de en es ja ko ru zh

IoTDB MCP Server

Official

by apache

Overview Schema Related Servers Score Discussions

Python

Hybrid

iotdb-mcp-server
src
iotdb_mcp_server

server.py•22.1 KiB

# Licensed to the Apache Software Foundation (ASF) under one # or more contributor license agreements. See the NOTICE file # distributed with this work for additional information # regarding copyright ownership. The ASF licenses this file # to you under the Apache License, Version 2.0 (the # "License"); you may not use this file except in compliance # with the License. You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, # software distributed under the License is distributed on an # "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY # KIND, either express or implied. See the License for the # specific language governing permissions and limitations # under the License. # # Security patch for CVE-2026-XXXXX (path traversal vulnerability leading to RCE) # Author: Mohammed Tanveer (threatpointer) # Date: 2026-01-12 # import logging import datetime import asyncio import os import uuid import re import pandas as pd from typing import Dict, Any, List, Union from iotdb.Session import Session from iotdb.SessionPool import SessionPool, PoolConfig from iotdb.utils.SessionDataSet import SessionDataSet from iotdb.table_session import TableSession from iotdb.table_session_pool import TableSessionPool, TableSessionPoolConfig from fastmcp import FastMCP from mcp.types import TextContent from iotdb_mcp_server.config import Config # Initialize FastMCP server mcp = FastMCP("iotdb_mcp_server") # Configure logging logging.basicConfig( level=logging.INFO, format="%(asctime)s - %(name)s - %(levelname)s - %(message)s" ) logger = logging.getLogger("iotdb_mcp_server") config = Config.from_env_arguments() db_config = { "host": config.host, "port": config.port, "user": config.user, "password": config.password, "database": config.database, "sql_dialect": config.sql_dialect, "export_path": config.export_path, } max_pool_size = 100 # Increased from 100 for better concurrency logger.info(f"IoTDB Config: {db_config}") # Ensure export directory exists if not os.path.exists(config.export_path): try: os.makedirs(config.export_path) logger.info(f"Created export directory: {config.export_path}") except Exception as e: logger.warning( f"Failed to create export directory {config.export_path}: {str(e)}" ) def sanitize_filename(filename: str, base_dir: str) -> str: """ Sanitize and validate filename to prevent path traversal attacks. Security patch for CVE-2026-XXXXX Author: Mohammed Tanveer (threatpointer) Date: 2026-01-12 Args: filename: The user-provided filename base_dir: The base directory for exports (must be absolute path) Returns: The sanitized absolute filepath Raises: ValueError: If the filename contains invalid characters or attempts path traversal Security measures: - Rejects any path separators or traversal sequences before processing - Validates allowed characters (alphanumeric, underscore, hyphen, dot) - Resolves absolute path and verifies it stays within base_dir boundary - Prevents directory traversal, symlink attacks, and path manipulation """ if not filename: raise ValueError("Filename cannot be empty") # First, reject any path separators or traversal patterns before processing # This catches attacks before os.path.basename can process them if "/" in filename or "\\" in filename or ".." in filename: raise ValueError( "Invalid filename: path separators and directory traversal sequences are not allowed" ) # Remove any directory components - only keep the base filename # (This is now a safety check since we already blocked separators) filename = os.path.basename(filename) # Validate characters - only allow alphanumeric, underscore, hyphen, and dot if not re.match(r"^[a-zA-Z0-9_\-\.]