mcp-clickhouse

SQL injection vulnerability in run_select_query and run_chdb_select_query

Both functions accept raw SQL queries without parameterization. From mcp_server.py: 'def run_select_query(query: str)' directly executes user input. The chDB prompt explicitly encourages direct SQL construction with f-strings: 'result = run_chdb_select_query(f"SELECT * FROM file('{temp_file}', 'CSV') LIMIT 10")'. No evidence of query sanitization or parameterization.

Path traversal vulnerability in file() table function usage

The chDB functionality accepts arbitrary file paths through user queries without validation. From chdb_prompt.py: 'file('path/to/file.csv')' and Python code shows temp file paths constructed from user input are directly used in queries. No path sanitization or restriction to safe directories is implemented.

Credentials exposed in environment variables and logs

From mcp_env.py: password = os.environ['CLICKHOUSE_PASSWORD'], username = os.environ['CLICKHOUSE_USER']. No encryption or secure storage. Error messages in test files show full stack traces that could leak credentials. The get_client_config() method returns password in plain dict that could be logged.

Arbitrary URL and S3 access through table functions

From chdb_prompt.py: 'url('https://example.com/data.csv')' and 's3('s3://bucket/path/file.csv')' functions allow users to query arbitrary external resources. This enables data exfiltration and SSRF attacks. No allowlist or validation of URLs/S3 paths.

Insufficient input validation on database and table names

Functions like list_tables() and list_databases() use LIKE filters from user input. From test_tool.py: 'list_tables(self.test_db, like=f"{self.test_table}%")' shows direct string interpolation. While some SQL injection is mitigated by the ClickHouse client library, special characters and patterns are not sanitized.

No authentication for default stdio transport

From test_auth_config.py: 'assert config.auth_disabled is False' and 'assert config.auth_token is None' by default. The server can run with transport='stdio' without authentication. From mcp_env.py: auth is not enforced for stdio transport, allowing unauthenticated local access.

Temporary file handling creates race condition

From chdb_prompt.py: 'with tempfile.NamedTemporaryFile(mode='w', delete=False)' creates files with predictable names that persist after write. The cleanup in finally block has a TOCTOU vulnerability where an attacker could read/modify the file between creation and deletion.

Overly permissive bind host configuration

No rate limiting or query timeout controls exposed

Page tokens use simple encoding without integrity checks