@eilonc-dev eilonc-dev commented Apr 9, 2025

Fixes a vulnerability in the sqlite server's write_query tool by enforcing stricter SQL command validation.

Description

The write_query tool was intended to only execute INSERT, UPDATE, or DELETE statements as per the documentation. However, the existing validation only blocked SELECT statements, leaving the endpoint open to other potentially harmful or unintended SQL commands (e.g., PRAGMA, ATTACH, DROP). This change updates the validation logic to strictly allow only queries starting with INSERT, UPDATE, or DELETE (case-insensitive).

Server Details

  • Server: sqlite
  • Changes to: tools (specifically, the write_query tool implementation)

Motivation and Context

This change is needed to address a security vulnerability where the write_query endpoint could execute arbitrary SQL commands beyond the intended scope (INSERT, UPDATE, DELETE). It aligns the actual behavior with the documented functionality and prevents potential misuse.

How Has This Been Tested?

The code change directly addresses the identified vulnerability by implementing stricter input validation. Manual testing confirmed that only INSERT, UPDATE, and DELETE queries are now accepted. Further testing with an LLM client could be performed to verify behavior in integrated scenarios. Tested scenarios:

  • Sending INSERT, UPDATE, DELETE queries (should succeed).
  • Sending SELECT queries (should fail with ValueError).
  • Sending other SQL commands like CREATE TABLE, DROP TABLE, PRAGMA (should fail with ValueError).

Breaking Changes

This change is non-breaking for clients correctly using the write_query tool according to documentation (i.e., only sending INSERT, UPDATE, or DELETE). It might be considered a breaking change only for clients that were incorrectly relying on the previous permissive behavior to execute other SQL commands, but that usage was unintended and insecure.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update

Checklist

  • I have read the MCP Protocol Documentation
  • My changes follow MCP security best practices
  • I have updated the server's README accordingly
  • I have tested this with an LLM client
  • My code follows the repository's style guidelines
  • New and existing tests pass locally
  • I have added appropriate error handling
  • I have documented all environment variables and configuration options

Additional context

The fix involves checking if the uppercase, stripped query string startswith one of the allowed prefixes ("INSERT", "UPDATE", "DELETE"). This provides a clear and secure validation mechanism aligned with the tool's documented purpose.

SELECT query:
image

PRAGMA query:
image

The write_query endpoint previously only blocked SELECT statements,
potentially allowing other unintended or harmful SQL commands.

This change implements stricter validation to ensure that only queries
starting with INSERT, UPDATE, or DELETE (case-insensitive) are
accepted, aligning the behavior with the documented intent in the README.
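
The validation change this PR describes, as an added example (not the project's own code): the SELECT-only block beside the INSERT/UPDATE/DELETE allowlist, run over the PR's tested scenarios against an in-memory database. The function names, the `notes` table and the sample queries are assumptions constructed for illustration.

```python
import sqlite3

ALLOWED_PREFIXES = ("INSERT", "UPDATE", "DELETE")

def old_check(query: str) -> None:
    # Behaviour the PR describes before the fix: only SELECT is rejected.
    if query.strip().upper().startswith("SELECT"):
        raise ValueError("SELECT queries are not allowed for write_query")

def new_check(query: str) -> None:
    # Behaviour the PR describes after the fix: allowlist on the leading keyword.
    if not query.strip().upper().startswith(ALLOWED_PREFIXES):
        raise ValueError("Only INSERT, UPDATE, or DELETE queries are allowed")

def run_write_query(conn: sqlite3.Connection, query: str, check) -> str:
    # Hypothetical stand-in for the tool handler: validate, then execute.
    try:
        check(query)
    except ValueError:
        return "rejected"
    conn.execute(query)
    return "ok"

def compare(queries):
    results = {}
    for q in queries:
        outcome = []
        for check in (old_check, new_check):
            conn = sqlite3.connect(":memory:")  # fresh database per run
            conn.executescript("CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT);"
                               "INSERT INTO notes (body) VALUES ('seed');")
            outcome.append(run_write_query(conn, q, check))
            conn.close()
        results[q] = tuple(outcome)
    return results

SAMPLE_QUERIES = [  # constructed inputs covering the PR's tested scenarios
    "INSERT INTO notes (body) VALUES ('a')",
    "  update notes SET body = 'b' WHERE id = 1",
    "DELETE FROM notes WHERE id = 1",
    "SELECT * FROM notes",
    "PRAGMA user_version = 7",
    "DROP TABLE notes",
    "ATTACH DATABASE ':memory:' AS other",
]

if __name__ == "__main__":
    for q, (old, new) in compare(SAMPLE_QUERIES).items():
        print(f"old={old:<8} new={new:<8} {q!r}")
```
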

@olaservo added the bug and server-sqlite labels Apr 18, 2025

@olaservo (Member)

Thanks for contributing this PR. This server has been moved to the archived repository at https://github.com/modelcontextprotocol/servers-archived to reduce maintenance overhead, so we can focus our efforts on a smaller set of core servers.
Since we're no longer accepting contributions to this server, we won't be able to merge this PR. If you're interested in contributing similar functionality, we recommend checking out the alternatives listed in the Readme.

@olaservo olaservo closed this May 29, 2025