+$", filename): raise ValueError( "Invalid filename: only alphanumeric characters, underscore, hyphen, and dot are allowed" ) # Prevent filenames that are just dots or empty after sanitization if not filename or filename in (".", ".."): raise ValueError("Invalid filename") # Prevent filenames that start with a dot followed by a dot (like ..something) if filename.startswith(".."): raise ValueError("Invalid filename: cannot start with '..'") # Construct the full path filepath = os.path.join(base_dir, filename) # Resolve to absolute path (resolves symlinks and normalizes path) filepath_real = os.path.realpath(filepath) basedir_real = os.path.realpath(base_dir) # Ensure the resolved path is within the base directory boundary # This prevents path traversal even with symlinks or complex path manipulation if ( not filepath_real.startswith(basedir_real + os.sep) and filepath_real != basedir_real ): raise ValueError( f"Path traversal detected: file must be within export directory" ) return filepath_real if config.sql_dialect == "tree": # Configure connection pool with optimized settings pool_config = PoolConfig( node_urls=[str(config.host) + ":" + str(config.port)], user_name=config.user, password=config.password, fetch_size=1024, # Fetch size for queries time_zone="UTC+8", # Consistent timezone max_retry=3, # Connection retry attempts ) # Optimize pool size based on expected concurrent queries wait_timeout_in_ms = 5000 # Increased from 3000 for better reliability session_pool = SessionPool(pool_config, max_pool_size, wait_timeout_in_ms) @mcp.tool() async def metadata_query(query_sql: str) -> list[TextContent]: """Execute metadata queries on IoTDB to explore database structure and statistics. Args: query_sql: The metadata query to execute. Supported queries: - SHOW DATABASES [path]: List all databases or databases under a specific path - SHOW TIMESERIES [path]: List all time series or time series under a specific path - SHOW CHILD PATHS [path]: List child paths under a specific path - SHOW CHILD NODES [path]: List child nodes under a specific path - SHOW DEVICES [path]: List all devices or devices under a specific path - COUNT TIMESERIES [path]: Count time series under a specific path - COUNT NODES [path]: Count nodes under a specific path - COUNT DEVICES [path]: Count devices under a specific path - if path is not provided, the query will be applied to root.** Examples: SHOW DATABASES root.** SHOW TIMESERIES root.ln.** SHOW CHILD PATHS root.ln SHOW CHILD PATHS root.ln.*.* SHOW CHILD NODES root.ln SHOW DEVICES root.ln.** COUNT TIMESERIES root.ln.** COUNT NODES root.ln COUNT DEVICES root.ln """ session = None try: session = session_pool.get_session() stmt = query_sql.strip().upper() # Process SHOW DATABASES if ( stmt.startswith("SHOW DATABASES") or stmt.startswith("SHOW TIMESERIES") or stmt.startswith("SHOW CHILD PATHS") or stmt.startswith("SHOW CHILD NODES") or stmt.startswith("SHOW DEVICES") or stmt.startswith("COUNT TIMESERIES") or stmt.startswith("COUNT NODES") or stmt.startswith("COUNT DEVICES") ): res = session.execute_query_statement(query_sql) return prepare_res(res, session) else: session.close() raise ValueError( "Unsupported metadata query. Please use one of the supported query types." ) except Exception as e: if session: session.close() logger.error(f"Failed to execute metadata query: {str(e)}") raise @mcp.tool() async def select_query(query_sql: str) -> list[TextContent]: """Execute a SELECT query on the IoTDB tree SQL dialect. Args: query_sql: The SQL query to execute (using TREE dialect, time using ISO 8601 format, e.g. 2017-11-01T00:08:00.000). SQL Syntax: SELECT [LAST] selectExpr [, selectExpr] ... [INTO intoItem [, intoItem] ...] FROM prefixPath [, prefixPath] ... [WHERE whereCondition] [GROUP BY { ([startTime, endTime), interval [, slidingStep]) | LEVEL = levelNum [, levelNum] ... | TAGS(tagKey [, tagKey] ... | VARIATION(expression[,delta][,ignoreNull=true/false]) | CONDITION(expression,[keep>/>=/=/</<=]threshold[,ignoreNull=true/false]) | SESSION(timeInterval) | COUNT(expression, size[,ignoreNull=true/false]) }] [HAVING havingCondition] [ORDER BY sortKey {ASC | DESC}] [FILL ({PREVIOUS | LINEAR | constant}) (, interval=DURATION_LITERAL)?)] [SLIMIT seriesLimit] [SOFFSET seriesOffset] [LIMIT rowLimit] [OFFSET rowOffset] [ALIGN BY {TIME | DEVICE}] Examples: select temperature from root.ln.wf01.wt01 where time < 2017-11-01T00:08:00.000 select status, temperature from root.ln.wf01.wt01 where (time > 2017-11-01T00:05:00.000 and time < 2017-11-01T00:12:00.000) or (time >= 2017-11-01T16:35:00.000 and time <= 2017-11-01T16:37:00.000) select * from root.ln.