SQL: Attempt to use cratedb-sqlparse for implementing read-only mode

amotl · amotl · commit f99eca63da61 · 2025-05-10T22:13:42.000+02:00
diff --git a/cratedb_mcp/__main__.py b/cratedb_mcp/__main__.py
@@ -2,8 +2,9 @@
 import httpx
 from mcp.server.fastmcp import FastMCP
 
-from .knowledge import DOCUMENTATION_INDEX, Queries, sql_expression_permitted
+from .knowledge import DOCUMENTATION_INDEX, Queries
 from .settings import DOCS_CACHE_TTL, HTTP_URL
+from .util.sql import sql_is_permitted
 
 # Configure Hishel, an httpx client with caching.
 # Define one hour of caching time.
@@ -22,7 +23,7 @@ def query_cratedb(query: str) -> list[dict]:
 @mcp.tool(description="Send a SQL query to CrateDB, only 'SELECT' queries are allows, queries that"
                       " modify data, columns or are otherwise deemed un-safe are rejected.")
 def query_sql(query: str):
-    if not sql_expression_permitted(query):
+    if not sql_is_permitted(query):
         raise ValueError('Only queries that have a SELECT statement are allowed.')
     return query_cratedb(query)
 
diff --git a/cratedb_mcp/knowledge.py b/cratedb_mcp/knowledge.py
@@ -1,12 +1,4 @@
 # ruff: noqa: E501
-import logging
-
-import sqlparse
-
-from cratedb_mcp.settings import PERMIT_ALL_STATEMENTS
-
-logger = logging.getLogger(__name__)
-
 
