fix: scope search_objects to configured database on MySQL/MariaDB (#332)

tianzhou · claude · web-flow · commit dcc6011a52a5 · 2026-06-09T03:32:54.000-07:00
* Fix: enable query plans on SQL Server via EXPLAIN SQL Server has no native EXPLAIN statement, and the bogus `explain`/ `showplan` entries in the read-only allow-list did nothing. The actual mechanism, SET SHOWPLAN_XML ON, is session scoped, must be the only statement in its batch, and is suppressed inside a transaction — so it could not be used through the pooled, stateless connector. Translate a leading `EXPLAIN <query>` into a SHOWPLAN_XML request run on a short-lived single-connection pool, giving SQL Server a Postgres/MySQL -like EXPLAIN. SHOWPLAN_XML compiles without executing, so it is read-only safe; the isolated session keeps SHOWPLAN state off the shared pool. Drop the dead `showplan` keyword. Closes #310 Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> * Harden SQL Server EXPLAIN translation (PR review) Address Copilot review feedback on the EXPLAIN/SHOWPLAN flow: - Skip leading whitespace and SQL comments when detecting EXPLAIN, so a comment-prefixed EXPLAIN that passes the (comment-stripping) read-only validator is also translated instead of reaching the server untranslated. - Trim the extracted inner query. - Reject empty EXPLAIN and any SET SHOWPLAN inside the explained statement. SQL Server already blocks SET SHOWPLAN alongside other statements in a batch (verified: the DELETE does not execute), but this keeps the read-only guarantee self-contained rather than relying on server behavior. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> * Treat comment-only EXPLAIN as empty (PR review) Validate the explained statement against comment/string-stripped SQL so `EXPLAIN /* comment */` raises the "requires a statement" error instead of running an empty batch. Reuses the strip already done for the SET SHOWPLAN guard. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> * fix: scope search_objects to configured database on MySQL/MariaDB search_objects without an explicit schema fanned out over connector.getSchemas(), which on MySQL/MariaDB returns every database on the server (INFORMATION_SCHEMA.SCHEMATA). This leaked tables, views, columns, procedures, and indexes from databases the user never configured, and made object_type="schema" list the whole instance. Introduce an optional Connector.getDefaultSchema() returning the schema a search should default to (the DSN database via DATABASE() on MySQL/MariaDB, or null when none is configured). The tool layer now resolves the search scope as: explicit schema -> connector default -> full getSchemas() list. Validation of an explicit schema still uses the full list, so deliberate cross-database access is preserved. Also exclude system databases (information_schema, performance_schema, mysql, sys) from getSchemas() on MySQL/MariaDB, matching the PostgreSQL connector which already hides pg_catalog et al. Connectors whose getSchemas() is already scoped to the connected database (PostgreSQL, SQL Server, SQLite) need no change. Fixes #323 Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
diff --git a/src/connectors/__tests__/mariadb.integration.test.ts b/src/connectors/__tests__/mariadb.integration.test.ts
@@ -19,7 +19,7 @@ class MariaDBTestContainer implements TestContainer {
 class MariaDBIntegrationTest extends IntegrationTestBase<MariaDBTestContainer> {
   constructor() {
     const config: DatabaseTestConfig = {
-      expectedSchemas: ['testdb', 'information_schema'],
+      expectedSchemas: ['testdb'],
       expectedTables: ['users', 'orders', 'products'],
       supportsStoredProcedures: false, // Disabled due to container privilege restrictions
       supportsComments: true,
@@ -182,6 +182,19 @@ describe('MariaDB Connector Integration Tests', () => {
   mariadbTest.createSSLTests();
 
