ealmeida/mcp-outline-postgresql
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: Security and code quality bug fixes

Browse Source 
Security:
- Fix potential SQL injection in Savepoint class by sanitizing savepoint names
  - Only allow alphanumeric characters and underscores
  - Prefix with "sp_" if name starts with number
  - Limit to 63 characters (PostgreSQL identifier limit)

Code quality:
- Add missing radix parameter to parseInt calls in:
  - collections.ts (4 occurrences)
  - groups.ts (1 occurrence)
  - revisions.ts (1 occurrence)
  - users.ts (1 occurrence)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
Emanuel Almeida
2026-01-31 15:36:07 +00:00
parent b4ba42cbf1
commit 22601e1680
5 changed files with 32 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
src/tools/collections.ts
View File

@@ -93,7 +93,7 @@ export const collectionsTools: BaseTool<any>[] = [
countQuery += ` AND "teamId" = $1`;
}
const countResult = await pool.query(countQuery, countParams);
const totalCount = parseInt(countResult.rows[0].count);
const totalCount = parseInt(countResult.rows[0].count, 10);
return {
content: [
@@ -614,7 +614,7 @@ export const collectionsTools: BaseTool<any>[] = [
// Get total count
const countQuery = 'SELECT COUNT(*) FROM documents WHERE "collectionId" = $1 AND "deletedAt" IS NULL';
const countResult = await pool.query(countQuery, [collectionId]);
const totalCount = parseInt(countResult.rows[0].count);
const totalCount = parseInt(countResult.rows[0].count, 10);
return {
content: [
@@ -842,7 +842,7 @@ export const collectionsTools: BaseTool<any>[] = [
// Get total count
const countQuery = 'SELECT COUNT(*) FROM collection_users WHERE "collectionId" = $1';
const countResult = await pool.query(countQuery, [collectionId]);
const totalCount = parseInt(countResult.rows[0].count);
const totalCount = parseInt(countResult.rows[0].count, 10);
return {
content: [
@@ -1069,7 +1069,7 @@ export const collectionsTools: BaseTool<any>[] = [
// Get total count
const countQuery = 'SELECT COUNT(*) FROM collection_groups WHERE "collectionId" = $1';
const countResult = await pool.query(countQuery, [collectionId]);
const totalCount = parseInt(countResult.rows[0].count);
const totalCount = parseInt(countResult.rows[0].count, 10);
return {
content: [