claude-database-tools

input-validation.test.ts•8.6 kB

import { describe, it, expect } from 'vitest'; /** * Tests for input validation across the application */ describe('Input Validation Security', () => { describe('Table Name Validation', () => { const tableNameRegex = /^[\w\d_\.]+$/; describe('Valid Table Names', () => { it('should accept simple table name', () => { expect(tableNameRegex.test('users')).toBe(true); }); it('should accept schema-qualified name', () => { expect(tableNameRegex.test('dbo.users')).toBe(true); }); it('should accept name with underscores', () => { expect(tableNameRegex.test('user_accounts')).toBe(true); }); it('should accept name with numbers', () => { expect(tableNameRegex.test('users2024')).toBe(true); }); it('should accept three-part name', () => { expect(tableNameRegex.test('database.dbo.users')).toBe(true); }); }); describe('Invalid Table Names - SQL Injection Attempts', () => { it('should reject semicolon (statement separator)', () => { expect(tableNameRegex.test('users;DROP')).toBe(false); }); it('should reject single quotes', () => { expect(tableNameRegex.test("users'--")).toBe(false); }); it('should reject double quotes', () => { expect(tableNameRegex.test('users"')).toBe(false); }); it('should reject comment markers', () => { expect(tableNameRegex.test('users--')).toBe(false); expect(tableNameRegex.test('users/*')).toBe(false); }); it('should reject parentheses', () => { expect(tableNameRegex.test('users()')).toBe(false); }); it('should reject equals sign', () => { expect(tableNameRegex.test('users=1')).toBe(false); }); it('should reject spaces', () => { expect(tableNameRegex.test('user accounts')).toBe(false); }); it('should reject newlines', () => { expect(tableNameRegex.test('users\nDROP')).toBe(false); }); it('should reject tabs', () => { expect(tableNameRegex.test('users\tDROP')).toBe(false); }); it('should reject angle brackets', () => { expect(tableNameRegex.test('users<script>')).toBe(false); }); }); }); describe('Column Name Escaping', () => { function escapeColumnName(name: string): string { return `[${name}]`; } it('should wrap column in brackets', () => { expect(escapeColumnName('name')).toBe('[name]'); }); it('should handle column with spaces', () => { expect(escapeColumnName('first name')).toBe('[first name]'); }); it('should handle reserved words', () => { expect(escapeColumnName('select')).toBe('[select]'); expect(escapeColumnName('user')).toBe('[user]'); }); }); describe('Parameterized Query Building', () => { it('should use @param placeholders for values', () => { const columns = ['name', 'email']; const values = columns.map((_, i) => `@value${i}`).join(', '); expect(values).toBe('@value0, @value1'); expect(values).not.toContain("'"); }); it('should use unique param names for multiple records', () => { const columns = ['name']; const records = [{}, {}]; const valueClauses = records.map((_, ri) => `(${columns.map((_, ci) => `@value${ri}_${ci}`).join(', ')})` ); expect(valueClauses[0]).toBe('(@value0_0)'); expect(valueClauses[1]).toBe('(@value1_0)'); }); }); describe('WHERE Clause Requirements', () => { function validateWhereClause(whereClause: string | undefined): boolean { return !!whereClause && whereClause.trim() !== ''; } it('should reject undefined WHERE clause', () => { expect(validateWhereClause(undefined)).toBe(false); }); it('should reject empty WHERE clause', () => { expect(validateWhereClause('')).toBe(false); }); it('should reject whitespace-only WHERE clause', () => { expect(validateWhereClause(' ')).toBe(false); expect(validateWhereClause('\t\n')).toBe(false); }); it('should accept valid WHERE clause', () => { expect(validateWhereClause('id = 1')).toBe(true); }); it('should accept complex WHERE clause', () => { expect(validateWhereClause("id = 1 AND status = 'active'")).toBe(true); }); }); describe('Delete Confirmation Requirement', () => { function validateDeleteConfirmation(confirm: any): boolean { return confirm === true; } it('should reject undefined