fix: comprehensive security and code quality improvements

Security Fixes:
- Fixed SQL injection vulnerabilities in index_advisor.py (4 locations)
  * Converted analyze_workload query to use parameterized queries
  * Fixed get_existing_indexes to use parameterized queries
  * Fixed get_index_health duplicate/unused index queries
- Fixed SQL injection vulnerabilities in hypopg_service.py (5 locations)
  * Used psycopg.sql.Identifier for safe table/column name escaping
  * Added access method validation (whitelist-based)
  * Converted all HypoPG function calls to parameterized queries
- Added whitelist validation for ORDER BY clauses in tools_performance.py

Author: isdaniel

src/pgtuner_mcp/__init__.py

@@ -4,8 +4,31 @@
 A Model Context Protocol (MCP) server for AI-powered PostgreSQL performance tuning.
 """
 
+from importlib.metadata import version, PackageNotFoundError
+
 from .server import main
 from .__main__ import run
 
-__version__ = "0.1.0"
+
+def _get_version() -> str:
+    """Get version from package metadata or fallback to pyproject.toml."""
+    try:
+        return version("pgtuner_mcp")
+    except PackageNotFoundError:
+        # Fallback: read from pyproject.toml if package is not installed
+        try:
+            from pathlib import Path
+            import tomllib
+
+            pyproject_path = Path(__file__).parent.parent.parent / "pyproject.toml"
+            if pyproject_path.exists():
+                with open(pyproject_path, "rb") as f:
+                    data = tomllib.load(f)
+                return data.get("project", {}).get("version", "0.0.0")
+        except Exception:
+            pass
+        return "0.0.0"
+
+
+__version__ = _get_version()
 __all__ = ["main", "run"]

src/pgtuner_mcp/services/__init__.py

@@ -2,13 +2,12 @@
 
 from .hypopg_service import HypoPGService
 from .index_advisor import IndexAdvisor
-from .sql_driver import DbConnPool, RowResult, SqlDriver
+from .sql_driver import DbConnPool, SqlDriver
 from .user_filter import UserFilter, get_user_filter
 
 __all__ = [
     "DbConnPool",
     "SqlDriver",
-    "RowResult",
     "HypoPGService",
     "IndexAdvisor",
     "UserFilter",

src/pgtuner_mcp/services/hypopg_service.py

@@ -11,6 +11,8 @@
 from dataclasses import dataclass
 from typing import Any
 
+from psycopg import sql
+
 from .sql_driver import (
     SqlDriver,
     check_extension_available,
@@ -162,22 +164,43 @@ async def create_index(
         """
         await self.ensure_available()
 
-        # Build the CREATE INDEX statement
-        qualified_table = f"{schema}.{table}" if schema else table
-        columns_str = ", ".join(columns)
-
-        create_stmt = f"CREATE INDEX ON {qualified_table} USING {using} ({columns_str})"
+        # Build the CREATE INDEX statement using safe SQL composition
+        # Use sql.Identifier for proper escaping of table and column names
+        if schema:
+            table_ident = sql.Identifier(schema, table)
+        else:
+            table_ident = sql.Identifier(table)
+
+        # Validate and whitelist the index access method
+        valid_access_methods = {"btree", "hash", "brin", "bloom", "gist", "gin", "spgist"}
+        if using.lower() not in valid_access_methods:
+            raise ValueError(f"Invalid index access method: {using}")
+
+        columns_ident = sql.SQL(", ").join(sql.Identifier(col) for col in columns)
+
+        # Build the base CREATE INDEX statement
+        create_stmt = sql.SQL("CREATE INDEX ON {} USING {} ({})").format(
+            table_ident,
+            sql.SQL(using),  # validated above
+            columns_ident
+        )
 
         if include:
-            include_str = ", ".join(include)
-            create_stmt += f" INCLUDE ({include_str})"
+            include_ident = sql.SQL(", ").join(sql.Identifier(col) for col in include)
+            create_stmt = sql.Composed([create_stmt, sql.SQL(" INCLUDE ("), include_ident, sql.SQL(")")])
 
         if where:
-            create_stmt += f" WHERE {where}"
+            # WHERE clause is user-provided SQL expression - use as-is but document the risk
+            # Note: The WHERE clause is intentionally passed through as the user's filter expression
+            create_stmt = sql.Composed([create_stmt, sql.SQL(" WHERE "), sql.SQL(where)])
 
