 'COMMIT', 'ROLLBACK', 'SAVEPOINT',
+    'LOCK', 'UNLOCK', 'FLUSH', 'RESET', 'PURGE',
+    'KILL', 'SHUTDOWN', 'RESTART', 'COPY'
+  ];
+
+  // Allowed keywords for read-only operations
+  private static readonly ALLOWED_KEYWORDS = [
+    'SELECT', 'SHOW', 'DESCRIBE', 'DESC', 'EXPLAIN',
+    'ANALYZE', 'CHECK', 'CHECKSUM', 'OPTIMIZE', 'WITH', 'VALUES'
+  ];
+
+  // Dangerous functions that should be blocked
+  private static readonly FORBIDDEN_FUNCTIONS = [
+    'LOAD_FILE', 'INTO OUTFILE', 'INTO DUMPFILE',
+    'SYSTEM', 'USER_DEFINED_FUNCTION', 'BENCHMARK',
+    'PG_READ_FILE', 'PG_LS_DIR', 'PG_EXECUTE'
+  ];
+
+  static validateQuery(query: string, type: DatabaseType = DatabaseType.MySQL): ValidationResult {
+    if (!query || query.trim().length === 0) {
+      return {
+        isValid: false,
+        error: 'Query cannot be empty'
+      };
+    }
+
+    const normalizedQuery = this.normalizeQuery(query);
+
+    // Check for forbidden keywords
+    const forbiddenCheck = this.checkForbiddenKeywords(normalizedQuery);
+    if (!forbiddenCheck.isValid) {
+      return forbiddenCheck;
+    }
+
+    // Check for forbidden functions
+    const functionCheck = this.checkForbiddenFunctions(normalizedQuery);
+    if (!functionCheck.isValid) {
+      return functionCheck;
+    }
+
+    // Check if query starts with an allowed keyword
+    const allowedCheck = this.checkAllowedStart(normalizedQuery);
+    if (!allowedCheck.isValid) {
+      return allowedCheck;
+    }
+
+    // Check for SQL injection patterns
+    const injectionCheck = this.checkSqlInjectionPatterns(normalizedQuery, type);
+    if (!injectionCheck.isValid) {
+      return injectionCheck;
+    }
+
+    // Check for suspicious patterns
+    const suspiciousCheck = this.checkSuspiciousPatterns(normalizedQuery);
+    if (!suspiciousCheck.isValid) {
+      return suspiciousCheck;
+    }
+
+    return {
+      isValid: true,
+      warnings: this.getWarnings(normalizedQuery)
+    };
+  }
+
+  private static normalizeQuery(query: string): string {
+    // Remove comments and normalize whitespace
+    return query
+      .replace(/--[^\r\n]*/g, '') // Remove -- comments
+      .replace(/\/\*[\s\S]*?\*\//g, '') // Remove /* */ comments
+      .replace(/\s+/g, ' ') // Normalize whitespace
+      .trim()
+      .toUpperCase();
+  }
+
+  private static checkForbiddenKeywords(query: string): ValidationResult {
+    for (const keyword of this.FORBIDDEN_KEYWORDS) {
+      // Use word boundaries to avoid false positives
+      const regex = new RegExp(`\\b${keyword}\\b`, 'i');
+      if (regex.test(query)) {
+        return {
+          isValid: false,
+          error: `Forbidden keyword detected: ${keyword}. Only read-only operations are allowed.`
+        };
+      }
+    }
+    return { isValid: true };
+  }
+
+  private static checkForbiddenFunctions(query: string): ValidationResult {
+    for (const func of this.FORBIDDEN_FUNCTIONS) {
+      if (query.includes(func)) {
+        return {
+          isValid: false,
+          error: `Forbidden function detected: ${func}. This function is not allowed for security reasons.`
+        };
+      }
+    }
+    return { isValid: true };
+  }
+
+  private static checkAllowedStart(query: string): ValidationResult {
+    const firstWord = query.split(' ')[0];
+
+    if (!this.ALLOWED_KEYWORDS.includes(firstWord)) {
+      return {
+        isValid: false,
+        error: `Query must start with one of: ${this.ALLOWED_KEYWORDS.join(', ')}`
+      };
+    }
+
+    return { isValid: true };
+  }
+
+  private static checkSqlInjectionPatterns(query: string, type: DatabaseType): ValidationResult {
+    const suspiciousPatterns = [
+      /;\s*(SELECT|INSERT|UPDATE|DELETE|DROP|CREATE|ALTER)/i, // Multiple statements
+      /UNION\s+(ALL\s+)?SELECT/i, // Union-based injection
+      /'\s*(OR|AND)\s*'[^']*'\s*=/i, // Quote-based injection
+      /'\s*(OR|AND)\s*\d+\s*=\s*\d+/i, // Numeric injection
+      /CONCAT\s*\(\s*0x[0-9a-f]+/i, // Hex concatenation
+      /(SLEEP|BENCHMARK)\s*\(/i, // Time-based attacks
+    ];
+
+    if (type === DatabaseType.MySQL) {
+        suspiciousPatterns.push(/INFORMATION_SCHEMA\.\w+\s+(WHERE|AND|OR)/i);
+    }
+
+    for (const pattern of suspiciousPatterns) {
+      if (pattern.test(query)) {
+        return {
+          isValid: false,
+          error: 'Query contains suspicious patterns that may indicate SQL injection'
+        };
+      }
+    }
+
+    return { isValid: true };
+  }
+
+  private static checkSuspiciousPatterns(query: string): ValidationResult {
+    // Check for extremely long queries (potential DoS)
+    if (query.length > 10000) {
+      return {
+        isValid: false,
+        error: 'Query is too long. Maximum allowed length is 10,000 characters.'
