npm - mssql-mcp - Versions diffs - 1.0.2 → 1.0.3 - Mend

mssql-mcp 1.0.2 → 1.0.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/dist/index.js +4 -29
package/package.json +1 -1

package/dist/index.js CHANGED Viewed

@@ -24,7 +24,7 @@ class MSSQLMCPServer {
     constructor() {
         this.server = new McpServer({
             name: "mssql-mcp-server",
-            version: "1.0.2",
+            version: "1.0.3",
         });
         this.setupTools();
         this.setupResources();
@@ -82,32 +82,6 @@ class MSSQLMCPServer {
                 if (!this.pool) {
                     throw new Error("No database connection. Please connect first using connect_database tool.");
                 }
-                // Security: Basic SQL injection pattern detection
-                const suspiciousPatterns = [
-                    /;\s*(drop|delete|truncate|alter|create|exec|execute)\s+/i,
-                    /union\s+select/i,
-                    /'\s*or\s+['"]?\w/i,
-                    /--\s*\w/,
-                    /\/\*.*\*\//,
-                    /xp_\w+/i,
-                    /sp_\w+/i
-                ];
-                if (!parameters || Object.keys(parameters).length === 0) {
-                    // Only check for dangerous patterns if no parameters are used
-                    const hasSuspiciousPattern = suspiciousPatterns.some(pattern => pattern.test(query));
-                    if (hasSuspiciousPattern) {
-                        console.warn("⚠️  Potentially dangerous SQL query detected:", query.substring(0, 100));
-                        return {
-                            content: [
-                                {
-                                    type: "text",
-                                    text: "⚠️  Security Warning: This query contains potentially dangerous patterns. Please use parameterized queries for user input.",
-                                },
-                            ],
-                            isError: true,
-                        };
-                    }
-                }
                 const request = this.pool.request();
                 // Add parameters if provided (recommended for security)
                 if (parameters) {
@@ -374,7 +348,8 @@ class MSSQLMCPServer {
                 }
                 if (orderBy) {
                     // Validate ORDER BY clause for basic security
-                    const orderByPattern = /^[a-zA-Z0-9_,\s]+(ASC|DESC)?$/i;
+                    // Allow dotted identifiers, bracketed identifiers, commas, spaces and optional ASC/DESC per column
+                    const orderByPattern = /^([\[\]a-zA-Z0-9_.]+(\s+(ASC|DESC))?)(\s*,\s*[\[\]a-zA-Z0-9_.]+(\s+(ASC|DESC))?)*$/i;
                     if (!orderByPattern.test(orderBy)) {
                         throw new Error("Invalid ORDER BY clause. Only column names, commas, spaces, ASC, and DESC are allowed.");
                     }
@@ -618,7 +593,7 @@ class MSSQLMCPServer {
             console.error('❌ Unhandled Rejection at:', promise, 'reason:', reason);
             shutdown('unhandledRejection');
         });
-        console.log("🚀 Starting MSSQL MCP Server v1.0.2...");
+        console.log("🚀 Starting MSSQL MCP Server v1.0.3...");
         console.log("🔒 Security features enabled:");
         console.log("   - SQL injection protection: Enabled");
         console.log("   - Input validation: Enhanced");

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "mssql-mcp",
-  "version": "1.0.2",
+  "version": "1.0.3",
   "description": "MCP Server for MS SQL Server integration with Claude Desktop, Cursor, Windsurf and VS Code",
   "main": "dist/index.js",
   "type": "module",