-        # Create the hypothetical index
+        # Convert to string for hypopg_create_index (which expects a SQL statement as text)
+        create_stmt_str = create_stmt.as_string()
+
+        # Create the hypothetical index using parameterized query
         result = await self.driver.execute_query(
-            f"SELECT * FROM hypopg_create_index($${create_stmt}$$)"
+            "SELECT * FROM hypopg_create_index(%s)",
+            [create_stmt_str]
         )
 
         if not result:
@@ -208,11 +231,24 @@ async def create_index_from_sql(self, create_index_sql: str) -> HypotheticalInde
 
         Returns:
             HypotheticalIndex with the created index info
+
+        Note:
+            The create_index_sql parameter is expected to be a valid CREATE INDEX
+            statement. This method uses parameterized queries to pass the statement
+            to hypopg_create_index(), which only processes CREATE INDEX statements
+            and ignores any other SQL.
         """
         await self.ensure_available()
 
+        # Validate that it looks like a CREATE INDEX statement
+        normalized = create_index_sql.strip().upper()
+        if not normalized.startswith("CREATE") or "INDEX" not in normalized:
+            raise ValueError("Invalid CREATE INDEX statement")
+
+        # Use parameterized query - hypopg_create_index only processes CREATE INDEX
         result = await self.driver.execute_query(
-            f"SELECT * FROM hypopg_create_index($${create_index_sql}$$)"
+            "SELECT * FROM hypopg_create_index(%s)",
+            [create_index_sql]
         )
 
         if not result:
@@ -275,7 +311,8 @@ async def get_index_definition(self, indexrelid: int) -> str | None:
         """
         try:
             result = await self.driver.execute_query(
-                f"SELECT hypopg_get_indexdef({indexrelid}) as indexdef"
+                "SELECT hypopg_get_indexdef(%s) as indexdef",
+                [indexrelid]
             )
             if result:
                 return result[0].get("indexdef")
@@ -295,7 +332,8 @@ async def get_index_size(self, indexrelid: int) -> int | None:
         """
         try:
             result = await self.driver.execute_query(
-                f"SELECT hypopg_relation_size({indexrelid}) as size"
+                "SELECT hypopg_relation_size(%s) as size",
+                [indexrelid]
             )
             if result:
                 return result[0].get("size")
@@ -317,7 +355,8 @@ async def drop_index(self, indexrelid: int) -> bool:
 
         try:
             await self.driver.execute_query(
-                f"SELECT hypopg_drop_index({indexrelid})"
+                "SELECT hypopg_drop_index(%s)",
+                [indexrelid]
             )
             logger.info(f"Dropped hypothetical index: {indexrelid}")
             return True
@@ -356,7 +395,8 @@ async def hide_index(self, indexrelid: int) -> bool:
 
         try:
             result = await self.driver.execute_query(
-                f"SELECT hypopg_hide_index({indexrelid})"
+                "SELECT hypopg_hide_index(%s)",
+                [indexrelid]
             )
             if result:
                 return result[0].get("hypopg_hide_index", False)
@@ -378,7 +418,8 @@ async def unhide_index(self, indexrelid: int) -> bool:
 
         try:
             result = await self.driver.execute_query(
-                f"SELECT hypopg_unhide_index({indexrelid})"
+                "SELECT hypopg_unhide_index(%s)",
+                [indexrelid]
             )
             if result:
                 return result[0].get("hypopg_unhide_index", False)