** where time > 1 order by time desc limit 10; Supported Aggregate Functions: SUM COUNT MAX_VALUE MIN_VALUE AVG VARIANCE MAX_TIME MIN_TIME ... """ session = None try: session = session_pool.get_session() stmt = query_sql.strip().upper() # Regular SELECT queries if stmt.startswith("SELECT"): res = session.execute_query_statement(query_sql) return prepare_res(res, session) else: session.close() raise ValueError("Only SELECT queries are allowed for select_query") except Exception as e: if session: session.close() logger.error(f"Failed to execute select query: {str(e)}") raise @mcp.tool() async def export_query( query_sql: str, format: str = "csv", filename: str = None ) -> list[TextContent]: """Execute a query and export the results to a CSV or Excel file. Args: query_sql: The SQL query to execute (using TREE dialect, time using ISO 8601 format, e.g. 2017-11-01T00:08:00.000) format: Export format, either "csv" or "excel" (default: "csv") filename: Optional filename for the exported file. If not provided, a unique filename will be generated. SQL Syntax: SELECT ⟨select_list⟩ FROM ⟨tables⟩ [WHERE ⟨condition⟩] [GROUP BY ⟨groups⟩] [HAVING ⟨group_filter⟩] [FILL ⟨fill_methods⟩] [ORDER BY ⟨order_expression⟩] [OFFSET ⟨n⟩] [LIMIT ⟨n⟩]; Returns: Information about the exported file and a preview of the data (max 10 rows) """ session = None try: session = session_pool.get_session() stmt = query_sql.strip().upper() if stmt.startswith("SELECT") or stmt.startswith("SHOW"): # Execute the query res = session.execute_query_statement(query_sql) # Create a pandas DataFrame df = res.todf() # Close the session session.close() # Generate unique filename with timestamp timestamp = int(datetime.datetime.now().timestamp()) if filename is None: # Generate a unique filename if not provided filename = f"dump_{uuid.uuid4().hex[:4]}_{timestamp}" if format.lower() == "csv": if filename.lower().endswith(".csv"): filename = filename[:-4] # Sanitize filename to prevent path traversal attacks filepath = sanitize_filename(f"{filename}.csv", config.export_path) df.to_csv(filepath, index=False) elif format.lower() == "excel": if filename.lower().endswith(".xlsx"): filename = filename[:-5] # Sanitize filename to prevent path traversal attacks filepath = sanitize_filename(f"{filename}.xlsx", config.export_path) df.to_excel(filepath, index=False) else: raise ValueError("Format must be either 'csv' or 'excel'") # Generate preview (first 10 rows) preview_rows = min(10, len(df)) preview_data = [] preview_data.append(",".join(df.columns)) # Header for i in range(preview_rows): preview_data.append(",".join(map(str, df.iloc[i]))) # Return information return [ TextContent( type="text", text=f"Query results exported to {filepath}\n\nPreview (first {preview_rows} rows):\n" + "\n".join(preview_data), ) ] else: raise ValueError("Only SELECT or SHOW queries are allowed for export") except Exception as e: if session: session.close() logger.error(f"Failed to export query: {str(e)}") raise def prepare_res(_res: SessionDataSet, _session: Session) -> list[TextContent]: columns = _res.get_column_names() result = [] while _res.has_next(): record = _res.next() if columns[0] == "Time": timestamp = record.get_timestamp() # formatted_time = datetime.datetime.fromtimestamp(timestamp/1000).strftime('%Y-%m-%dT%H:%M:%S.%f')[:-3] row = record.get_fields() result.append(str(timestamp) + "," + ",".join(map(str, row))) else: row = record.get_fields() result.append(",".join(map(str, row))) _session.close() return [ TextContent( type="text", text="\n".join([",".join(columns)] + result), ) ] elif config.sql_dialect == "table": session_pool_config = TableSessionPoolConfig( node_urls=[str(config.host) + ":" + str(config.port)], username=config.user, password=config.password, max_pool_size=max_pool_size, # Increased from 5 for better concurrency database=None if len(config.database) == 0 else config.database, ) session_pool = TableSessionPool(session_pool_config) @mcp.tool() async def read_query(query_sql: str) -> list[TextContent]: """Execute a SELECT query on the IoTDB. Please use table sql_dialect when generating SQL queries. Args: query_sql: The SQL query to execute (using TABLE dialect, time using ISO 8601 format, e.g. 2017-11-01T00:08:00.000) """ table_session = None try: table_session = session_pool.get_session() stmt = query_sql.strip().upper() # Regular SELECT queries if ( stmt.startswith("SELECT") or stmt.startswith("DESCRIBE") or stmt.startswith("SHOW") ): res = table_session.execute_query_statement(query_sql) return prepare_res(res, table_session) else: table_session.close() raise ValueError("Only SELECT queries are allowed for read_query") except Exception as e: if table_session: table_session.close() logger.error(f"Failed to execute query: {str(e)}") raise @mcp.tool() async def list_tables() -> list[TextContent]: """List all tables in the IoTDB database.""" table_session = None try: table_session = session_pool.get_session() res = table_session.execute_query_statement("SHOW TABLES") result = ["Tables_in_" + db_config["database"]] # Header while res.has_next(): result.append(str(res.next().get_fields()[0])) table_session.close() return [TextContent(type="text", text="\n".join(result))] except Exception as e: if table_session: table_session.close() logger.error(f"Failed to list tables: {str(e)}") raise @mcp.tool() async def describe_table(table_name: str) -> list[TextContent]: """Get the schema information for a specific table Args: table_name: name of the table to describe """ table_session = None try: table_session = session_pool.get_session() res = table_session.execute_query_statement( "DESC " + table_name + " details" ) return prepare_res(res, table_session) except Exception as e: if table_session: table_session.close() logger.error(f"Failed to describe table {table_name}: {str(e)}") raise @mcp.tool() async def export_table_query( query_sql: str, format: str = "csv", filename: str = None ) -> list[TextContent]: """Execute a query and export the results to a CSV or Excel file. Args: query_sql: The SQL query to execute (using TABLE dialect, time using ISO 8601 format, e.g. 2017-11-01T00:08:00.000) format: Export format, either "csv" or "excel" (default: "csv") filename: Optional filename for the exported file. If not provided, a unique filename will be generated. SQL Syntax: SELECT ⟨select_list⟩ FROM ⟨tables⟩ [WHERE ⟨condition⟩] [GROUP BY ⟨groups⟩] [HAVING ⟨group_filter⟩] [FILL ⟨fill_methods⟩] [ORDER BY ⟨order_expression⟩] [OFFSET ⟨n⟩] [LIMIT ⟨n⟩]; Returns: Information about the exported file and a preview of the data (max 10 rows) """ table_session = None try: table_session = session_pool.get_session() stmt = query_sql.strip().upper() if ( stmt.startswith("SELECT") or stmt.startswith("SHOW") or stmt.startswith("DESCRIBE") or stmt.startswith("DESC") ): # Execute the query res = table_session.execute_query_statement(query_sql) # Create a pandas DataFrame df = res.todf() # Close the session table_session.close() # Generate unique filename with timestamp timestamp = int(datetime.datetime.now().timestamp()) if filename is None: filename = f"dump_{uuid.uuid4().hex[:4]}_{timestamp}" if format.lower() == "csv": if filename.lower().endswith(".csv"): filename = filename[:-4] # Sanitize filename to prevent path traversal attacks filepath = sanitize_filename(f"{filename}.csv", config.export_path) df.to_csv(filepath, index=False) elif format.lower() == "excel": if filename.lower().endswith(".xlsx"): filename = filename[:-5] # Sanitize filename to prevent path traversal attacks filepath = sanitize_filename(f"{filename}.xlsx", config.export_path) df.to_excel(filepath, index=False) else: raise ValueError("Format must be either 'csv' or 'excel'") # Generate preview (first 10 rows) preview_rows = min(10, len(df)) preview_data = [] preview_data.append(",".join(df.columns)) # Header for i in range(preview_rows): preview_data.append(",".join(map(str, df.iloc[i]))) # Return information return [ TextContent( type="text", text=f"Query results exported to {filepath}\n\nPreview (first {preview_rows} rows):\n" + "\n".join(preview_data), ) ] else: raise ValueError( "Only SELECT, SHOW or DESCRIBE queries are allowed for export" ) except Exception as e: if table_session: table_session.close() logger.error(f"Failed to export table query: {str(e)}") raise def prepare_res( _res: SessionDataSet, _table_session: TableSession ) -> list[TextContent]: columns = _res.get_column_names() result = [] while _res.has_next(): row = _res.next().get_fields() result.append(",".join(map(str, row))) _table_session.close() return [ TextContent( type="text", text="\n".join([",".join(columns)] + result), ) ] def main(): logger.info("iotdb_mcp_server running with stdio transport") # Initialize and run the server mcp.run(transport="stdio") if __name__ == "__main__": main()

Loading blob content...

Latest Blog Posts

Redis vs ioredis vs valkey-glide
By punkpeye on January 26, 2026.
benchmark
Redis
valkey
Quickstart: Publish an MCP Server to the MCP Registry
By punkpeye on January 24, 2026.
mcp
official reference mirror
Official MCP Registry Server.json Requirements
By punkpeye on January 24, 2026.
mcp
official reference mirror

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/apache/iotdb-mcp-server'

If you have feedback or need assistance with the MCP directory API, please join our Discord server

server.py•22.1 KiB