 class Queries:
     TABLES_METADATA = """
@@ -108,48 +100,3 @@ class Queries:
         "link": "https://raw.githubusercontent.com/crate/cratedb-guide/9ab661997d7704ecbb63af9c3ee33535957e24e6/docs/performance/optimization.rst"
     }
 ]
-
-
-def sql_expression_permitted(expression: str) -> bool:
-    """
-    Validate the SQL expression, only permit read queries by default.
-
-    When the `CRATEDB_MCP_PERMIT_ALL_STATEMENTS` environment variable is set,
-    allow all types of statements.
-
-    FIXME: Revisit implementation, it might be too naive or weak.
-           Issue:    https://github.com/crate/cratedb-mcp/issues/10
-           Question: Does SQLAlchemy provide a solid read-only mode, or any other library?
-    """
-    outcome = _sql_expression_permitted(expression)
-    if outcome is True:
-        logger.info(f"Permitted SQL expression: {expression}")
-    else:
-        logger.warning(f"Denied SQL expression: {expression}")
-    return outcome
-
-
-def _sql_expression_permitted(expression: str) -> bool:
-
-    if not expression:
-        return False
-
-    if PERMIT_ALL_STATEMENTS:
-        return True
-
-    # Parse the SQL statement.
-    parsed = sqlparse.parse(expression.strip())
-    if not parsed:
-        return False
-
-    # Check for multiple statements (potential SQL injection).
-    if len(parsed) > 1:
-        return False
-
-    # Check if the expression is valid and if it's a SELECT statement,
-    # also trying to consider `SELECT ... INTO ...` statements.
-    operation = parsed[0].get_type().upper()
-    tokens = [str(item).upper() for item in parsed[0]]
-    if operation != 'SELECT' or (operation == 'SELECT' and 'INTO' in tokens):
-        return False
-    return True
diff --git a/cratedb_mcp/util/__init__.py b/cratedb_mcp/util/__init__.py
diff --git a/cratedb_mcp/util/sql.py b/cratedb_mcp/util/sql.py
@@ -0,0 +1,140 @@
+import dataclasses
+import logging
+import typing as t
+
+import cratedb_sqlparse
+import sqlparse
+
+from cratedb_mcp.settings import PERMIT_ALL_STATEMENTS
+
+logger = logging.getLogger(__name__)
+
+
+def sql_is_permitted(expression: str) -> bool:
+    """
+    Validate the SQL expression, only permit read queries by default.
+
+    When the `CRATEDB_MCP_PERMIT_ALL_STATEMENTS` environment variable is set,
+    allow all types of statements.
+
+    FIXME: Revisit implementation, it might be too naive or weak.
+           Issue:    https://github.com/crate/cratedb-mcp/issues/10
+           Question: Does SQLAlchemy provide a solid read-only mode, or any other library?
+    """
+    is_dql = SqlFilter(expression=expression, permit_all=PERMIT_ALL_STATEMENTS).is_dql
+    if is_dql is True:
+        logger.info(f"Permitted SQL expression: {expression}")
+    else:
+        logger.warning(f"Denied SQL expression: {expression}")
+    return is_dql
+
+
+@dataclasses.dataclass
+class SqlFilter:
+    """
+    Manage an SQL expression for filtering purposes.
+    Here, most importantly: Permit read-only SQL SELECT DQL statements only.
+    """
+    expression: str
+    permit_all: bool = False
+
+    _parsed_cratedb: t.Any = dataclasses.field(init=False, default=None)
+    _parsed_sqlparse: t.Any = dataclasses.field(init=False, default=None)
+
+    def __post_init__(self) -> None:
+        if self.expression:
+            self.expression = self.expression.strip()
+
+    def parse_cratedb(self):
+        """
+        Parse expression using `cratedb-sqlparse` library.
+        """
+        if self._parsed_cratedb is None:
+            self._parsed_cratedb = cratedb_sqlparse.sqlparse(self.expression)
+        return self._parsed_cratedb
+
+    def parse_sqlparse(self):
+        """
+        Parse expression using traditional `sqlparse` library.
+        """
+        if self._parsed_sqlparse is None:
+            self._parsed_sqlparse = sqlparse.parse(self.expression)
+        return self._parsed_sqlparse
+
+    @property
+    def is_dql(self) -> bool:
+        """
+        Whether the statement is a DQL statement, which effectively invokes read-only operations only.
+        """
+
+        if not self.expression:
+            return False
+
+        if self.permit_all:
+            return True
+
+        # Parse the SQL statement using `cratedb-sqlparse`.
+        parsed = self.parse_cratedb()
+
+        # Reject multiple statements to prevent potential SQL injections.
+        if len(parsed) > 1:
+            return False
+
+        # Check if the expression is valid and if it's a DQL/SELECT statement,
+        # also trying to consider `SELECT ... INTO ...` and evasive
+        # `SELECT * FROM users; \uff1b DROP TABLE users` statements.
+        return self.is_select and not self.is_camouflage
+
+    @property
+    def is_select(self) -> bool:
+        """
+        Whether the expression is an SQL SELECT statement.
+        """
+        return self.operation == 'SELECT'
+
+    @property
+    def operation(self) -> str:
+        """
+        The SQL operation: SELECT, INSERT, UPDATE, DELETE, CREATE, etc.
+        """
+        return self._parsed_cratedb[0].type.upper()
+
+    @property
+    def is_camouflage(self) -> bool:
+        """
+        Innocent-looking `SELECT` statements can evade filters.
+        """
+        return self.is_select_into or self.is_evasive
+
+    @property
+    def is_select_into(self) -> bool:
+        """
+        Use traditional `sqlparse` for catching `SELECT ... INTO ...` statements.
+
+        Note: With `cratedb-sqlparse`, we can't find the `INTO` token at all?
+
+        Examples:
+
+            SELECT * INTO foobar FROM bazqux
+            SELECT * FROM bazqux INTO foobar
+        """
+        parsed = self.parse_sqlparse()
+        tokens = [str(item).upper() for item in parsed[0]]
+        return "INTO" in tokens
+
+    @property
+    def is_evasive(self) -> bool:
+        """
+        Use traditional `sqlparse` for catching evasive SQL statements.
+
+        A practice picked up from CodeRabbit was to reject multiple statements
+        to prevent potential SQL injections. Is it a viable suggestion?
+
+        Note: This currently does not work with `cratedb-sqlparse`?
+
+        Examples:
+
+            SELECT * FROM users; \uff1b DROP TABLE users
+        """
+        parsed = self.parse_sqlparse()
+        return len(parsed) > 1
diff --git a/docs/backlog.md b/docs/backlog.md
@@ -3,6 +3,7 @@
 ## Iteration +1
 - Docs: HTTP caching
 - Docs: Load documentation index from custom outline file
+- SQL: Extract `SqlFilter` or `SqlGateway` functionality to `cratedb-sqlparse`
 
 ## Done
 - SQL: Stronger read-only mode
diff --git a/pyproject.toml b/pyproject.toml
@@ -21,6 +21,7 @@ dynamic = [
 ]
 dependencies = [
   "attrs",
+  "cratedb-sqlparse==0.0.14",
   "hishel<0.2",
   "mcp[cli]>=1.5.0",
   "sqlparse<0.6",
diff --git a/tests/test_knowledge.py b/tests/test_knowledge.py
@@ -1,5 +1,4 @@
-import cratedb_mcp
-from cratedb_mcp.knowledge import DOCUMENTATION_INDEX, Queries, sql_expression_permitted
+from cratedb_mcp.knowledge import DOCUMENTATION_INDEX, Queries
 
 
 def test_documentation_index():
@@ -19,98 +18,3 @@ def test_queries():
     assert "LEFT JOIN" in Queries.TABLES_METADATA
 
