Skip to content

v1.3.1 — Security Hardening & Error Handling

Choose a tag to compare

View all tags
@gunvertugberk gunvertugberk released this 13 Apr 19:12
· 3 commits to master since this release
v1.3.1
b2da773
This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode.

Security

  • Database allow/block list bypass fixedexecute_query, execute_mutation, execute_ddl, and export_query now enforce isDatabaseAllowed when the optional database parameter is supplied
  • get_query_plan hardened — now extracts security from resolveServer, enforces isDatabaseAllowed and validateQuery on user-supplied SQL
  • Numeric interpolation sanitizedget_wait_stats, get_space_usage, get_backup_history, get_query_store_stats, sample_table, generate_insert_scripts, and generate_test_data now validate top/count as safe integers before SQL interpolation
  • describe_procedure parameterizedOBJECT_ID call now uses @param binding instead of manual single-quote escaping
  • Schema allow/block list enforcedget_foreign_keys, get_indexes, get_constraints, get_triggers, and describe_procedure now check isSchemaAllowed

Fixed

  • All schema.ts and procedure.ts handlers now wrapped in try/catch — errors return structured { isError: true } instead of crashing the MCP transport
  • execute_ddl now accepts TRUNCATE statements (previously rejected by regex despite passing validateQuery)
  • execute_procedure — added separate schema parameter and escapes schema/procedure independently (previously escapeIdentifier wrapped the entire dotted name as one identifier)
  • execute_mutation — regex type check now runs before validateQuery (consistent with execute_ddl ordering)
  • export_query — replaced dynamic await import() of security utilities with static imports
  • generateCreateTable helper — uses escapeIdentifier() instead of raw bracket interpolation

Full Changelog: v1.3.0...v1.3.1

Assets 2
Loading