Skip to content

Security fixes#3

Open
chicri wants to merge 2 commits into
bilims:mainfrom
chicri:security-fixes
Open

Security fixes#3
chicri wants to merge 2 commits into
bilims:mainfrom
chicri:security-fixes

Conversation

@chicri
Copy link
Copy Markdown

@chicri chicri commented Apr 15, 2026

Security Fixes

  • SQL Injection Protection: Enhanced keyword blacklist, improved pattern detection for UNION/OR injection, time-based blind injection, hex encoding. Comment stripping prevents SEL/**/ECT bypass attacks.
  • Identifier Escaping: All tools now consistently use escapeIdentifier() with bracket notation instead of quote escaping (get-foreign-keys, get-table-stats, list-views).
  • SSRF Prevention: isValidCallbackUrl() restricts BLUE_PROMPT_CALLBACK_URL to localhost only (localhost, 127.0.0.1, ::1).
  • Credential Handling: getConfig() redacts password with ********, username removed from startup logs.
  • Trust Server Certificate: Defaults to false (was true).

New Features

  • --test-connection / -t CLI flag: Debug connectivity issues with helpful error suggestions based on error type.

Documentation

  • Added Claude Code CLI setup guide for Windows (%USERPROFILE%.claude.json) and macOS/Linux
  • Improved troubleshooting section with error type table and fixes

Tests

  • 53 security tests covering all attack vectors

chicri and others added 2 commits April 15, 2026 13:07
@chicri
Security fixes: SQL injection, SSRF, credential handling
0262762 
- SQL injection protection: Enhanced keyword blacklist, improved pattern
  detection for UNION/OR injection, time-based blind injection, hex
  encoding. Comment stripping prevents SEL/**/ECT bypass.

- Identifier escaping: All tools now consistently use escapeIdentifier()
  with bracket notation instead of quote escaping (get-foreign-keys,
  get-table-stats, list-views).

- SSRF prevention: isValidCallbackUrl() restricts BLUE_PROMPT_CALLBACK_URL
  to localhost only (localhost, 127.0.0.1, ::1).

- Credential handling: getConfig() redacts password with ********,
  username removed from startup logs.

- trustServerCertificate defaults to false (was true).

- New --test-connection CLI flag for debugging connectivity issues
  with helpful error suggestions.

- 53 security tests covering all attack vectors.

Co-Authored-By: MiniMax-M2.7 <model@minimax.io>
@chicri
docs: Add Claude Code CLI setup guide and troubleshooting improvements
b0babdb 
- Add Windows configuration via %USERPROFILE%\.claude.json
- Add macOS/Linux JSON config alternative
- Document --test-connection and -t flags for debugging
- Add error type table with fixes for common connection issues
- Restore troubleshooting checklist step for read permissions
- Add SQLSERVER_PORT to config examples

Co-Authored-By: MiniMax-M2.7 <model@minimax.io>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@chicri