ealmeida/mcp-outline-postgresql
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(security): Resolve 21 SQL injection vulnerabilities and add transactions

Browse Source 
Security fixes (v1.2.2):
- Fix SQL injection in analytics.ts (16 occurrences)
- Fix SQL injection in advanced-search.ts (1 occurrence)
- Fix SQL injection in search-queries.ts (1 occurrence)
- Add validateDaysInterval(), isValidISODate(), validatePeriod() to security.ts
- Use make_interval(days => N) for safe PostgreSQL intervals
- Validate UUIDs BEFORE string construction

Transaction support:
- bulk-operations.ts: 6 atomic operations with withTransaction()
- desk-sync.ts: 2 operations with transactions
- export-import.ts: 1 operation with transaction

Rate limiting:
- Add automatic cleanup of expired entries (every 5 minutes)

Audit:
- Archive previous audit docs to docs/audits/2026-01-31-v1.2.1/
- Create new AUDIT-REQUEST.md for v1.2.2 verification

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
Emanuel Almeida
2026-01-31 14:47:41 +00:00
parent 7895f31394
commit 7c83a9e168
14 changed files with 3195 additions and 487 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
CHANGELOG.md
View File

@@ -2,6 +2,30 @@
All notable changes to this project will be documented in this file.
## [1.2.2] - 2026-01-31
### Security
- **SQL Injection Prevention:** Fixed 21 SQL injection vulnerabilities across analytics, advanced-search, and search-queries modules
- Replaced string interpolation with parameterized queries for all user inputs
- Added `validateDaysInterval()` function for safe interval validation
- Added `isValidISODate()` function for date format validation
- Added `validatePeriod()` function for period parameter validation
- All UUID validations now occur BEFORE string construction
- Using `make_interval(days => N)` for safe interval expressions
- **Transaction Support:** Added atomic operations for bulk operations
- `bulk-operations.ts`: All 6 bulk operations now use transactions
- `desk-sync.ts`: Create project doc and link task use transactions
- `export-import.ts`: Import markdown folder uses transactions
- **Rate Limiting:** Added automatic cleanup of expired entries (every 5 minutes)
### Changed
- Refactored security utilities with new validation functions
- Improved error messages for invalid input parameters
## [1.2.1] - 2026-01-31
### Added