   describe('MariaDB-specific Features', () => {
+    it('should exclude server-level system databases from getSchemas()', async () => {
+      const schemas = await mariadbTest.connector.getSchemas();
+      expect(schemas).toContain('testdb');
+      expect(schemas).not.toContain('information_schema');
+      expect(schemas).not.toContain('performance_schema');
+      expect(schemas).not.toContain('mysql');
+      expect(schemas).not.toContain('sys');
+    });
+
+    it('should report the DSN-configured database as the default schema', async () => {
+      expect(await mariadbTest.connector.getDefaultSchema!()).toBe('testdb');
+    });
+
     it('should execute multiple statements with native support', async () => {
       // First insert the test data
       await mariadbTest.connector.executeSQL(`
diff --git a/src/connectors/__tests__/mysql.integration.test.ts b/src/connectors/__tests__/mysql.integration.test.ts
@@ -19,7 +19,7 @@ class MySQLTestContainer implements TestContainer {
 class MySQLIntegrationTest extends IntegrationTestBase<MySQLTestContainer> {
   constructor() {
     const config: DatabaseTestConfig = {
-      expectedSchemas: ['testdb', 'information_schema'],
+      expectedSchemas: ['testdb'],
       expectedTables: ['users', 'orders', 'products'],
       supportsStoredProcedures: false, // Disabled due to container privilege restrictions
       supportsComments: true,
@@ -176,6 +176,19 @@ describe('MySQL Connector Integration Tests', () => {
   mysqlTest.createSSLTests();
 
   describe('MySQL-specific Features', () => {
+    it('should exclude server-level system databases from getSchemas()', async () => {
+      const schemas = await mysqlTest.connector.getSchemas();
+      expect(schemas).toContain('testdb');
+      expect(schemas).not.toContain('information_schema');
+      expect(schemas).not.toContain('performance_schema');
+      expect(schemas).not.toContain('mysql');
+      expect(schemas).not.toContain('sys');
+    });
+
+    it('should report the DSN-configured database as the default schema', async () => {
+      expect(await mysqlTest.connector.getDefaultSchema!()).toBe('testdb');
+    });
+
     it('should execute multiple statements with native support', async () => {
       // First insert the test data
       await mysqlTest.connector.executeSQL(`
diff --git a/src/connectors/interface.ts b/src/connectors/interface.ts
@@ -156,6 +156,19 @@ export interface Connector {
    */
   getSchemas(): Promise<string[]>;
 
+  /**
+   * Get the schema that searches should default to when no schema is specified.
+   *
+   * Returns a single schema name when the connection is scoped to one (e.g. the
+   * database named in a MySQL/MariaDB DSN), or null when there is no configured
+   * scope and callers should fall back to getSchemas() (the full list).
+   *
+   * Connectors whose getSchemas() is already scoped to the connected database
+   * (PostgreSQL, SQL Server, SQLite) may omit this or return null.
+   * @returns Promise with the default schema name, or null for the full list
+   */
+  getDefaultSchema?(): Promise<string | null>;
+
   /**
    * Get all tables in the database or in a specific schema
    * @param schema Optional schema name. If not provided, implementation should use the default schema:
diff --git a/src/connectors/mariadb/index.ts b/src/connectors/mariadb/index.ts
@@ -156,10 +156,13 @@ export class MariaDBConnector implements Connector {
     }
 
     try {
-      // In MariaDB, schemas are equivalent to databases
+      // In MariaDB, schemas are equivalent to databases. Exclude server-level
+      // system databases so the list matches the user-facing schemas only
+      // (parity with the PostgreSQL connector, which hides pg_catalog et al.).
       const rows = await this.pool.query(`
-        SELECT SCHEMA_NAME 
+        SELECT SCHEMA_NAME
         FROM INFORMATION_SCHEMA.SCHEMATA
+        WHERE SCHEMA_NAME NOT IN ('information_schema', 'performance_schema', 'mysql', 'sys')
         ORDER BY SCHEMA_NAME
       `) as any[];
 
@@ -574,6 +577,19 @@ export class MariaDBConnector implements Connector {
     return rows[0].DB;
   }
 
+  /**
+   * Default search scope = the database named in the DSN. DATABASE() returns
+   * null when the connection was opened without a database, in which case
+   * callers fall back to the full server-wide schema list.
+   */
+  async getDefaultSchema(): Promise<string | null> {
+    if (!this.pool) {
+      throw new Error("Not connected to database");
+    }
+    const rows = await this.pool.query("SELECT DATABASE() AS DB") as any[];
+    return rows[0]?.DB ?? null;
+  }
+
   async executeSQL(sql: string, options: ExecuteOptions, parameters?: any[]): Promise<SQLResult> {
     if (!this.pool) {
       throw new Error("Not connected to database");
diff --git a/src/connectors/mysql/index.ts b/src/connectors/mysql/index.ts
@@ -169,10 +169,13 @@ export class MySQLConnector implements Connector {
     }
 