confirmation', () => { expect(validateDeleteConfirmation(undefined)).toBe(false); }); it('should reject false confirmation', () => { expect(validateDeleteConfirmation(false)).toBe(false); }); it('should reject string "true"', () => { expect(validateDeleteConfirmation('true')).toBe(false); }); it('should reject number 1', () => { expect(validateDeleteConfirmation(1)).toBe(false); }); it('should accept boolean true only', () => { expect(validateDeleteConfirmation(true)).toBe(true); }); }); describe('JSON Input Parsing', () => { it('should safely parse valid JSON object', () => { const input = '{"name": "test", "value": 123}'; const parsed = JSON.parse(input); expect(parsed).toEqual({ name: 'test', value: 123 }); }); it('should safely parse valid JSON array', () => { const input = '[{"name": "a"}, {"name": "b"}]'; const parsed = JSON.parse(input); expect(parsed).toHaveLength(2); }); it('should throw on prototype pollution attempt', () => { // JSON.parse doesn't execute __proto__, but we should test awareness const input = '{"__proto__": {"polluted": true}}'; const parsed = JSON.parse(input); // The object has __proto__ as a regular property, not prototype pollution expect(parsed.__proto__).toEqual({ polluted: true }); // But the actual prototype is not polluted expect(({} as any).polluted).toBeUndefined(); }); it('should throw on invalid JSON', () => { expect(() => JSON.parse('{invalid}')).toThrow(); expect(() => JSON.parse("{'key': 'value'}")).toThrow(); // Single quotes expect(() => JSON.parse('{key: "value"}')).toThrow(); // Unquoted key }); }); describe('Query Length Limits', () => { const MAX_QUERY_LENGTH = 10000; function validateQueryLength(query: string): boolean { return query.length <= MAX_QUERY_LENGTH; } it('should accept query at max length', () => { const query = 'SELECT ' + 'a'.repeat(MAX_QUERY_LENGTH - 7); expect(validateQueryLength(query)).toBe(true); }); it('should reject query exceeding max length', () => { const query = 'SELECT ' + 'a'.repeat(MAX_QUERY_LENGTH); expect(validateQueryLength(query)).toBe(false); }); }); describe('Result Set Limits', () => { const MAX_RECORDS = 10000; function limitResults<T>(data: T[]): T[] { return data.length > MAX_RECORDS ? data.slice(0, MAX_RECORDS) : data; } it('should not modify results under limit', () => { const data = Array(100).fill({ id: 1 }); expect(limitResults(data)).toHaveLength(100); }); it('should truncate results exceeding limit', () => { const data = Array(15000).fill({ id: 1 }); expect(limitResults(data)).toHaveLength(MAX_RECORDS); }); }); describe('Column Name Sanitization', () => { function sanitizeColumnName(name: string): string { return name.replace(/[^\w\s-_.]/g, ''); } it('should preserve valid column names', () => { expect(sanitizeColumnName('user_name')).toBe('user_name'); expect(sanitizeColumnName('firstName')).toBe('firstName'); }); it('should remove script tags', () => { expect(sanitizeColumnName('name<script>')).toBe('namescript'); }); it('should remove special characters', () => { // The regex preserves hyphens as they're valid in column names // Only quotes and semicolons are removed expect(sanitizeColumnName("name';")).toBe('name'); expect(sanitizeColumnName("name<>")).toBe('name'); }); it('should preserve spaces in column names', () => { expect(sanitizeColumnName('first name')).toBe('first name'); }); it('should preserve hyphens', () => { expect(sanitizeColumnName('user-id')).toBe('user-id'); }); it('should preserve dots', () => { expect(sanitizeColumnName('user.name')).toBe('user.name'); }); }); });

Loading blob content...

Latest Blog Posts

Don't Use Large Strings as Cache Keys
By punkpeye on January 11, 2026.
markdown
node-js
cache
What are Claude Skills?
By punkpeye on January 10, 2026.
mcp
skills
How to Test MCP Streamable HTTP Endpoints Using cURL
By punkpeye on January 2, 2026.
tutorial
bash

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/Cyronius/claude-database-tools'

If you have feedback or need assistance with the MCP directory API, please join our Discord server

input-validation.test.ts•8.6 kB