prism-mcp-server 15.5.1 → 15.5.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/storage/sqlite.js +16 -0
- package/package.json +1 -1
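--- a/package/dist/storage/sqlite.js
+++ b/package/dist/storage/sqlite.js
@@ -732,6 +732,16 @@ export class SqliteStorage {
 // (e.g., { project: "eq.my-app", archived_at: "is.null" }).
 // This parser converts those into SQL WHERE clauses + args so
 // handlers work identically with both Supabase and SQLite.
+// Bug 8.1: column names in WHERE clauses are interpolated directly into SQL.
+// Values are parameterized (safe), but an unvalidated key like
+// "1=1 OR summary" would inject arbitrary SQL into the condition.
+// This allowlist is the same defense-in-depth pattern used in patchLedger.
+static ALLOWED_FILTER_COLUMNS = new Set([
+"id", "project", "user_id", "conversation_id", "summary",
+"archived_at", "deleted_at", "is_rollup", "role", "event_type",
+"created_at", "updated_at", "session_date", "importance", "title",
+"agent_name", "last_accessed_at", "confidence_score", "rollup_count",
+]);
 parsePostgRESTFilters(params) {
 const conditions = [];
 const args = [];
@@ -779,6 +789,12 @@ export class SqliteStorage {
 limit = parseInt(value, 10);
 continue;
 }
+// Bug 8.1 guard: reject any key that isn't in the known column allowlist.
+// Prevents SQL injection via column-name interpolation.
+if (!SqliteStorage.ALLOWED_FILTER_COLUMNS.has(key)) {
+throw new Error(`[SqliteStorage] parsePostgRESTFilters: rejected unknown filter column "${key}". ` +
+`Allowed: ${[...SqliteStorage.ALLOWED_FILTER_COLUMNS].join(", ")}`);
+}
 // PostgREST filter operators
 if (value.startsWith("eq.")) {
 // Handle boolean mapping: SQLite uses 0/1 for booleans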
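--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "prism-mcp-server",
-"version": "15.5.
+"version": "15.5.2",
 "mcpName": "io.github.dcostenco/prism-coder",
 "description": "Prism Coder — Cognitive memory + tool-calling intelligence for AI agents. Mind Palace persistent memory (BFCL Gold Certified, 100% Tool-Call Accuracy, 54 Agent Skills, Zero-Search HDC/HRR retrieval, HIPAA-hardened local-first storage, SLERP-optimized GRPO alignment) plus the prism-coder:7b / 14b open-weights LLM fleet.",
 "module": "index.ts",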