     try {
-      // In MySQL, schemas are equivalent to databases
+      // In MySQL, schemas are equivalent to databases. Exclude server-level
+      // system databases so the list matches the user-facing schemas only
+      // (parity with the PostgreSQL connector, which hides pg_catalog et al.).
       const [rows] = (await this.pool.query(`
-        SELECT SCHEMA_NAME 
+        SELECT SCHEMA_NAME
         FROM INFORMATION_SCHEMA.SCHEMATA
+        WHERE SCHEMA_NAME NOT IN ('information_schema', 'performance_schema', 'mysql', 'sys')
         ORDER BY SCHEMA_NAME
       `)) as [any[], any];
 
@@ -587,6 +590,19 @@ export class MySQLConnector implements Connector {
     return rows[0].DB;
   }
 
+  /**
+   * Default search scope = the database named in the DSN. DATABASE() returns
+   * null when the connection was opened without a database, in which case
+   * callers fall back to the full server-wide schema list.
+   */
+  async getDefaultSchema(): Promise<string | null> {
+    if (!this.pool) {
+      throw new Error("Not connected to database");
+    }
+    const [rows] = (await this.pool.query("SELECT DATABASE() AS DB")) as [any[], any];
+    return rows[0]?.DB ?? null;
+  }
+
   async executeSQL(sql: string, options: ExecuteOptions, parameters?: any[]): Promise<SQLResult> {
     if (!this.pool) {
       throw new Error("Not connected to database");
diff --git a/src/tools/__tests__/search-objects.test.ts b/src/tools/__tests__/search-objects.test.ts
@@ -1305,4 +1305,88 @@ describe('search_database_objects tool', () => {
       expect(asteriskParsed.data.results.map((r: any) => r.name)).toEqual(['user*data']);
     });
   });
+
+  describe('default schema scoping', () => {
+    // Simulates a MySQL/MariaDB connector whose getSchemas() lists every
+    // database on the server, but getDefaultSchema() reports the DSN-configured
+    // database. Searches without an explicit schema must stay within the default.
+    beforeEach(() => {
+      mockConnector = createMockConnector('mysql');
+      (mockConnector as any).getDefaultSchema = vi.fn();
+      mockGetCurrentConnector.mockReturnValue(mockConnector);
+      vi.mocked(mockConnector.getSchemas).mockResolvedValue([
+        'configured_db',
+        'other_db',
+        'third_db',
+      ]);
+      vi.mocked(mockConnector.getTables).mockImplementation(async (schema?: string) => {
+        if (schema === 'configured_db') return ['orders'];
+        if (schema === 'other_db') return ['secrets'];
+        return ['misc'];
+      });
+    });
+
+    it('scopes table search to the default schema and never fans out to other databases', async () => {
+      vi.mocked((mockConnector as any).getDefaultSchema).mockResolvedValue('configured_db');
+
+      const handler = createSearchDatabaseObjectsToolHandler();
+      const result = await handler(
+        { object_type: 'table', pattern: '%', detail_level: 'names' },
+        null
+      );
+
+      const parsed = parseToolResponse(result);
+      expect(parsed.data.results.map((r: any) => r.schema)).toEqual(['configured_db']);
+      expect(parsed.data.results.map((r: any) => r.name)).toEqual(['orders']);
+      // Only the configured database should have been inspected.
+      expect(mockConnector.getTables).toHaveBeenCalledTimes(1);
+      expect(mockConnector.getTables).toHaveBeenCalledWith('configured_db');
+    });
+
+    it('scopes schema listing to the default schema', async () => {
+      vi.mocked((mockConnector as any).getDefaultSchema).mockResolvedValue('configured_db');
+
+      const handler = createSearchDatabaseObjectsToolHandler();
+      const result = await handler(
+        { object_type: 'schema', pattern: '%', detail_level: 'names' },
+        null
+      );
+
+      const parsed = parseToolResponse(result);
+      expect(parsed.data.results.map((r: any) => r.name)).toEqual(['configured_db']);
+    });
+
+    it('falls back to the full schema list when no default is configured (null)', async () => {
+      vi.mocked((mockConnector as any).getDefaultSchema).mockResolvedValue(null);
+
+      const handler = createSearchDatabaseObjectsToolHandler();
+      const result = await handler(
+        { object_type: 'table', pattern: '%', detail_level: 'names' },
+        null
+      );
+
+      const parsed = parseToolResponse(result);
+      expect(parsed.data.results.map((r: any) => r.schema)).toEqual([
+        'configured_db',
+        'other_db',
+        'third_db',
+      ]);
+    });
+
+    it('honors an explicit schema filter targeting a non-default database', async () => {
+      vi.mocked((mockConnector as any).getDefaultSchema).mockResolvedValue('configured_db');
+
+      const handler = createSearchDatabaseObjectsToolHandler();
+      const result = await handler(
+        { object_type: 'table', pattern: '%', schema: 'other_db', detail_level: 'names' },
+        null
+      );
+
+      const parsed = parseToolResponse(result);
+      expect(parsed.data.results.map((r: any) => r.schema)).toEqual(['other_db']);
+      expect(parsed.data.results.map((r: any) => r.name)).toEqual(['secrets']);
+      // getDefaultSchema must not override an explicit caller-provided schema.
+      expect((mockConnector as any).getDefaultSchema).not.toHaveBeenCalled();
+    });
+  });
 });
diff --git a/src/tools/search-objects.ts b/src/tools/search-objects.ts
@@ -66,6 +66,26 @@ function likePatternToRegex(pattern: string): RegExp {
   return new RegExp(`^${escaped}$`, "i");
 }
 