+      };
+    }
+
+    // Check for excessive nesting
+    const nestedCount = (query.match(/\(/g) || []).length;
+    if (nestedCount > 50) {
+      return {
+        isValid: false,
+        error: 'Query has too many nested expressions. Maximum allowed is 50.'
+      };
+    }
+
+    return { isValid: true };
+  }
+
+  private static getWarnings(query: string): string[] {
+    const warnings: string[] = [];
+
+    // Warn about potentially slow operations
+    if (query.includes('SELECT *')) {
+      warnings.push('Using SELECT * may return large result sets. Consider specifying specific columns.');
+    }
+
+    if (query.includes('ORDER BY') && !query.includes('LIMIT')) {
+      warnings.push('ORDER BY without LIMIT may be slow on large tables.');
+    }
+
+    if (query.includes('LIKE %') || query.includes("LIKE '%")) {
+      warnings.push('Leading wildcard in LIKE patterns may cause slow queries.');
+    }
+
+    // Check for cross-joins
+    if (query.match(/FROM\s+\w+\s*,\s*\w+/i) && !query.includes('WHERE')) {
+      warnings.push('Potential cartesian product detected. Consider adding WHERE conditions.');
+    }
+
+    return warnings;
+  }
+
+  // Validate table and column names to prevent injection through identifiers
+  static validateIdentifier(identifier: string): ValidationResult {
+    if (!identifier || identifier.trim().length === 0) {
+      return {
+        isValid: false,
+        error: 'Identifier cannot be empty'
+      };
+    }
+
+    // MySQL/PostgreSQL identifier rules (simplified common)
+    const validIdentifier = /^[a-zA-Z_][a-zA-Z0-9_$]*$|^`[^`]+`$/;
+
+    if (!validIdentifier.test(identifier.trim())) {
+      return {
+        isValid: false,
+        error: 'Invalid identifier format. Use only letters, numbers, underscore, and dollar sign.'
+      };
+    }
+
+    // Check length (common limit is 64 characters)
+    const cleanIdentifier = identifier.replace(/[`"]/g, '');
+    if (cleanIdentifier.length > 64) {
+      return {
+        isValid: false,
+        error: 'Identifier too long. Maximum length is 64 characters.'
+      };
+    }
+
+    return { isValid: true };
+  }
+
+  // Sanitize user input
+  static sanitizeInput(input: string): string {
+    if (!input) return '';
+
+    // Remove null bytes and control characters
+    return input
+      .replace(/\0/g, '')
+      .replace(/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/g, '')
+      .trim();
+  }
+
+  // Check if a query is a simple read operation
+  static isSimpleReadQuery(query: string): boolean {
+    const normalized = this.normalizeQuery(query);
+    const firstWord = normalized.split(' ')[0];
+
+    return ['SELECT', 'SHOW', 'DESCRIBE', 'DESC', 'EXPLAIN', 'WITH', 'VALUES'].includes(firstWord);
+  }
+
+  // Estimate query complexity
+  static getQueryComplexity(query: string): 'low' | 'medium' | 'high' {
+    const normalized = this.normalizeQuery(query);
+    let complexity = 0;
+
+    // Count joins
+    complexity += (normalized.match(/\bJOIN\b/g) || []).length * 2;
+
+    // Count subqueries
+    complexity += (normalized.match(/\bSELECT\b/g) || []).length - 1;
+
+    // Count aggregation functions
+    complexity += (normalized.match(/\b(COUNT|SUM|AVG|MAX|MIN|GROUP_CONCAT)\b/g) || []).length;
+
+    // Count sorting and grouping
+    if (normalized.includes('ORDER BY')) complexity += 1;
+    if (normalized.includes('GROUP BY')) complexity += 2;
+    if (normalized.includes('HAVING')) complexity += 1;
+
+    if (complexity <= 2) return 'low';
+    if (complexity <= 6) return 'medium';
+    return 'high';
+  }
+}

package/tsconfig.json

@@ -0,0 +1,30 @@
+{
+  "compilerOptions": {
+    "target": "ES2022",
+    "module": "NodeNext",
+    "moduleResolution": "NodeNext",
+    "outDir": "./dist",
+    "rootDir": "./src",
+    "strict": true,
+    "esModuleInterop": true,
+    "skipLibCheck": true,
+    "forceConsistentCasingInFileNames": true,
+    "declaration": true,
+    "declarationMap": true,
+    "sourceMap": true,
+    "resolveJsonModule": true,
+    "allowSyntheticDefaultImports": true,
+    "experimentalDecorators": true,
+    "emitDecoratorMetadata": true,
+    "lib": ["ES2022", "DOM"]
+  },
+  "include": [
+    "src/**/*"
+  ],
+  "exclude": [
+    "node_modules",
+    "dist",
+    "**/*.test.ts",
+    "**/*.spec.ts"
+  ]
+}