SkyGra opened a new issue, #62: URL: https://github.com/apache/doris-mcp-server/issues/62
Hi, version: 0.6.0

I found 5 bugs; I have solved some of them, some not.

1. **SQL injection protection** often misjudges correct SQL as `SQL injection`, such as when SQL statements include the comment string `--`, or `where dt between '2025-07-01' and '2025-07-31'`. I modified the code for the regex match in https://github.com/apache/doris-mcp-server/blob/2613912df3c1531473e23c543aedd5dfadd8eae6/doris_mcp_server/utils/security.py#L944. So the regex match may not be a good way to avoid SQL injection.

2. Token-based authorization fails to achieve the expected result. Specifically, when I configured db user "a" in the configuration file .env, enabled token-based authorization and configured db user "b" in the configuration file tokens.json, every time the `exec_query` tool used user "a" but not user "b". That is to say, user "b" bound to the token was not used; that is wrong.

3. When calling the `exec_query` tool, if we set the parameter `db_name`, it does not work, because it will use the default `db_name` that is configured in .env.

4. The MCP Server port is inconsistent between `start_server.sh` and `.env`. `start_server.sh` still uses `MCP_PORT` to launch `doris mcp server`, so when finding the mcp process with `ps -aux | grep mcp`, the mcp process will still show `--port 3000`, even though we have already modified the port to 4000. Of course, the actual port will be 4000, because the code uses `SERVER_PORT`, but it easily misleads us.

5. When our SQL starts with `with`, it will not return any result, because the code filters the result in https://github.com/apache/doris-mcp-server/blob/2613912df3c1531473e23c543aedd5dfadd8eae6/doris_mcp_server/utils/db.py#L99.

Thanks.
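An added illustration (not the project's code, and not the reporter's) of why a keyword blacklist like the one described in point 1 misfires on `--` and on `between '...' and '...'`, and what a structural allowlist that also admits `WITH` queries (point 5) looks like instead. The blacklist pattern below is a constructed stand-in, not the regex in security.py.

```python
import re

# Constructed stand-in for a keyword blacklist of the kind the report describes.
# It is NOT the regex the project uses in security.py; it only reproduces the
# false-positive behaviour on '--' and on BETWEEN ... AND ... date ranges.
NAIVE_BLACKLIST = re.compile(r"(--|\bor\b|\band\b|\bunion\b|;)", re.IGNORECASE)

def naive_is_suspicious(sql: str) -> bool:
    """Keyword blacklist applied to raw text: a date literal or a trailing
    comment in a perfectly legitimate query is enough to trip it."""
    return NAIVE_BLACKLIST.search(sql) is not None

# One left-to-right scan: a string literal that starts first swallows any
# '--' or ';' inside it, so those characters are never mistaken for structure.
_TOKEN = re.compile(
    r"'(?:[^'\\]|\\.|'')*'"   # single-quoted string literal (MySQL style)
    r"|/\*.*?\*/"             # block comment
    r"|--[^\n]*",             # line comment
    re.DOTALL,
)
_READ_ONLY_VERBS = {"SELECT", "WITH", "SHOW", "DESCRIBE", "DESC", "EXPLAIN"}

def normalize(sql: str) -> str:
    """Drop comments and replace every string literal with '?' so the
    structural check below only ever sees SQL keywords and punctuation."""
    return _TOKEN.sub(lambda m: "'?'" if m.group(0).startswith("'") else " ", sql)

def is_allowed_read_query(sql: str) -> bool:
    """Allowlist instead of blacklist: exactly one statement, and it must open
    with a read-only verb. WITH is included so CTE queries are not rejected."""
    body = normalize(sql).strip().rstrip(";").strip()
    if not body or ";" in body:  # empty input or stacked statements
        return False
    return body.split(None, 1)[0].upper() in _READ_ONLY_VERBS

if __name__ == "__main__":
    samples = [  # constructed sample queries
        "select * from t where dt between '2025-07-01' and '2025-07-31'",
        "select 1 -- trailing comment",
        "with x as (select 1) select * from x",
        "select 1; drop table t",
    ]
    for s in samples:
        print(f"blacklist={naive_is_suspicious(s)!s:5} allowlist={is_allowed_read_query(s)!s:5} {s}")
```

The first three samples are legitimate read queries: the blacklist rejects two of them, while the allowlist accepts all three and still refuses the stacked statement.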