 
-def test_sql_expression_select_permitted():
-    """Regular SQL SELECT statements are permitted"""
-    assert sql_expression_permitted("SELECT 42") is True
-    assert sql_expression_permitted(" SELECT 42") is True
-    assert sql_expression_permitted("select 42") is True
-
-
-def test_sql_expression_select_rejected():
-    """Bogus SQL SELECT statements are rejected"""
-    assert sql_expression_permitted(r"--\; select 42") is False
-
-
-def test_sql_expression_insert_allowed(mocker):
-    """When explicitly allowed, permit any kind of statement"""
-    mocker.patch.object(cratedb_mcp.knowledge, "PERMIT_ALL_STATEMENTS", True)
-    assert sql_expression_permitted("INSERT INTO foobar") is True
-
-
-def test_sql_expression_select_multiple_rejected():
-    """Multiple SQL statements are rejected"""
-    assert sql_expression_permitted("SELECT 42; SELECT 42;") is False
-
-
-def test_sql_expression_create_rejected():
-    """DDL statements are rejected"""
-    assert sql_expression_permitted("CREATE TABLE foobar AS SELECT 42") is False
-
-
-def test_sql_expression_insert_rejected():
-    """DML statements are rejected"""
-    assert sql_expression_permitted("INSERT INTO foobar") is False
-
-
-def test_sql_expression_select_into_rejected():
-    """SELECT+DML statements are rejected"""
-    assert sql_expression_permitted("SELECT * INTO foobar FROM bazqux") is False
-
-
-def test_sql_expression_empty_rejected():
-    """Empty statements are rejected"""
-    assert sql_expression_permitted("") is False
-
-
-def test_sql_expression_almost_empty_rejected():
-    """Quasi-empty statements are rejected"""
-    assert sql_expression_permitted(" ") is False
-
-
-def test_sql_expression_none_rejected():
-    """Void statements are rejected"""
-    assert sql_expression_permitted(None) is False
-
-
-def test_sql_expression_multiple_statements_rejected():
-    assert sql_expression_permitted("SELECT 42; INSERT INTO foo VALUES (1)") is False
-
-
-def test_sql_expression_with_comments_rejected():
-    assert sql_expression_permitted(
-        "/* Sneaky comment */ INSERT /* another comment */ INTO foo VALUES (1)") is False
-
-
-def test_sql_expression_update_rejected():
-    """UPDATE statements are rejected"""
-    assert sql_expression_permitted("UPDATE foobar SET column = 'value'") is False
-
-
-def test_sql_expression_delete_rejected():
-    """DELETE statements are rejected"""
-    assert sql_expression_permitted("DELETE FROM foobar") is False
-
-
-def test_sql_expression_truncate_rejected():
-    """TRUNCATE statements are rejected"""
-    assert sql_expression_permitted("TRUNCATE TABLE foobar") is False
-
-
-def test_sql_expression_drop_rejected():
-    """DROP statements are rejected"""
-    assert sql_expression_permitted("DROP TABLE foobar") is False
-
-
-def test_sql_expression_alter_rejected():
-    """ALTER statements are rejected"""
-    assert sql_expression_permitted("ALTER TABLE foobar ADD COLUMN newcol INTEGER") is False
-
-
-def test_sql_expression_case_manipulation_rejected():
-    """Statements with case manipulation to hide intent are rejected"""
-    assert sql_expression_permitted("SeLeCt * FrOm users; DrOp TaBlE users") is False
-
-
-def test_sql_expression_unicode_evasion_rejected():
-    """Statements with unicode characters to evade filters are rejected"""
-    assert sql_expression_permitted("SELECT * FROM users; \uFF1B DROP TABLE users") is False
diff --git a/tests/test_util.py b/tests/test_util.py

Original file line number	Diff line number	Diff line change
`@@ -21,6 +21,7 @@ dynamic = [`
`21`	`21`	`]`
`22`	`22`	`dependencies = [`
`23`	`23`	`"attrs",`
	`24`	`+ "cratedb-sqlparse==0.0.14",`
`24`	`25`	`"hishel<0.2",`
`25`	`26`	`"mcp[cli]>=1.5.0",`
`26`	`27`	`"sqlparse<0.6",`