+/**
+ * Resolve the set of schemas a search should scope to when the caller did not
+ * pass an explicit `schema` filter.
+ *
+ * Prefers the connector's default schema (e.g. the database named in a
+ * MySQL/MariaDB DSN) so searches don't leak across every database on the
+ * server. When the connector reports no default (null) — or doesn't implement
+ * getDefaultSchema at all — it falls back to the full getSchemas() list, which
+ * for PostgreSQL/SQL Server/SQLite is already scoped to the connected database.
+ */
+async function resolveDefaultSchemas(connector: Connector): Promise<string[]> {
+  if (connector.getDefaultSchema) {
+    const defaultSchema = await connector.getDefaultSchema();
+    if (defaultSchema) {
+      return [defaultSchema];
+    }
+  }
+  return connector.getSchemas();
+}
+
 /**
  * Get row count estimate for a table.
  * Prefers the connector's native statistics-based method (e.g. pg_class.reltuples)
@@ -123,7 +143,7 @@ async function searchSchemas(
   detailLevel: DetailLevel,
   limit: number
 ): Promise<any[]> {
-  const schemas = await connector.getSchemas();
+  const schemas = await resolveDefaultSchemas(connector);
   const regex = likePatternToRegex(pattern);
   const matched = schemas.filter((schema: string) => regex.test(schema)).slice(0, limit);
 
@@ -170,7 +190,7 @@ async function searchTables(
   if (schemaFilter) {
     schemasToSearch = [schemaFilter];
   } else {
-    schemasToSearch = await connector.getSchemas();
+    schemasToSearch = await resolveDefaultSchemas(connector);
   }
 
   // Search tables in each schema
@@ -374,7 +394,7 @@ async function searchColumns(
   if (schemaFilter) {
     schemasToSearch = [schemaFilter];
   } else {
-    schemasToSearch = await connector.getSchemas();
+    schemasToSearch = await resolveDefaultSchemas(connector);
   }
 
   // Search columns in tables and views across schemas
@@ -463,7 +483,7 @@ async function searchProcedures(
   if (schemaFilter) {
     schemasToSearch = [schemaFilter];
   } else {
-    schemasToSearch = await connector.getSchemas();
+    schemasToSearch = await resolveDefaultSchemas(connector);
   }
 
   // Search procedures/functions in each schema
@@ -532,7 +552,7 @@ async function searchIndexes(
   if (schemaFilter) {
     schemasToSearch = [schemaFilter];
   } else {
-    schemasToSearch = await connector.getSchemas();
+    schemasToSearch = await resolveDefaultSchemas(connector);
   }
 
   // Search indexes in tables across schemas
