
mcp-go-mysql

Verified Safe

by scopweb

Overview

Provides a secure MySQL database management interface via the Model Context Protocol (MCP) for AI tools like Claude Desktop, featuring intelligent security and operation blocking.

Installation

Run Command
./mysql-mcp

Environment Variables

  • MYSQL_HOST
  • MYSQL_USER
  • MYSQL_PASSWORD
  • MYSQL_DATABASE

Security Notes

The project demonstrates a strong focus on security, implementing a multi-layered defense against common database attacks. It features comprehensive SQL injection, path traversal, and command injection prevention (23+ SQLi patterns blocked), explicit blocking of dangerous SQL operations (e.g., DROP DATABASE, DELETE/UPDATE without WHERE), configurable DDL blocking, and a table access whitelist. Credentials are handled via environment variables and masked in logs. Connection pooling, context timeouts, and TLS support are documented. A robust security test suite is included, covering various CVEs, CWEs, and injection types, with recommendations for `govulncheck` and `staticcheck`.

A minor concern is the `allowNativePasswords=true` option in the DSN used by `internal/mysql.go::getDB()`. The primary `internal/client.go::Connect()` method (used for core tools such as 'query' and 'execute') does not include this option, but `getDB()` is used by `internal/analysis.go` (e.g., ExplainQuery) and by some of the simpler list/describe functions. For those particular calls, this DSN setting could allow unencrypted password transmission if the MySQL server itself is not configured to enforce TLS, potentially downgrading security for these operations.

Stats

  • Interest Score: 30
  • Security Score: 9
  • Cost Class: Low
  • Avg Tokens: 1000
  • Stars: 1
  • Forks: 0
  • Last Update: 2025-11-30

Tags

  • MySQL
  • Database Management
  • Security
  • MCP
  • Go