feat(security): remove sql_query_delete and sql_query_update operations (#7)

monotykamary · web-flow · commit ede503410705 · 2025-03-30T18:42:38.000+07:00
diff --git a/README.md b/README.md
@@ -234,8 +234,6 @@ DATABASE_URL=postgres://user:password@localhost:5432/db npx github:dwarvesf/mcp-
 
 -   `sql_query_read`: Execute SELECT queries
 -   `sql_query_create`: Execute CREATE/INSERT statements
--   `sql_query_update`: Execute UPDATE statements
--   `sql_query_delete`: Execute DELETE statements
 
 ### DuckDB Tools
 
diff --git a/src/handlers.ts b/src/handlers.ts
@@ -42,9 +42,7 @@ export function createToolHandlers(pgPool: Pool | null, duckDBConn: DuckDBConnec
         }
 
         case "sql_query_create":
-        case "sql_query_read":
-        case "sql_query_update":
-        case "sql_query_delete": {
+        case "sql_query_read": {
           if (!pgPool) {
             throw new Error("PostgreSQL connection not initialized");
           }
diff --git a/src/tools/index.ts b/src/tools/index.ts
@@ -1,12 +1,10 @@
-import { sqlQueryCreateTool, sqlQueryReadTool, sqlQueryUpdateTool, sqlQueryDeleteTool } from './sql/index.js';
+import { sqlQueryCreateTool, sqlQueryReadTool } from './sql/index.js';
 import { duckDBReadTool } from './duckdb/index.js';
 import { gcsDirectoryTreeTool } from './gcs/index.js';
 
 export const tools = [
   sqlQueryCreateTool,
   sqlQueryReadTool,
-  sqlQueryUpdateTool,
-  sqlQueryDeleteTool,
   duckDBReadTool,
   gcsDirectoryTreeTool
 ];
diff --git a/src/tools/sql/delete.ts b/src/tools/sql/delete.ts
diff --git a/src/tools/sql/index.ts b/src/tools/sql/index.ts
@@ -1,4 +1,2 @@
 export { sqlQueryCreateTool } from './create.js';
-export { sqlQueryReadTool } from './read.js';
-export { sqlQueryUpdateTool } from './update.js';
-export { sqlQueryDeleteTool } from './delete.js'; 
+export { sqlQueryReadTool } from './read.js'; 
diff --git a/src/tools/sql/update.ts b/src/tools/sql/update.ts

Original file line number	Diff line number	Diff line change
`@@ -42,9 +42,7 @@ export function createToolHandlers(pgPool: Pool \| null, duckDBConn: DuckDBConnec`
`42`	`42`	`}`
`43`	`43`
`44`	`44`	`case "sql_query_create":`
`45`		`- case "sql_query_read":`
`46`		`- case "sql_query_update":`
`47`		`- case "sql_query_delete": {`
	`45`	`+ case "sql_query_read": {`
`48`	`46`	`if (!pgPool) {`
`49`	`47`	`throw new Error("PostgreSQL connection not initialized");`
`50`	`48`	`}`